Slashdot Mirror
Samsung Decides Not To Patch Kernel Vulnerabilities In Some S4 Smartphones
An anonymous reader writes: QuarksLAB, a security research company, has stumbled upon two kernel vulnerabilities for Samsung Galaxy S4 devices, which Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat. The two vulnerabilities (kernel memory disclosure and kernel memory corruption) were discovered in February 2014 and reported to Samsung in August 2014, affecting the samsung_extdisp driver of Samsung S4 (GT-I9500) devices. Bugs break ASLR and lead to denial of service (DoS) state or even elevating attacker privileges.
The number of exploits is increasing exponentially but the vendors are scaling back security patches across the board.
MBA's FTW.
Apple doesn't either. I bought a 3G at about the end of its sale, and got one year support.
Learn to love Alaska
I don't understand why phone manufacturers and carriers don't get sued for things like this. Carriers have typically required two year contracts for phone subsidies, and normally it's possible to buy a phone two years old and get it free. At least that's how it is in the US. That means you can buy a phone that's as much as three years old and have a reasonable expectation to use it for two years because that's the contract with your carrier. That means manufacturers and carriers should provide support for a minimum of five years. That means a phone released in October 2015 should have support until October 2020. I think a customer has a reasonable expectation of this. If nothing else, that should be grounds for a lawsuit against manufacturers and carriers. There's also the issue of delays in fixing vulnerabilities both with the manufacturers and then the carriers. Again, I think there's a reasonable expectation for security updates in a timely manner. Also, when phones ship with locked bootloaders and customers can't choose to unlock them, it makes it very difficult to install a patched version of the OS. This also voids the warranty if you're able to do it. Customers are screwed no matter what they do in this situation, which is why carriers and manufacturers should be sued in the absence of specific laws to protect customers.
I can't help but wonder if the decision to not provide software updates to older phones is partly because people don't see a huge difference between models and this is one way to push people to buy newer and more expensive phones. I can't say it for certain, but it wouldn't surprise me if that's part of the decision process.
M-I-Z
kU still sucks!
How do you fix bugs in the proprietary closed source drivers?
Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone.
Sure, but the new phone I get will be from a vendor that I can trust to support it for its lifetime. I may upgrade my phone after 2-3 years, but I'll probably hand the old one off to someone else or use it as a spare. If the phone becomes useless after 1 year, then I'll factor that in when I calculate the value of the phone - if I can amortise the cost over 4 years rather than 2, then the cost of the phone is not as good.
Your contract will be up in 2 years
What kind of idiot signs a 2-year phone contract in 2015?
I am TheRaven on Soylent News
bullshit.
Software wise apple supports out to at least 3 years and with iOS 9 out to 5 years of previous build models.
if you bought a 3 year old phone and then expected updates you got what you deserve.
Android models rarely get one year of updates, and almost never get 3-5 years of bug fixes.
i thought once I was found, but it was only a dream.
And if a company dies, the IP of all its products go to the official receiver - who should put them in the public domain.
Everyone with a phone should be entitled to join a class action against any manufacturer who does not provide a way to fix security problems - so long as the phone is capable of operation: ie until physical death of said phone.
Separately, there ought to be a law preventing sale of undocumented hardware to the general public. If you don't know what it is you own, how do you know it is safe to own it? If the manufacturer prevents you from knowing, surely he takes responsibility for its safety, and should be required to place a bond with the government covering the maximum possible risk (of being sued by all phone owners, everywhere, repeatedly, with the highest legal costs that lawyers can imagine).
Sent from my ASR33 using ASCII
This article makes no sense. It says the vulnerability affects the Galaxy S4 but only if you are running an outdated firmware (like Kit kat). However, there is an official (pushed OTA) update to Jelly Bean on this device, so all you have to do to not be vulnerable is apply the update! Same as usual: if you want to avoid vulnerabilities, update your stuff regularly.
> What kind of dumbass company is going to spend money porting a new version of an OS to an old platform,
> with no payday for doing so?
Well, that's kind of the point. Companies should be forced to state up front how long the phones are going to be kept up to date (from both a security and Android version point of view) and if they don't they can be sued for breaking the terms under which people bought the phones in the first place.
No-one expects Microsoft to provide updates for windows xp, but they do expect them for 7, because of the published support timelines. Android needs the same; it's no different just because it's not a desktop or a laptop.
What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?
Apple.
Well, OK there must be a payday. Perhaps they see the fact that you can put the latest iOS onto a 4s as a selling point. i.e. if you splashed the cash for one in 2011 you would feel better knowing that, theoretically, you could still have the latest OS four years later even if unreality you replace it after two years.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe