Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Android Security

Samsung Decides Not To Patch Kernel Vulnerabilities In Some S4 Smartphones 144

An anonymous reader writes: QuarksLAB, a security research company, has stumbled upon two kernel vulnerabilities for Samsung Galaxy S4 devices, which Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat. The two vulnerabilities (kernel memory disclosure and kernel memory corruption) were discovered in February 2014 and reported to Samsung in August 2014, affecting the samsung_extdisp driver of Samsung S4 (GT-I9500) devices. Bugs break ASLR and lead to denial of service (DoS) state or even elevating attacker privileges.
This discussion has been archived. No new comments can be posted.

Samsung Decides Not To Patch Kernel Vulnerabilities In Some S4 Smartphones

Comments Filter:
  • by Anonymous Coward on Saturday October 03, 2015 @03:17AM (#50650079)

    The number of exploits is increasing exponentially but the vendors are scaling back security patches across the board.

    MBA's FTW.

    • by sexconker ( 1179573 ) on Saturday October 03, 2015 @03:30AM (#50650105)

      Yup, Android is no longer a platform I can recommend.
      Of course, iOS isn't either, and MS burned all bridges with Windows 10, so fuck it, I'm not buying any shit from you assholes anymore.

      • by AK Marc ( 707885 ) on Saturday October 03, 2015 @04:00AM (#50650143)
        Android is safer if you root it and abandon the official versions. TouchWiz isn't that good anyway. Every other maker's UI is better than TouchWiz. My S3 was abandoned on an old version of Android, but I'd have to go boot it to see what. So Samsung has a habit of abandoning older generations. And iOS isn't any better, with less than 1 year support for my 3G, about the same as I got on my S3.

        Android has the slight edge, because I can root it and go with a generic, or use a maker like Oppo with weekly OS updates, if you want to update that often.
        • Great if CM support your phone. I've got a Note 2 and there's been no new milestone for a year. In any case isn't this a bug in the Samsung drivers so I'm not sure how CM would be able to fix this one.

          • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday October 03, 2015 @06:06AM (#50650395) Homepage Journal

            Great if CM support your phone. I've got a Note 2 and there's been no new milestone for a year. In any case isn't this a bug in the Samsung drivers so I'm not sure how CM would be able to fix this one.

            Forget CM, go to XDA and look for other ROMs for your phone. Based on a quick glance over the appropriate forum, I suggest Resurrection Remix [xda-developers.com]. Yeah, the names of these things are ridiculous. I'm running something called "KatKiss" on my Asus Transformer Prime. You can have it with a choice of three kernels, two without fsync (internal flash is abysmally slow) and one with. I am using the one with because data is more important to me than a couple more frames per second.

            • Forget CM, go to XDA and look for other ROMs for your phone.

              I would love to know how to do this. Go ahead and call me an idiot, but I've gone through the ROMS for about a day and a half and then asked on the forums for suggestions, but I got no help on that:
              http://forum.xda-developers.co... [xda-developers.com]

              How does one "look for other ROMs" and know if those ROMs support the needed features? Especially for devices such as the Note which have exceptional hardware that may not be supported in the ROM (S-Pen).

              • I would love to know how to do this. Go ahead and call me an idiot, but I've gone through the ROMS for about a day and a half and then asked on the forums for suggestions, but I got no help on that

                OK, here is your short short short form of how to change your ROM.

                Step 1, find your ROM. First, you go to XDA-Developers and find your device, then you look at the first page or so of the applicable "Android Development" forum at the different active threads. If you have an enormously popular device, you will also want to look at page 2. Look for threads with high post counts. The thread titles should tell you which version of Android the ROM is based on. Check inside the threads to see what is working/nonw

                • You didn't answer his second question though, which was finding out which features a rom supports. On my Galaxy Note 4, basically no AOSP roms support the fingerprint sensor (not a big loss, admittedly) they don't support call recording apps (and before somebody rants, yes, it's legal to record your own calls in 40 states even if the other party isn't aware) and they don't support amr wideband (aka HD Voice.)

                  I presently use AICP on my Note 4. It has a call record option in the dialer app, but it isn't autom

                  • You didn't answer his second question though, which was finding out which features a rom supports.

                    Yes I did. "Check inside the threads to see what is working/nonworking."

