back to article Google flubs patch for Stagefright security bug in 950 million Androids

Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed. The Stagefright flaw is named after a component within the Android operating system that, among other things, processes incoming text messages that contain video clips. By sending a vulnerable …

  1. Anonymous Coward
    Anonymous Coward

    How the hell do I know if my shit phone is going to get the update? Does it come through Google Play?

    It's a Samsung S3

    1. Michael Habel

      Re: How the hell do I know

      You should know that the answer is to chuck your Phablet, and get a Galaxy 6, thats still in support. Samsung honestly couldn't give a toss about the Galaxy S -- 2/3/4 anymore.

      1. dotdavid

        Re: How the hell do I know

        "the answer is to chuck your Phablet, and get a Galaxy 6, thats still in support. Samsung honestly couldn't give a toss about the Galaxy S -- 2/3/4 anymore."

        Why would you support this behaviour by buying *another* Samsung? The S6 is getting on a bit now (several months old already, gasp) - it won't be long before it's out of support too.

        1. dotdavid

          Re: How the hell do I know

          Regarding the S3 in particular though there were rumours of it getting this as a patch over the air, but I wouldn't hold my breath. CyanogenMod 11's (which is the latest "official" CM KitKat based ROM) latest nightly build has the patches. Probably various other third party ROMs have it too.

    2. Dan 55 Silver badge

      You're out of luck. It's an OTA update for...

      Nexus

      Galaxy S5, S6, S6 Edge, and Note Edge

      HTC One M7, One M8, One M9

      LG Electronics G2, G3, G4

      Sony Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Compact

      Android One platform

      http://arstechnica.co.uk/security/2015/08/google-pushes-update-for-critical-android-bug-but-wont-say-if-its-fixed/

      So for most custom ROMs are still the way forward.

  2. Gene Cash Silver badge

    Does this require updating to Lollipop?

    I've got an old 3G Moto G, and all the people that have upgraded theirs to Lollipop do nothing but complain of short battery life, unexplained crashes, and wi-fi that continually dies, among other problems.

    This is in addition to the folks that have found they don't like Lollipop and regret upgrading.

    So I'm rather leery and have disabled MotorolaOTA.

    1. Anonymous Coward
      Anonymous Coward

      Re: Does this require updating to Lollipop?

      Biggest problem I have seen on at least custom Lollipop roms on my old gnex (back up phone) was how flaky full phone encryption was. Performance wise (though never did get encryption to work) it was actually decent (long live unofficial CM).

    2. Stuart 22

      Re: Does this require updating to Lollipop?

      "I've got an old 3G Moto G, and all the people that have upgraded theirs to Lollipop do nothing but complain of short battery life, unexplained crashes, and wi-fi that continually dies, among other problems."

      Something wrong with my 2013 Moto G then as it works perfectly with 5.0.3 and has never crashed and my Nexus 4 is 5.1.1 which now takes less power from the battery. People with problems complain. People without, don't.

    3. Anonymous Coward
      Anonymous Coward

      Re: Does this require updating to Lollipop?

      No the patch will be patched onto whatever you currently have. This isn't a free ticket to a new OS version

      1. Dan 55 Silver badge

        Re: Does this require updating to Lollipop?

        Although people on 4.3 or before won't get anything as fixes in AOSP are applied to the latest three versions.

    4. dotdavid

      Re: Does this require updating to Lollipop?

      Motorola won't bother updating their 4.4 software, they'll patch their latest 5.1-based software and send OTAs (eventually).

      I heard 5.1.1 is much better than 5.0.x so it may be a good excuse to upgrade. A factory reset can fix some of the problems people have experienced with the Lollipop upgrades apparently. There are ways to revert to 4.4 but that might be fiddly.

  3. John Crisp

    Reckon pigs will fly before I see an update from my carrier. They just aren't interested. Sold you the phone and taken the cash. Then only interested in upselling services.

    It's a friggin disgrace but no idea how we can get the bastards to budge.

    What would people do if Dell supplied you a Windows box but never pushed you any Windoes updates ?

    IMHO Google should be kicking the crap out of carriers. But they don't much seem to care either. They have assimilated you. Got your data.

    And I thought Windows 10 was a mess. Makes M$ look good.

    1. Anonymous Coward
      Anonymous Coward

      >> What would people do if Dell supplied you a Windows box but never pushed you any Windoes updates ?

