Google Hackers Expose 11 Major Security Flaws In Samsung Galaxy S6 Edge (hothardware.com)
MojoKid writes: Going on a bug hunt might not sound like the most exciting thing in the world, but for Project Zero, the name for a team of security analysts tasked by Google with finding zero-day exploits, a good old-fashioned bug hunt is both exhilarating and productive. As a result of Project Zero's efforts to root out security flaws in Samsung's Galaxy S6 Edge device (and by association, likely the entire Galaxy S6 line), owners are now more secure. The team gave themselves a week to root out vulnerabilities. To keep everyone sharp, the researchers made a contest out of it, pitting the North American and European participants against each other. Their efforts resulted in the discovery of 11 vulnerabilities, the "most interesting" of which was CVE-2015-7888. It's a directory traversal bug that allows a file to be written as a system. Project Zero said it was trivially exploitable, though it's also one of several that Samsung has since fixed.
... other Android phone vendors have also responded to these vulnerabilities by informing their customers to keep buying new phones every few months and checking whether they contain updated firmware that may fix some of the problems.
(Dedicated Android user here, but damn, sometimes I envy the iOS blue pill).
Meanwhile, the unbranded telco-free Australian firmware for the Galaxy S4 is behind the rest of the world - as far as I'm aware, every country except Australia and Colombia is on Lollipop (carriers included), but we're stuck on KitKat. The carriers certainly aren't the cause of that.
Those end-users that are 'lucky' enough to actually receive updates once in a while.
That is THE problem with Android right now imho: leaving updates to the OS to 3rd parties that are just interested in selling a phone or call/SMS/data package, is a totally broken model. Those 3rd parties should be required to provide working drivers for the hardware in their phone, in source form, and whoever maintains the OS (Google I suppose, or maybe some industry co-operation) should take it from there. Including the distribution of updates.
Those 3rd parties have too big a tendency to sell the phone & walk away. That is easy to foresee, and has been proven time and time again. So you simply CAN NOT rely on phone makers or providers to supply updates. Period. Trying to fix the problem when it's too late doesn't help much: even if Google changes Android's update model to how it should be, that still leaves hundreds of millions of phones out there which will never ever see an update again, but still be used for a long time to come.
Samsung have no control over telco update deployment.
Telco update deployment is a red herring. I can just wander over to the Nexus download page and grab a new system image for any Nexus device, and I don't need my carrier's permission. What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?