                    • Yes I did. "Check inside the threads to see what is working/nonworking."

                      That rarely if ever covers that though. Take for example the HD Voice and voice recording features. None of the roms mention that those don't work, you just have to find out after installing it.

                    • That rarely if ever covers that though. Take for example the HD Voice and voice recording features. None of the roms mention that those don't work, you just have to find out after installing it.

                      Sorry you've found that to be the case. For all four of my android devices covered on XDA-Developers (nobody there cares about the mk908, you have to go to freaktab) the information is quite good.

                • OK, here is your short short short form of how to change your ROM.

                  OMG, I feel like I' m taking Crazy Pills!

                  Let me get this straight: (And this is to all of those who are advocating "Custom ROMS") :

                  1. There is a Security Vulnerability in the "stock ROM" of some Device.

                  2. OEM abandons said device.

                  3. Device is on a platform with a longstanding and nearly Universal practice of doing exactly this same thing, time and again.

                  4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, un

                  • 4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, unsupported, un-vetted "Custom ROM" from the Internet.

                    Who's gonna steal your antique phone?

                    Given that the Custom ROM could very well be a Trojan itself, doesn't this cycle seem like the "cure" could be just another disease?

                    You don't think anyone would notice? I do.

                    And even if that isn't the case for a particular iteration, doesn't the next vulnerability simply end you up at Step 1, above, but simply with the "Custom ROM" instead of the OEM ROM?

                    Nothing is supported forever. When Apple drops an iDevice, you're just fucked. When an Android device is dropped, at least there's hope.

                    • 4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, unsupported, un-vetted "Custom ROM" from the Internet.

                      Who's gonna steal your antique phone?

                      WTF are you even talking about?

                      Given that the Custom ROM could very well be a Trojan itself, doesn't this cycle seem like the "cure" could be just another disease?

                      You don't think anyone would notice? I do.

                      Maybe, maybe not. Depends on a bunch of factors, not the least of which is the User's ability to look in the right place, get the download from the right place, etc. Far too many variables for something so critical.

                      And even if that isn't the case for a particular iteration, doesn't the next vulnerability simply end you up at Step 1, above, but simply with the "Custom ROM" instead of the OEM ROM?

                      Nothing is supported forever. When Apple drops an iDevice, you're just fucked. When an Android device is dropped, at least there's hope.

                      Ah, but that's the difference that makes ALL the difference: Almost ALL Android Devices are "Abandoned" on the day you buy them; but almost ALL, if not ALL, Apple Devices are supported for two years or more; by which time, most users are shopping for an Upgrade anyw

                    • Almost ALL Android Devices are "Abandoned" on the day you buy them;

                      Literally the only Android device I've got which got no updates is the Sony Xperia Play. I learned my lesson, and Sony can DIAF. (They explicitly promised ICS for it, but never delivered.) Every other device I've got has had at least two substantial upgrades, or will be getting them. TF201 got two. Moto G had one, is getting another. Nexus 4, not a problem. My crappy MK908 TV stick had two updates. All of these devices got at least a couple of years of support.

                      YOU brought up length-of-OFFICIAL-Support. you lose.

                      You don't even understand the argument, iFanboy

                    • Almost ALL Android Devices are "Abandoned" on the day you buy them;

                      Literally the only Android device I've got which got no updates is the Sony Xperia Play. I learned my lesson, and Sony can DIAF. (They explicitly promised ICS for it, but never delivered.) Every other device I've got has had at least two substantial upgrades, or will be getting them. TF201 got two. Moto G had one, is getting another. Nexus 4, not a problem. My crappy MK908 TV stick had two updates. All of these devices got at least a couple of years of support.

                      If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

                      YOU brought up length-of-OFFICIAL-Support. you lose.

                      You don't even understand the argument, iFanboy. The argument is that once official support is over, your iDevice is garbage. At least there's a chance that someone will support your Android device. Now go throw your old Apple devices in the landfill and shut the fuck up.

                      Well, at the expense of possibly making part of your argument for you, even after Apple ends Official support for a particular Device, which is almost always long after that device is pretty-much completely out-of-circulation, you aren't screwed. For example, Apple produced [wikipedia.org] iOS 5.1.1 in May, 2012,

                    • by JonJ ( 907502 )
                      Discussing with someone who's so deluded he thinks the XDA developers forum is a good place to get ROMs is meaningless anyway.
                    • If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

                      Because there are so many more Android users than iOS users, and because they are less willing to give Google a free pass than iOS users are Apple.

