Slashdot Mirror
Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image (csoonline.com)
An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.
Really glad all these software engineers who railed against malicious PDFs delivered through the Flash plugin, can't do any better when left to their own devices.
Truly sorry that you have to be suspicious about all the anime pictures on your Android phone
Since the carriers are no longer providing updates.
only one can be disabled.
Regretfully, I upgraded yesterday.
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
It just shows what a shitty pile of garbage Android has become and how weak your arguments are.
Wow, did the NSA ask for that to be added or is Google's whiteboard torture interview style just not selecting good candidates?
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
I got one update to my phone, once, to 5.5.1.
went to RTFA, it has jack squat, =TFS
went and checked monthly android bulletin, poked into the bug submissions. it's admittedly over my head so I can't authoritatively declare what I suspect: newshype monkey trying to keep his numbers up with a proof of concept that had room for dramatic interpretation, whether android apple or IoT dildo
let's get real: Even if your Android still receives security updates, there's no telling how long it will be before manufacturers and carriers get it together to push out the patches
...I still prefer an iPhone.
Slashdot, fix the reply notifications... You won't get away with it...
And at least you'll be able to get the bug fix with a simple security update, without having to also "upgrade" the rest of the phone's OS and accept random UI changes and new software designed to throttle the speed of old phones "for battery reasons" that, strangely, no phone from any other manufacturer suffers from.
The problem with modern android phones is most of them have some variant on stock android that won't get many updates. PCs are the same way, but then I haven't bought a new PC with windows on it, um, ever I think. (They come with so much crap, that an update may be challenging, to say nothing of just using them..) I've bought windows separately a half dozen or so times, but try to stick to Linux where possible. With Linux Mint lately I can image a system over what 20 minutes top?
We need that kind of thing for phones. Download a cryptographic ally signed live usb image, that uses UEFI and such then boot it on a stock PC. Once that image is up, it should allow you to simply plug a usb cable between your computer and phone and do a full wipe/reinstall to stock current android. I'm not talking any exotic process. It needs to be simple enough for best buy geek squad to do, not that I'd ever recommend them to well anyone I actually liked. Basically it should be the first thing you do when you get a phone, but right now I think its more trouble than its worth, and phones tend to be locked by default. Bonus points if you can save your preferences somewhere and get an image just with those.
Ever hear of android one?
Old iPhone devices aren't getting updates either. The difference is they cost 3x more than Android devices
You can use this bug to execute privileged code? I assume that means as root. If someone publishes example code at some point, we could get a really convenient way to root phones. Maybe I should avoid updates for a while.
More OS memory access bugs, yay.
According to this breakdown, 88% of Android OS is written in Java, C, and C++ -- all of which are notorious for memory access bugs (in the runtime environment, in the case of Java). Perhaps the #1 security best practice should be to use a language designed to be memory safe. Right below that would be "don't try to bolt on security to insecure software."
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
I could buy a new android phone for the cost of a ifruity battery
I actually asked whether this was possible some time back, because I was suspiscious of some anime photos on my iPhone. I doubt Apple would ever admit to such a vulnerability.
As an Android user, this is pretty shitty. If it allows arbitrary code execution in privileged context, that means your phone can be rooted just by looking at a web page. Once that happens, you need to restore a clean firmware image or you simply can't trust the phone. That's far worse than being able to access camera/mic if a feature isn't disabled.
Go buy an Android device from Lenovo and see how many updates you get. Go on. I'm waiting.
Google has been EXTREMELY self-destructive by allowing Android to be a method of abusing customers, in my opinion.
Android generally gets NO updates. That policy is intended to make more money for cell phone providers.
With Apple, you have to worry whether your device is up-to-date and secure.
With Droid, we can always be sure that we'll never be secure. It's refreshing and assuring.
It's not. It's a theoretical exploit that may lead to actual exploits, but even then, they likely have to be crafted for the specific phone.
Apple's issue is already patched for all devices that it can occur on (that support Group FaceTime). Millions (hundreds of millions?) of Android devices have this exploit that will never see this patch.
And on top of that, the Apple bug affected only people who received a FaceTime call and did not answer, and the attacker knew the secret combo to activate the bug. In short it ALSO was a theoretical exploit, that was a one time deal that never impacted basic phone security.
