Biggest security update in history coming up: Google patches Android hijack bug Stagefright

For those of you worried about the Stagefright flaw in Android, be reassured, a patch will be coming down the line in the next few days. "My guess is that this is the single largest software update the world has ever seen," said Adrian Ludwig, lead engineer for Android security at Google. "Hundreds of millions of devices are …


  1. Ben Boyle

    I'm glad the manufacturers are going to push out patches, but will the carriers help or hinder the process?

    1. Anonymous Coward

      Perhaps carriers might do, or could find themselves on the end of a class action suit. They deserve one.

    2. twilkins

      Indeed - since my old Symbian mobiles back in the day, it has always been the carriers who hold up firmware updates.

      As I type this Sony have had a Lollipop 5.1 ROM out for my current Xperia handset for over two weeks. No sign of it on Vodafone UK anytime soon. Time for the networks to stop their crappy customisations and just do it all via apps.

    3. TheVogon

      Android - shortly to become the world's largest ever bot net!

      1. I. Aproveofitspendingonspecificprojects

        >shortly to become?

        Did you not read the article?

        the world's largest ever bot net.

        ftfy

  2. OliverJ

    Incredible!

    "Hundreds of millions of devices are going to be updated in the next few days. It's incredible." - Like as in when Apple releases a new version of iOS? It's incredible! (that the lead engineer for Android security at Google says such a thing)

    1. This post has been deleted by its author

      1. OliverJ

        Re asdf: Incredible!

        Just for the record: I made no comment on which of the ecosystems is the most secure. I was simply surprised by the statement that patching hundreds of millions of devices seems to be an "incredible achievement". Last time I checked, iOS was deployed on more than a billion devices world wide, so rolling out an update to hundreds of millions of devices doesn't seem to be an industries first...

        1. asdf

          Re: Re asdf: Incredible!

          Sorry to seem to put words in your mouth. Duly noted.

        2. John H Woods Silver badge

          Re: Re asdf: Incredible!

          "so rolling out an update to hundreds of millions of devices doesn't seem to be an industries first..." -- OliverJ

          I hear what you're saying, but it's not the count, it's the diversity. The hundreds of millions of devices which got iOS 8 were what, about half a dozen SKUs?

          1. OliverJ

            Re: Re asdf: Incredible!

            "I hear what you're saying but It's not the count, it's the diversity."

            Point taken. Diversity. Such as, I don't know, Microsoft Windows? :-)

        3. Anonymous Coward

          Re: Re asdf: Incredible!

          Hmm, Android with 85% of the market and Apple with just 13% and dropping fast. Your billion sounds like the usual Apple hyperbole.

          1. asdf

            Re: Re asdf: Incredible!

            It is pretty jaw dropping how much better the security on not only iOS but even BB and WP is compared to Swiss cheese, 97%+ of all malware, Android. Joining the generic masses is not always the best idea.

            1. oneeye

              Re: Re asdf: Incredible!

              Um..... excuse me, but the last two updates for Apple fixed over 150 vulnerabilities. Over fifty of those were for Safari alone, and because Safari is tied to the OS, it always has to be a system update. All software will have exploitable bugs, but Apple treats their users like mushrooms. They keep them in the dark, and feed them bull shit (fertilizer)! They also treat researchers like crap, and begrudgingly give credit to them, and almost never pay rewards, or bounty.

            2. CFWhitman

              Re: Re asdf: Incredible!

              The reason why the Stagefright flaw brought about the first movement toward unified patching is because it is the first serious security flaw discovered in the base system. The malware installed on the so-called "swiss cheese" Android is almost entirely Trojans, which users install themselves. The only way to prevent that is to take away installation privileges. I'd rather keep my administrative/installation privileges on my devices. Thanks. Administrative responsibility is not forced on Android users either. Sideloading apps is turned off by default.

              This is not to say that Android is great. I'm not a big fan of, come to think of it, any of the more popular phone/tablet operating systems. However, Android is not really the security nightmare that a number of people try to paint it as.

          2. Anonymous Coward

            Re: Re asdf: Incredible!

            "... with just 13% and dropping fast."

