Biggest security update in history coming up: Google patches Android hijack bug Stagefright

For those of you worried about the Stagefright flaw in Android, be reassured, a patch will be coming down the line in the next few days. "My guess is that this is the single largest software update the world has ever seen," said Adrian Ludwig, lead engineer for Android security at Google. "Hundreds of millions of devices are …

  1. Ben Boyle

    I'm glad the manufacturers are going to push out patches, but will the carriers help or hinder the process?

    1. Anonymous Coward

      Perhaps carriers might do, or they could find themselves on the end of a class action suit; they deserve one.

    2. twilkins

      Indeed - since my old Symbian mobiles back in the day, it has always been the carriers who hold up firmware updates.

      As I type this Sony have had a Lollipop 5.1 ROM out for my current Xperia handset for over two weeks. No sign of it on Vodafone UK anytime soon. Time for the networks to stop their crappy customisations and just do it all via apps.

    3. TheVogon

      Android - shortly to become the world's largest ever bot net!

      1. I. Aproveofitspendingonspecificprojects

        >shortly to become?

        Did you not read the article?

        the world's largest ever bot net.

        ftfy

  2. OliverJ

    Incredible!

    "Hundreds of millions of devices are going to be updated in the next few days. It's incredible." - Like as in when Apple releases a new version of iOS? It's incredible! (that the lead engineer for Android security at Google says such a thing)

    1. This post has been deleted by its author

      1. OliverJ

        Re asdf: Incredible!

        Just for the record: I made no comment on which of the ecosystems is the most secure. I was simply surprised by the statement that patching hundreds of millions of devices seems to be an "incredible achievement". Last time I checked, iOS was deployed on more than a billion devices worldwide, so rolling out an update to hundreds of millions of devices doesn't seem to be an industry first...

        1. asdf

          Re: Re asdf: Incredible!

          Sorry to seem to put words in your mouth. Duly noted.

        2. John H Woods Silver badge

          Re: Re asdf: Incredible!

          "so rolling out an update to hundreds of millions of devices doesn't seem to be an industries first..." -- OliverJ

          I hear what you're saying but it's not the count, it's the diversity. The hundreds of millions of devices which got iOS 8 were what, about half a dozen SKUs?

          1. OliverJ

            Re: Re asdf: Incredible!

            "I hear what you're saying but it's not the count, it's the diversity."

            Point taken. Diversity. Such as, I don't know, Microsoft Windows? :-)

        3. Anonymous Coward

          Re: Re asdf: Incredible!

          Hmm, Android with 85% of the market and Apple with just 13% and dropping fast. Your billion sounds like the usual Apple hyperbole.

          1. asdf

            Re: Re asdf: Incredible!

            It is pretty jaw-dropping how much better the security on not only iOS but even BB and WP is compared to Swiss-cheese, 97%+ of all malware Android. Joining the generic masses is not always the best idea.

            1. oneeye

              Re: Re asdf: Incredible!

              Um... excuse me, but the last two updates for Apple fixed over 150 vulnerabilities. Over fifty of those were for Safari alone, and because Safari is tied to the OS, it always has to be a system update. All software will have exploitable bugs, but Apple treats their users like mushrooms. They keep them in the dark, and feed them bullshit (fertilizer)! They also treat researchers like crap, and begrudgingly give credit to them, and almost never pay rewards or bounties.

            2. CFWhitman

              Re: Re asdf: Incredible!

              The reason why the Stagefright flaw brought about the first movement toward unified patching is because it is the first serious security flaw discovered in the base system. The malware installed on the so-called "Swiss cheese" Android is almost entirely Trojans, which users install themselves. The only way to prevent that is to take away installation privileges. I'd rather keep my administrative/installation privileges on my devices. Thanks. Administrative responsibility is not forced on Android users either. Sideloading apps is turned off by default.

              This is not to say that Android is great. I'm not a big fan of, come to think of it, any of the more popular phone/tablet operating systems. However, Android is not really the security nightmare that a number of people try to paint it as.

          2. Anonymous Coward

            Re: Re asdf: Incredible!

            "... with just 13% and dropping fast."

            Let's see your source. Apple's filings to the SEC have indicated the opposite, so are you saying that they are committing fraud? Serious question.

        4. mathew42

          Re: Re asdf: Incredible!

          IDC Smartphone OS Market Share suggests iPhones have < 20% market share; with a total of ~1.2 billion smartphones shipped each year, that is 240 million iPhones. Tablets show a similar picture, with an iPad market share of 25% of 200 million tablets shipped each year, that is 40 million iPads. So yes, I would guess your figure of greater than a billion is defensible, depending on the average lifespan of an iPhone.

          For Android on the other hand you would need to multiply those numbers by approximately 4.

          Let's just be happy that bugs are being fixed.

          1. bri

            Oranges, apples, information, lack of

            It's funny how fast people resort to calling others ignorant while making errors of their own.

            1) This article is about Stagefright. This component is as device-independent as it gets. So "variability" and "different SKUs" play a very minor role. Updating some backend for widgets, however, would be a different matter.

            2) Each model of every vendor comprises multiple SKUs, often with different innards (to cater for different standards, frequency bands and so on).

            3) It is fairly possible that iOS is on more than a billion devices, as they have a longer useful life (market share in number of sold devices != market share in devices in operation). Coupled with the fact that iOS runs not only on iPhones, but on iPads and iPods as well, a billion devices is fairly reasonable. I can still get updates for a device over three years old.

          2. asdf

            Re: Re asdf: Incredible!

            Android may have 4x units but iOS devices capture more profit than all the Android devices combined. Similar story in the app store. Android full disk encryption being such a joke is reason enough for me to ignore them for now.

        5. Destroy All Monsters Silver badge

          Re: Re asdf: Incredible!

          iOS was deployed on more than a billion devices world wide

          I didn't know Apple was big in the embedded market?

    2. Anonymous Coward

      Re: Incredible!

      OliverJ you must be a fanboi, I haven't heard such an ignorant comment since the last time one of our Australian politicians opened their mouth. I mean really? Consider the following:

      iOS is one unmodified OS, made to run on one device controlled by one company! Even further, the idiot taxing company rarely patches its OS; it forces a new version down, and immediately obsoletes a number of its own devices due to usually poor performance.

      Compare this to Android, multiple versions generally buggerised around with by carriers, running on a vast variety of hardware manufactured by a large number of OEMs. The fact that Google has managed to get the major players in this market to coordinate regular PATCH updates is a massive feat! I'd love to see Apple achieve that!

      Stick to the Kiddies Pool

      All Best

      1. Anonymous Coward

        Re: Incredible!

        You mean Android is such a badly designed monolithic OS that it can't easily replace a few libraries to get patched?

      2. Anonymous Coward

        Re: Incredible!

        OliverJ you must be a fanboi, I haven't heard such an ignorant comment since the last time one of our Australian politicians opened their mouth

        Well, the ad hominem was almost enough to discard your post, but you managed to actually make it worse in the very next paragraph.

        Compare this to Android, multiple versions generally buggerised around with by carriers, running on a vast variety of hardware manufactured by a large number of OEMs. The fact that Google has managed to get the major players in this market to coordinate regular PATCH updates is a massive feat! I'd love to see Apple achieve that!

        You may want to lose that chip on your shoulder fast and learn to read between the lines of a press release, certainly when it comes to Google: until you know that every version of Android is going to be patched instead of only the latest few, a statement on planned obsolescence only displays your biases, not reality.

        It is as unrealistic to expect Google to patch all the way back to Android v3, for instance, as it is to expect Apple to go all the way back to iOS 7 and patch things. In that respect, economics and practicality do not really differ between platforms.

        What IS different is that there are multiple barriers between a Google update and an end user receiving it because of the fragmentation of the Android market, something that Apple doesn't have to work around. Between Google and you is the manufacturer as well as the telco, each doing their own thing and consequently each having to update that "thing" before they can give you the patch. It would be cool if there was a manufacturer somewhere which could give you "raw" Android - a sort of Debian of Androids - and be allowed on air without the carrier messing things up too.

        Stick with the facts, and learn the basics of reasoned debate. It may help you when you grow up.

        1. Anonymous Coward

          Re: Incredible!

          Note to self: find whatever auto-correct mechanism has risen from the dead and drive a wooden stake through its heart, then give it a couple of silver bullets for good measure and drown it in Holy water. Sorry about that, the post would have made more sense if certain words hadn't been "corrected" by an auto-mistake with what is clearly a limited vocabulary.

      3. OliverJ

        @Coward: Incredible!

        At least I'm not hiding, Mr. A.C., which of course in your case seems to be a sensible approach, as you started your posting in rather bad form with pointless invectives. Usually I find that doing so doesn't improve the quality of one's argument. But I digress.

        Please note that I made no comment on the complexity of this rollout, which is indeed a challenge, as you rightly pointed out. But if you read the quote attributed to Adrian Ludwig, you will see that this wasn't his point, either. It was simply the number of devices patched which he found "incredible".

        Obviously, my remark was half in jest, but I was indeed a little bit baffled by the naivety of this statement.

        You are really reading too much into this, lighten up! You're taking this way too seriously. I mean, "ignorant", "fanboi", "kiddies pool" - really?

  3. DJV Silver badge

    Well...

    ...as Android 5.1 turned my Nexus 7 (2012) into something that could be outraced by an injured slug, I suspect I may need to avoid this! Went back to 4.3 (4.4 was pretty dire as well, speedwise).

    1. asdf

      Re: Well...

      If you are really into S&M to yourself run 4.4 with full disk encryption lol. So slooooooowwwwww.

      1. Fred Flintstone Gold badge

        Re: Well...

        If you are really into S&M to yourself run 4.4 with full disk encryption lol. So slooooooowwwwww.

        That'll be Bruce Schneier's new book: 50 shades of crypto :)

  4. graeme leggett Silver badge

    I presume they won't be issuing the patches on the second Tuesday in the month, even if the slot is now free.

  5. Anonymous Coward

    "These updates have been sent out to manufacturers for years, but now end users will get them too, and they will continue for at least three years after the DISCONTINUATION of any handset."

    Fixed that for you, Google, Samsung, LG, etc...

  6. Anonymous Coward

    YAGNI is all fine and good, but...

    "you-ain't-gonna-need-it" can be a useful corrective to over-designing a system, but given the stark prior examples of Windows and the *nixes discovering the need for automated post-sale patching (and the reputation damage[*] Windows took in the process) it seems delusional for the Android makers and Google to sleepwalk into this development.

    [*] a.k.a. looking like a smouldering turd

    1. asdf

      Re: YAGNI is all fine and good, but...

      Except the Android software itself is a loss leader for Google. Once they get gapps on your phone they win, and that's the main thing they care about.

      1. Anonymous Coward

        Re: YAGNI is all fine and good, but...

        asdf,

        It's taken Microsoft a while to catch on, but W10 is in essence the Android model but with MS knickers on.

  7. Mark 85

    The weak link...

    ...is the carrier. Will they move these out to the devices? Or claim they don't have the bandwidth? Will they use these as part of the data limit cap? Or give the update a free ride? I suspect that there probably won't be as many devices updated as speculated due to carrier interference.

  8. Bloodbeastterror

    Am I being exceptionally slow again?

    I have a Nexus 6. Google releases updates to the ROM very rarely, and having a rooted phone means that I can't receive OTA updates. How exactly is this security update supposed to be delivered...?

    Have I missed the bleedin' obvious again?

    1. Mark 110

      Re: Am I being exceptionally slow again?

      Dunno. You rooted your phone... you have to work that one out for yourself :-)

    2. MrWibble

      Re: Am I being exceptionally slow again?

      Unroot and the OTA will come in the next few days.

      Or reflash the factory image (new image was released today with this update).

    3. Anonymous Coward

      Re: Am I being exceptionally slow again?

      If you only rooted the stock OS and left the stock recovery in place, you should still receive OTAs, although they usually remove root access, so you'll need to root again after.

      If you've replaced the ROM or recovery (i.e. CyanogenMod), you'd need to revert to stock (you did make a backup?). If not, it's a complete wipe to flash the factory images: https://developers.google.com/android/nexus/images

    4. druck Silver badge

      Re: Am I being exceptionally slow again?

      I rooted my Galaxy S5 just so backup software could access the SD card, but that has saved me from the Lollipop 5.0 update which has blighted my wife's Note 3. So do I unroot it and hope the security patch is delivered rather than an unwanted upgrade, or do I risk waiting god knows how long until O2 has made Lollipop 5.1 available?

  9. Anonymous Coward

    The first time mass Android patching will ever be tested

    If there are any glitches in the process, Google, Samsung and/or LG will have some egg on their face and negative publicity to deal with. Even if the carrier is ultimately responsible.

    With a multiple-step process for the patch to go from Google to OEM to carrier to user, with the potential for each to add their own fixes or "enhancements" along the way, this could get very interesting. If I owned an Android phone I sure wouldn't be willing to install this the day my phone notified me. I'd be searching the internet for evidence that a few people with the same phone on the same carrier had successfully done so before proceeding, given that Stagefright isn't actively being exploited.

    1. oneeye

      Re: The first time mass Android patching will ever be tested

      Hi,

      I have read a few accounts that Stagefright was already in the wild, actively being exploited. There is a Stagefright wiki page already, if you can believe it. Here is a quote from that page:

      Stagefright, in the wild

      In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he found two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming that the library has been already exploited for a while.

      Also Trend Micro security found two NEW exploitations of Stagefright. See their blog, and The Verge has a good piece too.

  10. VeganVegan

    Puzzled

    Granted, the manufacturer, the phone co., they all add cruft to / modify the base Android setup, but am I being too naive to think that Android was properly designed, so that users can get Android software (not the added on crap) directly from Google?

    I mean, even Microsoft manages to update various components of Windows, despite a zillion SKUs and add-on crapware.

    I suspect that the answer is: No. Android was shoved together and sent out the door, with little thought for the long term.

    1. tacitust

      Re: Puzzled

      Microsoft doesn't ship the source code for Windows to its OEMs. Android phone manufacturers get the entire source code base for Android to do with what they will (with the exception of some of the device drivers). That's a huge difference, and explains why it's a lot harder to maintain a unified update system for Android.

      1. Anonymous Coward

        Re: Puzzled

        I suspect apathy and the desire to flog you a new phone has a lot more to do with it.

    2. Anonymous Coward

      Re: Puzzled

      The other problem, to carry on from what tacitust has said, is the way in which manufacturers add their cruft. Instead of releasing themes/their apps as standard APKs, they give them dependencies in the underlying OS. If they didn't do this, you could run Samsung's TouchWiz on an HTC, for example, and they don't want that - they want you to buy their hardware, so they tie the APKs to the OS image.

      If their apps were standard APKs, Google could update the OS under them and they wouldn't care. But because Google have no clue what each device's APKs depend on, that's out of the question and it is down to the manufacturer to do the OTA release.

      1. Anonymous Coward

        Re: Puzzled

        "you could run Samsung's TouchWiz on a HTC for e.g. and they you don't want that "

        ftfy

  11. Anonymous Coward

    Can I ask a stupid question?

    How exactly are they going to push an update to non-rooted android phones?

    Will this not open up another vuln?

    1. Anonymous Coward

      No, they're just standard OTA (Over The Air) updates which have been used since forever. You can read more about it here: https://source.android.com/devices/tech/ota/

      1. F0rdPrefect

        just standard OTA (Over The Air) updates

        So do I need to have my mobile data turned on to have any chance of getting this, or will it arrive via wifi?

        I hardly ever need to use mobile data as almost everywhere I go has wifi available.

        1. Charles 9

          Re: just standard OTA (Over The Air) updates

          "So do I need to have my mobile data turned on to have any chance of getting this, or will it arrive via wifi?

          I hardly ever need to use mobile data as almost everywhere I go has wifi available."

          Depends on how your device was built. Many WiFi-only tablets do a periodic phone home over the Internet to perform OTA updates. Your device may do this if on a WiFi connection even if it has mobile data.

          1. F0rdPrefect

            Re: just standard OTA (Over The Air) updates

            "Depends on how your device was built. Many WiFi-only tablets do a periodic phone home over the Internet to perform OTA updates. Your device may do this if on a WiFi connection even if it has mobile data."

            It is a Moto G 2nd gen., but I have no idea if it has been updated since I bought it. And as I bought it SIM-free, I'm not sure who would push the update.

            1. Charles 9

              Re: just standard OTA (Over The Air) updates

              You're lucky, then. You've got a pretty bare-bone Android device, so there's little to interfere. It's also primed for a Lollipop update. Both would likely come from Motorola.

  12. CAPS LOCK

    Will this reach my Acer Iconia B1-A71 (bought March 2013)?

    Thought not...

    1. dotdavid

      Re: Will this reach my Acer Iconia B1-A71 (bought March 2013)?

      Silly consumer, you should be buying a new tablet every year-to-18-months to ensure you stay up to date with security patches. No company could ever update software that was older than that.

      1. Anonymous Coward

        Re: Will this reach my Acer Iconia B1-A71 (bought March 2013)?

        Silly vendor, if that kind of attitude were to pervade other areas of the consumer world (appliances, cars, etc.) there would be a heated argument in the legislatures. There's a reasonable expectation of a device being fit for purpose for some extended duration which is usually somewhat longer than the warranty. After all, a 2-year-old Galaxy S4 is still quite usable. As is an Asus Google Nexus 7 tablet (the 2013 version that recently got the Lollipop update).

