Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Fixes Zero-Day Kernel Flaw, Says Effect on Android Not Really That Bad (csoonline.com)

Posted by samzenpus on from the protect-ya-neck dept.

itwbennett writes: Google has developed a patch for Android in response to a flaw in the Linux kernel and has shared it with device manufacturers. That doesn't mean the patch will hit users' phones right away, though. It might take weeks. But that's ok, says Google, because most Android devices are unlikely to run vulnerable kernel versions, and those that do are protected by SELinux.

15 of 132 comments (clear)

  1. Ridiculous by Anonymous Coward · · Score: 2, Insightful

    If there's a security fix for iOS, I can download and install it right away. There's no reason that shouldn't be the case for Android. This is ridiculous. And what if the manufacturers have disabled SELinux or set it to be permissive? It's a matter of time before a worm like Blaster hits Android and does some serious damage. Fix your damn security model!

    1. Re:Ridiculous by phantomfive · · Score: 3, Insightful

      If there's a security fix for iOS, I can download and install it right away. .... Fix your damn security model!

      Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Ridiculous by Harlequin80 · · Score: 2

      Out of interest can you point to any in the wild infections for Android?

    3. Re:Ridiculous by SirSlud · · Score: 2, Insightful

      You're right. Some people would say that security depends on being perfect. Those people however are living in a dream world where trying to prevent mistakes and fixing mistakes are somehow physically mutually exclusive.

      --
      "Old man yells at systemd"
    4. Re:Ridiculous by Anonymous Coward · · Score: 2, Insightful

      Nobody can deny the the Android update situation is a complete mess. But Apple aren't exactly security darlings here. Sure, you get the updates immediately... when Apple gets around to it. You still have to live with years-old known vulnerabilities, and major issues being held back for more product-cycle friendly release timescales.

    5. Re:Ridiculous by shawn2772 · · Score: 5, Informative

      what if the manufacturers have disabled SELinux or set it to be permissive?

      Then those manufacturers' devices cannot pass the Android Compliance Test Suite, and they have no right to call their devices Android and cannot use Google's apps. SELinux, in enforcing mode and with the Google-defined configuration (mostly; OEMs can make tweaks in some areas, but not the ones relevant to this vulnerability) has been a formal Android compliance requirement since Lollipop.

      It's a matter of time before a worm like Blaster hits Android and does some serious damage.

      I doubt it. Android is vastly more secure than Windows was (or even is... and Windows is much better than it was when Blaster hit). The lack of updates delivered by OEMs has caused the Android security team to focus on defense in depth, and the system is working pretty well (see last year's report -- or wait a bit for the new report which should be out in a few weeks). In particular, less than 0.1% of Android devices that use the Play store have any potentially harmful apps (PHA) installed, and that PHA definition is much broader than just traditional malware. Of the PHA apps, only about 5% try to exploit vulnerabilities; the rest focus on social-engineering the users.

      So, 0.005% of Android devices have some exploit-using malware on them. And AFAIK there are no Android worms. So, I really, really doubt Android is ripe for a Blaster.

      Fix your damn security model!

      The Android security model is actually very good... with one glaring exception, which is the update problem. But Google has committed to a monthly patch cycle for Nexus devices, and several other OEMs have hopped on that patch train. Thanks to that, carriers are being forced to get updated software through QA faster, and the focus on monthly updates is pushing OEMs to simplify their offerings to make updating them more practical (you probably won't see a visible reduction in number of offerings; but in the future I expect each model will have a handful of SKUs, at most, rather than hundreds as is often the case today).

      The update problem isn't going to get fixed overnight, but I think it is getting fixed, at least from top manufacturers. The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase, to force all of the rest to get with the program.

      In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

      (Full disclosure: I'm a Google engineer, on the Android security team.)

    6. Re: Ridiculous by io333 · · Score: 2

      Google could require that manufactures subscribe to some sort of security update model as a requirement before using android software. By not doing this, Google is opening itself up to tremendous liability should something bad ever happen. You may not think so, but some jury someday may think differently. I know of what I speak, though I would prefer not to give full disclosure.

    7. Re:Ridiculous by cfalcon · · Score: 2

      Well, given that we're discussing a case where Android has a vulnerability, then the speed of the update is pretty relevant.

    8. Re:Ridiculous by MachineShedFred · · Score: 2

      That's a fantastic excuse for a horrible model.

      If Google actually wanted to get serious about this, they would contractually obligate their OEMs to send security-related updates in a timely fashion. Yet they don't, and *their* platform continues to have this god damn mess.

      Throwing up your hands and saying "that is the OEM's problem" is a fantastic way to be selling devices that are actively exploitable, and ruin the reputation of your brand. Even Microsoft recognizes that.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    9. Re:Ridiculous by shawn2772 · · Score: 2

      Yes here is the list of manufacturers that offer timely updates: * None

      Not true. Nexus devices get monthly updates. So do some Samsung devices. I know there are some other manufacturers. It seems like the list the AC is asking for is something Google could potentially provide.

  2. if OEM disabled security. Tautology by raymorris · · Score: 3, Funny

    > what if the manufacturers have disabled SELinux

    Yes, if an OEM disabled the security model, that would be a security problem. Tautology much? That hasn't happened on any relevant device.

    Oh I know, if the manufacturer installed a botnet malware and gave access to spammers, that would be a problem too! Oh my, a manufacturer could mess up the device the manufacturer!

  3. That doesn't mean ..... by frovingslosh · · Score: 2, Insightful

    That doesn't mean the patch will hit users' phones ever, though.

    There, I fixed it for you.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  4. The problem with a root kit is that it's a root ki by raymorris · · Score: 2

    Lenovo's root kit wasn't bad because of some obscure bug in Windows. Lenovo's root kit was bad because it was a root kit.

    Once you assume that the manufacturer is going to purposely ruin the security the security of the device, unrelated bugs don't have much effect on that.

    In other words, if the manufacturer puts a tautology on your device, your device will have a tautology on it.

  5. Weeks? by cyber-vandal · · Score: 5, Insightful

    How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

    1. Re:Weeks? by thegarbz · · Score: 2

      How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

      Yes but so are most attack vectors. When a problem gets discovered in Windows, IE, Flash, Acrobat etc it's sometimes a matter of hours / days before exploits are in the wild, sometimes the exploits are out before the the problem is discovered.

      In the Android world I've yet to actually hear of a wide spread exploit self propagating between devices and turning them all into mass zombies. Typically we only hear about devices that were compromised via some dodgy app with questionable permissions, which is a far easier attack vector than any of the others which are theorised.

      My phone isn't up to date yet on the whole I feel safe.