      Therein lies the problem, who would set up a system where Dell was responsible for giving you updates to a Microsoft product?

      The people who thought it would be a great idea for carriers and/or manufacturers to distribute phone OS updates should all be shot.

      Phones should all be designed to run stock Android and receive stock updates. Any special hardware on the phone should be supported by separate drivers that could be registered with Google and downloaded/installed separately. And any special bloatware that the carriers require, contractually, should be installed as 3rd party apps.

    2. Michael Habel

      And I thought Windows 10 was a mess. Makes M$ look good.a

      As much as I hate to agree with you... You are on to something with this line of thought.

      A better question is why hasn't Google already drawn a line in the sand and said; Ok Samsung has control (as such), of the GUI. But, the underlying Android OS IS OURS, and we'll take care of that bit as needed. Not so much for the sake of an easy upgrade from Gingerbread to Lollipop. As such, but at least where these Security updates are concerned. At this point I'm willing to almost forgive Google this faux pas. in some mischaracterization, that this is still largely a new-ish arena, and they honestly never saw it coming. But, it seems to me more of the same old lip service being paid, and nothings getting done.

      1. Anonymous Coward
        Anonymous Coward

        A better question is why hasn't Google already drawn a line in the sand and said; Ok Samsung has control (as such), of the GUI. But, the underlying Android OS IS OURS, and we'll take care of that bit as needed

        You mean as in actually taking responsibility for anything? That would be the day. It could have started with a decent layered design where what you suggest is actually possible, also because making that Open Source would mean others could push in a fix until the "official" fix emerged, a bit like what happens with a Linux bug.

        950 MILLION people can but dream..

      2. fuzzie

        I disagree that this is a new area. It's been a long and painful lesson in the Windows world. If you look at the architectural design for Symbian and in addition its Trusted Platform, they foresaw exactly these scenarios. That's why they used the micro-kernel model, strong Hardware Abstraction Layer and user space modules for everything above. That brought them other issues, but security-wise it's a great model.

        One thing people tend to forget is the baseband radio stack. Each revision of this has to be certified before it can be pushed. This is a regulatory requirement. Unfortunately, Android appears to be a pretty monolithic system. Google's trying to pull more stuff from the base into Google Play Services, but I suspect that's more driven by wished for strong-ownership/lock-in more than security or ease of upgrade. It also doesn't help that OEMs get new releases by way of one big code dump in AOSP and then have to reintegrate from scratch.

        As you point out, Android must be more layered and modular so the HAL/drivers from Qualcomm et al, the baseband stack and the kernel/base system and user-land bits are properly independent and can be independently updated/patched. We've known and done this for many years.

  4. Mark 85

    Hmm....

    My Samsung tries to contact AT&T for an update and comes back with "no connection". Been that way for years. I guess I'll never know....

    1. elDog

      Re: Hmm....

      Oh, dear. Didn't anyone tell you that ATT went out of business several years ago?

      Perhaps there were a few bits left in the pipeline and maybe a couple of customer reps that didn't know they were "remaindered".

      Sorry about your problems. However, you are important to us. Please stay on the line.

  5. This post has been deleted by its author

  6. Zola
    Mushroom

    Monthly security updates will soon become a major PITA

    It's all very well Google promising to push out monthly security updates, but the design of the current Android platform ensures that frequent updates will become a major PITA and something I'm sure users will grow weary of pretty quickly.

    The problem is that the Android platform takes over 20 minutes - tested on a quad-core Nexus 5 (2013) - to apply even the smallest update. Every application on the device (and I haven't installed many myself, maybe only a dozen, but the number of apps on the device still runs to about 120) has to be (re-)"optimised" - thanks to ART - every time the system is updated. And optimisation is a very, very slow process (I actually wonder if it's only running on a single core, it's _that_ frickin' slow).

    1MB update? Boom, 20+ fudging minutes to apply the update.

    10MB update? Another 20+ fudging minutes to apply.

    200MB update? You get the picture. The size of the update doesn't matter, it's always going to be dwarfed by the colossal time it takes for ART to get it's shit together.

    It's a horribly flawed process that is going to become a major burden for users if small security updates are pushed out frequently. I can see myself skipping updates just to avoid the inconvenience of the slow update process (although at least they're unlikely to be as bad as Twitter, who seem able/willing to publish new builds of their app on an almost daily basis with no hint of a changelog - it does make you wonder how crap their developers are).