        Some are of the opinion if you're not ready to support the device somewhat longer than you anticipated because it is that darn good, you shouldn't be selling it on the market. IOW, Planned Obsolescence = UNFAIR (not to mention wasteful).

  13. Al_21

    Call me cynical

    Monthly security updates sound good... although I suspect it'll be for vulns identified months before a fix actually reaches devices.

    I don't have much faith in Android devices staying updated.

    1. James 100

      Re: Call me cynical

      I would like to think this would mean Google pushing out updates to their own parts directly, bypassing both handset manufacturers and telcos, in the same way Windows Update pulls in new patches straight from MS without consulting Dell first. With proper demarcation - regulatory/technical approval of the baseband bit, the manufacturer providing some Linux device drivers and maybe some apps to run on top - that wouldn't be too difficult.

      I went for a SIM-free Nexus for exactly this reason last time; maybe it's time the other handset brands got better update support too?

      1. Charles 9

        Re: Call me cynical

        "I went for a SIM-free Nexus for exactly this reason last time; maybe it's time the other handset brands got better update support too?"

        Why should they? Why do you think the term "Planned Obsolescence" exists? Unless it's blocked by law, phone manufacturers have no interest in updating all but the newest devices (and only to avoid defect/fitness of purpose suits).

  14. Mikedx

    LG aren't updating rooted devices

    Since LG think we are leasing our devices from them and we don't own the device, they refuse to update rooted devices. Incredibly poor attitude from the company that gave us the woman who had her hands cut off by the machinery in their factory.

    So if you are using an LG device and have rooted your device for any reason, you have to stay vulnerable.

    1. Anonymous Coward

      Re: LG aren't updating rooted devices

      > Since LG think we are leasing our devices from them and we don't own the device, they refuse to update rooted devices

      Seeing as *you* *own* the device, what business is it of LG to interfere with it?

      1. Anonymous Coward

        Re: LG aren't updating rooted devices

        By LG's logic, you DON'T own the device. And like it or not, the software's not yours, either, due to copyright. So by their logic, they can dictate terms. That's the ultimate aim of big business selling non-perishable goods: to remove the sale model and change it to a rent/lease model so they never lose control of their goods.

  15. CrosscutSaw

    Opportunity

    Great, now my carrier will probably push some bloatware with the update. IF it ever trickles down to the customers. First they have to eff it up and brand it.

  16. Stuart Halliday

    Getting to the Root of the problem.

    Funny that. I've rooted my phone (Just so I can use fonts) and now it refuses to update. What's the point of that? Let the customer decide what they want to do.

    1. Charles 9

      Re: Getting to the Root of the problem.

      The manufacturer can no longer trust the device. It's in the EULA: they will only update unmodified (in the /system sense) devices. It's like the "warranty void if removed" stickers.

  17. Simon Lynch

    SO when then?

    My Nexus 5 broke in the summer (not sure, but I think software not hardware), so I schlepped off to a shop to get something else. Found out they had nothing recent in stock (small town in NW Spain), so got what seemed to be the least worst solution on offer - an LG G2. It's still today on 4.4.2 of Android and I am very happy I just got back a Nexus 5 in working order. I am not even happy to give it to someone else... never mind the drawer full of half-dead/dying/dead Androids I have already....

    I understand why Google did what they did to get into the market, but they ended up with a Microsoft situation MINUS control. If they don't bring out another sensible Nexus I will have to go to Apple (and believe me that is really not something I want to do) or be really dumb and take an Ubuntu phone (big fan of desktop, but first generation anything is sh1t).

    So, Google, please fix the downstream process with partners...

    1. Charles 9

      Re: SO when then?

      "So, Google, please fix the downstream process with partners..."

      How can they when the partners don't want to cooperate? They're the ones that LIKE the status quo, even if it's at Google's expense.

      That's why Google's only solution to avoid potential litigation is to go the Apple route and take full control of the OS, thus why Andromeda is set up the way it is.

  18. Anonymous Coward

    Software Update for Motorola

    Hi

    Thanks for sharing this article with us. Nice Post.

    A good number of Moto users have reported the random reboot / restart issue in their Moto, and the critical thing is that it can occur at any time. This is surely not an application issue, as this thing happens at any time even if the Moto is placed idle. But now, we can’t be certain, as sometimes even when the application is closed it keeps on running at the back end and it might be making such types of issues.

    We are servicing How to Software Updation for all moto mobile devices.

    Regards

    Moto Service

    motorolaservicecenterchennai.co.in/mobile-software-update-for-motorola.html
