Google Fixes Zero-Day Kernel Flaw, Says Effect on Android Not Really That Bad (csoonline.com)
itwbennett writes: Google has developed a patch for Android in response to a flaw in the Linux kernel and has shared it with device manufacturers. That doesn't mean the patch will hit users' phones right away, though. It might take weeks. But that's ok, says Google, because most Android devices are unlikely to run vulnerable kernel versions, and those that do are protected by SELinux.
What if the manufacturers have disabled SELinux or set it to be permissive?
Then those manufacturers' devices cannot pass the Android Compliance Test Suite, and they have no right to call their devices Android and cannot use Google's apps. SELinux, in enforcing mode and with the Google-defined configuration (mostly; OEMs can make tweaks in some areas, but not the ones relevant to this vulnerability), has been a formal Android compliance requirement since Lollipop.
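A quick way to check the condition this reply hinges on, added here as an example and not part of the thread: a POSIX shell audit that classifies the SELinux mode an Android device reports and flags anything other than enforcing. It assumes `adb` is on the PATH and that the device exposes `getenforce` or `/sys/fs/selinux/enforce`.

```shell
#!/bin/sh
# Added example (not from the thread): classify the SELinux mode an Android
# device reports, so a fleet check can flag devices that lack the mitigation
# the comment above relies on. Assumes `adb` is on PATH when run for real.

# Map the output of `getenforce` (or the 0/1 value in /sys/fs/selinux/enforce)
# to a one-word verdict: "enforcing", "permissive", "disabled" or "unknown".
# Whitespace, including the \r\n that `adb shell` emits, is stripped first.
selinux_verdict() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')" in
        enforcing|1)  echo enforcing ;;
        permissive|0) echo permissive ;;
        disabled)     echo disabled ;;
        *)            echo unknown ;;
    esac
}

# Succeeds only when the device is actually enforcing policy; permissive,
# disabled, or an unreadable value all count as "mitigation not present".
selinux_enforcing() {
    [ "$(selinux_verdict "$1")" = enforcing ]
}

# Query one connected device over adb, print a one-line report, and return
# non-zero when it is not enforcing, so the function works in an audit loop.
check_device() {
    serial="$1"
    mode=$(adb -s "$serial" shell getenforce 2>/dev/null)
    # Fall back to the kernel interface if getenforce is missing on the image.
    [ -n "$mode" ] || mode=$(adb -s "$serial" shell cat /sys/fs/selinux/enforce 2>/dev/null)
    kernel=$(adb -s "$serial" shell uname -r 2>/dev/null)
    verdict=$(selinux_verdict "$mode")
    printf '%s kernel=%s selinux=%s\n' "$serial" "${kernel:-?}" "$verdict"
    selinux_enforcing "$mode"
}

# Only talk to real hardware when a device serial is passed on the command line.
if [ -n "$1" ] && command -v adb >/dev/null 2>&1; then
    check_device "$1"
fi
```

Run it as `sh check_selinux.sh <serial>` for each device listed by `adb devices`; a non-zero exit marks a device whose OEM build is relying on something other than SELinux enforcement.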
It's a matter of time before a worm like Blaster hits Android and does some serious damage.
I doubt it. Android is vastly more secure than Windows was (or even is... and Windows is much better than it was when Blaster hit). The lack of updates delivered by OEMs has caused the Android security team to focus on defense in depth, and the system is working pretty well (see last year's report -- or wait a bit for the new report which should be out in a few weeks). In particular, less than 0.1% of Android devices that use the Play store have any potentially harmful apps (PHA) installed, and that PHA definition is much broader than just traditional malware. Of the PHA apps, only about 5% try to exploit vulnerabilities; the rest focus on social-engineering the users.
So, 0.005% of Android devices have some exploit-using malware on them. And AFAIK there are no Android worms. So, I really, really doubt Android is ripe for a Blaster.
Fix your damn security model!
The Android security model is actually very good... with one glaring exception, which is the update problem. But Google has committed to a monthly patch cycle for Nexus devices, and several other OEMs have hopped on that patch train. Thanks to that, carriers are being forced to get updated software through QA faster, and the focus on monthly updates is pushing OEMs to simplify their offerings to make updating them more practical (you probably won't see a visible reduction in the number of offerings, but in the future I expect each model will have a handful of SKUs, at most, rather than hundreds as is often the case today).
The update problem isn't going to get fixed overnight, but I think it is getting fixed, at least from top manufacturers. The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase, to force all of the rest to get with the program.
In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.
(Full disclosure: I'm a Google engineer, on the Android security team.)