
Android 10 To Fix 193 Open Vulnerabilities

Looks like in addition to cutting back on the dessert theme they are cutting back on quite a few open vulnerabilities as well with the latest OS, Android 10. I'm personally not surprised there are a lot of fixes going in but nearly 200 open vulnerabilities is a heck of a lot. Hopefully most or all of these, or at least the more severe ones, will be fixed with OTA patches to older versions of the OS such as Android 8 and 9 (Oreo and Pie respectively) since I'm sure most users won't be seeing Android 10 for a good while after its release in September.

 

Quote

The bad news is that 193 Android security vulnerabilities needed to be fixed, covering a broad swathe of elevation of privilege, remote code execution, information disclosure and denial of service categories. Two of these are in the Android runtime itself, another two in the library and 24 in the framework. The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97. All have been scored as "moderate" severity.

The good news is that all will be fixed by the default Android 10 patch level of 2019-09-01 on release of the new OS. Also on the positive news front, the security bulletin update stated that "we have had no reports of active customer exploitation or abuse of these newly reported issues."

 

Link: https://www.forbes.com/sites/daveywinder/2019/08/23/android-10-google-confirms-193-security-vulnerabilities-need-fixing/#6835ab38616b

https://tech.slashdot.org/story/19/08/25/023245/google-confirms-android-10-will-fix-193-security-vulnerabilities

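The bulletin quoted above ties the fixes to a security patch level string (2019-09-01). The practical check for a fleet is therefore not "is it Android 10" but "does the device report a patch level at or after the bulletin date". The script below is an added example, not code from the thread or from Google: it parses the output format of `adb shell getprop` (the `ro.build.version.security_patch` and `ro.build.version.release` properties are real Android build properties), and the sample dump it runs on is constructed, not captured from a real device.

```python
"""Flag Android devices whose security patch level is older than a bulletin date.

Added example for the thread above, not from the original post. The getprop
dump below is constructed; feed real `adb -s <serial> shell getprop` output
per device in practice.
"""
import re
from datetime import date

# `getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Default Android 10 patch level quoted in the bulletin.
ANDROID_10_PATCH_LEVEL = date(2019, 9, 1)

# Constructed sample (hypothetical device, not a real capture).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-06-01]
[ro.product.model]: [HypotheticalPhone]
"""


def parse_getprop(text):
    """Turn a getprop dump into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value):
    """Parse 'YYYY-MM-DD'; return None for a missing or malformed property."""
    try:
        y, mo, d = (int(p) for p in value.split("-"))
        return date(y, mo, d)
    except (AttributeError, ValueError):
        return None


def assess(props, required=ANDROID_10_PATCH_LEVEL):
    """Return (ok, reason). A missing patch level counts as not ok."""
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    release = props.get("ro.build.version.release", "unknown")
    if level is None:
        return False, f"Android {release}: security patch level missing or unparseable"
    if level < required:
        gap_days = (required - level).days
        return False, f"Android {release}: patch level {level} is {gap_days} days behind {required}"
    return True, f"Android {release}: patch level {level} meets {required}"


def check_fleet(dumps, required=ANDROID_10_PATCH_LEVEL):
    """dumps maps a device id to its getprop text; returns [(id, ok, reason), ...]."""
    return [(dev, *assess(parse_getprop(txt), required)) for dev, txt in dumps.items()]


if __name__ == "__main__":
    for dev, ok, reason in check_fleet({"device-A": SAMPLE_GETPROP}):
        print(dev, "OK" if ok else "BEHIND", reason)
```

Note that the patch level is a vendor-supplied string: an OEM build can report a date without carrying every fix in that bulletin, so this check tells you the claimed level, and a device with no `ro.build.version.security_patch` at all (pre-Marshmallow builds) is treated as failing rather than unknown.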

I thought the title said 1903, as in Windows 10 1903.

I was actually intrigued lol.


Very cool. Now if only anyone would actually get the Android 10 update. 


1 minute ago, DrMacintosh said:

Very cool. Now if only anyone would actually get the Android 10 update. 

I've got Android 10 already, been running it since Beta 1 dropped. Of course that's because I'm on a Pixel phone which is basically the only lineup of phones that will get the update asap as far as I know. Anyone else will probably be waiting for a year or more before they see it pushed down through their phone carrier.


1 minute ago, DrMacintosh said:

Very cool. Now if only anyone would actually get the Android 10 update. 

I would be happy when I finally get Android 9. HTC is still in the process of putting out the update.


5 minutes ago, Lurick said:

I've got Android 10 already, been running it since Beta 1 dropped. Of course that's because I'm on a Pixel phone which is basically the only lineup of phones that will get the update asap as far as I know. Anyone else will probably be waiting for a year or more before they see it pushed down through their phone carrier.

Had beta on my Essential phone since day 1 as well.

Surprised how for a "dead phone" it has the same release schedule as the Pixel line.


1 hour ago, Lurick said:

Looks like in addition to cutting back on the dessert theme they are cutting back on quite a few open vulnerabilities as well with the latest OS, Android 10. I'm personally not surprised there are a lot of fixes going in but nearly 200 open vulnerabilities is a heck of a lot. Hopefully most or all of these, or at least the more severe ones, will be fixed with OTA patches to older versions of the OS such as Android 8 and 9 (Oreo and Pie respectively) since I'm sure most users won't be seeing Android 10 for a good while after its release in September.

 

 

Link: https://www.forbes.com/sites/daveywinder/2019/08/23/android-10-google-confirms-193-security-vulnerabilities-need-fixing/#6835ab38616b

https://tech.slashdot.org/story/19/08/25/023245/google-confirms-android-10-will-fix-193-security-vulnerabilities

I hope so too, but this is one of the perpetually saddening parts of Android -- that you don't actually know if you'll even get all of the security fixes, let alone get them on time, unless you have a Google Pixel or maybe an Essential Phone.  And that there's a good chance your phone will be left permanently vulnerable to attacks if it's just two or three years old.

 

It's not as bad as it was in the Windows XP days when a large security hole virtually guaranteed that millions would be infected, but I do worry that Android is "due" for a Blaster-style worm that spreads very quickly.  And unlike then, there could be legions of people who'd have no way to (officially) install the fix.


Next thing should be fixing Android Studio. OTOH, sadly I don't think my S8 will be getting updates once the S11 releases or the next Note comes out; even basic security updates are non-existent on flagship devices that aren't incredibly aged, say around 3 years old. A price to pay for a non-closed ecosystem.


Well that's good! Will probably get a new phone with 5G and Android 10 down the line. 


By the wonders of Android, 3/4 of the world will receive these updates in about 5 years when most people will change their phone. Because they won't see this update, like, ever on any existing devices...


6 hours ago, AkatsukiKun said:

Next thing should be fixing Android Studio. OTOH, sadly I don't think my S8 will be getting updates once the S11 releases or the next Note comes out; even basic security updates are non-existent on flagship devices that aren't incredibly aged, say around 3 years old. A price to pay for a non-closed ecosystem.

I don't think we should give Google a pass here.  There's no practical excuse for why a company as large as Google cuts off updates so quickly, and why security updates are often seen as "nice to have."

 

This is one of those areas where Google should explicitly follow Apple's lead.  All Android devices should have four or more years of OS updates.  All security updates should be available over the support period no matter which device you have.  If vendors complain?  Too bad -- tell them the security of your phone isn't optional.


4 minutes ago, Commodus said:

I don't think we should give Google a pass here.  There's no practical excuse for why a company as large as Google cuts off updates so quickly, and why security updates are often seen as "nice to have."

 

This is one of those areas where Google should explicitly follow Apple's lead.  All Android devices should have four or more years of OS updates.  All security updates should be available over the support period no matter which device you have.  If vendors complain?  Too bad -- tell them the security of your phone isn't optional.

Android should get all OS updates, not just 3 to 4 years. Just like Windows, until the hardware on your phone can't run it anymore.


Just now, NumLock21 said:

Android should get all os updates not just 3 to 4 years.

There is a certain point at which it would likely be too impractical to extend support (such as when Apple cut off 32-bit iOS devices); I chose four because that's both closer to where Apple is and because I figured it'd be a decent balance.  I think we can both agree that it should be comfortably longer than the length of a two-year contract, so that you don't feel like you're forced to upgrade phones just to use recent software.


10 minutes ago, Commodus said:

I don't think we should give Google a pass here.  There's no practical excuse for why a company as large as Google cuts off updates so quickly, and why security updates are often seen as "nice to have."

In AkatsukiKun's case it's Samsung that doesn't push the updates to the older models.  Google isn't to blame here.


58 minutes ago, Commodus said:

I don't think we should give Google a pass here.  There's no practical excuse for why a company as large as Google cuts off updates so quickly, and why security updates are often seen as "nice to have."

 

This is one of those areas where Google should explicitly follow Apple's lead.  All Android devices should have four or more years of OS updates.  All security updates should be available over the support period no matter which device you have.  If vendors complain?  Too bad -- tell them the security of your phone isn't optional.

How do you figure Google cuts off updates? Google posts security patches monthly and feature updates yearly with no exception. The problem lies with implementing them on devices. Likewise to even make the patches they also rely on hardware vendors patching vulnerabilities and compatibilities. If a security issue is found in Android, it's up to Google to solve. If it's found in a Snapdragon 855, it's Qualcomm's job to solve etc etc. In both cases, they need to be developed and later merged into a security update. Then it's on phone manufacturers to test and implement these fixes into their own proprietary hardware and software implementation.

 

Android updates are a bigger clusterfuck than you seem to be aware of. The only way to solve it is to strip away customization. By customization I mean non-Android One implementations. Even Android One probably isn't too easy to deal with but it's certainly much better.

I agree that Google should be more strict in the requirements for compliance and therefore access to the ecosystem but I'm sure Google is afraid of the pushback and threats of cutting ties if they try to take control back. You see the same shit in their dealings with carriers. 

 

The big problem is two-fold: your average consumer hates updates for whatever reason and there is no money to be made off of long term support. Fix those and you'll probably see all parties involved willing to play ball. Even the messy clusterfuck that is Android could be dealt with if it was worth it. Alas, it just isn't.


1 hour ago, Commodus said:

I think we can both agree that it should be comfortably longer than the length of a two-year contract, so that you don't feel like you're forced to upgrade phones just to use recent software.

Makes me want to use an iPhone again.


1 hour ago, Captain Chaos said:

In AkatsukiKun's case it's Samsung that doesn't push the updates to the older models.  Google isn't to blame here.

It is to blame, sorry.

 

Google only offers two years of OS feature updates, and three years of security updates.  That's even if you have a Pixel.  Moreover, it only requires that larger vendors push a few security updates per year, and that requirement isn't known to last the entire three years.  Samsung is at fault for delivering major updates months late and for skipping security updates, but it can't push software revisions that even Google's older phones will never get.


1 hour ago, Trixanity said:

How do you figure Google cuts off updates? Google posts security patches monthly and feature updates yearly with no exception. The problem lies with implementing them on devices. Likewise to even make the patches they also rely on hardware vendors patching vulnerabilities and compatibilities. If a security issue is found in Android, it's up to Google to solve. If it's found in a Snapdragon 855, it's Qualcomm's job to solve etc etc. In both cases, they need to be developed and later merged into a security update. Then it's on phone manufacturers to test and implement these fixes into their own proprietary hardware and software implementation.

 

Android updates are a bigger clusterfuck than you seem to be aware of. The only way to solve it is to strip away customization. By customization I mean non-Android One implementations. Even Android One probably isn't too easy to deal with but it's certainly much better.

I agree that Google should be more strict in the requirements for compliance and therefore access to the ecosystem but I'm sure Google is afraid of the pushback and threats of cutting ties if they try to take control back. You see the same shit in their dealings with carriers. 

 

The big problem is two-fold: your average consumer hates updates for whatever reason and there is no money to be made off of long term support. Fix those and you'll probably see all parties involved willing to play ball. Even the messy clusterfuck that is Android could be dealt with if it was worth it. Alas, it just isn't.

I mean cutting off as in an arbitrary point at which it stops supporting devices with upgrades -- that two-year point for major updates, and three-year point for security updates.  Has Google ever come up with a good explanation for why it can't possibly extend support for another year or two?  I haven't seen one.

 

Customization affects when updates arrive, not whether or not you're getting them.  And Google has been implementing features like Project Treble precisely to shorten that timeframe and reduce excuses for not pushing minor updates.  I can understand it taking a few months to push a custom version of, say, Android 10, but I don't think Google has an excuse in the modern era for stopping with two major OS updates.

 

I'd also disagree vehemently with the notions that people don't like updates, and that there's no money in long-term support.  People love updates, they just want good updates that run reasonably well.  They've been conditioned to dread updates in part because many vendors have been bad at it.  And Apple's iPhone business is built in no small part on delivering long-term support for phones.  You know your phone will keep getting new features well after your contract/instalment plan is up; hell, Apple even improved performance on its oldest supported devices with iOS 12.  I don't think it's unreasonable to tell Google that it can and should do better, especially as mobile security threats are intensifying.


9 minutes ago, Commodus said:

 

 

 

Consistent, long term updates have been an ongoing problem with Android since its inception about a decade ago. You'll forgive my lack of optimism that this will change anytime in the foreseeable future, if ever. Tbh, you'd probably do better to write off Android entirely if long term updates are a deciding factor.


Just now, Zodiark1593 said:

Consistent, long term updates have been an ongoing problem with Android since its inception about a decade ago. You'll forgive my lack of optimism that this will change anytime in the foreseeable future, if ever. Tbh, you'd probably do better to write off Android entirely if long term updates are a deciding factor.

To some extent, I have -- my main is an iPhone.  I just think Google needs to treat long-term updates as a much greater priority as phone update cycles get longer and mobile security threats become more serious.  It's ridiculous to think that someone with a modest income could be 'punished' with security risks simply because they can't justify buying a new phone every two to three years. Microsoft learned the hard way about the importance of timely, sustained security updates, and Google ought to address this before it finds itself in a Blaster-like mess of its own.


1 minute ago, Commodus said:

It is to blame, sorry.

 

Google only offers two years of OS feature updates, and three years of security updates.

That would only be an issue if any of the manufacturers would actually support their phones for more than 18 months. 

 

Google releases a completely new version of Android every year or so.  That's a core OS without drivers or device-specific firmware, which gets the 3 years worth of security updates. 

Any manufacturer can use that on all their devices, but instead they pick a small number of the most modern ones.  That's not Google's fault, it's entirely the manufacturers' choice. 


55 minutes ago, Commodus said:

I mean cutting off as in an arbitrary point at which it stops supporting devices with upgrades -- that two-year point for major updates, and three-year point for security updates.  Has Google ever come up with a good explanation for why it can't possibly extend support for another year or two?  I haven't seen one.

 

Customization affects when updates arrive, not whether or not you're getting them.  And Google has been implementing features like Project Treble precisely to shorten that timeframe and reduce excuses for not pushing minor updates.  I can understand it taking a few months to push a custom version of, say, Android 10, but I don't think Google has an excuse in the modern era for stopping with two major OS updates.

 

I'd also disagree vehemently with the notions that people don't like updates, and that there's no money in long-term support.  People love updates, they just want good updates that run reasonably well.  They've been conditioned to dread updates in part because many vendors have been bad at it.  And Apple's iPhone business is built in no small part on delivering long-term support for phones.  You know your phone will keep getting new features well after your contract/instalment plan is up; hell, Apple even improved performance on its oldest supported devices with iOS 12.  I don't think it's unreasonable to tell Google that it can and should do better, especially as mobile security threats are intensifying.

I can see you didn't read my post properly. Google is not connected to the problem you describe. I'll repeat they release monthly security updates and yearly feature updates. Your phone getting the update is not on Google. If Samsung wanted to support your phone for five years they could do it right now; Google can't prevent that. However Google can't make Samsung do it nor can they do it themselves. 

As it is right now Google extended Linux LTS support to 6 years but that in itself is technically not a limitation. It is technically possible to migrate to a newer kernel version although a lot more work. Those timelines you list are basically Google's guidelines that they could get some (not all) partners to commit to after a lot of negotiations.

 

I didn't comment on vendor implementations and if or when updates arrive. I said they're part of the reason Google can't push updates directly to your device like Microsoft does to Windows.

 

Many people hate updates. Even iPhone updates. They care little for them. They just want their device to run perpetually as is. 

 

The premise of your comments is wrong so I don't know what else to say.


1 hour ago, Commodus said:

To some extent, I have -- my main is an iPhone.  I just think Google needs to treat long-term updates as a much greater priority as phone update cycles get longer and mobile security threats become more serious.  It's ridiculous to think that someone with a modest income could be 'punished' with security risks simply because they can't justify buying a new phone every two to three years. Microsoft learned the hard way about the importance of timely, sustained security updates, and Google ought to address this before it finds itself in a Blaster-like mess of its own.

My next phone will probably be an iPhone as well (buy whatever happens to be the latest model, hold onto it for years), though upgrading my phone isn't exactly top priority at the moment, so it will probably be a while. My current phone is going on two years old, and shows startlingly little sign of wear, even on the battery.

 


1 hour ago, Trixanity said:

I can see you didn't read my post properly. Google is not connected to the problem you describe. I'll repeat they release monthly security updates and yearly feature updates. Your phone getting the update is not on Google. If Samsung wanted to support your phone for five years they could do it right now; Google can't prevent that. However Google can't make Samsung do it nor can they do it themselves. 

As it is right now Google extended Linux LTS support to 6 years but that in itself is technically not a limitation. It is technically possible to migrate to a newer kernel version although a lot more work. Those timelines you list are basically Google's guidelines that they could get some (not all) partners to commit to after a lot of negotiations.

 

I didn't comment on vendor implementations and if or when updates arrive. I said they're part of the reason Google can't push updates directly to your device like Microsoft does to Windows.

 

Many people hate updates. Even iPhone updates. They care little for them. They just want their device to run perpetually as is. 

 

The premise of your comments is wrong so I don't know what else to say.

Google can't push updates directly, but that doesn't mean the current arrangement is acceptable.  It already has agreements for a minimum number of updates; it's a matter of expanding those requirements to offer more updates for longer.  And Google can't just cave every time a vendor says "no thanks."  You can't commit a sliver of resources to ensuring that you release every security update, even if customization and carrier headaches mean it takes a couple of weeks longer to reach users?  Fine, then you don't get an official Android license.

 

And I really don't think you grasped the point about people's perception of updates.  They're leery of updates and interested in consistency in part because they've had bad experiences (yes, including iPhone updates until relatively recently).  You'd have to go out of your way to show that they're averse to the very concept of updates as opposed to the execution of those updates, and I don't think you can.  It's far easier to point to people who complain that update X slowed their phone down, made it buggy or added a confusing new UI.  Folks want new features and security updates -- they just don't want to be bewildered or frustrated.


6 minutes ago, Commodus said:

Google can't push updates directly, but that doesn't mean the current arrangement is acceptable.  It already has agreements for a minimum number of updates; it's a matter of expanding those requirements to offer more updates for longer.  And Google can't just cave every time a vendor says "no thanks."  You can't commit a sliver of resources to ensuring that you release every security update, even if customization and carrier headaches mean it takes a couple of weeks longer to reach users?  Fine, then you don't get an official Android license.

 

And I really don't think you grasped the point about people's perception of updates.  They're leery of updates and interested in consistency in part because they've had bad experiences (yes, including iPhone updates until relatively recently).  You'd have to go out of your way to show that they're averse to the very concept of updates as opposed to the execution of those updates, and I don't think you can.  It's far easier to point to people who complain that update X slowed their phone down, made it buggy or added a confusing new UI.  Folks want new features and security updates -- they just don't want to be bewildered or frustrated.

They simply don't want updates. I didn't misunderstand anything. People just want it to be like it always is. Even if it's a perfect update. People don't like change. So no, most people don't want all those things. It's an inconvenience to them. Best case scenario it's a silent update mechanism like Chrome but still: any change that affects their daily use - good or bad - they'll hate it. Granted, if every update is perfect they'd be more receptive in general. The less impact it has on them and the less friction there is in the process - the better the reception. However people just don't like change. Too bad for them that it's often forced upon them anyway. If updates mattered to your average consumer, the very same people wouldn't buy another Samsung phone - yet they do. Of course they're arguably locked in but still: thinking people like updates is a very techy way of thinking. I've yet to hear of an update model that makes the average consumer happy so if you know one I'd gladly hear it. Not even Apple is free from complaints.

 

Google's biggest partners already have options ready to deal with any Google attempt to pressure them. So it's not as easy as just saying "do as we say". Android is unfortunately open enough that they can thwart Google.

 

Google is slowly changing Android to be more modular. For example with Q (or 10 as they call it) some system components can be updated through the Play Store. Their intent is to keep expanding the list of components. However that still leaves out feature updates.

Google would piss off some of their biggest partners if they went on stage next year and said "now it's 5 years of updates or GTFO" or if they said "Android can't be customized. It will be standardized in hardware and we'll push the updates". 

 

The fact of the matter is that Android has a lot of technical debt and ancient business agreements that you can't change or at least can't change very quickly. It'll take a while to pivot Android towards a better model. It has taken Google the last five years or so to even get this far. It's possible they'll try to kill Android in favor of their work with Fuchsia/Zircon and whatever else codenames are attached to the project. However I'm not so sure the likes of Samsung or Huawei are onboard with a more closed ecosystem. Like everyone else, they don't want change.
