back to article No, that Linux Keyrings bug isn't in '66 per cent of Android devices'

When the Linux “Keyrings” vulnerability landed yesterday, headlines said it would affect “millions” of devices, partly because it was thought to be widely present in Android as well. El Reg wondered at this, because it's not part of the recommended Android kernel configuration, so we're going to be a little bit smug: however …

  1. TeeCee Gold badge

    ".... promised a fix by March 1. That's the bad news."

    No, the bad news is somewhere around 10% of affected devices will actually get that patch.

    The rest will all be more than 12 months old and their manufacturers won't bother cutting system updates for them.

  2. Joe Montana

    Kernel config

    Looking at the kernel config, it seems CONFIG_KEYS is turned on automatically by a bunch of other kernel options...

  3. Anonymous Coward


    "We believe that no Nexus devices are vulnerable to exploitation.........Also, many devices running Android 4.4 "

    For once my Samsung is not vulnerable as it's never seen an update in it's life!

    1. Loud Speaker

      Re: Wahoo...

      If you don't get updates for your Samsung, its your fault. You bought it from that dodgy guy in the pub (O2?), instead of a reputable supplier.

      My Note 3 got updates about once a month, now down to about once every two months.

      My S3 runs Cyanogenmod, and gets updates monthly or thereabouts - there are more, but I don't install all of them, cos I'm too lazy.

      1. This post has been deleted by its author

      2. Lee D Silver badge

        Re: Wahoo...

        I, too, would call bullshit.

        I have an S4 Mini, which isn't all that old. It's probably had one update in all the time I've had it (and that cocked up my satnav apps and forced me to reinstall them all). My girlfriend's Samsung phone has exactly the same situation. And, yes, I have JUST pressed software update to check I'm right. Nothing.

        I love Samsung but the minute something is no longer "the latest", updates stop.

        My Samsung TV had updates available. For about a month after buying it. I haven't seen another in 4 years and I check quite often. I mean, it works, and it's not part of anything that I've be scared of (e.g. downloading network things, etc.) but that's still surprising that it's so perfect that an update isn't ever needed again.

        1. scudcraft

          Re: Wahoo...

          There are two issues. One is that most device companies are slow to provide what they need to to service providers. The other is that service providers are even slower to get updates to you.

          I bought a factory unlocked N6 three months ago. Put an AT&T SIM in it. No updates. A few days ago I replaced the AT&T SIM with a Google Fi SIM. Instant updates.

          1. This post has been deleted by its author

          2. TeeCee Gold badge

            Re: Wahoo...

            I cut out the middle man. I always buy sim free phones anyway, so there's no "service provider" involved (and I am rather failing to see why which SIM is in the bloody thing should make a difference on a generic device anyway).

            I pull updates directly from the manufacturer's website. Makes no difference though, each and every new device will get one (possibly two[1]) version updates[2]. That's it.

            Security patches? Never seen one. Anywhere.

            [1] If it really was the whizzbang latest thing when I bought it.

            [2] Usually at least two of each version. One for the new version and one to fix all the cockups they made implementing the new version.

  4. Anonymous Coward

    WTF *is* vulnerable?

    Has anyone actually got the exploit to "work" on a real installation?

    1. Doctor_Wibble

      Re: WTF *is* vulnerable?

      Good question given the range of tweaks and bugs added by different manufacturers.

      Fortunately the article includes version numbers for those of us who use these devices but don't live on the things and who normally have to look at the official name list to find out what version is meant by 'iced jelly cornetto with a sodding flake'.

      This definitely feels like a comment of the 'gumpy old' variety...

      1. Anonymous Coward
        Anonymous Coward

        Re: WTF *is* vulnerable?

        I was thinking of successful rather than theoretical examples... anywhere. No one seems to have actually got it to "work" on anything.

    2. a_yank_lurker Silver badge

      Re: WTF *is* vulnerable?

      @AC - What I have read, it does not seem to an easy vulnerability to exploit on common kit. However the concern is it appears to potentially bypass various security features if it does work. Also, many distros appear not have the vulnerability as it is set as compiler option as I understand. So even if one has a nominally vulnerable kernel one may not have the needed bits compiled making the vulnerability completely theoretical.

      1. Anonymous Coward
        Anonymous Coward

        Re: WTF *is* vulnerable?