            Let's see your source. Apple's filings to the SEC have indicated the opposite, so are you saying that they are committing fraud? Serious question.

        4. mathew42

          Re: Re asdf: Incredible!

          IDC Smartphone OS Market Share suggests iPhones have < 20% market share; with a total of ~1.2 billion smartphones shipped each year, that is 240 million iPhones. Tablets show a similar picture, with iPad market share of 25% and 200 million tablets shipped each year, that is 40 million iPads. So yes, I would guess your figure of greater than a billion is defensible, depending on the average lifespan of an iPhone.

          For Android on the other hand you would need to multiply those numbers by approximately 4.

          Let's just be happy that bugs are being fixed.

          1. bri

            Oranges, apples, information, lack of

            It's funny how fast people resort to calling others ignorant while making errors of their own.

            1) This article is about Stagefright. This component is as device independent as it gets. So "variability", "different SKUs" play a very minor role. Updating some backend for widgets however, that would be a different matter

            2) Each model of every vendor comprises multiple SKUs, often with different innards (to cater for different standards, frequency bands and so on)

            3) It is fairly possible that iOS is on more than a billion devices, as they have a longer useful life (market share in number of sold devices != market share in devices in operation). Coupled with the fact that iOS runs not only on iPhones, but on iPads and iPods as well, a billion devices is fairly reasonable. I can still get an update for a device over three years old.

          2. asdf

            Re: Re asdf: Incredible!

            Android may have 4x units but iOS devices capture more profit than all the Android devices combined. Similar story in the app store. Android full disk encryption being such a joke is reason enough for me to ignore them for now.

        5. Destroy All Monsters Silver badge

          Re: Re asdf: Incredible!

          iOS was deployed on more than a billion devices world wide

          I didn't know Apple was big in the embedded market?

    2. Anonymous Coward

      Re: Incredible!

      OliverJ you must be a fanboi, I haven't heard such an ignorant comment since the last time one of our Australian politicians opened their mouth. I mean really? Consider the following:

      iOS is one unmodified OS, made to run on one device controlled by one company! Even further, the idiot taxing company rarely patches its OS; it forces a new version down, and immediately obsoletes a number of its own devices due to usually poor performance.

      Compare this to Android, multiple versions generally buggerised around with by carriers, running on a vast variety of hardware manufactured by large number of OEMs. The fact that Google as managed to get the major players in this market to coordinate regular PATCH updates is a massive feat! I'd love to see Apple achieve that!

      Stick to the Kiddies Pool

      All Best

      1. Anonymous Coward

        Re: Incredible!

        You mean Android is such a badly designed monolithic OS that it can't easily replace a few libraries to get patched?

      2. Anonymous Coward

        Re: Incredible!

        OliverJ you must be a fanboi, I haven't heard such an ignorant comment since the last time one of our Australian politicians opened their mouth

        Well, the ad hominem was almost enough to discard your post, but you managed to actually make it worse in the very next paragraph.

        Compare this to Android, multiple versions generally buggerised around with by carriers, running on a vast variety of hardware manufactured by large number of OEMs. The fact that Google as managed to get the major players in this market to coordinate regular PATCH updates is a massive feat! I'd love to see Apple achieve that!

        You may want to lose that chip on your shoulder fast and learn to read between the lines of a press release, certainly when it comes to Google: until you know that every version of Android is going to be patched instead of only the latest few, any statement on planned obsolescence only displays your biases, not reality.

        It is as unrealistic to expect Google to patch all the way back to Android v3, for instance, as it is to expect Apple to go all the way back to iOS 7 and patch things. In that respect, economics and practicality do not really differ between platforms.

        What IS different is that there are multiple barriers between a Google update and an end user receiving it because of the fragmentation of the Android market, something that Apple doesn't have to work around. Between Google and you is the manufacturer as well as the telco, each doing their own thing and consequently each having to update that "thing" before they can give you the patch. It would be cool if there was a manufacturer somewhere which could give you "raw" Android - a sort of Debian of Androids - and be allowed on air without the carrier messing things up too.

