Lurick

Android 10 To Fix 193 Open Vulnerabilities


Posted · Original PosterOP

Looks like in addition to cutting back on the desert theme they are cutting back on quite a few open vulnerabilities as well with the latest OS, Android 10. I'm personally not surprised there are a lot of fixes going in but nearly 200 open vulnerabilities is a heck of a lot. Hopefully most or all of these, or at least the more severe ones, will be fixed with OTA patches to older versions of the OS such as Android 8 and 9 (Oreo and Pie respectively) since I'm sure most users won't be seeing Android 10 for a good while after its release in September.

 

Quote

The bad news is that 193 Android security vulnerabilities needed to be fixed, covering a broad swathe of elevation of privilege, remote code execution, information disclosure and denial of service categories. Two of these are in the Android runtime itself, another two in the library and 24 in the framework. The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97. All have been scored as "moderate" severity.

The good news is that all will be fixed by the default Android 10 patch level of 2019-09-01 on release of the new OS. Also on the positive news front, the security bulletin update stated that "we have had no reports of active customer exploitation or abuse of these newly reported issues."

 

Link: https://www.forbes.com/sites/daveywinder/2019/08/23/android-10-google-confirms-193-security-vulnerabilities-need-fixing/#6835ab38616b

https://tech.slashdot.org/story/19/08/25/023245/google-confirms-android-10-will-fix-193-security-vulnerabilities



I thought the title said 1903, as in Windows 10 1903.

I was actually intrigued lol.



Very cool. Now if only anyone would actually get the Android 10 update. 


Posted · Original PosterOP
1 minute ago, DrMacintosh said:

Very cool. Now if only anyone would actually get the Android 10 update. 

I've got Android 10 already, been running it since Beta 1 dropped. Of course that's because I'm on a Pixel phone which is basically the only lineup of phones that will get the update asap as far as I know. Anyone else will probably be waiting for a year or more before they see it pushed down through their phone carrier.


1 minute ago, DrMacintosh said:

Very cool. Now if only anyone would actually get the Android 10 update. 

I would be happy when I finally get Android 9. HTC is still in the process of putting out the update

5 minutes ago, Lurick said:

I've got Android 10 already, been running it since Beta 1 dropped. Of course that's because I'm on a Pixel phone which is basically the only lineup of phones that will get the update asap as far as I know. Anyone else will probably be waiting for a year or more before they see it pushed down through their phone carrier.

Had beta on my Essential phone since day 1 as well.

Surprised how for a "dead phone" it has the same release schedule as the Pixel line.


1 hour ago, Lurick said:

Looks like in addition to cutting back on the desert theme they are cutting back on quite a few open vulnerabilities as well with the latest OS, Android 10. I'm personally not surprised there are a lot of fixes going in but nearly 200 open vulnerabilities is a heck of a lot. Hopefully most or all of these, or at least the more severe ones, will be fixed with OTA patches to older versions of the OS such as Android 8 and 9 (Oreo and Pie respectively) since I'm sure most users won't be seeing Android 10 for a good while after its release in September.

 

 

Link: https://www.forbes.com/sites/daveywinder/2019/08/23/android-10-google-confirms-193-security-vulnerabilities-need-fixing/#6835ab38616b

https://tech.slashdot.org/story/19/08/25/023245/google-confirms-android-10-will-fix-193-security-vulnerabilities

I hope so too, but this is one of the perpetually saddening parts of Android -- that you don't actually know if you'll even get all of the security fixes, let alone get them on time, unless you have a Google Pixel or maybe an Essential Phone.  And that there's a good chance your phone will be left permanently vulnerable to attacks if it's just two or three years old.

 

It's not as bad as it was in the Windows XP days when a large security hole virtually guaranteed that millions would be infected, but I do worry that Android is "due" for a Blaster-style worm that spreads very quickly.  And unlike then, there could be legions of people who'd have no way to (officially) install the fix.


Next thing should be fixing Android Studio, OTOH sadly I don't think my S8 will be getting updates once S11 releases or next Note comes out, even basic security updates are nonexistent on flagship devices that aren't incredibly aged say around 3 years old. A price to pay for non-closed ecosystem.


Well that's good! Will probably get a new phone with 5G and Android 10 down the line. 