Android people like you that defend this inexcusable flaw are the worst kind of scum.
they likely have to be crafted for the specific phone
Nope.
And at least you'll be able to get the bug fix with a simple security update
Which for millions will never come. Meantime anyone who can craft a good meme can and will own your phone. Good luck with that.
also "upgrade" the rest of the phone's OS and accept random UI changes and new software designed to throttle the speed of old phones
iOS 12 sped up phones. That speed throttling that protected phones from sudden shutdowns is now in Android as well, since it was inherently a good idea.. but on Apple if you are and idiot you can choose to disable it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
But youâ(TM)re not smug at all right?
You don't know if it 's being exploited. You don 't know if it has to be crafted for a specific phone. You don 't know how many phones will actually get that update.
The FaceTime bug was mitigated very soon after disclosure for every single device simultaneously.
Most Android users would love to have the "problem " of having to have the latest OS. Any iPhone user susceptible to the bug already had iOS 12.
All phones suffer when their batteries are old. It's harder to notice when the device runs like shit out of the box.
Reading the bulletin though it only works when the process that triggers it is privileged in the first place. So there is no privilege escalation. So there isn't a way that this exploit could root a phone.
I'm sure there are things that this could be used for. But it can't get out of the particular sandbox the application that views the PNG is sitting it.
Yea I am replying to your spam (I shall be flogged for this I am sure), but I don't see an android installer AND this can't possibly block every png image hosted on the internet - your host file is useless, and as such, off-topic to this whole subject. Plus, no one trusts a spammer, so why bother?
You cannot reason with APK. No matter what you say, no matter what great point you make, he will hand-wave all around it and declare himself "the victor". He will probably also accuse you of being someone you are not, thus enhancing his imagined "victory".
Think of him as being like a religious fanatic who views contrary evidence as testament to the depth of his faith. It's fun to goad him because he nearly always responds (usually multiple times to your single provocation) but that's all you're going to get. He simply cannot properly respond to a rational argument with the intent of reaching some kind of agreement. He is just not prepared to be reasoned with in such an adult way. Take him for what he is (a spammer, a jester, a sideshow) and move on.
His ass-licking fans who may or may not be his sock-puppets are amusing too the way they defend him to the end. See: religious fanatics. If they are not sockpuppets, perhaps they want to bask in his imagined glory? Maybe they are the downtrodden who feel a need to root for the underdog? Perhaps they are truly impressed by the "elite skills" of his text-file manipulation program (Delphi/Lazarus, Visual Basic, etc) that he still refuses to release the source of? Maybe they are simply ignorant of the problems with blacklists because APK himself refuses to acknowledge them (you mean, there is no Ultimate Solution, that all approaches have advanrages and disadvantages?? Say it isn't so!!) Just enjoy the ride, man.
Why can't non-x86 world ever get its shit together? One unified Windows or Linux image installs on countless hundreds of different x86 things.
Meanwhile everywhere else it's always bake a custom rom specific to each and every variant of every device. Why is it still tolerated? The old excuses of abstraction costing too much made sense 20 years ago. Today it's a joke/lame excuse for tolerating the indefensible.
Wwwwaaaaayyyy past time to fire the cooks.
I get them monthly for my 1 year old Note 8...
Obviously we need complex multimedia formats that are decoded by C code complete with buffer overflows all running in Kernal mode.
But what would be even better is if the PNG could contain JavaScript inside it. Why limit the output to just a few algorithms? With JavaScript running actually inside the PNG much greater compression could be achieved for many applications. More importantly, a whole new plethora of animation techniques could be developed.
Indeed, if that JavaScript within the PNG was used to implement a Virtual Machine, a whole sub operating system could run inside that image. Just think of the possibilities!
We need more, Lots more. Of stuff.
Sure, if your phone is older than the iPhone 5S (from 2013).
Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image
I NEVER let my phone view PNG (or any other) images without supervision. I keep a small piece of electrical tape over the camera to make sure.
Wait are you talking about a malware installing with root from the webpage, or simply rooting your phone? A rooted phone is a lot more trustworthy (and better able to fend off viruses by enabling better adblocking) than one where you can't do anything about all the crap from Google and the carrier running.
Sure you do. Despite all the other products they still actively sell the only device Lenovo actually supports with updates at the moment is the Tab 4, https://support.lenovo.com/au/....
