Security Expert Warns of Android Browser Flaw

Soulskill posted more than 3 years ago | from the memory-leak-leading-to-robot-revolt dept.

Google 98

justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'" Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.

This is why I love iPhone (4, Funny)

Anonymous Coward | more than 3 years ago | (#34360754)

On iOS, vulnerabilities are only used for jailbreaks.

Re:This is why I love iPhone (0)

Anonymous Coward | more than 3 years ago | (#34361684)

Yet every iPhone susceptible to that exposure could be updated within 2 weeks. I would like to see Android pull that one off...

Re:This is why I love iPhone (1)

Phopojijo (1603961) | more than 3 years ago | (#34362800)

Yet every iPhone susceptible to that exposure could be updated within 2 weeks. I would like to see Android pull that one off...

If Apple gets around to it, of course.

They've been known to let vulnerabilities go until they can roll them all up into a nice 250MB-or-so patch. [pcworld.com]

Hey, what's the rush? They're not a target.

Re:This is why I love iPhone (1)

JohnGeogie (1948924) | more than 3 years ago | (#34363276)

Apple OS is also not security.

Re:This is why I love iPhone (1)

bonch (38532) | more than 3 years ago | (#34368866)

In all seriousness, this is vindication for Apple's integrated model. It's been pointed out for a while now that the Android experience is under control of the carriers [techcrunch.com] , which is why they like Android so much. With iOS, you can get your updates directly from Apple the moment you connect your device to iTunes.

This could be just the beginning of the same kind of security headaches that Microsoft endured for years with Windows. The hassle isn't just responding to vulnerabilities; it's also getting those updates installed on people's devices in the first place. From the article:

Google has developed a fix for this flaw and has stated they will fix it in a maintenance release for the upcoming Gingerbread (2.3) release. That's great, but means even the most modern of devices will be exposed to attack for a month or more and older Android phones may be vulnerable in perpetuity. Apple and RIM do not face these types of issues because they have a limited selection of hardware shipping and provide OS updates only for devices they manufacture.

Re:This is why I love iPhone (0)

Anonymous Coward | more than 3 years ago | (#34385530)

it is bad, i think that don't good.

Good enough to Jailbreak? (0)

Anonymous Coward | more than 3 years ago | (#34360756)

I'm still waiting for a NetFront browser crash that will let me Jailbreak my Sony Mylo2.

I hate when I'm not allowed to run even my software on discontinued and obsolete Internet Devices.

Re:Good enough to Jailbreak? (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34360918)

I wouldn't hold my breath for a jailbreaking/modding community for a device so popular that it doesn't even have its own wikipedia page, and only gets about a paragraph on the main Sony Mylo page.

linkbait (3, Informative)

Anonymous Coward | more than 3 years ago | (#34360768)

1. Have to know full path to a file to view it.
2. Have to download a file, presumably from someone you don't know and trust.
3. This is in all browser versions, so how exactly does fragmentation factor in?

Like everything else, buzzwords like Android fragmentation guarantee hits.

Re:linkbait (2, Informative)

Anonymous Coward | more than 3 years ago | (#34360856)

You didn't read TFA did you?

1. Many file paths are standard and known, they are set by the OS or application.
2. The download is automatic, when you visit a malicious website
3. Fragmentation factors in because a fix can't be rolled out quickly (or at all) to the fragmented handsets which may or may not get updates from the OEMs/Carriers.

Re:linkbait (1)

marcello_dl (667940) | more than 3 years ago | (#34361092)

3. Fragmentation factors in because a fix can't be rolled out quickly (or at all) to the fragmented handsets which may or may not get updates from the OEMs/Carriers.

So the problem is not fragmentation. The lazy ass OEM is not gonna help you quickly after you purchased something from it. While in the fragmented world of linux distribution you get a fix issued quickly (at least on the major distros, which are not few).

So the real problem is "depending on lazy ass OEM", or "Not Having Control Of Your Device".

Re:linkbait (2, Insightful)

Moridineas (213502) | more than 3 years ago | (#34361188)

Your description would naturally seem to be part of fragmentation.

If you have 20 vendors you can bet that some of them are going to be good about support, some are going to be ok, and some bad. If you have 50 android phones, you can bet some are going to be supported better than others. And so on. This, of course, has both positives and negatives, but it's absolutely part of being fragmented.

If google could rollout a patch to Android OSes that could be applied to any phone and any carrier instantly, then you couldn't call the situation fragmented. But Google can't do that...so...

Since iOS and Android seem about diametrically opposed on this front, you can compare that there are a total of 4 models of iPhone -- iPhone, iPhone 3g, iPhone 3gs, iPhone 4. When Apple releases an update to iOS (eg the new 4.2.1), it applies to all phones except the original iPhone (which is now just shy of 4 years old). This system too has pluses and minuses. When apple decides a phone isn't supported, it's done.

Re:linkbait (2, Insightful)

vux984 (928602) | more than 3 years ago | (#34361318)

Since iOS and Android seem about diametrically opposed on this front, you can compare that there are a total of 4 models of iPhone -- iPhone, iPhone 3g, iPhone 3gs, iPhone 4.

And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...

When Apple releases an update to iOS (eg the new 4.2.1), it applies to all phones except the original iPhone.

And the original ipod touch.

(which is now just shy of 4 years old)

It was launched almost 4 years ago, it wasn't DISCONTINUED almost 4 years ago.

Given most people had to sign a 3 year contract to get one there are lots of original models still in use. There are lots of original models STILL UNDER CONTRACT.

But the really silly thing is comparing Android's fragmentation to apple's going it alone with ios and concluding that the fragmentation is somehow a disadvantage. If each of 20 vendors write their own operating system from the ground up the way apple did, would that be somehow better??

If 20 manufacturers did what apple did, we'd have 20 distinct operating systems. 20 incompatible app stores. 20 different development frameworks. Seriously. The fact that 19 out of 20 vendors chose to build on common foundations is a godsend, even if there is some variation between implementations.

Thank god we don't have 20 apples. One is quite enough.

Re:linkbait (0, Troll)

Moridineas (213502) | more than 3 years ago | (#34362058)

And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...

Oh you're right, that's true, I wasn't thinking about them since Android is only now starting to expand beyond cellphones. However, my point absolutely stands -- of the 9(?) devices/generations, almost all run the exact same version of iOS.

It was launched almost 4 years ago, it wasn't DISCONTINUED almost 4 years ago.

Given most people had to sign a 3 year contract to get one there are lots of original models still in use. There are lots of original models STILL UNDER CONTRACT.

What country are you in that requires people to sign a 3 year contract?? God, I thought American cellphone contracts were bad, and I've never seen one go beyond 2 years.

I can't say for sure, not knowing what country you are in, but for the US (and I would assume the rest of the world) you are very incorrect that there are "lots of original" models still out there. The original hasn't been sold in about 2.5 years, and given the AT&T contract length of 2 years (and there are exceptions to allow people to upgrade early), there just aren't many original users left (not to mention the original hardware's lack of 3g and other limitations). I'm judging this off analytics of sites I work with and other articles I've read...if you've got data to the contrary, let's see it.

But the really silly thing is comparing Android's fragmentation to apple's going it alone with ios and concluding that the fragmentation is somehow a disadvantage. If each of 20 vendors write their own operating system from the ground up the way apple did, would that be somehow better??

As I very clearly stated (and you would have read/understood if you weren't clearly just an android fanboi) there are advantages and disadvantages to both systems. In a way it's the cathedral and the bazaar. Android devices are NOT going to be supported (at least officially) the way iOS devices are. Some may be supported better, some may be able to be community supported, but you can bet a lot of handsets are going to be neglected not too long after release. I've seen this very complaint on slashdot even! In the end, I agree with Woz...I think Android probably will win.

Like I explicitly said in my previous post, with some Android phones you can get lucky and keep the upgrade train rolling (either officially or community). With Apple they're going to keep the train rolling for awhile, but once it's done (ie, original iPhone) it's done.

Thank god we don't have 20 apples. One is quite enough.

Right, so we get you're an operating system fanboi...great.

Re:linkbait (1)

vux984 (928602) | more than 3 years ago | (#34363180)

What country are you in that requires people to sign a 3 year contract?

Canada.

(and you would have read/understood if you weren't clearly just an android fanboi)

While I have plenty of issues with Apple as a company, I actually went with a 32GB iPhone 3GS. The fanboi comments are a bit misplaced.

Some may be supported better, some may be able to be community supported, but you can bet a lot of handsets are going to be neglected not too long after release.

Yep. But it's really a question of each manufacturer, and has very little to do with "Android".

That's my point, comparing iOS to Android is a false comparison. Compare Apple to Motorola to HTC to Samsung to LG to whatever. It's the manufacturer that decides what support is going to be like, not the platform.

Re:linkbait (1)

Moridineas (213502) | more than 3 years ago | (#34363296)

Canada

And 3-year contracts are really common in Canada? I had never heard this before...

While I have plenty of issues with Apple as a company, I actually went with a 32GB iPhone 3GS. The fanboi comments are a bit misplaced.

Fair enough. Usually when people make comments like "One is quite enough" re: Apple, they come across as fanbois. My mistake for assuming.

Yep. But it's really a question of each manufacturer, and has very little to do with "Android".

That's my point, comparing iOS to Android is a false comparison. Compare Apple to Motorola to HTC to Samsung to LG to whatever. It's the manufacturer that decides what support is going to be like, not the platform.

I think that's utterly irrelevant. Think about windows. Who sells PCs? Not Microsoft -- think Dell, Gateway, Acer, Asus, HP, Compaq, and so on. Who does the support? Well, it's a little bit more complicated, but basically the vendors and not Microsoft. Yet Windows/Microsoft is what has a horrible reputation. This is of course not directly analogous to Android, but if you think that crappy implementations -- or crappily supported implementations -- of Android are not going to impact the popular opinion of Android, I would bet against you. Other than the two cathedral phone developers (RIM and Apple) people don't really seem to have very much loyalty to individual brands of phones. Personally, in the decade before I got an iPhone, I had a motorola, LG (x2), kyocera, and Samsung phones. I would say my experience of brand hopping was fairly typical. I think this is clearly changing now that smartphones and the platform-centric nature of cellphones are becoming predominant, but how many people are really going to be loyal to HTC-Android over Whoeverelse-Android? They're going to be loyal to Android (or iOS, RIM, etc), if anything!

The bottom line is this -- each vendor is responsible for supporting (modifying! etc) Android on their own. That's the very definition of fragmentation. You're absolutely right that it's up to the manufacturers to fight that, but as I already said (and as many others -- even Android fans on slashdot) support for some phones is going to be lacking. As more and more handsets come out running different revisions, I think the impact of fragmentation will get worse. The fact that you say "Its the manufacturers that decide" what Android is going to be like on their phones is rather telling!

My bet would be that google somehow intervenes to try to get manufacturers to keep up their end better.

Re:linkbait (1)

vux984 (928602) | more than 3 years ago | (#34367006)

And 3-year contracts are really common in Canada? I had never heard this before...

Yes. Very common. Usually you can take any of a 1 year 2 year or 3 year contract, but with iphones it was 3-year only.

But even then the pricing structure is typically heavily skewed to induce the consumer into 3 year contracts. Here's an example from Telus:

529.99 - no contract
479.99 - 1 year
429.99 - 2 year
149.99 - 3 year

That's still pretty messed up.

http://www.telusmobility.com/en/BC/samsung_fascinate/index.shtml [telusmobility.com]

Well, it's a little bit more complicated, but basically the vendors and not Microsoft.

It's divided. Vendors support the hardware, and deal with the end users. But Microsoft still actually does -all- the OS support. You go to windows update, and get your patches direct from microsoft. OEMs rebrand the OS a bit, but Dell Windows 7 isn't really any different from Acer Windows 7.

With androids the situation is a bit different. The vendors are doing more than simply rebranding them, and the vendors are taking responsibility for pushing software updates in addition to hardware / customer support.

I see your argument vis a vis Microsoft Windows, but I think the android situation is markedly different.

I think the impact of fragmentation will get worse. The fact that you say "Its the manufacturers that decide" what Android is going to be like on their phones is rather telling!

Fair enough. But it -is- the handset manufacturers not android now who are responsible.

each vendor is responsible for supporting (modifying! etc) Android on their own. That's the very definition of fragmentation.

I'm not saying fragmentation isn't occurring. It has occurred. Because it has occurred it's invalid to say that android has a problem updating its software, because it's not android's problem.

It's Motorola's problem. It's HTC's problem. It's Samsung's problem. And it's up to each of them individually how well they address it.

If a defect is found in webkit, we don't say 'webkit' has a problem due to fragmentation. It's simply up to Apple to update Safari, Google to update Chrome, etc.

And we certainly don't go around lauding Microsoft's Trident engine as a superior model, exclaiming that if a bug is found in Trident only Microsoft has to fix it, and everyone who relies on it can get the update via windows update and how much better that is.

Re:linkbait (1)

Moridineas (213502) | more than 3 years ago | (#34376706)

I'm not saying fragmentation isn't occurring. It has occurred. Because it has occurred it's invalid to say that android has a problem updating its software, because it's not android's problem.

Ok, I think we're in almost complete agreement then. As I said in my original post, some Android phones are going to have great support, some ok, some bad, and so on. Having an Android doesn't guarantee bad support, but neither does it guarantee good support! MY feeling is that -- like MS Windows -- Microsoft is going to get blamed, as the most visible party, for such issues, rather than HTC, Samsung, LG, etc. And thus the problem with fragmentation. There's the potential for bad experiences with one vendor to sour the entire platform.

Re:linkbait (1)

vux984 (928602) | more than 3 years ago | (#34377110)

And thus the problem with fragmentation. There's the potential for bad experiences with one vendor to sour the entire platform.

If there was a problem with webkit, we wouldn't buy it for a second if Microsoft tried to exploit the fact one vendor dropped the ball with updates to paint all the droids, and ios devices as a fragmented browser platform that was difficult to keep updated. Right?

Why do we even entertain the notion that "Android fragmentation" is a "problem" in the first place? We should reject blaming Android fragmentation in the same way we (including Steve Jobs) would reject "Webkit fragmentation" as a problem.

Re:linkbait (1)

Moridineas (213502) | more than 3 years ago | (#34378614)

That's true, however the key difference is visibility. Is it unfair that Microsoft is blamed for slowed down systems when it's vendors that install bundles of crapware from day one? Sure. Is it unfair that a bad experience with one Android device might sour somebody on other Android devices? I guess?

Additionally, there's a huge difference between a rendering engine that most people have never heard of and is totally behind the scenes, and a highly marketed operating system and brand. Google is very much interested in the Android marketing and branding! Part of having a brand is that the good reflects positively and the bad reflects negatively, no matter whose "fault" it is.

I do happen to think that Android fragmentation is a net negative.

Re:linkbait (1)

BrokenHalo (565198) | more than 3 years ago | (#34365714)

What country are you in that requires people to sign a 3 year contract?

Here in Australia, the standard contract is 24 months. Given that I tend to keep my handsets for about double that term, I'm happy enough with that...

Wrong, just 1st gen Touch and iPhone (2, Insightful)

SuperKendall (25149) | more than 3 years ago | (#34362346)

Since your post was so rife with inaccuracies, I felt I had to correct the misconceptions you were attempting to spread.

And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...

Where did you get that from? The iPad and iPhone and Touch all run the same OS version now, 4.2. The only iOS device that cannot run 4.2 is the first gen iPhone or the 1st (and possibly second) gen Touch. That's not eight, it's around two. And both of those can be patched by jailbreaking, which happened within a few days of the PDF exploit.

Given most people had to sign a 3

No iPhone has ever had more than a two-year contract.

But the really silly thing is comparing Android's fragmentation to apple's going it alone with ios and concluding that the fragmentation is somehow a disadvantage.

Right, because the fact this vulnerability will take months to fix for 80% of Android users vs. something like it days to fix for 80% of iOS users, means nothing. Sure, you just keep saying that.

If each of 20 vendors write their own operating system from the ground up the way apple did, would that be somehow better??

In some ways, yes, because then they would each be on the hook to fix vulnerabilities, or not even have them with so many diverse implementations. But the simple truth is that they ALSO would have been better using Android in a way that Google would be the one pushing updates for things like the browser. That would have been the sane model, but Google decided to bow to the will of carriers and device makers and let them have all the control over updates.

If 20 manufacturers did what apple did, we'd have 20 distinct operating systems. 20 incompatible app stores.

How would that be different than what you are getting? You already have a few different app stores, including Verizon. Who is to say that in a few years the situation will not be exactly as you describe?

The real issue with fragmentation is that you don't HAVE Android anymore, all you have are variants with Android at the core.

Thank god we don't have 20 apples. One is quite enough.

Unfortunately, the market and consumers really need two but Google decided to take themselves out of the running; with any luck Microsoft has learned and can be the Other Apple.

Re:Wrong, just 1st gen Touch and iPhone (1)

vux984 (928602) | more than 3 years ago | (#34363150)

No iPhone has ever had more than a two-year contract.

"Fido, Rogers to offer iPhone with 3-year contracts"

http://www.cbc.ca/technology/story/2008/06/12/fido-iphone.html [www.cbc.ca]

From first hand experience:
3 year contract, or you buy the phone outright.
1 and 2 year contracts were not options.

How would that be different than what you are getting? You already have a few different app stores, including Verizon. Who is to say that in a few years the situation will not be exactly as you describe?

It will never get -THAT- bad. Some manufacturers will surely do some stupid things, but not all of them will.

Right, because the fact this vulnerability will take months to fix for 80% of Android users vs. something like it days to fix for 80% of iOS users, means nothing. Sure, you just keep saying that.

The point is that it's a meaningless comparison.
Motorola might have theirs fixed in days, or it might take them months or never to get around to it.
HTC might have theirs fixed in days, or it might take them months or never to get around to it.
...or if the defect were with ios...
Apple might fix theirs in days, or it might take them months or never to get around to it.

You're right that an android defect might take longer before all the 'other' manufacturers fix, but how is that relevant?

If you have brand-x it doesn't really matter what brand-y does, regardless of what platform the handset is.

If you have a Motorola all that matters is how long motorola does it. If you have an apple all that matters is how long apple takes...

Re:Wrong, just 1st gen Touch and iPhone (1)

SuperKendall (25149) | more than 3 years ago | (#34371412)

Ok, I admit it, I had not heard Rogers had three year contracts. I stand corrected. But I have not heard of three year contract lengths in any other country; I'm pretty sure that's an aberration and the original post said nothing about Canada, making the complaint sound generic.

I'd probably have to bite down and buy an unlocked phone before I went for a three year contract. That's pretty crazy. I can only hope Canadians got better iPhone prices as a result, but I doubt it.

Re:Wrong, just 1st gen Touch and iPhone (1)

IamTheRealMike (537420) | more than 3 years ago | (#34365534)

You're assuming that the benevolent dictator model results in better security. But we have that in the desktop/laptop OS space in which Microsoft and Apple duke it out between them. Guess what - Apple's track record of patching security flaws is absolutely atrocious. They have a reputation for leaving bugs unpatched for months. Microsoft do a lot better these days, but even then, there are so many exploits, and enough users who don't get the online updates, that the OS is a piece of Swiss cheese.

Today, HTC/Motorola/Samsung etc aren't that great about distributing updates quickly. But they're new to this game, much newer than Apple or Microsoft are. There's nothing to say that in future, HTC won't be the fastest gun in town when it comes to security ..... if they begin to see it as a competitive advantage rather than a hidden cost.

Re:Wrong, just 1st gen Touch and iPhone (1)

SuperKendall (25149) | more than 3 years ago | (#34371382)

You're assuming that the benevolent dictator model results in better security.

No, I'm not. I'm assuming only that the "benevolent dictator" model is better at being able to deploy security patches. And that is true.

Better security results in a better security model, with appropriate layers. I personally think the iPhone has a slightly better base model than Android does - here we see the effects of fragmentation on being able to patch an issue, but beyond that the iPhone would not have this risk because there is no SD card that has to have a less secure file system than the internal storage.

Furthermore I've always found the Android permission model weaker - it's finer grained but asking up front for application capabilities before you know how you will use an application is I think a mistake, it's too far removed from point of use of a protected resource. The iPhone asks when you wish to access something like the phone, or GPS, so that you can decide at that point if what the application is doing makes sense to you.

Apple's track record of patching security flaws is absolutely atrocious. They have a reputation for leaving bugs unpatched for months.

Right - in things like the Flash player. Which is not on the iPhone you'll notice... the record on the iPhone has been decent, better than the desktop.

Today, HTC/Motorola/Samsung etc aren't that great about distributing updates quickly. But they're new to this game, much newer than Apple or Microsoft are.

I call bullshit; HTC at least has been distributing Windows Mobile phones for quite some time with the same kind of patch requirements.

Re:linkbait (1)

jrumney (197329) | more than 3 years ago | (#34369850)

iOS 4.0 and 4.1 did not apply to the iPad either. It's past time for the Apple fanbois to drop the fragmentation non-argument.

Re:linkbait (1)

camperslo (704715) | more than 3 years ago | (#34362832)

The Android platform is quite fragmented (many forks, without source available), because so many vendors have had so many different phones and they've generally all made CLOSED proprietary changes. The Apache license doesn't require the carriers to make their user-space code available to users or Google or anyone. (The Linux part is still GPLed, but that is only part of Android).

http://arstechnica.com/old/content/2007/11/why-google-chose-the-apache-software-license-over-gplv2.ars [arstechnica.com]

Users generally have crippled control of their devices since generally only the carrier has the source to what they're using. Building from other source is possible, but will likely introduce other problems and cause loss of features added by the carrier. It's not the same as with the many Linux distributions because those generally each have the full source available.

Some carriers wouldn't like the openness, but if Google switched to the GPL for future releases, users could likely see community fixes/enhancements long after the carriers moved on.

Carriers CAN release under the GPL. Users should demand it. The current situation also makes it unlikely that work done by each carrier will go upstream to improve things for everyone.

Re:linkbait (1)

Stan92057 (737634) | more than 3 years ago | (#34365426)

So, what else ya want? They are using a free FOSS and now you want them to patch it??? hahahahaha :} There goes that free theory

Re:linkbait (1)

marcello_dl (667940) | more than 3 years ago | (#34370686)

>free FOSS...

and that constitutes the only part of your post that makes some sense.

care to troll in a more refined way?

And as best I can tell many cannot update (1)

niftymitch (1625721) | more than 3 years ago | (#34370332)

If I click on the update phone my Android phone fails to connect to the update site and demands that I wait another 24 hours to try.

At least my service provider is very nearly the beginning of the American alphabet which should put my up-date first in the list.

There are also a lot of files that normal permissions will not let me see to backup....

At least I do not have my personal TSA full body scan images on the phone.

Re:linkbait (4, Informative)

node 3 (115640) | more than 3 years ago | (#34360860)

Fragmentation affects the creation and distribution of the patch.

Re:linkbait (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#34360946)

Even if fragmentation is an issue, it's still easier to distribute than iphone, where it's up to the user to manually plug in their phone and apply the patch. Most of the fragmentation people talk about is because there are older Androids. Iphone has fragmentation too if you consider people that are still on iOS 3. Now stop with the FUD!

Re:linkbait (1)

PenguSven (988769) | more than 3 years ago | (#34361094)

Most of the fragmentation people talk about is because there are older Androids. Iphone has fragmentation too if you consider people that are still on iOS 3.

I would argue that Android fragmentation is caused by OEMs releasing handsets that are running old versions, with zero upgrade path.

Apple don't sell hardware that's running an older version of iOS with no upgrade path.

Re:linkbait (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34361132)

The original iPhone no longer receives updates, so if you have a classic iPhone then you're shit out of luck should security exploits arise unless you jailbreak the device, but then you can do that on Android devices too- root them if necessary and stick a newer version of Android on.

Apple's platform suffers exactly the same problem, there are just less device types (although possibly as many actual devices) out there that don't get updated.

Re:linkbait (1)

vlueboy (1799360) | more than 3 years ago | (#34361726)

The GP is right, but you seem to be missing the big final point: Android phones come out with 1.6 when version 2.0 and 2.1 are out.

To most people fragmentation doesn't mean "security flaws" --it means "oh, no! I paid $200 and got stuck in a contract for many more hundreds, and now I can't run X new free app." Compare that to Apple, as the GP said: November 28, 2010 some new OS X comes out? not a single PC at the store will sell you a box with the old one.

Hmm, contrast that with Windows XP and see why it's so hard for any company [ie: Microsoft] to be leader in a user environment when your own OS fragmentation (XP, Vista, Seven and even 2000) is out of your control.

Re:linkbait (1)

hairyfeet (841228) | more than 3 years ago | (#34361772)

Don't forget the NEW toys still being released with OLD versions of Android. Go check out Chinamart or any of the bazillion places that sell CCC (cheap Chinese crap) and look at which Android they are running...damned near every single one is running 1.6. I don't know what it is about 1.6 but you see the thing everywhere and I doubt seriously most of these devices will be given updates at all.

While I personally don't care for Steve's walled garden you do have to admit so many cheapo devices being dumped on the market running such an out of date version is gonna cause some headaches. After all the average Joe ain't gonna know WHICH Android he has, all he'll be able to tell you is it is the cute little green robot thingie.

Re:linkbait (1)

twidarkling (1537077) | more than 3 years ago | (#34362940)

I got my phone less than a year ago, and it's running 1.5. And it's made by Samsung. And there's no plans on updating it. Samsung dropped all support for it as soon as they released a slightly newer version of the phone. It's not even supported in their "New PC Studio" software that's supposedly the only way to update the phone. Or at least it wasn't 3 months ago.

Re:linkbait (1)

hairyfeet (841228) | more than 3 years ago | (#34363360)

Which just proves my point, thanks. While I like the idea behind Android, the implementation has frankly been one gigantic clusterfuck. Pretty much the ONLY thing you can do with Android is make sure you are happy with the version that comes with the device, because otherwise in all likelihood you are screwed. Between devices that can't update and OEMs that won't update I'm afraid Google walked Android right into old Steve Jobs's talking points. Pretty much the Android "market" is gonna be this giant mish mash of devices spread from 1.5- to the latest version, and most will NOT get any kinds of updates.

Hell walking into Walgreen's during Black Friday (don't look at me like that, I needed sinus medication) I came across a "$99 Android Pad!" which of course was a 7 inch iPad knockoff, with the big old Android bot right on the cover. Guess which version this "brand new" device was running? 1.5, just like your phone. It is gonna be a total mess, and I predict that despite the slow start if Google don't pull their shit together it is gonna be WinPhone 7 and iOS, simply because both control the ability to update, MSFT through strict hardware rules and Apple by making the device, whereas Google is letting the version mess spiral out of control.

They NEED to put their foot down and say ALL devices get 1 year of updates minimum, and ALL devices must be running a less than 6 month old version at release. Otherwise 3 years from now we'll still be seeing Android 1.5 devices being released with that big old Droid logo on them, just muddying up the waters and confusing consumers.

Re:linkbait (0)

Anonymous Coward | more than 3 years ago | (#34361034)

Uh huh - funny.

I think that something goes up - which is why you are running your cell phone on your computer and wondering why your Android frags the hard drive.

It sounds like you already knew.

Update Woes (1)

nurb432 (527695) | more than 3 years ago | (#34361082)

It could make it nearly impossible to patch, for off-brands that run Android.

Linus T. pulled ANDROID code from kernels, so... (0)

Anonymous Coward | more than 3 years ago | (#34362056)

He did well it appears thus far.

I say that, because this is the 2nd ANDROID security hole I've heard about in this one, & the other was at most a week ago also.

I also formerly recall ANDROID code in the kernel being part of the normal family distros you see here http://distrowatch.com/ [distrowatch.com] usually, but I have recently heard it was gone now for awhile!

So... Per my subject above, maybe this is for the best, as again, this the 2nd security hole I have seen in ANDROID this past 2 weeks now in fact as I stated above...

APK

P.S.=>

"Fragmentation affects the creation and distribution of the patch." - by node 3 (115640)
on Saturday November 27, @06:18PM (#34360860)

Security also, per the above, @ least lately...

However, this DOES show you "Pro-*NIX" Penguins out there that yes, Linux can & does have "holes" in it, especially when its changed/ported (etc./et al, you know what I mean, in comparing ANDROID to other LINUX kernel builds)... apk

not Linux (1)

DrYak (748999) | more than 3 years ago | (#34410986)

for the last time: Linux is a kernel.
this bug isn't in the kernel. Linux isn't affected.

this bug isn't even in the GNU userland which is used in most distributions (and which android lacks as it relies on busybox instead)

this bug is in the browser, which has nothing to do with your regular distributions. At most, it's a distant cousin from Chrome (another browser done by google) and perhaps Webkit (the frame work used by all browsers by Google, Apple and KDE)

luckily it's opensource (1)

DrYak (748999) | more than 3 years ago | (#34411064)

luckily android is free/open source under apache licence. So even if HTC and the like don't publish their own fixes, you can expect to find up-to-date firmware from 3rd parties like Cyanogen.

the only part i don't like is that replacing the firmware requires rooting the phone. One shouldn't have to hack his/her *own* phone to replace free/libre open software!

(i type that on a palm pre running a custom kernel, which was installed using nothing more than the officially documented "dev mode", no exploit required).

Re:linkbait (1)

bonch (38532) | more than 3 years ago | (#34368734)

You're a fanboy. We know this because you obviously didn't even read the article, where your points are refuted. Instead, you didn't like that Android was being criticized, so you immediately posted an anonymous comment to dismiss the story as linkbait.

I suspect you're one of the many anonymous posters who suddenly shows up in every article critical of Google or Google products.

Upgrade to iPhone time :) (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34360776)

Time to upgrade to an iPhone bitches.

Re:Upgrade to iPhone time :) (0)

Anonymous Coward | more than 3 years ago | (#34360930)

Just because there's only one vendor for the iOS does not mean Apple is fixing every bug as it shows up.

Abuse of "zero-day" term? (5, Informative)

ciaran_o_riordan (662132) | more than 3 years ago | (#34360806)

"Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.

TFA says Cannon gave Google prior warning, so this isn't zero-day, right?

http://en.wikipedia.org/wiki/Zero-day_attack [wikipedia.org]

I think news agencies just stick "zero-day" to all virus/bug news because it sounds scary.

Re:Abuse of "zero-day" term? (-1)

Anonymous Coward | more than 3 years ago | (#34360886)

It's a zero-day flaw, not a zero-day attack.

Re:Abuse of "zero-day" term? (-1)

Anonymous Coward | more than 3 years ago | (#34360892)

"Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.

TFA says Cannon gave Google prior warning, so this isn't zero-day, right?

Depends on how much prior warning he gave them. If it was less than 24 hours, it still counts as zero-day.

Re:Abuse of "zero-day" term? (0)

Anonymous Coward | more than 3 years ago | (#34361856)

True but since there is currently no fix then it's "zero days since a fix has been released." In other words, it can be exploited and there is no fix for it.

Because of this I consider it zero-day, whatever the Wikipedia says (because we all know that is a definitive source).

Re:Abuse of "zero-day" term? (0)

Anonymous Coward | more than 3 years ago | (#34364094)

No, zero-day exploits are exploits, found in the wild, against an unpatched vulnerability. For example, a "5-day" is an exploit found in the wild 5 days after the respective patch came out.

The point the summary at least is making is that because of Android's fragmentation, even if Google were to release an update, it wouldn't be rolled out to all the handsets (immediately or at all), and therefore there would be zero-day exploits against those handsets.

Chester Wisniewski's point is invalid, IMO (1)

Weaselmancer (533834) | more than 3 years ago | (#34360840)

Chester says:

Now for the #fail. Android, like Windows Phone, is largely designed to be an open platform. Windows Phone does require licensing, but supports many handset makers similar to the Android strategy. What do I mean by this? Many carriers and manufacturers of handsets are encouraged and able to use the operating system and adapt it to just about any form factor they can imagine. HTC, Samsung, Motorola, Acer and others each can make interesting, innovative devices and customize the operating system to meet their needs.

This sounds like a good thing, right? It is awesome if you are a consumer and want the maximum amount of choice and flexibility. The problem comes in when you have to patch or maintain the software that drives these devices when they only have the most basic components in common. This is the security nightmare that Android is beginning to face. Every device on every carrier has a slightly unique configuration that requires that phone's manufacturer and carrier to update its software independent of what Google may have provided.

My question is, why is that a problem?

You don't go to Apple and ask for Windows patches. You don't ask Windows to patch your iWhatever. Each company maintains its own patches. If the common point in between two devices happens to be Android, how can this be some kind of nightmare? It's SOP. The company that sells you the gadget gives you the patches. In short, so what?

Re:Chester Wisniewski's point is invalid, IMO (2, Interesting)

bhtooefr (649901) | more than 3 years ago | (#34360894)

But you do go to Microsoft and ask for Windows patches for your Dell or HP (or even for your iWhatever, if your iWhatever is an iMac, and you're running Windows on it.)

This is a nightmare because you have to go to the company that sells you the gadget... and it can take months for the phone manufacturer to validate a new ROM for your phone based on Google's code, and then a few more months for your carrier to validate that ROM.

Re:Chester Wisniewski's point is invalid, IMO (1)

bmo (77928) | more than 3 years ago | (#34360934)

As opposed to what, Microsoft sitting on its hands for months or years because they won't fix or until they can't take the wailing and gnashing of teeth anymore?

How's that Windows Home Server goin' for ya?

"ANDROID HAS BUGS! BE AFRAID! BE VERY AFRAID! FRAGMENTATION! FRAGMENTATION! BOO!"

--
BMO

Re:Chester Wisniewski's point is invalid, IMO (1, Insightful)

thetartanavenger (1052920) | more than 3 years ago | (#34361048)

As opposed to what, Microsoft sitting on its hands for months or years because they won't fix or until they can't take the wailing and gnashing of teeth anymore?

At least then you're only waiting on MS to get off its ass, not MS and then the manufacturer..

Re:Chester Wisniewski's point is invalid, IMO (2, Informative)

F.Ultra (1673484) | more than 3 years ago | (#34361156)

I can't recall a single windows phone on which I could install patches directly from Microsoft. Yes there was a Windows Update button but it always timed out after 15 minutes telling me that it couldn't connect and I still had to wait for the phone manufacturer to release the patch (if ever). This on SE phones, perhaps there were other winphones where this worked better?

Re:Chester Wisniewski's point is invalid, IMO (0)

Anonymous Coward | more than 3 years ago | (#34362102)

In "Windows Mobile", Microsoft allowed a similar level of customization to the base OS as Android, and therefore updates have to come from the handset manufacturer (which means updates came never).

In "Windows Phone 7", Microsoft locked down the OS layer, any per-manufacturer or per-carrier customization is required to be done at the application level. That means all Windows Phone 7 devices will get OS updates directly from Microsoft, similar to iOS and Apple.

Re:Chester Wisniewski's point is invalid, IMO (1)

bjartur (1705192) | more than 3 years ago | (#34364090)

One downloads updates from one's distro's repos. That will be Windows Update if you can't be bothered to choose a distro on your own.

Re:Chester Wisniewski's point is invalid, IMO (4, Interesting)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34360910)

His point is arguably more valid for some types of problems than for others...

Some things are inherently difficult in an environment with numerous hardware variations that cannot be depended upon (designing UIs that work nicely across multiple screen sizes/keyboards vs. softkeys only, etc, substantial differences in processing power, RAM, storage); but most security bugs, unless apocalyptically foundational in some ugly way, generally don't qualify. Nor are security fixes (unlike new features, or issues related to custom skins and other OEM differentiation crap) generally something that carriers are likely to be conflicted about from a marketing perspective. Lots of carriers are doing a lousy job of updating existing handsets to newer android versions because they would really rather just sell you the Model N+1 and another two year contract. Doing that with an obscure bug is harder.

Re:Chester Wisniewski's point is invalid, IMO (1)

thetartanavenger (1052920) | more than 3 years ago | (#34361018)

You don't go to Apple and ask for Windows patches. You don't ask Windows to patch your iWhatever. Each company maintains its own patches. If the common point in between two devices happens to be Android, how can this be some kind of nightmare? It's SOP. The company that sells you the gadget gives you the patches. In short, so what?

However, you do go to Microsoft for windows patches even when your laptop is made by Acer. That's the point he's making, in previous OS situations you would go to Google for the patch, but you can't, you have to go to the device manufacturer instead.

Re:Chester Wisniewski's point is invalid, IMO (4, Insightful)

Peganthyrus (713645) | more than 3 years ago | (#34361022)

So let's say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.

Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it's really serious it'll probably pop up in the next Patch Tuesday. If it's hyper-serious then it might come out three or four days after the vuln was announced.

That's not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can't give you any patches because the HP customizations are a fork of MS's source; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.

Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you're lucky.

Oh, and some of them have implemented DRM that will trash your computer if you try to install vanilla MS Windows. And nobody makes the drivers for their custom hardware available anywhere outside of the binary blobs they distribute. Pretty much everyone except the hardcore nerds is just gonna be running whatever release of the OS came with their computer, or maybe the one update they got - even if they keep the machine for five years. Even if they want to try and update it.

So tell me, why is this a problem?

Re:Chester Wisniewski's point is invalid, IMO (0)

Anonymous Coward | more than 3 years ago | (#34361374)

We lose sight of how good the PC industry actually is, because we spend so much time (deservedly) bashing Microsoft, without ever considering how much worse it could be. As a registered Google Fanboi (tm), even I can admit disappointment in Google over 3 offenses: popularizing Java again, founding the OHA and transferring control of Android over to it (even if this is the only reason Android became competitive), and its open collaboration policy to (1) allow Google-branded firmware to be shipped while modified, (2) allowing carrier regulated firmware updates, and (3) permitting just anyone to fork the source code and call the fork Android (or Android-compatible).

It's terrible. I bet in 3 years, carrier Android phones will have video advertisements embedded on the home screen. And no one will do anything about it.

Re:Chester Wisniewski's point is invalid, IMO (1)

bjartur (1705192) | more than 3 years ago | (#34364204)

Yes we will. We'll distribute custom images and install them onto our phones.
First one buys the phone, then one buys the OS. Android seems like a fine choice.

The only problem is manufacturers not specifying interfaces to the hardware. Do not buy hardware for which full specifications are not available as you won't be able to utilize the hardware as you wish.

Re:Chester Wisniewski's point is invalid, IMO (1)

bjartur (1705192) | more than 3 years ago | (#34364154)

That's why everything is standardized. That way you can patch your kernel and win32 and unix subsystems without breaking your window manager and web browser.
Imagine if OEMs bundled Opera and dwm with their hardware.

I'm sorry, but if you've bought a computer that breaks horribly when you try to use it and make it execute code, you've been ripped off. Check if your warranty's expired.

Re:Chester Wisniewski's point is invalid, IMO (2, Informative)

PhrostyMcByte (589271) | more than 3 years ago | (#34361148)

They just don't want to spend any more money on it. Android code gets released, then the OEM customizes it, and then the carrier finally customizes it. That's a lot of work -- the 10 or so current phones they've got out, plus their entire back catalog. They've already got your money. So long as it doesn't affect their network, why do they need to bother? It only takes one of the OEM or carrier to decide it's not important.

Chester was entirely wrong about Windows Phone, too, unless he is confusing it with Windows Mobile (the pre-7 stuff). Windows Phone 7 is the complete opposite of how Android is doing it: Microsoft is basically trying to create an iPhone competitor in every way, but allowing for multiple devices. To do this they made very stringent hardware and software requirements -- all the phones are basically exactly alike on the inside. Samsung couldn't even use their own Hummingbird processor, because Microsoft only allows the Snapdragon. They also don't allow OEMs or carriers to modify the OS -- the most they can do is pre-install some apps, which act like every other app, so they can be fully removed and are automatically updated.

Because of this, updating the OS is very very easy. There is no fragmentation, and Microsoft plans to push out all the updates themselves, exactly like Apple does. There might be a short delay between carriers to certify that it won't bork their network, but that's all. (Apple can hide this because they only have to do it with one carrier)

Re:Chester Wisniewski's point is invalid, IMO (1)

dswskinner (630472) | more than 3 years ago | (#34361340)

1 carrier in the US. Many more than that globally.

Slightly unique? (1)

cyber-vandal (148830) | more than 3 years ago | (#34361558)

I wish people would learn what unique actually means.

Android cloud computing rates (4, Funny)

MillionthMonkey (240664) | more than 3 years ago | (#34360848)

Tired of Amazon S2 prices piling onto your organization's IT expenses? Thinking of running large distributed apps on your own equipment? We offer cloud computing services for cheap!

Standard on-demand instances:
Small (1000 Android cellphones): $0.05 per hour
Large (5000 Android cellphones): $0.20 per hour
Extra large: call

Get a 10% discount if you sign up before zero day is over.

The real problem is... (5, Interesting)

jimpop (27817) | more than 3 years ago | (#34360888)

The real problem is that there is no easy way to patch this. Seriously, Android/Google should have long ago known that this situation (i.e. vulnerability with no quick way to patch) could be possible.

Re:The real problem is... (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34360944)

I suspect that they knew about it, in theoretical terms; but how do you respond to such knowledge? Asserting the amount of control needed to push quick patches to 3rd party embedded devices would make the 3rd parties run screaming. Delivering perfect software on anything resembling a budget isn't really a happening thing.

It's sort of like knowing that you are going to die. The number of things you can do isn't zero; but you can never really "react usefully" to this knowledge because there just isn't anything that you can do about it. I assume that Google encourages 3rd parties to follow the mainline with the same enthusiasm that some individuals reserve for eating healthy foods and getting exercise; but both are facing an ultimately futile exercise.

Re:The real problem is... (0)

jimpop (27817) | more than 3 years ago | (#34361008)

> but how do you respond to such knowledge?

You implement a Patch Tuesday solution, at least.

Re:The real problem is... (3, Funny)

froggymana (1896008) | more than 3 years ago | (#34362216)

Shouldn't they think outside of the box? Why not have a patch Monday so they can be one step ahead of microsoft?

Re:The real problem is... (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34373294)

"Patch Tuesday solution" basically implies "Asserting the amount of control needed to push quick patches to 3rd party embedded devices".

Unfortunately, patching embedded devices is something of a problem industry wide: many of them are weird/customized enough that 1st party patching would be truly heroic, for any issues that aren't isolated near the top of the stack, and many of the 3rd parties who made them are basically uncaring, incompetent, or both. PCs, by contrast, are both fairly heavily standardized (there are oddities; but if it won't boot Windows, or freaks out if you pop in a card with an option ROM, it is going to have market problems) and are typically free to patch themselves. Embedded devices are often somewhat odd, architecturally, and in ways that may not be public knowledge (even Microsoft, not exactly a big OSS fan, had to start distributing large portions of WinCE as source, albeit under a proprietary licence, because binaries were too inflexible for embedded developers). You see much the same thing regardless of OS. PCs running NT-derived OSes are generally patched, unless the user is a pirate, already compromised, or an idiot, or the PC is in some tightly locked-down and change averse IT shop (where, at least, it probably has firewalls and IDSes and stuff). PCs running linux are generally the same way. Devices running WinCE or NT embedded and derivatives, or embedded devices running Linux, are frequently dependent on the vendor for fixes (either cryptographically enforced, or because they are weird enough that you need dev skills and dev tools in the respective OS to update them) and are typically woefully out of date and vulnerable.

In this specific context, Google's blessed Android devices, or devices sufficiently well understood for 3rd party ROMs to be a valid alternative, will probably be the "PCs" of the android world, running code close to new, and as secure as is available. The problem is the ones that deviate from that. Google has fair leverage over prominent telcomm devices(in the sense that proprietary google software, app store, navigation, etc. are seriously important selling points for expensive smartphones); but telcos have serious pushback power. Random pacific rim crapgadget guys have zero power; but they are generally just shipping digital photoframe hardware running a compile of the OSS elements, along with some terrible custom software. Google has no leverage, and they aren't exactly to be trusted for timely software updates and general code quality.

It is a large, and general, problem now that embedded devices of all sorts are internet-connected(y hello thar, stuxnet worm...)

Apple has "solved" the problem by simply eliminating all 3rd party vendors. This does solve the 3rd party vendor issue; but has some downsides.

The best case that I can imagine for Android, would be for Google to move as much as possible into safely-updateable modules(rather like linux with a package manager, rather than updates only by writing an entire firmware lump) to make it easier to push updates between point releases or to devices that will never receive point releases(this still won't save them if Vendor X's shitty custom skin depends on, say, the vulnerable version of the browser and won't work with the updated one; but it will at least help devices whose hardware or vendor's commercial considerations keep them at some obsolete release forever.

Second, it is to be hoped that, eventually, the market will settle down a bit into two camps: A)Relatively high profile devices, shipped by major telcos and the like, which are either produced by outfits willing to do their own security work, or willing to stay very near stock and adopt Google's security work. B) "Relatively-best-of-breed" cheapy tablets and mysteriously brandless-countlessly rebadged hardware whose relative superiority over other such hardware, and relative low cost and weak tivoization vs. telco locked gear, attract sufficiently large communities of cheapskates and freedom enthusiasts that their custom ROMs will become the de-facto standard firmware(possibly even with the company's blessing. If I'm some pacific rim hardware assembler with razor thin margins and no real software, UI, or localization expertise, the existence of a bunch of enthusiasts who are, purely voluntarily, making my otherwise near-unusable-in-English-language-markets device the most popular in its class is an outright gift...

If that happens, things should be OK. If there remains a whole bunch of phones that are cryptographically bound to a vulnerable ROM shipped by a company that just doesn't care, then we have issues...

Re:The real problem is... (0)

Anonymous Coward | more than 3 years ago | (#34361002)

Google has been putting "stock" apps like Gmaps and Gmail into the android market lately allowing you to update individual apps without your carrier having to do anything.

I expect the browser to show up in the market soon and this will all blow over. This shouldn't discourage people from claiming the sky is falling though.

Re:The real problem is... (0)

Anonymous Coward | more than 3 years ago | (#34361036)

No easy way to patch this? How so? They can get a patch out which can be picked up by vendors and pushed out as an OTA update. It's not for a lack of way, rather it is for a lack of will perhaps on the vendors part.

The situation is actually better than Apple - it would not have to be a full OS update, just a small OTA update in Android's case.

Wondering what the case is with iPhone 2G devices - does it still get updates if someone discovered a flaw in OS 3.x ?

Microsoft might end up looking good compared to Android and Google if they execute their updates per plan.

Re:The real problem is... (1)

Merk42 (1906718) | more than 3 years ago | (#34374428)

Given many phones are still on Android 2.1 or earlier, the question is if Google gets a patch made, would the vendors/telcos bother to apply it and push it out to their phones?

Re:The real problem is... (1)

Tacvek (948259) | more than 3 years ago | (#34361068)

There is a very easy way to patch it. Don't let public pages redirect to "content://com.android.htmlfileprovider/*".

While it is fully intended that public pages be able to access other content providers, there is no valid need for them to be able to access html files stored on the device, especially since local html files are trusted higher than public html files.

In the attack, the server forces an html page to be downloaded by using an incorrect content-type. It then redirects to that local page via the content provider. Given the higher trust of local html pages, it can load the targeted file, and posts it to the malicious server.
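The mitigation proposed in the comment above, sketched as an added example (not part of the original thread and not Android's browser code): a redirect-chain check that refuses to follow a navigation that began on a public page into `content://com.android.htmlfileprovider/`. The function names and sample URLs are constructed; also blocking `file://` and failing closed on unparseable URLs are assumptions that go beyond the comment's rule.

```python
from urllib.parse import urlsplit

# Schemes served by remote, untrusted origins.
REMOTE_SCHEMES = {"http", "https"}
# Content-provider authority named in the comment above.
HTML_FILE_PROVIDER = "com.android.htmlfileprovider"


def classify(url):
    """Return (scheme, authority), both lowercased; ("invalid", "") if unparseable."""
    try:
        parts = urlsplit(url.strip())
        return parts.scheme, (parts.hostname or "")
    except ValueError:
        return "invalid", ""


def is_local_html_target(url):
    """True if the URL would load an HTML file stored on the device."""
    scheme, authority = classify(url)
    if scheme == "invalid":
        return True  # fail closed: do not follow what cannot be parsed
    if scheme == "content" and authority == HTML_FILE_PROVIDER:
        return True
    # Assumption (generalisation): treat file:// the same way.
    return scheme == "file"


def first_blocked_hop(chain):
    """Walk a navigation/redirect chain in order.

    Returns the index of the first hop that must be refused, or None if
    the whole chain is acceptable. Once any hop was served by a remote
    origin, the chain stays "remote-initiated", so bouncing through an
    intermediate local URL does not launder the request.
    """
    remote_seen = False
    for index, url in enumerate(chain):
        if remote_seen and is_local_html_target(url):
            return index
        if classify(url)[0] in REMOTE_SCHEMES:
            remote_seen = True
    return None


# Constructed sample chains (hosts and paths are placeholders).
REMOTE_TO_LOCAL_HTML = [
    "http://example.test/start",
    "http://example.test/download",
    "content://com.android.htmlfileprovider/sdcard/download/page.html",
]
REMOTE_TO_OTHER_PROVIDER = [
    "https://example.test/start",
    "content://com.example.provider/item/1",
]
LOCAL_ONLY = [
    "file:///sdcard/index.html",
    "content://com.android.htmlfileprovider/sdcard/notes.html",
]
LAUNDERED = [
    "http://example.test/start",
    "content://com.example.provider/item/1",
    "CONTENT://COM.ANDROID.HTMLFILEPROVIDER/sdcard/download/page.html",
]

if __name__ == "__main__":
    for name, chain in [
        ("remote -> local html", REMOTE_TO_LOCAL_HTML),
        ("remote -> other provider", REMOTE_TO_OTHER_PROVIDER),
        ("local only", LOCAL_ONLY),
        ("laundered via other provider", LAUNDERED),
    ]:
        print(name, "->", first_blocked_hop(chain))
```

Other content providers stay reachable from public pages, as the comment says is intended; only the hop into locally stored HTML is refused.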

Re:The real problem is... (0)

Anonymous Coward | more than 3 years ago | (#34361088)

Now describe rolling the patch out to all of the different hardware Android is running on, including the stuff stuck in 1.x, which is what the original poster was talking about.

Re:The real problem is... (1)

Tacvek (948259) | more than 3 years ago | (#34364706)

Still easy for the vast majority of devices. Just place a patch in the market. The trick would be distributing different versions of the new browser executable to each android version. However, the way the market works makes that entirely possible.

Then the only devices that remain are those without the market. Google can contact the OEMs of such devices, and give them the source code patch. It is then no longer Google's responsibility, but rather the OEM's responsibility to actually issue the patch.

Hope it hits a lot of users (1)

witherstaff (713820) | more than 3 years ago | (#34362624)

If it hits big enough maybe the carriers will wake up and offer a stock image with all the various crap as add ons. Seriously, I don't want Sprint TV, or sprint Nascar's app. But I do want my few months old phone to be upgradable past 2.1.

If enough pages hit that make it unusable then either the phone companies will have to push an update or give new phones to anyone claiming breach of contract.

Browser will be an App soon (0)

Anonymous Coward | more than 3 years ago | (#34365906)

Apps like the browser are planned to become normal apps soon, which can easily be updated via Android Market. So hopefully problems like this will be less dramatic in the future.

Re:The real problem is... (1)

ViViDboarder (1473973) | more than 3 years ago | (#34375418)

And then there are those of us running AOSP ROMs like CyanogenMod who will likely have fixes on our phones in no time. Hopefully manufacturers see how well Open Source responds to issues like this and realize that what they are doing puts a lot of phones at risk by making the process so tedious for updates that they move from "releasing source code" to maintaining a Git/SVN server that regularly pulls in updates from their team as well as the Android trunk. I think TMobile is already moving towards this. Last step would be to actually allow users to compile and install the ROMs of their choosing without having to worry about gaining root access.

Why cant google offer... (1)

novar21 (1694492) | more than 3 years ago | (#34361032)

a free browser upgrade via the android market place? It's just a program like firefox is. I don't believe that HTC modifies the browser. Device drivers yes, but the browser? I could be wrong, I haven't looked at any of the code for the different manufacturers,

Re:Why cant google offer... (0)

Anonymous Coward | more than 3 years ago | (#34361056)

Google is going this direction. Maps and Gmail are updated independently of the OS through the market. It's only a matter of time before all core apps are updated through the market.

What about an app? Is not root cause SD access? (1)

SuperKendall (25149) | more than 3 years ago | (#34361108)

I don't see how downloading a file has anything to do with the exploit other than being a means to trigger file access Javascript.

What I'd like to know is, can any app read any file from an SD card if it knows the path of an existing file? From a previous Slashdot story (a few months back, cannot find the link) I had thought each Android application directory on an SD card was somehow isolated, but for this flaw to work at all that cannot be the case. What is to stop a rogue app from accessing any arbitrary application data at a known path on the SD card?

If so, fixing the browser alone is not necessarily a fix though certainly a great improvement.

Fragmentation is at issue not so much in the vulnerability, as in the patch - because all sorts of vendors have different update schedules it's going to take a while for a fix to propagate everywhere and may never reach some older devices like the G1 (and to be fair iOS has that issue currently with the original iPhone and the PDF flaw, which you must jailbreak to fix).

Whoa.. (1)

novar21 (1694492) | more than 3 years ago | (#34361164)

You mean iPhone users have similar problems as Android users? Wow, we should all convert over to WP7 then. It's so secure, it doesn't even have cut n paste. Sorry for the sarcasm.

Re:What about an app? Is not root cause SD access? (1)

TBBle (72184) | more than 3 years ago | (#34361778)

What I'd like to know is, can any app read any file from an SD card if it knows the path of an existing file? From a previous Slashdot story (a few months back, cannot find the link) I had thought each Android application directory on an SD card was somehow isolated, but for this flaw to work at all that cannot be the case. What is to stop a rogue app from accessing any arbitrary application data at a known path on the SD card?

When you put applications on the SD card, their binary directories are isolated from each other, yes. (Through encrypted loop-mounts, I believe)

But the actual data on the sdcard is completely open to all applications. It's basically a large dumping ground for data.

The issue of this exploit is that you never need to grant anything permission to become vulnerable, whereas a rogue app does need to be given permission to be installed, and (I believe) permission to access data on the SD card.

Re:What about an app? Is not root cause SD access? (1)

SuperKendall (25149) | more than 3 years ago | (#34361952)

When you put applications on the SD card, their binary directories are isolated from each other, yes. (Through encrypted loop-mounts, I believe)

That's how I understood things from before...

whereas a rogue app does need to be given permission to be installed, and (I believe) permission to access data on the SD card.

Right, I can see an app needing to ask for access to be installed, possibly the SD card access - but who would think twice about granting that, if for no other reason than to store preferences?

The question I had is if from there, if an application has those permissions, if it can see any application data from other applications that resides on the SD card. I thought not (thought all app data would be part of individual mounts) but if it can be done, that seems like an awfully big opening for apps to secretively mine all kinds of information from a user.

OH NO (0, Troll)

AnAdventurer (1548515) | more than 3 years ago | (#34361224)

The perfect phone OS has a security flaw!!! DOOM DOOM, it's DOOM!

So what? (0)

Anonymous Coward | more than 3 years ago | (#34361934)

Nobody uses the stock web browser.

Android's main weakness is the carriers (1)

erroneus (253617) | more than 3 years ago | (#34362030)

Personally, I know I can get the latest fixes and updates fairly quickly, but that is only because I have rooted my phone and installed a few utilities and follow the updates and fixes provided by some pretty smart people. That's just about as up-to-date as I can hope to be. But that won't work for the rest of the users out there. They have to wait for a very long time, forever or even longer (such as never) before T-Mobile, AT&T, Sprint or Verizon push out an update to fix a vulnerability. And what's more, they will never acknowledge a vulnerability but will instruct their support people to run you through ridiculous paces and eventually ask you to exchange the phone for a refurb even though the problem will undoubtedly be software.

This is all typical behavior from carriers because keeping firmware or software up-to-date is not something they have EVER done. Doing so now would be very unusual.

Android going to be like microsoft? (1)

adriel (875943) | more than 3 years ago | (#34362642)

Is it just me, or does Android seem to be following Microsoft's path? Wonder if there will be a BSOD for Android in the near future lol

What makes this special? (1)

mauriceh (3721) | more than 3 years ago | (#34362782)

So what?
I do not understand what makes this an "interesting piece of news".

We see Windows security updates weekly.
iOS? Regularly.

Is this some "special" weakness?

Re:What makes this special? (1)

robosmurf (33876) | more than 3 years ago | (#34363762)

It's special because most Android phones are NOT getting a security update for the known flaw.

Re:What makes this special? (1)

mauriceh (3721) | more than 3 years ago | (#34365748)

Most phones on most OS types do not get security updates.
Not a function of the OS, and is a function, or lack thereof, of the phone provider, who is usually the telco for wireless services.
And their argument often is:
"We provided the phone, as is, and "free" to you.
We owe you nothing."

Again, not unusual.

Re:What makes this special? (1)

bonch (38532) | more than 3 years ago | (#34368824)

Whether or not you think it's unusual, it's still news.

Nice info (1)

rick001 (1948902) | more than 3 years ago | (#34363070)

Good to know, thanks for sharing