        Stick with the facts, and learn the basics of reasoned debate. It may help you when you grow up.

        1. Anonymous Coward

          Re: Incredible!

          Note to self: find whatever auto-correct mechanism has risen from the dead and drive a wooden stake through its heart, then give it a couple of silver bullets for good measure and drown it in Holy water. Sorry about that, the post would have made more sense if certain words hadn't been "corrected" by an auto-mistake with what is clearly a limited vocabulary.

      3. OliverJ

        @Coward: Incredible!

        At least I'm not hiding, Mr. A.C., which of course in your case seems to be a sensible approach, as you started your posting in rather bad form with pointless invectives. Usually I find that doing so doesn't improve the quality of one's argument. But I digress.

        Please note that I made no comment on the complexity of this rollout, which is indeed a challenge, as you rightly pointed out. But if you read the quote attributed to Adrian Ludwig, you will see that this wasn't his point, either. It was simply the number of devices patched which he found "incredible".

        Obviously, my remark was half in jest, but I was indeed a little bit baffled by the naivety of this statement.

        You are really reading too much into this, lighten up! You're taking this way too seriously. I mean, "ignorant", "fanboi", "kiddies pool" - really?

  3. DJV Silver badge

    Well...

    ...as Android 5.1 turned my Nexus 7 (2012) into something that could be outraced by an injured slug, I suspect I may need to avoid this! Went back to 4.3 (4.4 was pretty dire as well, speedwise).

    1. asdf

      Re: Well...

      If you are really into S&M to yourself run 4.4 with full disk encryption lol. So slooooooowwwwww.

      1. Fred Flintstone Gold badge

        Re: Well...

        If you are really into S&M to yourself run 4.4 with full disk encryption lol. So slooooooowwwwww.

        That'll be Bruce Schneier's new book: 50 shades of crypto :)

  4. graeme leggett Silver badge

    I presume they won't be issuing the patches on the second Tuesday in the month, even if the slot is now free.

  5. Anonymous Coward

    "These updates have been sent out to manufacturers for years, but now end users will get them too, and they will continue for at least three years after the DISCONTINUATION of any handset."

    Fixed that for you, Google, Samsung, LG, etc...

  6. Anonymous Coward

    YAGNI is all fine and good, but...

    "you-ain't-gonna-need-it" can be a useful corrective to over-designing a system, but given the stark prior examples of Windows and the *nixes discovering the need for automated post-sale patching (and the reputation damage[*] Windows took in the process) it seems delusional for the Android makers and Google to sleepwalk into this development.

    [*] a.k.a. looking like a smouldering turd

    1. asdf

      Re: YAGNI is all fine and good, but...

      Except the Android software itself is a loss leader for Google. Once they get gapps on your phone they win, and that's the main thing they care about.

      1. Anonymous Coward

        Re: YAGNI is all fine and good, but...

        asdf,

        it's taken Microsoft a while to catch on, but W10 is in essence the Android model but with MS knickers on.

  7. Mark 85

    The weak link...

    ...is the carrier. Will they move these out to the devices? Or claim they don't have the bandwidth? Will they use these as part of the data limit cap? Or give the update a free ride? I suspect that there probably won't be as many devices updated as speculated due to carrier interference.

  8. Bloodbeastterror

    Am I being exceptionally slow again?

    I have a Nexus 6. Google releases updates to the ROM very rarely, and having a rooted phone means that I can't receive OTA updates. How exactly is this security update supposed to be delivered...?

    Have I missed the bleedin' obvious again?

    1. Mark 110

      Re: Am I being exceptionally slow again?

      Dunno. You rooted your phone . . have to work that one out for yourself :-)

    2. MrWibble

      Re: Am I being exceptionally slow again?

      Unroot and the OTA will come in the next few days.

      Or reflash the factory image (new image was released today with this update).

    3. Anonymous Coward

      Re: Am I being exceptionally slow again?

      If you only rooted the stock OS and left the stock recovery in place, you should still receive OTAs, although they usually remove root access, so you'll need to root again after.