                      But even after that completely reasonable length of OFFICIAL support, those few that are still rockin' that "antique" kit are free to Jailbreak their iOS devices, and take their chances with "Custom ROMS" from sources like Cydia.

                      Cydia offers an alternate app store, not iOS updates. It's equivalent to rooting, not to reflashing.

                    • If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

                      Because there are so many more Android users than iOS users, and because they are less willing to give Google a free pass than iOS users are Apple.

                      Boy, anyone who has hung around Mac-oriented Forums knows what a larf-riot THAT comment is! Apple Users are some of the pickiest mofos you'll EVER see!

                      But even after that completely reasonable length of OFFICIAL support, those few that are still rockin' that "antique" kit are free to Jailbreak their iOS devices, and take their chances with "Custom ROMS" from sources like Cydia.

                      Cydia offers an alternate app store, not iOS updates. It's equivalent to rooting, not to reflashing.

                      Meh, I will admit I never was interested enough to really know what Cydia was, and wasn't.

                    • Discussing with someone who's so deluded he thinks the XDA developers forum is a good place to get ROMs is meaningless anyway.

                      I defer to your superior knowledge on that subject!

                      I assume there are perfectly conscientious makers of Custom AOSP builds, and that some of them might even have good enough compatibility for a few handsets to make it tempting to load them; but even without the Trojan factor, there still are significant compatibility problems with enough Devices that it seems dangerous to mess with unofficial ROMS.

                    • Boy, anyone who has hung around Mac-oriented Forums knows what a larf-riot THAT comment is! Apple Users are some of the pickiest mofos you'll EVER see!

                      Nonsense. They will cry about things they don't like, like the Macintosh developers of old complaining about every little change Apple made, but they won't actually do something about it and leave the platform. They're not picky at all, they're just whiny.

                      Meh, I will admit I never was interested enough to really know what Cydia was, and wasn't.

                      But you were happy to present incorrect information about it as if you knew what you were talking about anyway. One button 4 life!

                • OK, here is your short short short form of how to change your ROM.

                  Step 1, find your ROM. First, you go to XDA-Developers and find your device, then you look at the first page or so of the applicable "Android Development" forum at the different active threads. If you have an enormously popular device, you will also want to look at page 2. Look for threads with high post counts. The thread titles should tell you which version of Android the ROM is based on. Check inside the threads to see what is working/nonworking.

                  Thank you, I see that you really are trying to help. The issue with checking what is working/nonworking is that each thread has on average hundreds of replies, some in the tens of thousands. I _have_ gone and read them, and I still don't know what has been resolved or not. Examples, from the current first page of results:

                  XDA: DEVDB [ROM] [5.1.1] DarkLord Note 5 Full Port (Fastest, Smoothest) [03/10/2015] 1 2 3
                  Replies: 10,717

                  XDA: DEVDB [ROM][AOSP]Minimal OS HLTE Unofficial 2015/10/01 1 2 3
                  Replies: 38

      • by Lumpy ( 12016 )

        Arduino phone....

        http://www.instructables.com/i... [instructables.com]

        If you control the source.... you control the spice....

      • Android is fine if you get a Nexus device and either install something like Cyanogen or make sure you install Google's updates as they're released. I took the latter route and the updates are flowing.

        Sure, they only promise to keep those updates flowing for 18 months after they stop selling it (or 3 years from when they started, whichever is longer) but I'm likely to have already replaced this phone by that point, anyway; and if not, Cyanogen.
    • Comment removed based on user account deletion
  • What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

    Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone. Your contract will be up in 2 years, and at 18 months, you will be offered a new phone with early renewal, so just wait until the contract is up, re-up the contract, and get the new phone with the fix.

    KTHX BAI.

    • by TheRaven64 ( 641858 ) on Saturday October 03, 2015 @04:46AM (#50650241) Journal

      Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone.

      Sure, but the new phone I get will be from a vendor that I can trust to support it for its lifetime. I may upgrade my phone after 2-3 years, but I'll probably hand the old one off to someone else or use it as a spare. If the phone becomes useless after 1 year, then I'll factor that in when I calculate the value of the phone - if I can amortise the cost over 4 years rather than 2, then the cost of the phone is not as good.

