If you have an Android, keep an eye out for updates from your vendor or carrier – there are some critical security patches out.
Google has fixed 12 vulnerabilities affecting Android versions 4.4.4 through 6.0.1, including five rated as “critical” – the designation for the worst kind of security bug.
The most serious vulnerability in this batch is a remote code execution (RCE) bug, designated CVE-2015-6636, in Android’s mediaserver component.
Mediaserver is often used to render remotely-supplied multimedia content, so Google is warning that an attacker could exploit the bug to run malware hidden in booby-trapped media files delivered via multiple methods, including email, web browsing and MMS.
Mediaserver is a “core part of the operating system,” with access to video and audio streams as well as having run-time privileges that third-party apps don’t.
If this sounds familiar, that’s likely because Google has now patched 30 vulnerabilities in mediaserver since monthly Android security updates began in August 2015, according to InfoWorld’s Fahmida Y. Rashid.
This mediaserver bug is also similar to the major vulnerability known as “Stagefright” that affected up to 95% of Android devices, which could have allowed crooks to implant malware in a similar way.
Fortunately, to mitigate the bug, Google has made changes to the default Android messaging apps, Google Hangouts and Messenger, so that they “[no longer] automatically pass media to processes such as mediaserver.”
Google said it made the security update available to partners on 7 December 2015 “or earlier.”
Google and Samsung have been quicker at getting security fixes out since Stagefright, but unfortunately, carriers haven’t pushed out updates for every type of Android device affected by this latest set of vulnerabilities.
Sprint and Verizon have updated their Nexus 5 and 6 devices, according to Softpedia, which also reports that other Android devices are expected to get the updates soon, including BlackBerry PRIV, Samsung Galaxy S6, Galaxy Note 5 and “some Motorola and HTC smartphones.”
When you see a notification that the update is ready on your device, you should accept it and upgrade to the latest version of Android “wherever possible,” Google recommends.
Until you can apply the security update, be very cautious about downloading or playing media files.
Don’t accept media messages from unknown senders, and make sure the setting “Automatically retrieve MMS messages” in both Hangouts and Messenger is turned off.
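For anyone looking after more than one handset, it helps to know which devices fall into the affected range (4.4.4 through 6.0.1) and which already report the December 2015 patch level. The script below is an added example, not code from the article, from Sophos or from Google. It parses the bracketed text that `adb shell getprop` prints and relies on two properties that Android builds report, `ro.build.version.release` and `ro.build.version.security_patch`; the threshold `2015-12-01` is the security patch level string the December 2015 bulletin introduced and is kept in one constant so it can be raised for later bulletins. The three device dumps in the block are constructed samples, not captures from real devices.

```python
"""Assess whether an Android build sits in the 4.4.4-6.0.1 range and whether it
already reports the December 2015 security patch level.

Added example (not the article's, Google's or Sophos's code). Feed it the text
of `adb shell getprop`, saved to a file or piped in; it runs offline on the
constructed samples below.
"""
import re
import sys

# Range the article names as affected, inclusive on both ends.
AFFECTED_MIN = (4, 4, 4)
AFFECTED_MAX = (6, 0, 1)
# Patch level string set by the December 2015 bulletin (assumed threshold;
# raise it when checking a later bulletin).
FIXED_PATCH_LEVEL = "2015-12-01"

# getprop prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop output into a dict; lines that don't fit the format are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def version_tuple(release):
    """'6.0.1' -> (6, 0, 1); '4.4' -> (4, 4, 0). Non-numeric suffixes are dropped."""
    parts = []
    for piece in release.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(getprop_text):
    """Return (in_affected_range, patched, note) for one device's getprop dump.

    `patched` is False whenever the patch-level property is absent: builds that
    predate the monthly bulletins (KitKat, for instance) never report it, and an
    unknown level has to be treated as unpatched.
    """
    props = parse_getprop(getprop_text)
    release = props.get("ro.build.version.release", "")
    if not release:
        return (False, False, "no ro.build.version.release; cannot assess")
    in_range = AFFECTED_MIN <= version_tuple(release) <= AFFECTED_MAX
    level = props.get("ro.build.version.security_patch")
    if level is None:
        return (in_range, False, "no security_patch property; treat as unpatched")
    # YYYY-MM-DD strings order correctly as plain strings.
    return (in_range, level >= FIXED_PATCH_LEVEL, "patch level %s" % level)


# Constructed sample dumps (not real devices), in getprop's bracketed format.
SAMPLE_PATCHED = """[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2015-12-01]
[ro.product.model]: [SAMPLE-A]"""

SAMPLE_OLD_LEVEL = """[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2015-11-01]
[ro.product.model]: [SAMPLE-B]"""

SAMPLE_KITKAT = """[ro.build.version.release]: [4.4.4]
[ro.product.model]: [SAMPLE-C]"""


def report(getprop_text):
    """One-line human summary used by the command-line entry point."""
    in_range, patched, note = assess(getprop_text)
    status = "OK" if (patched or not in_range) else "NEEDS UPDATE"
    return "%s: in_range=%s patched=%s (%s)" % (status, in_range, patched, note)


if __name__ == "__main__":
    if not sys.stdin.isatty():
        print(report(sys.stdin.read()))        # e.g. adb shell getprop | python3 check.py
    else:
        for sample in (SAMPLE_PATCHED, SAMPLE_OLD_LEVEL, SAMPLE_KITKAT):
            print(report(sample))
```

A device that is out of the affected range but carries a later patch level is reported as OK; a device inside the range with no `security_patch` property at all is flagged, because the absence of the property on an older build tells you nothing reassuring.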
All of which I suspect is pretty irrelevant to the majority (?) of us who have devices where the vendor / manufacturer / carrier (whatever) are not pushing out updates.
Given that Android is to a degree “free”, can anyone point towards a reliable source for forcing an upgrade from say Android 2.3.x or 4.4.x to 5.x or even 6.x – together with instructions on applying said upgrade?
Thanks
There isn’t a standard way to go for “free Android,” and some devices are locked down to inhibit it anyway (though you may be able to jailbreak them, which is called “rooting” in the Android world). Some devices can’t run the more recent versions. Anyway, if you go for AOSP (Android Open Source Project), you may be disappointed at the non-free parts it doesn’t have, like most of the Google Apps, like Play and others. And your phone might not work, and so on and so on. Even Google’s firmware support for its own Nexus devices is all over the place. For example, my 2012 Nexus 7 3G device doesn’t have any 6.x firmware images at all, and doesn’t even seem to have the latest 5.1.1 firmware build with these fixes, either.
I just don’t know what to suggest, short of [a] take the risk of outdated firmware [b] take the risk of “home cooked” firmware from someone you have never heard of [c] pretend Android is a well-managed ecosystem and do nothing, [d] buy a cool new Android or [d] get a phone from Microsoft or Apple instead 🙂
If only there were a clean, clear, crisp answer to your question…
“you may be disappointed at the non-free parts it doesn’t have, like most of the Google Apps, like Play and others.”
Well I’m looking for a p h o n e
“And your phone might not work, ”
Oh, that is fundamental!
[d] Or go Ubuntu Touch or CyanogenMod?
Similar issues of course apply to updating Routers!
I love my Android phone and would never switch to Apple because of its limitations… I just find it frustrating to be so far down the chain in the “Google > Manufacturer > Carrier > Device” update ecosystem. I use a Samsung device through Verizon, and my carrier recently committed to supplying monthly security updates – of which I have received one in the last three months. Politely-worded emails to Samsung and Verizon thus far have not seen so much as an auto-reply.
Droid asks “can anyone point towards a reliable source for forcing an upgrade from say Android 2.3.x or 4.4.x to 5.x or even 6.x – together with instructions on applying said upgrade?”
Duck responds “There isn’t a standard way to go for “free Android,…”
Fortunately Duck isn’t quite on target. The CyanogenMod project specializes in providing releases and updates for those orphan devices. There are even updates for my backup phone, an original Samsung Galaxy, that’s at least five years old. Most are updates to Android 5 (CyanogenMod calls it “12”). Although the old Galaxy is still at 4.4.4 it’s getting updates – the most recent is December 15.
Installation instructions are readily available as well as online forums. I’ve never been able to get the “automatic installer” to work on the old phone but there are various alternatives which do work. It’s hard to “brick” an Android device.
As Duck notes “if you go for AOSP (Android Open Source Project), you may be disappointed at the non-free parts it doesn’t have, like most of the Google Apps (GApps), like Play and others.” To translate: Android comes in two pieces: the open source part that manufacturers can customize and the proprietary parts that Google owns and distributes only as binaries. These include, for example, the Chrome browser, Play Store, Play Services (automatic updates for apps from Play Store), and Gallery. There’s a different version of GApps for each Android version, so the update sequence has to be:
–Download the Android update and GApps update
–Install Android update and reboot
–Install GApps update and reboot
Two quick remarks: CyanogenMod is one of many alternative firmwares, but I wouldn’t describe it as “specialising in orphan devices.” Your device may or may not be supported. And, as for Gapps, you’re adding proprietary components that are pulled out of one of Google’s firmware builds (not sure of the legality of this) and assembled into an unofficial bundle that was almost certainly not tested – neither for correct functionality, nor for security – with your firmware or your device.
In four words, “Good luck with that.”
Unexpectedly received my security update to my Sprint Galaxy S4 last night.