By the wonders of Android, 3/4 of the world will receive these updates in about 5 years when most people will change the phone. Coz they won't see this update like ever on any of existing devices...

6 hours ago, AkatsukiKun said:

Next thing should be fixing Android Studio, OTOH sadly I don't think my S8 will be getting updates once S11 releases or next Note comes out, even basic security updates are nonexistent on flagship devices that aren't incredibly aged say around 3 years old. A price to pay for non-closed ecosystem.

I don't think we should give Google a pass here.  There's no practical excuse for why a company as large as Google cuts off updates so quickly, and why security updates are often seen as "nice to have."

 

This is one of those areas where Google should explicitly follow Apple's lead.  All Android devices should have four or more years of OS updates.  All security updates should be available over the support period no matter which device you have.  If vendors complain?  Too bad -- tell them the security of your phone isn't optional.

4 minutes ago, Commodus said:

I don't think we should give Google a pass here.  There's no practical excuse for why a company as large as Google cuts off updates so quickly, and why security updates are often seen as "nice to have."

 

This is one of those areas where Google should explicitly follow Apple's lead.  All Android devices should have four or more years of OS updates.  All security updates should be available over the support period no matter which device you have.  If vendors complain?  Too bad -- tell them the security of your phone isn't optional.

Android should get all OS updates, not just 3 to 4 years. Just like Windows, until the hardware on your phone can't run it anymore.


Just now, NumLock21 said:

Android should get all OS updates, not just 3 to 4 years.

There is a certain point at which it would likely be too impractical to extend support (such as when Apple cut off 32-bit iOS devices); I chose four because that's both closer to where Apple is and because I figured it'd be a decent balance.  I think we can both agree that it should be comfortably longer than the length of a two-year contract, so that you don't feel like you're forced to upgrade phones just to use recent software.

10 minutes ago, Commodus said:

I don't think we should give Google a pass here.  There's no practical excuse for why a company as large as Google cuts off updates so quickly, and why security updates are often seen as "nice to have."

In AkatsukiKun's case it's Samsung that doesn't push the updates to the older models.  Google isn't to blame here.

58 minutes ago, Commodus said:

I don't think we should give Google a pass here.  There's no practical excuse for why a company as large as Google cuts off updates so quickly, and why security updates are often seen as "nice to have."

 

This is one of those areas where Google should explicitly follow Apple's lead.  All Android devices should have four or more years of OS updates.  All security updates should be available over the support period no matter which device you have.  If vendors complain?  Too bad -- tell them the security of your phone isn't optional.

How do you figure Google cuts off updates? Google posts security patches monthly and feature updates yearly with no exception. The problem lies with implementing them on devices. Likewise to even make the patches they also rely on hardware vendors patching vulnerabilities and compatibilities. If a security issue is found in Android, it's up to Google to solve. If it's found in a Snapdragon 855, it's Qualcomm's job to solve etc etc. In both cases, they need to be developed and later merged into a security update. Then it's on phone manufacturers to test and implement these fixes into their own proprietary hardware and software implementation.

 

Android updates are a bigger clusterfuck than you seem to be aware of. The only way to solve it is to strip away customization. By customization I mean non-Android One implementations. Even Android One probably isn't too easy to deal with but it's certainly much better.

I agree that Google should be more strict in the requirements for compliance and therefore access to the ecosystem but I'm sure Google is afraid of the pushback and threats of cutting ties if they try to take control back. You see the same shit in their dealings with carriers. 

 

The big problem is two-fold: your average consumer hates updates for whatever reason and there is no money to be made off of long term support. Fix those and you'll probably see all parties involved willing to play ball. Even the messy clusterfuck that is Android could be dealt with if it was worth it. Alas, it just isn't.

1 hour ago, Commodus said:

I think we can both agree that it should be comfortably longer than the length of a two-year contract, so that you don't feel like you're forced to upgrade phones just to use recent software.

Makes me want to use an iPhone again.🧐


1 hour ago, Captain Chaos said:

In AkatsukiKun's case it's Samsung that doesn't push the updates to the older models.  Google isn't to blame here.

It is to blame, sorry.