        Cheers ayl, exactly what I'm thinking - I wasn't meaning to play down the potential risk, just wondering what the actual exposure is. I haven't got it to work on any of my "real world" kit and, oddly, no one else seems to have either.

        Obviously it would be handy to know which (if any) real systems are actually at immediate risk.

  5. Ken 16

    at least 66.6% of iPhones not possessed by Satan

    Good news, relatively.

    1. Paul Crawford Silver badge

      Re: at least 66.6% of iPhones not possessed by Satan

      66.6 the percentage of the Beast

      Lollipop was was spawned to be released

  6. FF22

    Hyprocrisy much

    "Ludwig's not thrilled that the vulnerability landed without prior notice to the Android team"

    And yet, they (Google) have done the same thing with several Windows-vulnerabilities in the past. Karma is a btch, I guess.

    1. Black Road Dude

      Re: Hyprocrisy much

      Not true ... google have a policy to notify the company then wait a period of time (3 months I think) to give them a chance of fixing it before its revealed. That's standard practice but Google had no warning here.

      1. FF22

        Re: Hyprocrisy much

        "google have a policy to notify the company then wait a period of time (3 months I think) to give them a chance of fixing it before its revealed."

        And, yet - as already explained - , they have not done so on several occasions. Their top security researcher, Tavis Ormandy did not only release information on vulnerabilities prior to notifying Microsoft, but he also published actual exploit code alongside, and even advised others against notifying Microsoft of other vulnerabilities, because he though they "treat vulnerability researchers with great hostility, and are often very difficult to work with". Just Google it!

        1. Anonymous Coward
          Anonymous Coward

          Re: Hyprocrisy much

          False. Microsoft was always notified in advance. They just didn't get as much time as they felt they needed.

  7. fishman


    Lollipop (Android 5) uses the Linux 3.4 kernel, so it's not vulnerable.

  8. John Sanders

    This vulnerability

    Is like most Linux vulnerabilities, high in publicity and low in the number of systems that can be compromised with it.

    Guess that Linux variety/diversity/fragmentation has some positives when it comes to threat containment.

    Waiting for someone to draw a logo and plaster it all over the MSM though. :-|

    1. Anonymous Coward
      Anonymous Coward

      Re: This vulnerability

      Well, the old crap that you don't need anti-virus stuff and what not on a GNU/Linux system because it isn't MS Windows becomes real.

      But it isn't. I don't run all that crap, nor my wife, nor her sister - we all trundle along happily (me on Slack, the girls on Ubuntu).

      Most (all) of the dodgy stuff found in the Linux kernel needs either:

      a) access to the physical system as root.

      b) a third party process that is dodgy that a normal user wouldn't use/have anyway and get made to do dodgy things as root that no user is running anyway (this was sorted out years ago on *nix).

      c) be an extremely intelligent coder that knows the kernel innards inside out but impossible to deploy in the real world.

      One more point. These things only come out as the code can be audited and analysed, by anyone, and anything. In the real world, if it was closed source, I doubt this would have ever been found (AKA MS Windows world, and we know what happens when their bugs get found - but herein lies the difference - Linux kernel code is at least audited by the pack - who audits MS et al's code?).

      1. a_yank_lurker Silver badge

        Re: This vulnerability

        @Linicks - Linus noted that "many eyes makes all bugs shallow". In any open source project, anyone can review the code and potentially find bugs. With MS, they probably have a system nominally like this: code, unit test by developer, peer review, final testing. The peer review is likely to be relatively brief and that is probably the only time the code is formally reviewed.

      2. Anonymous Coward
        Anonymous Coward

        Re: This vulnerability

        'who audits MS et al's code?'

        Pretty easy to answer that:

        - NSA

        - EU gov

        - Chinese gov

        - not you

  9. chasil

    Towelroot 2

    Android users will likely hope for Towelroot 2, so admin privileges can be pried away fascist carriers and OEMs who have their (repeated) way with bootloaders.

    However, what a user can do, an app can do - system security is blown, and any app on the phone can take complete control when an unprivileged shell becomes root.

    I want control of my phone as user id zero, and I want sufficient security to prevent apps from escalating privilege without my consent.

    Android utterly fails on both counts.

    1. Anonymous Coward

      Re: Towelroot 2

      Phones utterly fail on both counts.

      T, FTFY ;)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021