Google Fixes Rooting Vulnerabilities In Android (csoonline.com)
itwbennett writes: Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday, fixing a new batch of vulnerabilities in Android that could allow hackers to take over devices remotely or through malicious applications. The new patches address six critical, two high and five moderate vulnerabilities. The most serious flaw is located in the mediaserver Android component, a core part of the operating system that handles media playback and corresponding file metadata parsing.
A friend of mine uses an Android phone offline. He never connects to the internet and never receives any MMS. He only uses inbuilt apps and text and calling. What is the kind of risk he is exposed to?
P.S. he is not interested in Android updates and is only using an Android phone because Nokia went bust.
You're right for the crappo sub-$100 phones, but flagships and Nexus devices do get the security updates.
Turn off push MMS. Problem solved.
"No one will get these fixes."
Not even the people who are mentioned in the article you're replying to? The ones with Nexus devices that the fixes were pushed out to on Monday?
That means end users will be able to use these to root their devices for the next 12-18 months since the patches won't be applied by most OEM's before then. On the downside it means you can be spearfished through an MMS.
Perhaps I'm misreading your post, but you seem very confused. Unlike jailbreaking iPhones, where one has to find some tiny privilege escalation vulnerability before Apple does and then abuse it to flash a custom ROM, Android is designed to allow rooting fairly easily. In fact, Google themselves provide a page that gives layman instructions on how to unlock the bootloader and flash the stock ROM for their Nexus devices (https://developers.google.com/android/nexus/images); that includes all the latest security updates, so rooting is unnecessary, but doing so from there is trivial. It's a little bit more complicated than that if one has a non-Nexus device, but not prohibitively so.
The article is about Nexus devices, they are supported for many years.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Do not tell that to Nexus S owners. Still, it is good that at least Google keeps promising long term support.
And Bluetooth, since there is a privilege escalation issue there too (CVE-2015-6641). In fact, just turn off everything, then you will be completely safe. Maybe. Just to be 100% sure, keep the phone off and pull the battery.
My phone makes calls that cost money, so I DO need security. I would not want it to make calls that cost money (or send messages) without my knowledge.
And even if that were not the case, I do not like people being able to snoop around on it. Just because I do not have anything to hide does not mean I do not value my privacy.
Don't fight for your country, if your country does not fight for you.
I have sending and receiving MMS turned off at my provider. As well as paid services, except helpdesk numbers that are fixed priced and have a restricted duration.
So no drunk call to sex lines by 'accident'. No sending sms to paid services. No SMS.
I can even turn on and off roaming for in and outcoming calls separately.
Don't fight for your country, if your country does not fight for you.
My phone makes calls that cost money
I thought the majority of smartphones were on plans with unlimited talk and text by now, and that major U.S. carriers were making pay-per-minute plans available only for dumbphones.
Many Android devices have a guaranteed update period of time. eg: 2 years for the Moto G (180$).
Is that two years after you buy one new or just two years after release day? Some carriers sell previous generation phones as entry-level devices. They're "new" in the sense of never having been used since burn-in by the manufacturer, but they're new old stock.
Android is open sores.
First-stage bootloaders often are not. Nor are device drivers on most phones. And that's even without considering Google Play Store/Services.
Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?
You understand this is a fix for the Nexus devices, right? Those are the Google branded ones without OEM crap on them.
So, no.
The OEMs have likely introduced their own security holes they'll have to deal with.
Lost at C:>. Found at C.
'many years' meaning ~2 years. There's no updates for Nexus 7 2012 or Nexus 4 devices.
That's only true for Nexus devices, for devices with locked bootloaders and stock ROMs without root and no first party root ROM then you need to exploit a bug to gain root and then either gain permanent root or install a slotted second level bootloader that can bootstrap a rooted ROM image.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Uh, good for you? I use MMS on a weekly basis, either for picture messages with the wife or for messages greater than 160 characters.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Or don't. If you don't know that 85% of Android devices won't ever get proper security/platform updates due to Phone/Tablet OEMs being completely clueless regarding security then go back to sleep. Phone companies just want to concentrate on billing you as much as possible per GB and Tablet OEMs? Don't get me started on the glut of crappy Android tablets that have been rushed out the door over the years.
A total disservice to a solid OS.
If you wanna get rich, you know that payback is a bitch
I'd like to fix my mediaserver and stagefright. I'd run Cyanogenmod, but Verizon prevents me from using an unsigned kernel.
If I follow these instructions for my Samsung phone, can I pull the mediaserver and stagefright libraries out of the resulting .zip and load them in place of the existing binaries, can I have a running system that closes the exploits? I can likely use the nm utility on the resulting .so and check that all the symbols in the old libraries exist in the new.
The build process appears to pull from both aosp and cyanogenmod, and I understand that aosp Kitkat has been retroactively patched.
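The symbol check proposed in the comment above, as an added example that is not part of the original thread: it lists names an old shared library exports that a rebuilt copy does not, using `nm -D --defined-only`. The sample listings and symbol names are constructed, and a matching symbol set only shows that names resolve, not that the ABI or behaviour is compatible.

```shell
#!/bin/sh
# Added example (not from the thread): list symbols an old build of a shared
# library exports that a rebuilt copy does not.

# Reduce `nm -D --defined-only` output (address, type, name) read on stdin to
# a sorted, de-duplicated list of names. Any "@VERSION" suffix is dropped.
exported_symbols() {
    awk 'NF >= 3 { sub(/@.*/, "", $NF); print $NF }' | LC_ALL=C sort -u
}

# missing_symbols OLD_LISTING NEW_LISTING
# Both arguments are files holding nm output. Prints the names present in the
# old listing but absent from the new one.
missing_symbols() {
    ms_old=$(mktemp) || return 2
    ms_new=$(mktemp) || { rm -f "$ms_old"; return 2; }
    exported_symbols < "$1" > "$ms_old"
    exported_symbols < "$2" > "$ms_new"
    LC_ALL=C comm -23 "$ms_old" "$ms_new"
    rm -f "$ms_old" "$ms_new"
}

# compare_libs OLD.so NEW.so
# Returns 0 when every old export is still present, 1 when some are missing
# (and prints them), 2 when nm or mktemp fails.
compare_libs() {
    cl_old=$(mktemp) || return 2
    cl_new=$(mktemp) || { rm -f "$cl_old"; return 2; }
    if ! nm -D --defined-only "$1" > "$cl_old" ||
       ! nm -D --defined-only "$2" > "$cl_new"; then
        rm -f "$cl_old" "$cl_new"
        return 2
    fi
    cl_missing=$(missing_symbols "$cl_old" "$cl_new")
    rm -f "$cl_old" "$cl_new"
    [ -z "$cl_missing" ] && return 0
    printf '%s\n' "$cl_missing"
    return 1
}

# Constructed sample listings; the symbol names are made up for the demo.
sample_old() {
    cat <<'EOF'
00001000 T demo_open
00001040 T demo_read_meta
00001100 T demo_close
00003000 D demo_version
EOF
}

sample_new() {
    cat <<'EOF'
00002000 T demo_open
00002200 T demo_close
00004000 D demo_version
00002300 T demo_seek
EOF
}

# Run the comparison on the constructed listings.
demo_missing() {
    dm_old=$(mktemp) || return 2
    dm_new=$(mktemp) || { rm -f "$dm_old"; return 2; }
    sample_old > "$dm_old"
    sample_new > "$dm_new"
    missing_symbols "$dm_old" "$dm_new"
    rm -f "$dm_old" "$dm_new"
}

# With two arguments, compare real libraries: sh check.sh old.so new.so
if [ "$#" -eq 2 ]; then
    compare_libs "$1" "$2"
fi
```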
Yeah, I love Android but the update policy is atrocious. I'm not for Google gaining an Apple-like control of the OS - I think the enhancements by the OEMs are sometimes valuable - but security updates should definitely be managed in a better way
Do not tell that to Nexus S owners. Still, it is good that at least Google keeps promising long term support.
Google doesn't "keep promising" long-term support. Google has a specific support policy for Nexus devices: Security patches are provided for three years from the date the device goes on sale in the Play Store, or 18 months from the date the last device is sold from the Play Store, whichever is longer. Major upgrades are provided for two years from the date the device goes on sale.
Some may wish those support durations were longer, but AFAIK, Google is the only seller of mobile devices that offers any firm (and legally binding) commitment on updates. In practice, Apple does a reasonably good job with supporting older hardware, but they do not make any commitments.
The Nexus S was released in 2010, so it has been out of support for both security fixes and upgrades for quite some time.
I wasn't aware that U.S. carriers were even allowing international calls by default without letting the subscriber set up and agree to a rate plan for them. Otherwise, an app that takes the dialer permission for itself would just get "This number is blocked."
No, this is a fix to AOSP which is the base tree for the OEM's, the OEM's might have additional bugs but they'll also need to apply these fixes to their own code tree, test, and push out the fixes (or not as is their wont, though the big OEM's are now at least paying lip service to monthly security patches but it seems to really only be for flagship and flagship-1 and some midrange hero devices while a lot of their product range sits unpatched)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Depends on another factor entirely - the destination phone number (e.g. if that phone # begins with 1-900 ).
A dialer that surreptitiously dialed a cost-per-minute "premium" phone number would be a way for a black hat to make money. Doesn't have to be more than a minute or two a week per phone, say $2.50/call per week per phone ($10 per month would be small enough to pass muster for most users, who would pay it without a second thought, if they even checked their phone bill). $10/mo multiplied by N victims would net a tidy amount of cash for someone who was moderately successful at it.
Quo usque tandem abutere, Nimbus, patientia nostra?
The article is about Nexus devices, they are supported for many years.
Well that's the point isn't it. The updates are available for Nexus devices but the vulnerabilities are in Android...of which the vast majority are not Nexus devices and do not have, and never will have, security updates for these vulns.
blindly antisocialist = antisocial
Guaranteed by what? Where's the legally-binding contract you have with Motorola for 2 years of updates?
Did they advertise it? Did he buy one? Then it's a contract that the courts will enforce.
Don't make the mistake of confusing the paper of a written contract for a contract. Of course it's cheaper to buy a new phone than engage in a court battle since we don't have marketable torts in the current Western systems.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
What else would I need to block at the carrier other than 1-900 and international calls?
The article is about Nexus devices
Which is all well and good, but that doesn't change the fact that the vulnerability is a part of Android, hence why Google is also having to push the fixes out to AOSP. As such, while the OP may be trolling a bit, their concern remains a valid one: how many of the handset manufacturers that have utilized a vulnerable version of AOSP will push these fixes out to their handsets?
Did they advertise it? Did he buy one? Then it's a contract that the courts will enforce.
No, they haven't which is why I'm asking how he got a contract from Motorola for 2 years of updates. At best Motorola has made non-committal statements about updates but nowhere have they ever given a legally-binding guarantee of 2 years of updates. The fact that the 2015 Moto E won't get Marshmallow attests to no such legally-binding guarantee.
Don't make the mistake of confusing the paper of a written contract for a contract. Of course it's cheaper to buy a new phone than engage in a court battle since we don't have marketable torts [youtube.com] in the current Western systems.
I'm not mistaking anything. Don't make the mistake of assuming things since you're not a very good mind reader.
Depends (err, again)... sometimes 'premium' numbers are 1-866 or 1-877, and internally shift to a 1-900 (though your phone wouldn't see that happen). I only pointed out 1-900 for clarity/shorthand more than anything else.
Quo usque tandem abutere, Nimbus, patientia nostra?
I have to toss my perfectly good Galaxy Nexus into the bin, and buy a new phone? How sweet! The upgrade treadmill is fully operational.
“He’s not deformed, he’s just drunk!”
I can't wait to get these updates for my Galaxy Nexus!
Your comment reminds me the old Soviet joke about a director of a kolkhoz, who during an important meeting announced: "I have two news for you, one good and the other bad. The bad news is that we lost all crops and we will have to eat shit all of the next year. The good news is that we have plenty of shit!"
I am not even sure if your comment is on topic, but I recall that RBAC is basically Sun's answer to sudo. As usual, instead of adopting in a well known, well liked, and well understood open source program into Solaris 8, Sun came up with its own "RBAC", which only works on Solaris and barely anyone used it.
That was briefly true for a short time in the 90s (the ESS switching protocol exposed functionality whose security assumed it was under the control of a responsible phone company, but could be abused by malicious clients), but not any more. The vulnerability was fixed, and the FCC made it clear that any charges for fraudulently redirected calls HAD to be refunded to consumers. That's part of the reason why mobile phone carriers block calls to those numbers outright... they aren't required by law to participate, and they don't want to be bothered by the customer service nightmare (and financial losses) every time some incident occurs.
You have a point if this happens... I personally haven't heard of it happening. Plus I'm sure if it did happen, the phone company would refund the charge.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Use Carbon (Titanium is superior if you're already rooted, but Carbon should do the trick). Try deleting an app and restoring it from backup as a test. Unfortunately there's no way to be 100% sure unless you test every single app you wanted to backup, but that's true of all backup systems unfortunately.
Just in time! I got the Lollipop update with the Stagefright fix on my Verizon Moto G two months ago.
Since then I was starting to get the DTs from not having any Android vulnerabilities. Thanks all around!
I did some googling and found the pwn2own vulnerability, but to do that you have to have a fake station in range of your phone, so it seems highly unlikely any given person would ever get hit by it. Are there any highly practical attacks that can dial a phone without someone knowing?
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Or a Nexus device. I already have these updates.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
You mean your 4 year old phone that you bought while Google had a published 2 year (from first sale) major update, 3 year (again, from first sale; or 18mo from last sale in the Google store) security update policy? If you're claiming you didn't know what you were buying, that's on you. That said, there's nothing stopping you from installing Chroma on it; Android 6.0.1, split-screen windowing, and a host of other features, including these updates once the maintainers issue another release after the updates hit AOSP today.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Just to be sure, did you mean ClockworkMod Helium (formerly Carbon), or did you mean Carbonite? I'm guessing Carbonite is responsible for the rename to Helium.
And the same applies to any computer system. Funny, that.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I already got them. So you want to correct yourself?
And here's another point: Google made their support promise for Nexus devices legally binding, while other manufacturers, including Apple have not. If you want guaranteed support for some predetermined period, you get a Nexus device, period. If you really don't care about getting updates or security (in which case, shut the hell up already), then you buy something else.
While Apple has generally been good about long term device support, there is nothing indicating that they will continue to be. As my wife is an iPhone user and she and I are both iPad users, I certainly hope they keep it up, but I'll be neither surprised nor disappointed if they do not; I knew what I was buying when I bought it.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
You mean your 4 year old phone that you bought while Google had a published 2 year (from first sale) major update, 3 year (again, from first sale; or 18mo from last sale in the Google store) security update policy? If you're claiming you didn't know what you were buying, that's on you.
To be fair, Google didn't have an official support policy for Nexus devices when the Galaxy Nexus was released. In fact, Google didn't have such a policy until August 2015. It was understood previously that devices would get updates for a couple of years, but there was no specific commitment.
Actually, it seems that official update policies for mobile devices are a new idea. AFAICT Google's was the first, and I don't know that any other company has yet matched it. That includes Apple -- though in practice Apple usually supports devices for longer than 2-3 years.
(Disclaimer: I'm a Google Android engineer, working on the Android security team. I'm speaking for myself, though, not for Google.)
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
what i mean is that running android applications as root is currently necessary to achieve some goals (e.g. app backups) but stupid from a security point of view - all or nothing permissions. that's one of the reasons google isn't too keen on this.
instead, i'd like a finer grained privilege escalation that's well integrated into the system instead of a dangerous hack. RBAC as implemented in solaris or aix is a beautiful way of doing such things (not so much in HP-UX). it is more advanced than sudo but not a significantly more complicated concept. it's just different and requires getting used to. it would be nice if google defined roles within android that applications can be allowed to have (with user's permission) without automatically gaining the ability to destroy the system.
Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?
What apps do you use that need to be backed up? Games, I suppose... if you care about having your progress saved.
Personally, I don't worry about backup/restore. When I reflash, or get a new device, I just start clean. Pretty much everything I'd care to back up and restore is synced to the cloud anyway, so it just shows up. Android Marshmallow made it particularly slick the most recent time. It asked if I wanted to restore all my apps and stuff from my old phone and it did an outstanding job. Nearly everything was automatically installed and it even laid out my home screen and set my background. It still took a few minutes to set up a few things, and then for a while I was having to log into various apps the first time I used them, but all in all it was quite painless.
I suppose if you turn off all of the cloud backup options then it would be a different story.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Nexus 7 2012 and Nexus 4 are not getting security patches, look at the official image build versions, they are not current for lollipop.
In fact, Google didn't have such a policy until August 2015.
I'll take your word, given that you're a Google engineer, but I seem to recall reading the policy before I bought my Nexus 6 in November 2014. I was under the impression that they had simply rewritten the policy and issued a few press releases in August 2015.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I just got an OTA update that fixed the stagefright vuln for my [Boost] Galaxy S3. AFAICT, it was [mostly] just security fixes, which is fine.
IMO, Google had to create the tools for the "rapid response" updates, which they did. Now, [IMO smart] vendors like Moto, Samsung, et. al. are beginning to use them.
As a computer engineer myself, I use git. I know how relatively easy it is to apply source patches to older tree branches using it. Since git is at the core of Android source tree development, this is also easy to do. Google just had to package this up as a release system.
This works for everybody: Consumers, vendors, and telcos. It improves the brand quality/loyalty. I really like Android, but the prospect of "being left behind" on security fixes was beginning to make me think [reluctantly] about Apple/iPhone/iOS because of the security update issue.
It also can address the "fragmentation" issue, if the monthly updates add some forward compatibility libraries. Apps crashing because they were built for Android version N, when I only have N-x. I don't mind a few feature restrictions, because that's better than outright freeze/crash/lockup/etc. necessitating a reboot.
Like a good neighbor, fsck is there
Drop it in a bucket of water just to be sure.
We need a "+1 -- nice sig" moderation.
Oh, this is all FUD. Hackers of these exploits aren't using them to place long distance phone calls.
And here's another point: Google made their support promise for Nexus devices legally binding, while other manufacturers, including Apple have not. If you want guaranteed support for some predetermined period, you get a Nexus device, period. If you really don't care about getting updates or security (in which case, shut the hell up already), then you buy something else.
While Apple has generally been good about long term device support, there is nothing indicating that they will continue to be. As my wife is an iPhone user and she and I are both iPad users, I certainly hope they keep it up, but I'll be neither surprised nor disappointed if they do not; I knew what I was buying when I bought it.
Sure, and I knew what I was buying when I got my Android based Marshall music player (which also happens to be a normal Android phone but I chose it for the sound quality so I'm calling it a music player ;-) ), and I accept the fact that it's insecure - which does not mean that I like the fact that it's insecure.
As such, until and unless the Android model changes I'll continue to complain about it as publicly as possible in the hope that enough people will complain to Google that something gets done about it.
blindly antisocialist = antisocial
Wow you're a horses ass, the second part is the important part for 99.999+% of Android users, they're releasing it to AOSP so that flows into all the other providers source tree.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
And Google can do approximately...nothing about it. Google isn't the one releasing, then not updating, devices.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Well, yes, if you buy the cheap shoddy ones, they are. Here's a tip: don't buy cheap shoddy crap.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
And Google can do approximately...nothing about it. Google isn't the one releasing, then not updating, devices.
Sorry but no.
Google owns the OS, the architecture for the OS and the model of distribution for that OS.
If Google were to abstract the hardware layer from the rest of said OS, allowing hardware vendors to provide only drivers and forcing telephone service providers to not block the distribution of Android then there would be no problem.
The model is broken.
blindly antisocialist = antisocial
Uhm... It's Linux, the hardware layer is abstracted, it does use drivers, and hardware manufacturers need only provide drivers. Also, whether the hardware layer is abstracted from the OS or not has nothing to do with whether or not providers can block distribution of firmware; the manufacturers work out their own contracts under which the carrier sells their devices and the carrier often demands this. Google has no say in a carrier's negotiations with a device manufacturer. My pipe is empty, can you please share some of whatever it is that you're smoking? Seems like some good stuff and I could use a good day trip.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
"My pipe is empty, can you please share some of whatever it is that you're smoking? Seems like some good stuff and I could use a good day trip."
Why do people on this site have to be dicks?
blindly antisocialist = antisocial
If, by that, you mean why do they have to spout off about things they don't understand, that's a question for you to answer. I've grown tired of trying to educate people and getting shit on for it, so this has become my approach: the pre-emptive attack. Blame your fellow slashdotters for making me this way, because it's a relatively recent development.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
If, by that, you mean why do they have to spout off about things they don't understand, that's a question for you to answer. I've grown tired of trying to educate people and getting shit on for it, so this has become my approach: the pre-emptive attack. Blame your fellow slashdotters for making me this way, because it's a relatively recent development.
Take responsibility for your own actions.
Have a wonderful day :-D
blindly antisocialist = antisocial
Likewise. You know, for spouting off about shit you don't understand.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Hi Licht,
My mouse failed when I was moderating one of your Windows 10 comments, and I accidentally selected "Redundant" instead of "Insightful". I wanted to let you know, and this was the only way I knew how without undoing my other mods.