Old Qualcomm Vulnerability Exposes Android User Data (securityweek.com)
Reader wiredmikey writes: Researchers from FireEye have disclosed the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models (Editor's note: the link could have pop-up ads, here's an alternate source). The vulnerability is in the Qualcomm tethering controller (CVE-2016-2060) and could allow a malicious application to access user information. While the flaw could expose millions of Android devices, the vulnerability has limited impact on devices running Android 4.4 and later, which include significant security enhancements, and also does not affect Nexus devices. FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March and started reaching out to OEMs to let them know about the issue. Now it's up to the device manufacturers to push out the patch to customers. FireEye said: "The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched."
time to re-buy the white album? (Score:4, Interesting)
Now it's up to the device manufacturers to push out the patch to customers.
you KNOW that, for the most part, never happens. androids are mostly abandoned after the first year of being on the market. vendors have no reason to care and they don't! they leave us all exposed to the continual android bugs and the ONLY recourse is to root and install a new os or just give in and re-re-re-buy your phone all over again, trading one bug for another.
google is 100% at fault for not seeing this and not stopping it. it's a wild wild west in android land and I fucking hate how bad it is. 'just buy a nexus!'. fuck you! google abandons things too; I have a nexus one that I thought would get support but it had showstopper bugs that were there from day-1 and NEVER got fixed (screen calibration would stop every day; google never cared, etc etc).
there are so many reasons to hate google, but how they mishandled the whole android and carrier/vendor thing was one of the worst things they've ever done. and the whole architecture of android prohibits piecemeal upgrades. I can't just apt-get update and upgrade. I can't install JUST an ip stack fix or JUST a kernel fix. I have to upgrade a whole monolithic image and that's just SO STUPID it's beyond belief. linux was not that way and you had to do WORK to fuck up linux that badly. they removed the ability to do user level patching and upgrades and to make things worse, most vendors try their best to STOP users from even TRYING to upgrade their own phones.
people ask me why I don't do phone programming, since I write C code and stuff for a living. my hatred of the whole phone scene is why; it's a complete disgrace and I want no part of it. let the 20 somethings mess around with this and that phone; I have no time or patience to keep up with all that crap since it's such a moving target.
I really do wish 'phones' were not like they were today, but the market is ruined and I see no way around it since the carriers and vendors are so used to calling all the shots. they'll never give control back to users. it won't happen and so phones will always suck and never be YOUR computer.
Re: (Score:2)
It's pretty bad, but Google is patching essential services when it updates 'Google Play Services' in a way that most carriers would have balked at just a year or two.
The carriers suck, the forcing of signed bootloaders sucks, the update process sucks, the arrangement with MVNOs sucks, and all of it reduces overall security and functionality. Carrier profit is the primary factor that went into all of this. Yet this is exactly what is expected from such a heavily-regulated and regulatory-captured market, s
Re: (Score:2)
This is completely Google's fault for setting up Android this way. Apple doesn't have to wait on carriers to update the OS.
But if you want a better comparison, I didn't have to receive Dell's blessing (the manufacturer) or the store I bought the Dell from to update my OS and get patches from Microsoft. I was able to install Windows 7 on my Core Duo Mac Mini (
Re: (Score:2)
Nokia had their own full strength Linux OS for mobile - Maemo [wikipedia.org], which later was merged with Intel's similar venture and renamed Meego [wikipedia.org]. It was a regular Linux distro for ARM and had Nokia
Re: (Score:2)
for the end user, apple was doing the right thing. but not for the right reasons, mind you.
they are control freaks, everyone knows that. they controlled the carriers and having the shiny apple toy was all the carriers wanted; they even gave control over to apple for the pleasure of selling and including apple toys in their network.
google could have done the same thing but they didn't think about it deeply enough and now it seems too late to change the model.
google gets its eyeballs and deploys its apps t
Re: (Score:2)
for the end user, apple was doing the right thing. but not for the right reasons, mind you.
That is TOTAL conjecture on your part; you have absolutely no way to determine what Apple's "motivation" was.
You just ASSUME it is self-serving and evil. Do you have PROOF?
Re: (Score:2)
search the concept of 'if it walks like a duck...'
funny that a person with a handle 'macs4all' would AT ALL want to white knight apple. nothing strange about that at all. LOL
Re: (Score:2)
search the concept of 'if it walks like a duck...'
funny that a person with a handle 'macs4all' would AT ALL want to white knight apple. nothing strange about that at all. LOL
Ooo looky; an ad hominem attack! How terribly original...
More like: The last bastion of the "factless"...
Re: (Score:2)
To be fair your nick is essentially "shill for apple". You shouldn't be surprised if people assume that anything you say is a bit biased.
So sez the ANONYMOUS COWARD. Boy, count me IMPRESSED!
No, you INTERPRET my nick that way.
I meant it as more of a "wish" (as in "I'd like to be able to wave a magic wand and give everyone a Mac") than a "shill" (as in "In my eyes, Apple can do no wrong, and I will defend them to the death, even if I don't believe what I am saying.")
See the difference? Of course you don't; or, more correctly, won't admit it; because you will pretend that there IS no difference.
Am I biased? Of course. Just like the Free
Another Day, Another Android Vulnerability... (Score:1)
Seriously, why is that? What happened to the oft-touted Open Source advantage of "many eyes"?
I am honestly NOT Trolling here; but it does seem that most, if not all, of these vulnerabilities should be long-since discovered (and hopefully eradicated), rather than the steady drip, drip, drip of "another longstanding vulnerability discovered" many months or even years after the fact.
Re: (Score:2)
It is just you. That statement is quite an exaggeration. Just as most of the "vulnerabilities" that are found are. Companies like FireEye and Zimperium exist for situations just like this. They have a team of people scouring available source code looking for any little flaw and then when they find something like this they send out press releases and hype it up as the next big doom and gloom phone destroyer so that people will buy their security app. But, when looking into the details you find that this
Is My Device Vulnerable? (Score:2)