If, as the summary suggests, this allows arbitrary code to run with elevated permissions simply by viewing a PNG image, then this could be exploited to install malware that runs as root with access to all the data on your device, all your accounts, ability to modify any app, etc. That's pretty fucked up. (Yeah I know summaries can be misleading, but I have a relatively low UID so I've been conditioned over years to never RTFA.)
The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.
ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory. and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.
Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.
So if they email you a malicious PNG then they can read all your emails? That's not good. Plus who knows how many privilege escalation zero days may be out there?
Does this apply to all Android apps or just Google Chrome based ones?
(T>t && O(n)--) == sqrt(666)
Of course not
Courage
But
Apples are much better for you than cake
Malicious PNG
To be fair, privilege escalation exploits are rather common on all OSes. That's not something we've figured out how to solve.
"First they came for the slanderers and i said nothing."
All of those ARM chips (in Android) use GCC, an open compiler, so it isn't the chip that's causing problems. Most of the drivers are all open-sourced (the kernels is GPL, so they more-or-less have to), so it's not the hardware that's a problem.
The main problem is locked boot-loaders. If you can't install a custom ROM on a phone, that's probably the reason.
"First they came for the slanderers and i said nothing."
How do these things keep happening? What happened to sanity checking your input? Geezus, this is inexcusable.
How: C, C++, and Java making errors easy.
It's early days & we trade for speed with grossly unsafe situations. It's like a shortcut though a warzone.
We need contacts requiring:
- provably zero: buffer overflows, use-after-free, double-free, stack overflows, memory race conditions
- Malloc failures must crash if unrecoverable.
Then we could begin to have software with greater peace of mind.
Rust does this, as does JavaScript without extensions. Go does most and can be limited to a subset that does all. Some provers exist for C subsets.
Science & open-source build trust from peer review. Learn systems you can trust.
Not sure what's up with all the FUD about Android security patch irregularity. My Sony Xperia and One Plus phones are 3 years old and they are still receiving the monthly security updates from the manufacturer, so lag time is at most 2 months. It shouldn't be much different for Samsung and the other more popular brands and models.
It's true that updates between the major versions of Android are slow or even non-existent, but security updates are different. You can remain on an older version of Android and still receive security updates.
Move out of your shithole country and youll find plenty of devices with support, Drongo.
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
I get regular patches for mine (Xioami Mix).
No sig today...
Actually, Android has developed this new technique where it releases security updates monthly to address issues like this. It reduces the modifications OEMs need to do and limits QA testing. Novel approach, right? (yes, I'm being sarcastic about it being a new technique, but funnily enough MS & others seem to be going the other way of including the kitchen sink in "security updates")
I obtained the update about the time it was released a week ago. Apple weren't that quick, except for disabling Facetime Groups.
I also seem to remember being able to jailbreak my work iPhone (3gs, I think, but 4 might have been out too) just by viewing a pdf on a website. Swings and roundabouts.
The reason I haven been installing updates in the past year! Common people, where is online no click root?
At least in comparison with any other Linux distribution.
I can understant the personalization and kernel issues to customize for a specific vendor. But kernel and drivers are a very specific piece of software.
Most components should be unified and distributed from a unique source, so Android should update without vendor intervention with most of the pieces of the Android base.
Actual way of Android only makes our phones completely insecure.
It seems a flaw made pointedly just to force us to update the hardware just because old hardware hasn't the needed software updates.
my vendor never pushed update beyond 6.0
Actually drivers are the problem. Particular drivers for radios.
In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels, and I imagine that the network operators wouldn't be too happy about it either.
This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't work. Reason being that when you have 3 antennas they could potentially all be used to exceed acceptable transmission power limits if the user fits any random card, so the manufacturer has to limit to ones tested by the FCC etc. to never do that.
Having said that, Google has largely fixed this now. Modern versions of Android can be patched by the Play Store services directly, and indeed in this case the issue has been mitigated that way even if the manufacturer doesn't supply updates.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I know, I'm stuck on the Jan 2019 update with my old moto x4
Ok, so you've successfully argued that they need to deliver a binary kernel module for IO. The rest of the OS and all the libraries need to be upgradeable on the play store, even between Android versions.
(Isn't that what Android 8.0's Project Treble was supposed to do? And if not, WTF didn't they do that?)