      Your contract will be up in 2 years

      What kind of idiot signs a 2-year phone contract in 2015?

      • What kind of idiot signs a 2-year phone contract in 2015?

        Was this a rhetorical question? Because the answer is most people.

        • Really? Where on earth do you live? I'm not sure anyone in this country still offers two-year contracts. Most people are either on pre-pay or one month rolling contracts. 18 months is about the longest, and they're rarely much cheaper than the one-month version, so there's little incentive to sign up for them (especially given that you're likely to get a better deal in six months, so being locked in for 18 months doesn't make sense even if it is cheaper at the start).
          • Australia, Europe, China, a few years ago Canada. The vast majority of the people are on 2 year contracts which come with a phone. The 2 years is up (well in reality the 1 year and 11 months is up because god forbid a carrier lets a competitor offer you something first) and you get a "free" phone (which isn't really free but people believe it anyway while they keep paying). The people on pre-paid schemes are school kids who can't legally sign up to a contract but are able buy a phone and pre-pay, and the pe

    • by Threni ( 635302 )

      > What kind of dumbass company is going to spend money porting a new version of an OS to an old platform,
      > with no payday for doing so?

      Well, that's kind of the point. Companies should be forced to state up front how long the phones are going to be kept up to date (from both a security and Android version point of view) and if they don't they can be sued for breaking the terms under which people bought the phones in the first place.

      No-one expects Microsoft to provide updates for windows xp, but they d

    • These "dumbass" companies have a few more generations of device sales before this becomes a major problem. Then something has to give.

    • by jeremyp ( 130771 )

      What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

      Apple.

      Well, OK there must be a payday. Perhaps they see the fact that you can put the latest iOS onto a 4s as a selling point. i.e. if you splashed the cash for one in 2011 you would feel better knowing that, theoretically, you could still have the latest OS four years later even if unreality you replace it after two years.

    • by Lumpy ( 12016 )

      Port it? are you really that completely clueless?

      You simply fucking compile it with the same compiler flags you used for the first version. Compiling android 5.1 for a 4.4.4 phone is absolutely trivial.

      And how about just release the god-damn bootloader lock so if people want to do it themselves on out of warranty hardware, they can. HTC and Samsung HATE their customers by locking the bootloader down so hard it's insane. Latest samsung phones are deemed to never EVER be able to run a full cyanogenmod.

      • The problem is the stupid skins manufacturers are putting on top of Android to "diferentiate" themselves from the competition. Those need to be updated to work properly with whatever has changed under the hood in the new Android version. And they don't want to do it.

        Not sure what you're talking about re: HTC locking down their bootloaders, they have a developer site where you enter your IMEI and get instructions for unocking your bootloader. Unless you're on AT&T or Verizon; they *require* locked boot
      • Port it? are you really that completely clueless?

        You simply fucking compile it with the same compiler flags you used for the first version. Compiling android 5.1 for a 4.4.4 phone is absolutely trivial.

        You obviously do not *get* how Android partner companies deal with porting android. Most of the bits for various phones do *not* get integrated back into the main line sources.

        Any given android version on any given phone is generally a stable snapshot of whatever was top of tree when the work on the phone started, plus local additions for device support.

        Internally, Samsung treats each new phone as a one-off porting job. They've got an entire group that does nothing but one-off ports of whatever is a top o

    • What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

      Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone. Your contract will be up in 2 years, and at 18 months, you will be offered a new phone with early renewal, so just wait until the contract is up, re-up the contract, and get the new phone with the fix.

      KTHX BAI.

      Why, as shown by this chart [wikipedia.org], that most evil of evil companies [apple.com] (according to many Slashdotters), that's who!