 

Google only offers two years of OS feature updates, and three years of security updates.  That's even if you have a Pixel.  Moreover, it only requires that larger vendors push a few security updates per year, and that requirement isn't known to last the entire three years.  Samsung is at fault for delivering major updates months late and for skipping security updates, but it can't push software revisions that even Google's older phones will never get.

1 hour ago, Trixanity said:

How do you figure Google cuts off updates? Google posts security patches monthly and feature updates yearly with no exception. The problem lies with implementing them on devices. Likewise to even make the patches they also rely on hardware vendors patching vulnerabilities and compatibilities. If a security issue is found in Android, it's up to Google to solve. If it's found in a Snapdragon 855, it's Qualcomm's job to solve etc etc. In both cases, they need to be developed and later merged into a security update. Then it's on phone manufacturers to test and implement these fixes into their own proprietary hardware and software implementation.

 

Android updates are a bigger clusterfuck than you seem to be aware of. The only way to solve it is to strip away customization. By customization I mean non-Android One implementations. Even Android One probably isn't too easy to deal with but it's certainly much better.

I agree that Google should be more strict in the requirements for compliance and therefore access to the ecosystem but I'm sure Google is afraid of the pushback and threats of cutting ties if they try to take control back. You see the same shit in their dealings with carriers. 

 

The big problem is two-fold: your average consumer hates updates for whatever reason and there is no money to be made off of long term support. Fix those and you'll probably see all parties involved willing to play ball. Even the messy clusterfuck that is Android could be dealt with if it was worth it. Alas, it just isn't.

I mean cutting off as in an arbitrary point at which it stops supporting devices with upgrades -- that two-year point for major updates, and three-year point for security updates.  Has Google ever come up with a good explanation for why it can't possibly extend support for another year or two?  I haven't seen one.

 

Customization affects when updates arrive, not whether or not you're getting them.  And Google has been implementing features like Project Treble precisely to shorten that timeframe and reduce excuses for not pushing minor updates.  I can understand it taking a few months to push a custom version of, say, Android 10, but I don't think Google has an excuse in the modern era for stopping with two major OS updates.

 

I'd also disagree vehemently with the notions that people don't like updates, and that there's no money in long-term support.  People love updates, they just want good updates that run reasonably well.  They've been conditioned to dread updates in part because many vendors have been bad at it.  And Apple's iPhone business is built in no small part on delivering long-term support for phones.  You know your phone will keep getting new features well after your contract/instalment plan is up; hell, Apple even improved performance on its oldest supported devices with iOS 12.  I don't think it's unreasonable to tell Google that it can and should do better, especially as mobile security threats are intensifying.

9 minutes ago, Commodus said:

 

 

 

Consistent, long term updates have been an ongoing problem with Android since its inception about a decade ago. You'll forgive my lack of optimism that this will change anytime in the foreseeable future, if ever. Tbh, you'd probably do better to write off Android entirely if long term updates are a deciding factor.


Just now, Zodiark1593 said:

Consistent, long term updates have been an ongoing problem with Android since its inception about a decade ago. You'll forgive my lack of optimism that this will change anytime in the foreseeable future, if ever. Tbh, you'd probably do better to write off Android entirely if long term updates are a deciding factor.

To some extent, I have -- my main is an iPhone.  I just think Google needs to treat long-term updates as a much greater priority as phone update cycles get longer and mobile security threats become more serious.  It's ridiculous to think that someone with a modest income could be 'punished' with security risks simply because they can't justify buying a new phone every two to three years. Microsoft learned the hard way about the importance of timely, sustained security updates, and Google ought to address this before it finds itself in a Blaster-like mess of its own.

1 minute ago, Commodus said:

It is to blame, sorry.

 

Google only offers two years of OS feature updates, and three years of security updates.

That would only be an issue if any of the manufacturers would actually support their phones for more than 18 months. 

 

Google releases a completely new version of Android every year or so.  That's a core OS without drivers or device-specific firmware, which gets the 3 years worth of security updates. 

Any manufacturer can use that on all their devices, but instead they pick a small number of the most modern ones.  That's not Google's fault, it's entirely the manufacturers' choice. 

55 minutes ago, Commodus said:

I mean cutting off as in an arbitrary point at which it stops supporting devices with upgrades -- that two-year point for major updates, and three-year point for security updates.  Has Google ever come up with a good explanation for why it can't possibly extend support for another year or two?  I haven't seen one.