      If you've replaced the ROM or recovery (i.e. CyanogenMod), you'd need to revert to stock (you did make a backup?). If not, it's a complete wipe to flash the factory images: https://developers.google.com/android/nexus/images

    4. druck Silver badge

      Re: Am I being exceptionally slow again?

      I rooted my Galaxy S5 just so backup software could access the SD card, but that has saved me from the Lollipop 5.0 update which has blighted my wife's Note 3. So do I unroot it and hope the security patch is delivered rather than an unwanted upgrade, or do I risk waiting god knows how long until O2 has made Lollipop 5.1 available?

  9. Anonymous Coward

    The first time mass Android patching will ever be tested

    If there are any glitches in the process, Google, Samsung and/or LG will have some egg on their face and negative publicity to deal with. Even if the carrier is ultimately responsible.

    With a multiple step process for the patch to go from Google to OEM to carrier to user, with the potential for each to add their own fixes or "enhancements" along the way, this could get very interesting. If I owned an Android phone I sure wouldn't be willing to install this the day my phone notified me. I'd be searching the internet for evidence few people with the same phone on the same carrier had successfully done so before proceeding given that Stagefright isn't actively being exploited.

    1. oneeye

      Re: The first time mass Android patching will ever be tested

      Hi,

      I have read a few accounts that Stagefright was already in the wild, actively being exploited. There is a Stagefright wiki page already, if you can believe it? Here is a quote from that page:

      Stagefright, in the wild

      In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he found two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming that the library has been already exploited for a while.

      Also Trend Micro security found two NEW exploitations of Stagefright. See their blog, and the Verge has a good piece too.

  10. VeganVegan

    Puzzled

    Granted, the manufacturer, the phone co., they all add cruft to / modify the base Android setup, but am I being too naive to think that Android was properly designed, so that users can get Android software (not the added on crap) directly from Google?

    I mean, even Microsoft manages to update various components of Windows, despite a zillion SKUs and add-on crapware.

    I suspect that the answer is: No. Android was shoved together and sent out the door, with little thought for the long term.

    1. tacitust

      Re: Puzzled

      Microsoft doesn't ship the source code for Windows to its OEMs. Android phone manufacturers get the entire source code base for Android to do with what they will (with the exception of some of the device drivers). That's a huge difference, and explains why it's a lot harder to maintain a unified update system for Android.

      1. Anonymous Coward

        Re: Puzzled

        I suspect apathy and the desire to flog you a new phone has a lot more to do with it.

    2. Anonymous Coward

      Re: Puzzled

      The other problem, to carry on from what tacitust has said, is the way in which manufacturers add their cruft. Instead of releasing themes/their apps as standard APKs, they give them dependencies in the underlying OS. If they didn't do this, you could run Samsung's TouchWiz on an HTC, for e.g., and they don't want that - they want you to buy their hardware, so they tie the APKs to the OS image.

      If their apps were standard APKs, Google could update the OS under them and they wouldn't care. But because Google have no clue what each device's APKs depend on, that's out of the question and it is down to the manufacturer to do the OTA release.

      1. Anonymous Coward

        Re: Puzzled

        "you could run Samsung's TouchWiz on a HTC for e.g. and they you don't want that "

        ftfy

  11. Anonymous Coward

    Can I ask a stupid question?

    How exactly are they going to push an update to non-rooted android phones?

    Will this not open up another vuln?

    1. Anonymous Coward

      No, they're just standard OTA (Over The Air) updates which have been used since forever. You can read more about it here: https://source.android.com/devices/tech/ota/

      1. F0rdPrefect

        just standard OTA (Over The Air) updates

        So do I need to have my mobile data turned on to have any chance of getting this, or will it arrive via wifi?

        I hardly ever need to use mobile data as almost everywhere I go has wifi available.

        1. Charles 9

          Re: just standard OTA (Over The Air) updates

          "So do I need to have my mobile data turned on to have any chance of getting this, or will it arrive via wifi?

          I hardly ever need to use mobile data as almost everywhere I go has wifi available."

          Depends on how your device was built. Many WiFi-only tablets do a periodic phone home over the Internet to perform OTA updates. Your device may do this if on a WiFi connection even if it has mobile data.