  • by Rainbow Nerds ( 4224689 ) on Saturday October 03, 2015 @04:05AM (#50650159)

    I don't understand why phone manufacturers and carriers don't get sued for things like this. Carriers have typically required two year contracts for phone subsidies, and normally it's possible to buy a phone two years old and get it free. At least that's how it is in the US. That means you can buy a phone that's as much as three years old and have a reasonable expectation to use it for two years because that's the contract with your carrier. That means manufacturers and carriers should provide support for a minimum of five years. That means a phone released in October 2015 should have support until October 2020. I think a customer has a reasonable expectation of this. If nothing else, that should be grounds for a lawsuit against manufacturers and carriers. There's also the issue of delays in fixing vulnerabilities both with the manufacturers and then the carriers. Again, I think there's a reasonable expectation for security updates in a timely manner. Also, when phones ship with locked bootloaders and customers can't choose to unlock them, it makes it very difficult to install a patched version of the OS. This also voids the warranty if you're able to do it. Customers are screwed no matter what they do in this situation, which is why carriers and manufacturers should be sued in the absence of specific laws to protect customers.

    I can't help but wonder if the decision to not provide software updates to older phones is partly because people don't see a huge difference between models and this is one way to push people to buy newer and more expensive phones. I can't say it for certain, but it wouldn't surprise me if that's part of the decision process.

    • by AmiMoJo ( 196126 )

      There is nothing to sue over. Unless you can show that you were attacked by malware or forced to stop using the device because of proven, legitimate fears then you have nothing to sue for. What loss have you suffered from this vulnerability?

      That's the thing about most of these supposedly critical flaws in Android. They are never that bad, we never see massive botnets because of them, we never see massive identity theft or any kind of practical, in the wild exploit. The people who do become victims do it to

      • The people who do become victims do it to themselves, usually by installing some dodgy app store and disabling the Google malware protection.

        The whole point of sandboxing is to protect me whether the software is malicious or malfunctioning. If it doesn't do that, then it's defective — especially if there's a known defect with a known mechanism. I've had to go around manufacturers for fixes for these problems because Motorola is not what you would call responsible about bringing out updates, nor is Asus. A bit frustrating, really. On the other hand, I was able to do that. Can't do that with Apple.

        • by AmiMoJo ( 196126 )

          I understand your feelings but for there to be a lawsuit there has to be some harm done. You can't just sue because someone does something to don't like.

          Since there are no viruses making use of this flaw it seems entirely theoretical at this point.

          Anyway, the latest update they released fixes it. It's your own fault if you didn't install it when offered (it's OTA).

    • I don't understand why phone manufacturers and carriers don't get sued for things like this.

      They do, when they make promises to bring out updates until a date, or a certain number of updates, etc, and when the affected class is sufficiently sizable to attract leeches, I mean lawyers. But when no promises are made and no damages can be proven it's difficult to squeeze blood out of a corporation.

    • they're to put money in a lawyers pocket and a $5 off your next phone coupon in yours. It'd probably be too hard to sue over something like this. It's too hard for a jury of 50 somethings (who are the only folks that could take 6 months off for the trial) to understand. How's that joke go? 10 people too dumb to get out of jury duty...
  • Article is FUD (Score:4, Informative)

    by the Hewster ( 734122 ) on Saturday October 03, 2015 @05:37AM (#50650349)
    This article makes no sense. It says the vulnerability affects the Galaxy S4 but only if you are running an outdated firmware (like Kit kat). However, there is an official (pushed OTA) update to Jelly Bean on this device, so all you have to do to not be vulnerable is apply the update! Same as usual: if you want to avoid vulnerabilities, update your stuff regularly.
    • by msauve ( 701917 )
      You make no sense. The summary says "Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat" and the article says "Samsung just confirmed to us that the JB and KK families will not be patched and that the vulnerabilities are only patched on the LL family."

      So, explain how "an official (pushed OTA) update to Jelly Bean" fixes things.
    • ... only if you are running an outdated firmware (like Kit kat). ... update to Jelly Bean on this device ...

      You apparently did not know that Android versions are named in alphabetical order. Jelly Bean (4.1) predates Kitkat (4.4) You cannot "upgrade" to Jelly Bean from Kitkat.

      Apologies if your post was sarcasm. I interpreted it as ignorance.

    • This should not be modded up. Samsung leaves their older devices without upgrades. I'm still using an S3, and I shouldn't have to buy a new phone because the locked down device I purchased was made by a company that refuses to upgrade their older phones.
  • Considering the current version is fully patched, I don't understand how you would spin this into Samsung not patching kernel vulnerabilities.

    "Samsung has decided to patch, but only for recent devices running Android Lollipop, and not for those with Jelly Bean or KitKat."

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...