What you say is true, but there aren't that many SoC vendors. Support for just 5 chipsets would probably cover 90% of phones, and if you had support for 100 chipsets, you'd probably cover 99.99% of smartphones in use today.
It's totally possible to create a single OS which auto detects which of the 100 chipsets it's running on and behaves accordingly.
this just sucks, as we all know a lot of phones are not going to get any fix for this and even the ones that do will have to wait for a longer then normal time. i'm used to almost always same-day fixes on my linux desktop/servers, which is nothing more then normal.
how do we fix this for devices other then pc's/servers?
in this case i see no other way but to make it a law. if, for example, the EU can dictate the standard connector to use for phone-chargers, they should be able to do the same for something way more serious.
make it a law that all devices must get a lot of years of security updates (i don't even care about OS upgrades at this point), make it a long enough time, something like 6 to 8 years.
what will happen is that companies MUST design the software part better otherwise it will be too expensive to maintain all these security fixes for all these different devices with different implementations. to keep their costs down, they will have to have one build that can be installed and used on their whole range.
again, don't tell me it is impossible, we've been doing it with linux distro's for more than 20 years.
On a long enough timeline, the survival rate for everyone drops to zero.
My iPhone 4S still makes calls, send and receives texts fine - why would I replace it? Too bad I can't update it though.
> But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.
Let's get even more real: I own 4 Android devices, and not a single one of them has ever got a single OS patch.
I'm not going to own a fifth. And I refuse to get my electronics from a fashion accessories maker. Who does that leave out?
And people are surprised I don't carry a smartphone.
No one is wasting their time on malware for the 3 % or less of iPhones that are not getting security updates.
Because custom ROMs serve the interests of the people selling the phones, allowing them to issue the phone with undeletable adware or bloatware that they're paid to ensure is on every phone (and which is also undeletable). The fact that they do not serve the interests of the people using the phones is of no concern to them.
So my Galaxy S5 is still safe? ...
Android is so shit. With all this spying. Touch interface (on the whole surface too) and with the lack of updates.
Where's the PC equivalent?
20 years of support rule yourself.
Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.
This month, my non-google phone got the February patch update a few hours before the Pixel release was available.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Worse than murderers and pedophiles, poisoners and spies? I think you may need to reassess.
Actually, the bug might be mitigated even faster.
Many of the Android system components are updatable through the play store. Updating just the gallery and browser to look for these pngs would eliminate 90% of the attack vectors faster than even Apple did with their patches.
I am sure you read that somewhere, but wherever you read that, I would not trust them as a source anymore. What phone can get past the bootloader, have a custom ROM installed, and then can't use the radio?
"First they came for the slanderers and i said nothing."
MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...
U IMITATING me means ya WISH ya were me! Imitation IS the sincerest form of FLATTERY you know...
* HILARIOUS you ADMIT you have a registered 'luser' account & yet you STALK me by UNIDENTIFIABLE anonymous too https://hardware.slashdot.org/... - YOU have ISSUES, lunatic!
APK
P.S.=> Hopefully, this 'sinks in' to your DULL BRAIN @ last, finally (for the 200th time now)... apk
See subject & https://yro.slashdot.org/comme...
APK
P.S.=> Of course, I also KNOW it's you doing the initial impersonating me too (you can't beat me on tech or fact so you pull PUSSY bullshit like impersonating me OR stalking me by UNIDENTIFIABLE anonymous posts like the LOSER you are)... apk
The custom ROMs use the binary blob radio drivers from the official ROMs.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Android people like you that defend this inexcusable flaw are the worst kind of scum.
Laying it on a bit thick don't you think? Being a platform apologist is bad, but I wouldn't rank it as "worst kind of scum", even if just limiting to the tech industry or even more so to just mobile OS platforms. Save some room for the real criminals who are making money off your data.
Apk obviously has taken you down decisively in his favor over you at some point since you hide by unidentifiable anonymous trollings from him.
Look it is APK's even more retarded friend AlecStaar here to defend him. Even APK won't defend himself because he knows his is a loser and gets his ass beaten every time he pipes up because all the criticisms of him and his work are true,
The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.
ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory. and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.
Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.
Yep. So much for a "hand computer" [rollseyes]
You can't defend yourself hiding behind unidentifiable anonymous harassment of apk you do. You only prove you're an obsessed nut. I reply that way so you don't stalk me like the obsessed mentalcase you are doing that to apk.
