Patch your Android device

6 Jun 2016 at 20:37, Iain Thomson

It’s the first Monday of the month, and that means another batch of patches for Android, fixing flaws that can be exploited by apps and webpages to hijack devices.

As usual, if you’re not using a Google Nexus device, you’re at the mercy of your manufacturer and phone carrier to approve and distribute these updates, which may take some time. Although Google Play Services on Android gadgets can install updates quietly in the background direct from Google, it can’t reach the lowest levels of the operating system – which is precisely where these bugs lurk. Nexus devices get their updates straight from Google.

Of the eight critical flaws fixed this month, six are present in Qualcomm-powered phones and fondleslabs: two in each of its sound and GPU drivers, and one in each of the firm’s video and Wi-Fi drivers. All six allow apps installed on the devices to enter kernel space and completely hijack the gadget to steal passwords and spy on victims.

If a handheld is infected with malware via one of these vulnerabilities, you’ll need to do a complete wipe and reflash of the firmware to remove the software nasty.

The other two critical patches this month, as well as the bulk of lesser-severity patches, cover Android’s Mediaserver and libwebm code. Specially crafted audio and video files viewed on a vulnerable device – imagine receiving an MMS text or viewing a web page booby-trapped with an evil video – can exploit these holes to execute malicious code with high privileges on the device.

Ten of the remaining 32 high- and moderate-severity flaw fixes also cover Qualcomm kit, with Broadcom’s dodgy Wi-Fi drivers contributing another couple and Nvidia’s camera driver also showing problems. These holes can potentially be abused by apps to gain extra permissions to snoop on owners or cause trouble.

Twelve of these lower-ranked flaws in Mediaserver cover malicious apps being able to gain Signature or SignatureOrSystem privileges on the device, as does one flaw in the SD card emulation layer of Android. This could allow a specially crafted app with the right system image certification to run code without asking the user first.

Google is well aware of the problems with its Mediaserver. The Chocolate Factory is addressing the problem in the forthcoming Android N by rewriting and siloing the operating system’s media handling components.

This month’s security bugs are present in Android versions 4.4.4 (32.5 per cent of devices), 5.0.2 (16 per cent), 5.1.1 (19 per cent), 6.0 and 6.0.1 (7.5 per cent). Earlier builds are no longer supported. Although Google only lists which Nexus models are affected in its security advisory, other manufacturers’ phones are also affected.

Android does feature various mechanisms – such as ASLR – to block the exploitation of security bugs, although they can potentially be sidestepped.

Google drops Chrome support

2 Dec 2015 at 00:26, Simon Sharwood

Google has quietly announced it will end support for its Chrome browser on 32-bit Linux. This doesn’t affect the 64-bit build.

“To provide the best experience for the most-used Linux versions, we will end support for Google Chrome on 32-bit Linux, Ubuntu Precise (12.04), and Debian 7 (wheezy) in early March, 2016,” writes Googler Dirk Pranke on the Chromium developers list.

“Chrome will continue to function on these platforms but will no longer receive updates and security fixes,” he writes, adding: “We intend to continue supporting the 32-bit build configurations on Linux to support building Chromium. If you are using Precise, we’d recommend that you upgrade to Trusty.”

Thus, the open-source version of Chromium isn’t impacted by this decision, so those who really want to keep using a Chrome-family browser on 32-bit Linux can continue to do so.

Those who want to kick up a fuss about this decision are also, of course, free to do so. But with Linux owning a tiny desktop market share, it’s not hard to see why Google would focus its energies elsewhere when considering the packaged version of Chrome.