Slashdot Mirror

← Back to Stories (view on slashdot.org)

Samsung Decides Not To Patch Kernel Vulnerabilities In Some S4 Smartphones

Posted by timothy on from the aggressive-triage dept.

An anonymous reader writes: QuarksLAB, a security research company, has stumbled upon two kernel vulnerabilities for Samsung Galaxy S4 devices, which Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat. The two vulnerabilities (kernel memory disclosure and kernel memory corruption) were discovered in February 2014 and reported to Samsung in August 2014, affecting the samsung_extdisp driver of Samsung S4 (GT-I9500) devices. Bugs break ASLR and lead to denial of service (DoS) state or even elevating attacker privileges.

3 of 144 comments (clear)

  1. Re:The new normal for Android by sexconker · · Score: 3, Insightful

    Yup, Android is no longer a platform I can recommend.
    Of course, iOS isn't either, and MS burned all bridges with Windows 10, so fuck it, I'm not buying any shit from you assholes anymore.

  2. Why aren't there lawsuits over this? by Rainbow+Nerds · · Score: 4, Insightful

    I don't understand why phone manufacturers and carriers don't get sued for things like this. Carriers have typically required two year contracts for phone subsidies, and normally it's possible to buy a phone two years old and get it free. At least that's how it is in the US. That means you can buy a phone that's as much as three years old and have a reasonable expectation to use it for two years because that's the contract with your carrier. That means manufacturers and carriers should provide support for a minimum of five years. That means a phone released in October 2015 should have support until October 2020. I think a customer has a reasonable expectation of this. If nothing else, that should be grounds for a lawsuit against manufacturers and carriers. There's also the issue of delays in fixing vulnerabilities both with the manufacturers and then the carriers. Again, I think there's a reasonable expectation for security updates in a timely manner. Also, when phones ship with locked bootloaders and customers can't choose to unlock them, it makes it very difficult to install a patched version of the OS. This also voids the warranty if you're able to do it. Customers are screwed no matter what they do in this situation, which is why carriers and manufacturers should be sued in the absence of specific laws to protect customers.

    I can't help but wonder if the decision to not provide software updates to older phones is partly because people don't see a huge difference between models and this is one way to push people to buy newer and more expensive phones. I can't say it for certain, but it wouldn't surprise me if that's part of the decision process.

    --
    M-I-Z
    kU still sucks!
  3. Re: It's OK - Android is open! by cyber-vandal · · Score: 3, Insightful

    How do you fix bugs in the proprietary closed source drivers?