Hm. My iPhone 3GS didn't get the update to ios12. As a matter of fact, I think I had to stop updating it around IOS 5 or so. The newer versions of IOS slowed it down to unusability.
Yeah, yeah. I know. I didn't buy hardware, I bought access to ios and the hardware that came along with that purchase was not fit for duty 3 years after purchasing said access to ios. I was supposed to know even if it wasn't printed on the side of the box: This hardware will become unusable after 3 years and there is NOTHING (other than block further software upgrades) you can do about it. Have a nice day.
But yeah, feel smug about your IOS always being up to date.... completely ignoring the fact that you have to keep paying for hardware every couple years in order to keep your ios up to date.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
One of the Firefox for Android developers confirmed that they're using their own built-in libpng (with a link to its place in the source), so Firefox is likely unaffected. I didn't check separately on Firefox Focus, but I suspect it shares much of the code base.
I saw a reference to Chrome also having its own built-in PNG code (how could it not given its 51+MB download size?) but don't have the same details on it.
This mostly leaves email, messaging and social media as likely vectors for a malicious PNG.
fencepost
just a little off
That can still get you far, though.
iOS 12 runs on 5 year old hardware. Being smug is not necessary to understand the benefits of that.
Your 3GS is not susceptible to this bug.
Custom ROMs typically get all the drivers from the available update ROMs.
Aside the radio drivers, the camera drivers are often not open source.
That is not by coincidence the one aspect of smartphones that phone makers are still trying to differentiate in.
Project treble, on phones that got released with Oreo / Android 8 or later, should have all drivers sit on one partition, the Android OS should be on another, leading to a much easier update path.
Then, it's up to the manufacturer.
I know from experience that Nokia is doing well, one security update each month, 2 system version updates per device at least.
Support (chat) via built in app, also available when the phone is started with the pure system image, which I know from first hand experience.
Reason 2 for me to recommend Nokia.
Reason 3 is that they are newly set up to unlock boot loaders. Haven't tried yet.
Hope this helps,
aRTee
That's funny! My captcha image was %#*(@NO CARRIER
Sent from my Android
In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels
This is what RIL is for. Cell phones communicate with baseband processor using a standardized interface so the argument makes no sense on its face as the OS does not have the capability to command baseband to do something it isn't willing to.
The argument is further frustrated by the fact anyone can buy a USB stick with a GSM radio in it or a laptop with similar hardware to communicate over cellular networks. Yet the presence of such hardware does not preclude the successful installation of generic Linux distros nor detract from the ability to communicate with said radio.
This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't work. Reason being that when you have 3 antennas they could potentially all be used to exceed acceptable transmission power limits if the user fits any random card, so the manufacturer has to limit to ones tested by the FCC etc. to never do that.
The FCC explicitly rejected this assertion. Systems need to be designed such that the radio interface cannot be commanded to exceed limits / bypass TDR detection..etc. They never said the entire operating system has to be locked down to achieve this.
Having said that, Google has largely fixed this now. Modern versions of Android can be patched by the Play Store services directly
No, Google play cannot update the operating system. They can only update shit that used to be part of Android but got moved into proprietary Google play malware stack as part of Google's never ending bid to own everything.
Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.
This month, my non-google phone got the February patch update a few hours before the Pixel release was available.
In what year I will be able to install a generic Linux or Android distro on my cell phone?
No I don't think so. My reading is that it ONLY works if the process that triggers it is already privileged. It won't work on an unprivileged process at all.
On the other hand, universal root exploit!
Android also requires device maps to give you state-of-the-1980s base memory addresses for device MMIO.
There's no PCI(e) interface on your phone, or any other "safe" means of software discovering what hardware is in the device. Just like any 8-bit microcomputer you grew up with, hardware control is done by writing memory values to various hardcoded memory addresses. If the sound driver, for example, doesn't know the exact base address of the sound controller, it won't init the sound at all and may even accidentally crash the system if it ends up feeding the wrong commands into the wrong hardware subsystem.
Remember when Windows 95 and 98 would do auto-detect for non-PnP hardware and the ever-present warning that the process could hang the machine was present? Yep, exact same story here.
Why can't I just apt install libpng and get a non-broken libpng.so in /usr/lib?