 

Customization affects when updates arrive, not whether or not you're getting them.  And Google has been implementing features like Project Treble precisely to shorten that timeframe and reduce excuses for not pushing minor updates.  I can understand it taking a few months to push a custom version of, say, Android 10, but I don't think Google has an excuse in the modern era for stopping with two major OS updates.

 

I'd also disagree vehemently with the notions that people don't like updates, and that there's no money in long-term support.  People love updates, they just want good updates that run reasonably well.  They've been conditioned to dread updates in part because many vendors have been bad at it.  And Apple's iPhone business is built in no small part on delivering long-term support for phones.  You know your phone will keep getting new features well after your contract/instalment plan is up; hell, Apple even improved performance on its oldest supported devices with iOS 12.  I don't think it's unreasonable to tell Google that it can and should do better, especially as mobile security threats are intensifying.

I can see you didn't read my post properly. Google is not connected to the problem you describe. I'll repeat they release monthly security updates and yearly feature updates. Your phone getting the update is not on Google. If Samsung wanted to support your phone for five years they could do it right now; Google can't prevent that. However Google can't make Samsung do it nor can they do it themselves. 

As it is right now Google extended Linux LTS support to 6 years but that in itself is technically not a limitation. It is technically possible to migrate to a newer kernel version although a lot more work. Those timelines you list are basically Google's guidelines that they could get some (not all) partners to commit to after a lot of negotiations.

 

I didn't comment on vendor implementations and if or when updates arrive. I said they're part of the reason Google can't push updates directly to your device like Microsoft does to Windows.

 

Many people hate updates. Even iPhone updates. They care little for them. They just want their device to run perpetually as is. 

 

The premise of your comments is wrong so I don't know what else to say.

1 hour ago, Commodus said:

To some extent, I have -- my main is an iPhone.  I just think Google needs to treat long-term updates as a much greater priority as phone update cycles get longer and mobile security threats become more serious.  It's ridiculous to think that someone with a modest income could be 'punished' with security risks simply because they can't justify buying a new phone every two to three years. Microsoft learned the hard way about the importance of timely, sustained security updates, and Google ought to address this before it finds itself in a Blaster-like mess of its own.

My next phone will probably be an iPhone as well (buy whatever happens to be the latest model, hold onto it for years), though upgrading my phone isn't exactly top priority at the moment, so will probably be a while. My current phone is going on two years old, and shows startlingly little sign of wear, even on the battery. 😛

 


1 hour ago, Trixanity said:

I can see you didn't read my post properly. Google is not connected to the problem you describe. I'll repeat they release monthly security updates and yearly feature updates. Your phone getting the update is not on Google. If Samsung wanted to support your phone for five years they could do it right now; Google can't prevent that. However Google can't make Samsung do it nor can they do it themselves. 

As it is right now Google extended Linux LTS support to 6 years but that in itself is technically not a limitation. It is technically possible to migrate to a newer kernel version although a lot more work. Those timelines you list are basically Google's guidelines that they could get some (not all) partners to commit to after a lot of negotiations.

 

I didn't comment on vendor implementations and if or when updates arrive. I said they're part of the reason Google can't push updates directly to your device like Microsoft does to Windows.

 

Many people hate updates. Even iPhone updates. They care little for them. They just want their device to run perpetually as is. 

 

The premise of your comments is wrong so I don't know what else to say.

Google can't push updates directly, but that doesn't mean the current arrangement is acceptable.  It already has agreements for a minimum number of updates; it's a matter of expanding those requirements to offer more updates for longer.  And Google can't just cave every time a vendor says "no thanks."  You can't commit a sliver of resources to ensuring that you release every security update, even if customization and carrier headaches mean it takes a couple of weeks longer to reach users?  Fine, then you don't get an official Android license.

 

And I really don't think you grasped the point about people's perception of updates.  They're leery of updates and interested in consistency in part because they've had bad experiences (yes, including iPhone updates until relatively recently).  You'd have to go out of your way to show that they're averse to the very concept of updates as opposed to the execution of those updates, and I don't think you can.  It's far easier to point to people who complain that update X slowed their phone down, made it buggy or added a confusing new UI.  Folks want new features and security updates -- they just don't want to be bewildered or frustrated.
