It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerability called Stagefright – and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.
But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.
Seeing is believing, but the signs are at least somewhat positive. I doubt all of these will get the fix, though.
That being said, as the linked article explains, this bug really isn’t as worrisome as people made it out to be. Security researchers (often working for companies selling security software) have cried wolf so many times I really don’t take any of them seriously at this point, no matter which operating system’s users they are trying to scare into buying their crap.
In other words, Patch Tuesday’s back. Great.
Yes, it is a great thing…
Google announced it will be following Samsung with monthly security updates for Nexus devices. –> http://officialandroid.blogspot.com/2015/08/an-update-to-nexus-devi…
Edited 2015-08-05 19:36 UTC
It’s not. Mobile device security updates should be released at once as soon as they’re tested. Do you know what kind of damage can be done in a week, let alone a month?
It’s not ideal, but compared to the previous update pace of NEVER it’s pretty good.
I guess you don’t know how Android security updates have worked in the past…
Can you give me an example of this type of damage happening on Android before?
Edited 2015-08-06 14:21 UTC
Excuse me, but why the hell is Google following Samsung here? Shouldn’t it be the other way around? Shouldn’t the OS developer be a shining example for the third parties to follow?
This kind of “release and forget” bullshit is part of why I left Android.
I’m not sure if Thom and I are reading the same article, but the one linked to here quite clearly says that the bug does allow for remote execution, it’s just difficult to do reliably — not impossible. That’s far from crying wolf, and even if it did require a highly skilled attacker instead of your usual script-kiddie, a remote execution vulnerability that, depending on your messaging app, can be triggered completely automatically is definitely a big deal.
Perhaps my wording was unclear, but what I meant was that they HAVE cried wolf so many times that it’s hard to get worked up over any new supposed issues.
I understand your aversion against “security researchers”, especially the ones that work for anti-virus companies (we at WC-Eend recommend… WC-Eend)
but the reason lots of real-in-the-lab-problems don’t become real-in-the-world-problems is because security researchers ARE crying wolf, getting noticed and things get fixed. The system isn’t perfect but it works pretty well.
P.S. The group of “good” security researchers that you talk about at Black Hat and the group of “bad” security researchers at security companies share a remarkable number of people.
I don’t see how anything’s changed! I have a Google Galaxy Nexus that I bought brand new less than 3 years ago that will not get any updates. I’m stuck on 4.3 for no technical reason, just that Google decided to stop supporting it over a year ago, when the phone wasn’t even 2 years old. I could move to CM but that is stuck on 4.4.
The fact is that, as usual, only a handful of devices will get the updates and the rest will be left to rot away. When you purchase a new phone or tablet, it will not come with any guarantee that you will get updates, be it a Nexus device from Google or a flagship device from Samsung.
Please get your facts straight before making comments.
The Galaxy Nexus did get major Android updates for 18 months which WAS the policy. It uses a TI chipset and they are not even in the mobile business anymore so no drivers for Lollipop. Sorry, no one wants to hear about how a phone that came out in 2011 does not get updates anymore. Buy an iPhone, it will get updates for like four years but missing the newest features.
Edited 2015-08-06 14:46 UTC
Your reply makes you sound like a complete tool. I’ll respond anyway because I’ve been trying to give people the benefit of the doubt these days.
A buddy of mine has the iPhone 4S, which came out around the same time as my Galaxy Nexus and he’s in a similar spot. Instead of the phone no longer being supported, though, it just slows down so bad it’s unusable. Guess what, he’s also stuck on a previous version of his OS. Different path, same result.
I wish the mobile industry was more like the computer industry. The fact is mobile hardware manufacturers control their products under tighter licensing arrangements and have limited driver support cycles. We won’t get started on the mobile carriers…
Computers have always enjoyed longer support with Windows, but one has always had to pay for new versions, which is not the case with Android. Yes, Windows 10 works a little differently.
Google knows there is an issue and is extending the minimum support period.
Edited 2015-08-06 19:15 UTC
In the EU, as a consumer, you get at least 2 years of warranty on anything that you buy.
These 2 years don’t start when the product is initially sold but start when you buy it.
In this case the problem with Android is that newer versions seem to require newer drivers that aren’t available. Why can I still run a 10 year old Vista driver on Windows 10? Because Microsoft makes products for Enterprise that have to last forever, while Google makes products for the web that can be replaced tomorrow. This mindset is embedded deep in these companies but doesn’t work for Google Android (believe me, they hate this upgrade issue as well).
Thanks for your input but we are talking about something totally different. A product warranty has nothing to do with free software updates.
I am now actually unsure if this is true. I researched quite a bit but couldn’t find out. The general idea is that “a product should work as you would expect” and “a product should be fit for the tasks that it is expected to perform”.
So if the software is included with your phone, needed for the correct working of your phone it might actually fall under warranty already.
In the above situation it is the OEMs (Samsung, Sony, etc) that individually have to fulfill these warranties.
It is a difficult topic, because software is also sold separately, where you can have a discussion about “sold” vs “licensed”, and there was actually talk about having this kind of software fall under the 2 year warranty law, but I don’t know if that ever happened or not (so I am assuming not).
Just because a manufacturer of software puts “licensed” and “limited warranty” and “provided as is” in a EULA doesn’t mean they aren’t responsible for providing good products.
I don’t have the Stagefright fix for my phone (Nexus 5 – go figure) yet and it still works as I would expect it and is fit for the tasks that it is expected to perform.
Edited 2015-08-10 20:20 UTC
I understand what you are saying and since I don’t know enough about the legal status here it is (unfortunately) safe to assume that this doesn’t fall under warranty…
but…
How is this any different from the security problems with those 1.4 million Chrysler cars that DO get recalled even though they are also still driving just fine?
The TI support thing is legitimate (you can’t release a new version of Android for a chipset the manufacturer won’t give you drivers for), though it sucks badly for anyone who owns a phone built on that platform. Just be glad you didn’t buy a Motorola phone back then; up until the last few devices, support for Motorola phones ended before you bought the phone, and that’s no exaggeration. I bought a Motorola Photon 4G new right after it came out, and I found out they not only stopped development of 4.0 for it before the phone was actually released[1], they wouldn’t even put out fixes for the horribly buggy 2.3 ROM that it shipped with, not even security fixes. They went back on their promise of 18 months of support in a huge way.
Of course Motorola has improved greatly in the past two years, but on the whole, the Android update situation has always and probably will always suck.
[1] https://en.wikipedia.org/wiki/Motorola_Photon#Android_updates
The last update I got from Samsung disabled the ability to play ringtones from device storage and record video with the screen off. Prior to that, the update to KitKat disabled call recording without giving such apps root access.
I’m sure all these were done with security in mind, but they took functionality away from the user in the process, which I’m afraid is exactly how the majors are going to handle things. And there’s no way to tell which updates came from where and when either, so you can’t uninstall or troubleshoot them. Finally, given Samsung’s record when it comes to honesty, security, and software quality, I have no doubt they’ll mess things up anyway. Hell, Lookout’s Stagefright Detector only lists one bugfix:
“We fixed an issue that caused some Galaxy devices to crash when opening the app”
– https://play.google.com/store/apps/details?id=com.lookout.stagefrigh…
But how much better are the other Android OEMs really, and how effectively can security updates be rolled out in an ecosystem which relies on Google writing them, the OEMs modifying them, the Carriers distributing them, and the users disabling them because they don’t trust any of those guys and are tired of updates @#$%ing up the functionality of their device?