All Android devices running kernel < 3.18?
What's that in standard person's terms?
Does that mean Android 4.4.x is affected?
Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices. The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18 – we're talking millions of gadgets and handhelds, here. The vulnerability is a privilege elevation that …
So I had a quick look - it turns out that this patch has been in the 3.10 LTSI tree since June 2015, and it is in fact already in 3.10.84. The log for the relevant file at the 3.10.84 release is here:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/fs/pipe.c?h=v3.10.84&id=f1178e991adbe6ea8a7524c8c83fa479dc26c765
The top commit is the one referenced by the Google advisory. So although Google have only just pushed a patch for this, the Sony Android 6.0 release is already covered.
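An added example (not from the article, the commenter, or any vendor) that turns the point above into a check: a blanket "kernel below 3.18 is affected" test gets the 3.10 stable branch wrong, because the fix was backported there in 3.10.84. The table below encodes only the two facts stated in this thread (mainline fixed from 3.18, 3.10 stable fixed from 3.10.84); every other branch is deliberately reported as "unknown" rather than guessed. The version strings in the test are constructed; the `-g…` suffix mimics the build tag many Android `uname -r` outputs carry.

```python
"""Classify a kernel version string against the fix status described in the thread.

Caveat for real devices: vendors routinely backport fixes without bumping the
version number, so a string that classifies as "vulnerable" is a prompt to check
the vendor's patch level, not proof of exposure.
"""
import re

# Assumed from the thread: the pipe.c fix is in mainline from 3.18 onwards.
PATCHED_MAINLINE = (3, 18)

# Assumed from the thread: stable branch -> first patch level that carries the fix.
# Only the 3.10 branch is known here; other branches are reported as "unknown".
PATCHED_STABLE = {(3, 10): 84}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(text):
    """Return (major, minor, patch) from a `uname -r` style string.

    Anything after the numeric prefix (e.g. "-g1234abc", "-perf") is ignored;
    a missing patch level is treated as 0.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("not a kernel version string: %r" % text)
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def fix_status(text):
    """Return "patched", "vulnerable" or "unknown" for the given version string."""
    major, minor, patch = parse_kernel_version(text)
    branch = (major, minor)
    if branch >= PATCHED_MAINLINE:
        return "patched"
    if branch in PATCHED_STABLE:
        return "patched" if patch >= PATCHED_STABLE[branch] else "vulnerable"
    # A branch the thread says nothing about: do not guess either way.
    return "unknown"


if __name__ == "__main__":
    # Constructed sample strings, not taken from any real device.
    for sample in ("3.10.84-g1234abc", "3.10.49-perf", "3.18.0", "4.4.0", "3.4.0"):
        print("%-20s %s" % (sample, fix_status(sample)))
```

The useful property is the three-way answer: a naive `version < 3.18` test would flag a patched 3.10.84 kernel as vulnerable and silently say nothing about branches the thread gives no data for.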
To be fair, I have had to reinstall Windows a few times when things went horribly wrong - but that was back in the dark days of XP, never had that problem since Win7.
But these days, with Android and Google, I can't help but get the feeling of "meet the new boss, same as the old boss".
To fix the vulnerability in and of itself, all that is required is flashing an image containing an update to the patched kernel.
However, if the phone has been rooted using the vulnerability, you need to flash the entire Android system image to your phone to ensure all system files are restored to OEM state with no additions.
The same would be true for this type of vulnerability on iOS or Windows Phone.
The only reason my Android devices are rooted is so I can use an edited `/etc/hosts` file to block the hundreds of data-slurpers, ad-slingers and malware-peddlers infesting the internet. If Google would allow me to edit this one solitary file, I'd have no need to root Android and would happily apply their security updates.
Of course that would mean I'd have a secure kernel *AND* not be seeing adverts —and Google are determined I've got to choose one or the other. So, weighing up the pros and cons, I think I'll stick with what I've got. I reckon there's far more chance of picking up some 'nasty' running an OS with a "Welcome" mat for a hosts file, than there is of someone tricking me into running a kernel exploit.
PS: Loving the new Captcha test, El Reg. Pure genius making me do it in between each post preview and then again before submitting. Tell me. Have any of your web design team ever heard of the concept of "usability"?
I started reading comments on CVE-2016-0805 (and 0819) last night. Trend Micro had a comment which suggested that the issues behind 0805 had been sent to manufacturers quite a while ago, and were dealt with in the patch dated Feb 2, 2016. Now first thing this morning, I read this? With no coffee in the system. This no rooting of phones is an annoying rule, if the reason to root the phone is to get security patches to the OS. Maybe if I drink my coffee, this will all go away?
There is no sense unwrapping the new phone, if it isn't going to be possible to put a secure OS on it for months, or ever.
Yay! Glad I bought one of those Google owned Motorola Moto Gs, so that it was kept up to date on OS updates until Google sold Motorola...
I'm starting to think the Apple luxury tax is worth it for the updates to the OS. At least the walled garden doesn't feel like a vacant lot. :-(
When I bought my Nexus, I figured that I'd be getting updates for a good while. Nope, nothing for Nexus 4. Android 5.1.1, and that's it. No more updates for you, go buy a new phone.
Or I could put the next OS on myself, and do it every time they update that image. Or maybe I should run Cyanogen.
But what this comes down to, is that many many millions of devices are forever vulnerable. Gee, thanks, Google.
The real issue here is that the vulnerability wasn’t called out as a security fix in the Linux kernel, when it was discovered. This happens far too often (both in Linux, as well as in proprietary software and other open source projects). But for Linux - see http://yarchive.net/comp/linux/security_bugs.html - the predominant school of thought that once a security flaw is fixed (as a bug), there isn't an issue, is plainly wrong. This example is clearly showing this. The consequence is that vendors who build on top of Linux (and similar platforms) have to evaluate every bug-fix to check whether they are possibly a vulnerability they may be exposed to. That is a) wasteful and b) does not scale in projects with a high development velocity. The consequence is that issues only get discovered if a security researcher connects the dots and informs the vendor (as in this case) or when it is discovered that the issue is exploited in the wild.
First generation Moto G just got security updates! Seems it still gets support after all, just a couple months late. Latest patch brings the security patch level up to 2016-03-01!
Go Google! Go Motorola!
Oh, wait...
They sure do make Apple look good...