Google should have...
Google should have, at the very least, listed how the miscreants are attacking. My guess is that it's via MMS, where you can attack 144 devices at once.
Patch Tuesday is next week, but Android is ahead of the game, dropping its biggest patch bundle this year while attackers actively exploit two of the now-fixed flaws. This month, the world's most popular mobile operating system pushed out 120 patches, its biggest monthly dump this year. It's a far cry from July, when Android …
That's not an inherent property of the concept of a smartphone.
MS tried quite hard to standardise smartphone hardware so that one OS vendor could distribute their OS to whole swathes of hardware. Just like Linux and Windows can be rolled out across PCs. Naturally MS were hoping that this would give them a winning leg up in the race to participate in the Smartphone market, but it didn't work. Technically, it was just fine and could have gone places.
What's disappointing about the government regulators is that they do not seem interested in such things. The PC is a hardware standard (originally accidentally made by IBM, and then formalised by Microsoft for the benefit of the whole market [with them at the top of that market]), and that's benefited many. It's the primary reason Linux was able to establish a foothold. But regulators seem to have been content to let companies like Apple, Google and Samsung roll that hardware openness back. That's not been good for the consumer.
That first CVE has been in Linux since 2.6.36, the best part of 16 years. That's a long, long time for such a vulnerability to be there. It's also in an area likely to have been of interest to those actively hunting exploitable opportunities; timers and their deletion feel like a ripe area for finding race conditions. If one were to be paranoid about whether this has been exploited on one's systems or not, 16 years is a long time to look back over for signs of intrusion, privilege escalation, etc.
Well, hopefully, since I run LineageOS I will get these patches soon, as the devs there are usually really good at pushing out updates. But that just goes to show something when a group of volunteers doing this in their free time are faster at pushing out updates than large phone manufacturers that make millions of dollars a year in profit.
Is it upgrading the entire system?!
I believe that's the way Android is updated, so even a relatively quiet update cycle will have the same download size. Certainly it's what Lineage does; "updates" are actually the entire system, ready to go. They are installed alongside the running system and the reboot then swaps over to the new image a bit like updating the firmware in your network switch or router or other "appliance" type device. Lineage images for my second-hand Motorola phone are currently 0.97GB (v22.2), up from 0.92GB for v21.0 and slightly lower again (can't remember offhand) when the phone was on v20.
M.
On Pixels it's usually a differential patch against the currently installed system partition. Many patch updates are tiny (<50MB). Android version upgrades tend to be large (~1GB).
There are two system partitions, and an update writes to the one not currently in use, then at the end of a successful update process the bootloader is switched to booting from the one just written to.
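The two comments above describe Android's A/B ("seamless") update scheme: the new image is written to the inactive slot, the bootloader is only pointed at it once the write has completed, and a slot that fails to boot is abandoned in favour of the old one. The following is an added illustration written for this page, not code from the thread, from AOSP or from LineageOS. It is a simplified model of the boot_control semantics (per-slot priority, tries remaining, successful-boot flag); the class and method names, the `MAX_TRIES` value and the image labels are my own constructed choices.

```python
"""Simplified model of Android A/B slot updates (added illustration, not AOSP code).

Each slot carries the three fields the real boot_control HAL tracks:
priority (0 = unbootable), tries_remaining and a successful-boot flag.
"""
from dataclasses import dataclass

MAX_TRIES = 3  # assumption: a freshly updated slot gets three boot attempts


@dataclass
class Slot:
    image: str              # constructed label for the system image in this slot
    priority: int = 0       # 0 means unbootable; the bootloader tries higher first
    tries_remaining: int = 0
    successful: bool = False

    def bootable(self) -> bool:
        return self.priority > 0 and (self.successful or self.tries_remaining > 0)


class Device:
    def __init__(self, image_a: str):
        self.slots = {
            "a": Slot(image_a, priority=15, successful=True),
            "b": Slot("", priority=0),
        }
        self.current = "a"
        self.boot_log = []  # (slot, image, booted_ok) for every boot attempt

    def inactive(self) -> str:
        return "b" if self.current == "a" else "a"

    def apply_update(self, new_image: str) -> None:
        """Write the new image to the inactive slot, then make that slot active.

        The running slot is untouched throughout; the priority flip only happens
        once the whole image is in place, so a crash mid-write costs nothing.
        """
        target = self.inactive()
        self.slots[target].image = new_image
        self.slots[target].priority = 15
        self.slots[self.current].priority = 14
        self.slots[target].tries_remaining = MAX_TRIES
        self.slots[target].successful = False

    def reboot(self) -> str:
        """Bootloader picks the highest-priority bootable slot.

        A slot not yet marked successful burns one try per attempt; when it runs
        out it is marked unbootable and the bootloader falls back to the old slot.
        """
        while True:
            candidates = [n for n, s in self.slots.items() if s.bootable()]
            if not candidates:
                raise RuntimeError("no bootable slot")
            chosen = max(candidates, key=lambda n: self.slots[n].priority)
            slot = self.slots[chosen]
            if not slot.successful:
                slot.tries_remaining -= 1
            # Constructed stand-in for "the kernel in this image panics".
            booted_ok = "broken" not in slot.image
            self.boot_log.append((chosen, slot.image, booted_ok))
            if booted_ok:
                self.current = chosen
                slot.successful = True  # what the system marks after a clean boot
                return chosen
            if slot.tries_remaining == 0:
                slot.priority = 0  # give up on this slot; fall back next loop


def demo() -> dict:
    """Good update lands in slot b; a broken follow-up update rolls back to b."""
    d = Device("android-2025-08")
    d.apply_update("android-2025-09")
    first = d.reboot()
    d.apply_update("android-2025-10-broken")
    second = d.reboot()
    return {"first": first, "second": second, "log": d.boot_log,
            "a_priority": d.slots["a"].priority, "current": d.current}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The model makes the point of the comments concrete: nothing about the running slot changes until the new image is fully written, and a bad image is only ever tried `MAX_TRIES` times before the bootloader quietly returns to the last slot that booted cleanly.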
Thank you El Reg, for reporting on this. Please keep up the pressure on vendors (and FOSS projects) to fix these flaws.
Might I suggest a standing feature for the site? An easily locatable link leading to an "Update Wall of Shame", listing laggards who leave 9.0+ vulnerabilities unpatched too long, with details. Might be very useful in purchase specification: vendors appearing on the list are not considered, or require high-level sign-off. Even just alerting Our Betters to a preferred vendor's presence would provide valuable CYA.
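The complaints above about slow vendors, and the suggested "wall of shame", boil down to one measurable thing: how far a device's security patch level trails the latest bulletin. Here is an added example, not code from the article or from any commenter, that does that check for a fleet. It reads the value of the real Android property `ro.build.version.security_patch` (collected with `adb shell getprop ro.build.version.security_patch`, format YYYY-MM-DD); the device names and property values below are constructed sample data, and the bulletin date and 60-day threshold are assumptions you would set yourself.

```python
"""Fleet patch-lag audit (added example; not code from the article or thread).

Input: one ro.build.version.security_patch value per device, as returned by
`adb shell getprop ro.build.version.security_patch`.
Output: devices whose patch level trails the reference bulletin by more than
a threshold, worst first.
"""
from datetime import date, datetime

# Constructed sample fleet: device label -> ro.build.version.security_patch value
FLEET = {
    "pixel-8-ops-01":    "2025-09-05",
    "galaxy-s23-eng-04": "2025-07-01",
    "moto-g-lineage-02": "2025-08-05",
    "tablet-kiosk-09":   "2024-11-01",
}

# Assumed reference: the bulletin you want everything measured against.
BULLETIN = date(2025, 9, 5)


def parse_patch_level(value: str) -> date:
    """Accept YYYY-MM-DD (current bulletins) or YYYY-MM (older devices)."""
    for fmt in ("%Y-%m-%d", "%Y-%m"):
        try:
            return datetime.strptime(value.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised security patch level: {value!r}")


def patch_lag_days(patch_level: str, bulletin: date = BULLETIN) -> int:
    """Days between a device's patch level and the reference bulletin."""
    return (bulletin - parse_patch_level(patch_level)).days


def laggards(fleet: dict, bulletin: date = BULLETIN, max_lag_days: int = 60) -> list:
    """Devices over the threshold as (label, patch_level, lag_days), worst first.

    Devices whose property is unparseable are reported with lag -1 so they are
    not silently dropped (an unknown patch level is itself a finding).
    """
    out = []
    for label, level in fleet.items():
        try:
            lag = patch_lag_days(level, bulletin)
        except ValueError:
            out.append((label, level, -1))
            continue
        if lag > max_lag_days:
            out.append((label, level, lag))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    for label, level, lag in laggards(FLEET):
        print(f"{label:20s} {level:12s} {lag:4d} days behind")
```

Run against real `getprop` output, the list is the raw material for exactly the purchase-specification argument in the comment: a vendor whose devices sit on this list month after month is the laggard, independent of marketing claims about "monthly updates".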