It's that time again: Android kicks off June's patch parade with fixes for five hijack holes

Google has released its June bundle of security vulnerability patches for Android, with fixes for 22 CVE-listed flaws included. This month's update, including eight critical fixes, includes patches to close up four confirmed remote code execution vulnerabilities. Google says none of the bugs have been targeted in the wild, yet …

  1. Pascal Monett Silver badge
    Flame

    Great news

    Now, how about we get a timetable on when our provider will be arsed to give us that update?

    Because Google improving its mobile OS means jack shit to the majority of us who depend on our mobile operator to pull its finger out and do its job.

    Man, my retirement seems a long way off.

    1. big_D Silver badge

      Re: Great news

      I got the May updates through on my Huawei yesterday, so I'm guessing these updates will arrive at the beginning of July, if they keep to their normal timetable.

    2. Charlie Clark Silver badge

      Re: Great news

      How about lodging a complaint with your provider? Or with your consumer rights organisation? Or even a civil suit? The only way companies will change their behaviour is if they're forced to.

    3. Waseem Alkurdi Silver badge

      Re: Great news

      Why are you relying on your provider? Why don't you have LineageOS/any custom ROM/your own builds from source (which is easy to do if you have device/kernel/vendor trees)?

      Even Google knows that Android and updates are a case closed and nailed shut - hence Fuchsia OS and its multilayer model of which Google controls the lower ones.

      1. jmecher

        Re: Great news

        >Why are you relying on your provider? Why don't you have LineageOS/any custom ROM/your own builds from source (which is easy to do if you have device/kernel/vendor trees)?

        You're probably joking, but LineageOS users will get it sooner than the average joe.

        I'm one of the former, and I currently have the May security patch level since May 17th when I last updated.

        Building from source, though...not really. I did it once when Lineage had build system issues and hadn't published a ROM update for some time, and it's not a trivial amount of effort. Ultimately, the most important issue was that my own build was using a separate signing key, and I couldn't get back to the official LOS build using OTA update. These days they publish official builds daily, with the occasional hiccup of a few days once in a while.

  2. Tony W

    "Regular" security updates

    Android One promises regular security updates, which is a typical marketing phrase that sounds as if it means something other than what it does. For my Motorola phone it means regularly four weeks late, which is certainly better than most. But why the four week delay? And using Android One has made me realise the value of some of the alterations and additions that manufacturers make to stock Android.

    1. RyokuMas Silver badge
      Joke

      Re: "Regular" security updates

      "Android One promises regular security updates"

      Isn't that one of the main bitching points about Windows 10?

    2. big_D Silver badge

      Re: "Regular" security updates

      Huawei are also 4 weeks late, and I think Samsung as well.

      The problem is in the way that the manufacturers get the updates.

      1. Google fixes the code

      2. Google pushes updates to their own devices

      3. At the same time as they push the updates, they release the source to AOSP

      4. The manufacturers have to look at the newly released code.

      5. They have to integrate the changes into their base code

      6. They have to test the code

      7. They have to release the code.

      If you are unlucky and have a carrier branded phone, you might have to wait for the carrier to also do their own testing.

      That is one of the reasons why I haven't bought a carrier branded device since 2007.

      1. iron Silver badge

        Re: "Regular" security updates

        Yup, Samsung generally deliver them 1 month late and have for years. Apart from the odd patch that ends up 2 or 3 months late and is then usually followed rapidly by the other ones you're missing.

        1. arctic_haze

          Re: "Regular" security updates

          Yes, Samsung is not bad compared to the rest of the field. My 2-year-old phone recently received an unexpected Android 8 -> 9 upgrade which included the May patches.

      2. Robert Helpmann?? Silver badge
        Childcatcher

        Re: "Regular" security updates

        Huawei are also 4 weeks late...

        In this case, Huawei is being affected by the US government ban. This is interfering with Google's ability to get security updates to them to pass along to consumers.

        REF:

        https://www.theverge.com/2019/6/7/18656163/google-huawei-android-security-ban-claims

        https://www.npr.org/2019/06/07/730536125/as-google-advances-its-interests-it-serves-as-huawei-emissary-to-u-s

    3. Captain Hogwash

      Re: "Regular" security updates

      People often mistakenly think that regular means frequent.

  3. _LC_ Silver badge
    Alert

    Flash Player 2.0

    It's a safe assumption that Android's “media framework” is still vulnerable. It always is. It always was.

    I suggested calling it the “flash media framework” a long time ago, but as long as people don't care about trash software Google can rejoice.

  4. Anonymous Coward

    Google says none of the bugs have been targeted in the wild, yet.

    I sure hope Google isn't just relying on the results of their "Play Protect" thingy for that bold statement.

    /s

  5. elvisimprsntr

    As much as some complain about iOS being proprietary, at least security updates get rolled out as soon as (or in most cases before) CVEs are disclosed. Android on the other hand, the majority will have to wait weeks/months (assuming the manufacturers/carriers bother) for security updates. Until then, miscreants have time to target those vulnerabilities. The average consumer does not take the time to make an informed decision, thus makes their choice based on initial acquisition cost without taking risks into consideration. The average consumer also uses social media which poses its own set of risks to security/privacy.

  6. fishman

    Pixel 2

    My June updates for my pixel 2 came a couple of days ago.

    1. Arthur the cat Silver badge

      Re: Pixel 2

      My June updates for my pixel 2 came a couple of days ago.

      And my Pixel 3 is updating as I type.