    1. Anonymous Coward
      IT Angle

      Big suprise? Vendors. IT. Right.

      Okay, I'll bite. Why does the optimization process run equally as long here whether I select ART or Dalvik for the Runtime. I'm with you on the beastly run time as dual-core or quad-core matters not a bit, and clock speed does shorten it here. [Broken tablets are common here (nuero-degeneration), just killed another today, so I experience the painful update cycle regularly.]

      We should all be quite familiar with any setup like this anyway. IT, multiple vendors, equals at last twice as many fingers pointed per vendor, seemingly a geometric expansion in extreme cases.

    2. Adam 1

      Re: Monthly security updates will soon become a major PITA

      Whether it is ART or Dalvik or whatever, it is an important point. The update process for me just took 20 minutes and at least 1/4 of the battery to spin through 141 apps. Further, if your device is encrypted then you need to enter your pass code in the middle of it, so you can't just run it unattended overnight. If it truly is optimising apps then they need to move it to a lazy load model and only optimise on first launch, and have a background process completing the job. Sometimes I wonder if they forget it is also a phone.

    3. Zola

      Re: Monthly security updates will soon become a major PITA

      Correction: Nexus 7 (2013), not Nexus 5...

  7. Bota

    Sailfish 2.0

    Is looking more and more appealing, has anyone tried it out?

    1. fuzzie

      Re: Sailfish 2.0

      I've not been adventurous enough to try out the phone, but I'm awaiting the shipments of the tablet to give it a spin without impacting daily life :)

      1. Bota

        Re: Sailfish 2.0

        May treat myself to the phone, looks nicely designed tbh and I'm sick of the Android "no OTA" updates from my carrier.

  8. heyrick Silver badge

    Riight...

    Samsung just pushed out an ~90MB update to my S5 Mini. I have contacted them to ask what the update fixes, but now have to deal with the fact (if they reply with any actual detail) that if they think they've fixed Stagefright...no they haven't? Marvellous.

    (be nice if we were properly informed in the beginning as to what the update updates)

    1. 404

      Re: Riight...

      hehe - thank your lucky stars that you're *getting* updates - I haven't seen any updates from Verizon on my Note3 since April and that was the 5.0 upgrade...

      Makes me feel like singing:

      Rarripop, Rarripop, oh what a Rarripop.. bedew dew dew POP!*

      *yeah yeah - coat *there*, door *there*... got it!

      Ya'll have a great day!

    2. heyrick Silver badge
      FAIL

      Re: Riight...

      Update:

      Samsung replied. Couldn't tell me what the upgrade actually contained and, worse yet, couldn't tell me about whether or not any vulnerabilities had been addressed.

      Useful. I have no choice but to assume that my phone is vulnerable to everything that can affect standard Android 4.4.2.

  9. Alistair
    Windows

    FD:

    Samsung SIIx T989D, 4+ years old. - 2nd battery which is going to get replaced this month as I'm under the 60% value, yes I'm hard as hell on my phone.

    Running Telsa 9.1.x Lollipop -

    The /cache rebuild after an update was horrendously slow the first few times (on CM11 with CyMOD recovery) with the standard format, I've found that the f2fs TWRP wipe and reformat of /cache and /system is *much* faster -- however at least on my phone it took 3 full resets, and reinstalls to get TWRP fully functional - I've also modified my pit for the extra system space. Now, given an update of the mod only - it takes about half the time. Updating *any* gapps kit .... forget it, it seems to wander into the forest for a lovely afternoon tea with some Horrible Harry type and they get lost in the book.

    That said, YMMV, I don't Odin, I use Heimdahl and have Recovery level backups, Nandroid backups and Titanium backups, so I bare bones things and reinstall from those.

    Haven't seen Tesla add this latest patch yet, but I'm sure it will happen.

  10. Anonymous Coward
    Anonymous Coward

    Umm..

    I hate to tell you this, but my iPhone updated fine just now. Took something like 8 minutes, including making a backup first (updates have never failed me yet, but that's no reason to become careless).

    I'm not telling you this to be smug, but out of concern. It may be worth pushing Google and your providers a LOT harder for a decent approach to updates, because the fact that Android updating is such a painful process will deter many people from doing it, which is *not* a good thing.

    It must be possible to structure Android in such a way that each party involved has their own segment so an update doesn't need to do a full rip & replace of the software stack.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like