Google proffers plugs in Android MMS pwnfest Google has slung a new set of patches at the vulnerability hub that is Android media processing, fixing four critical flaws and 10 high-severity bugs. The vulnerabilities could allow user phones to be compromised through a variety of means including MMS, email, and following web links. Nexus users get the fixes first along …
*sigh* It appears to be a recurring theme even between minor versions. The wailing and gnashing of teeth appears to be constant between now-it-works-for-me and now-it's-broken-for-me, especially with relation to car kits.
I want a Bluetooth-capable unit for my (slightly aging car), but don't fancy it variously working or not depending on the minor release cycle. A friend's keeping his Nexus 3 with Android 4.3 as "bridge", since that's the last version that worked with his car (major luxury german brand OEM)'s head unit.
Yup, Nexus forums awash with this one, looks like just about every car manufacturer affected.
Had some direct exchange with google, proffering the usual 'solutions', including Factory Reset (which doesn't reset the device to KitKat, so not a lot of use...) concluding in a distinct washing their hands of it.
Really pissed at having spent a shitload of cash on their 'flagship' device to have them piss all over one of the major functions (for me anyway).
certainly not inclined to spend my hard-earned with them next time round, but unless someone comes up with a better alternative that isn't apple or microsoft...
As an aside the most recent update (about two weeks ago on 3 in the UK) to the s5 seems to have fixed the Android 5 update which, like you say, pretty much bricked the phone.
The Android industry really does need to fix this slow to never and unreliable update problem, other branches of IT manage it. Microsoft used to be good until they started abusing the trust and Debian haven't broken anything for years. Speed of patching is now one of my purchasing decisions when buying a phone.
"Windows phone + browser = best of both worlds!!!"
Well yes - no spyware on Windows Phone - or Edge - unlike with Google Android / Chrome. And Edge is faster than Chrome, and Windows Phone is faster and smoother (and far more secure!) than Android.
The Android industry really does need to fix this slow to never and unreliable update problem
It certainly does!
But the trouble is, they don't need to! 95%[0] of phone users don't care about this. Making matters worse, they've been burned too many times with updates on the desktop, that they don't even want it.
Until the masses start voting with their wallets, the manufacturers/carriers aren't going to waste their time updating their stuff.
I wouldn't mind, but the fixes are already made for them, and they don't even have to develop the OS!
Google really need to clamp down on this.
[0] That number was pulled out my arse
I agree with AC, and think the same is probably true for iPhone users despite the large uptake on updates. I have an iPhone and appreciate the regular updates that last five years or so after the phone is introduced, but fixing security holes is pretty invisible to the typical user. While iPhone users update in large numbers, it is because they will hear about some new feature like Apple Music. When there's a x.y.z point release that just fixes a few bugs it I doubt it gets much attention beyond people who update just to get rid of that little red "1" on the Settings app...
I think it would take a severe security issue (one that is being exploited in fairly large numbers that is hard to defend yourself against via simply being careful) before the masses really appreciated the difference in the speed of updates and support life of devices for iPhone over Android. Even then those who go for the less expensive devices might think to themselves "I can buy a $150 Android or $650 iPhone, and if there's a security issue I can always "update" by buying a brand new $150 Android and still come out ahead". That's not exactly a strategy that Android OEMs would have a problem with, so you can see why there's little incentive for them to change their behavior.
FWIW, while writing this I wondered if iOS 9.2 was out and found it had just been released this morning. Just finished updating while writing this :)
Manufacturers and providers are going to have to realise that smartphones are no different to any other personal computing device and need security updates provided as and when they become available. If they tried this in the Windows world, there would be an uproar.
The core OS should come form AOSP or Google directly and be patched directly. The provider and manufacturer should have no say in this level of security patches, they should only be responsible for their "value add".
The Android OS should be more like ChromeOS, the same OS irrespective of the devices origin.
You could then do the 'value add', by a simple 'branding on boot' process.
The 'branding' could be a simple zip file containing things like...
* wallpapers
* notification audio files
* manufacturers apps
* Bookmarks
* Device drivers
* Custom settings, including setting defaults, (i.e. use this background/ringtone/home page/app etc).
On first boot (or after a factory reset), the OS simply looks for a 'branding' file (or files). If there isn't one, you get a stock Android, (aka Nexus), if one exists, then during initial boot up, the branding items are applied.
Edit:
Forgot to mention, of course OS updates should be OTA and direct from Google, only the branding component would be produced by the Manufacturer/Carrier, and even then, generated via tools provided by Google.
Google's been actively moving away from that model by incorporating more and more into Play Services, to the point where I'd argue that AOSP is becoming irrelevant for much more than the kernel and HAL.
The baseband stuff should be spun out so they can do base OS/firmware updates without requiring re-certification every time. The latter is a barrel full of pain that they push onto the OEMs and that significantly extent the shortest possible patch cycle.
I don't understand why they didn't simply push out a new messaging system without the bug from the play store. (Even if some need to manually install it).
I recently discovered that android phones alarm won't work from off. WTF? (The same flaw is my main gripe with BB10, every phone I have used before did it.)
I don't understand why they didn't simply push out a new messaging system without the bug from the play store.
The bug isn't in the messaging system - it's in Stagefright, the rendering engine for various types of media. It's just easy to exploit automatically through MMS clients that auto-preview media.
I suppose Google could have put Yet Another MMS client in the Store, without auto-preview. But since you can turn that feature off in most or all clients, there isn't really much point.
And Stagefright (and other core components) can't be updated through the Store.
"Google has slung a new set of patches at the vulnerability hub that is Android media processing, fixing four critical flaws and 10 high-severity bugs."
Substitute "Microsoft" for "Google" and "Android" for "Windows" and I'd swear we were back in the early 2000s with that opening line... those who do not learn from history...
Android 6.01
Patch level Dec 1st 2015
Don't really see what this nonsense about android devices not getting updates is all about. My Nexus is as well supported as anything apple makes (and more functional)
Guess its just a lazy reporting bandwagon to jump aboard, as I know the other big android are committed to monthly ota updates, Samsung, Sony, HTC LG and the like.
A minutes googling would show you that the vast majority of Android handsets run old versions and don't get patches. 40% on 4.4 or lower, another 40% on 4.4.
It would appear the nonsense is your mistaken belief that Android devices get patches.
But then "Google is taking the lead on revitalising the patching pipeline for the Android ecosystem". About 6 years too late.....
Family has a Galaxy S3 and S4. Well out of date and updates, but so far we haven't apparently been ripped apart by hackers .
So what is the real risk of bad things happening to the average Joe? Or do you have to root your handset, sideload software and visit dodgy sites before you get attacked?
So what is the real risk of bad things happening to the average Joe?
Impossible to estimate. Given the number of Android devices out there, I suppose it's not hugely likely that you'll get attacked randomly via MMS or any other relatively expensive vector. On the other hand, the Stagefright issues can be exploited via email and web, too, if you attempt to render multimedia content delivered over those media (or any other).
MMS is the traditional vector for discussions of Stagefright because many MMS clients default to auto-preview, which means they're vulnerable by default - no user action (or, at most, viewing the message) is required.
On the other hand, if any of you manage to piss off someone who's both knowledgeable and immoral...
Or do you have to root your handset, sideload software and visit dodgy sites before you get attacked?
No. All you have to do is attempt to render malicious media, which can arrive by any number of means. A standard Android device with a sufficiently old version of the OS is vulnerable out of the box.
If you have a phone configured to preview media in MMS messages without being unlocked (assuming that's possible - I know some clients can be configured to preview at least the text portion without being unlocked), it should be possible to take it over without even unlocking it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
