> These gaps between upstream vendors and downstream manufacturers allow n-days - vulnerabilities that are publicly known - to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device. While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android.
Ouch. Maybe acknowledging it means that they can act on improving that ecosystem with their downstreams?
The downstream vendors just don’t give a hoot. It’s been more than 10 years now and their behavior hasn’t changed. Google has moved mountains to throw as much as they can into userspace which can be patched by Google directly, but that effort has hit its limits. The rest will just never get better, because phone manufacturers love forced obsolescence, and when any exploit causes a serious issue they can just disingenuously point their finger at Google and say “well they made the software”.
Now hold on... Google made not just the software but the structure that makes it practical for Google and hardware makers like Qualcomm to get their cake and the vendors to somehow be responsible for the gap it causes when every vendor has to integrate drivers separately into orphans of the Linux kernel.
Many vendors happily joined Android One which Google seems to have silently killed, so I don't think they are that happy losing reputation to sell Android phones they can't properly support.
It's not even just downstream vendors. Google itself only supports its devices for three years. I bought a Pixel 4a on release in 2020 and next month will be my last security update.
I've been using third party ROMs on Pixel 3. They receive monthly security updates to some extent, but obviously the hardware specific "vendor binaries" are still outdated. Frankly, I cared more about the open nature of the ROM than about security/privacy. These days, I assume all my data is available for sale everywhere anyways.
The delay in updates is what originally pushed me to move from Android to iOS a while back, and years later it’s still an issue. You would think at least Nexus/Pixel would get updates quickly, but that still isn’t always the case. It seems like even within Google there are some issues that need to be addressed before they can lead other manufacturers by example.
The situation on Android is utterly insane. I bought a Pixel via my carrier a few years back only to find out that my _carrier_ was responsible for software updates, and they held them back so they could add their own bullshit to the OS. I was months waiting for a major Android OS version on a flagship Google device.
Google have been quite irresponsible on some of their own devices too. For example the Chromecast With Google TV is actively being sold (and new product revisions released), yet it is still running Android TV 12 despite 13 coming out in December 2022.
Apparently even they are struggling to update the device because of its lacklustre storage (8GB, only 4.4GB usable) which means there simply isn’t enough space for large OTA updates.
While I agree that Google and manufacturers need to do better, the article shows that the number of detected in-the-wild zero-days is higher for iOS than Android in the newest stat (2022), while it used to be higher for Android.
Microsoft Exchange being listed alongside entire operating systems with comparable numbers of ITW vulnerabilities is something I can relate to after running such systems.
FWIW, I filed a bug a few days ago for the issue I was seeing. A profile showed that Firefox was spending all of its time evaluating a regex. Which is weird because Chrome uses the same regex engine. https://bugzilla.mozilla.org/show_bug.cgi?id=1845775
Took a while to load in mobile Safari as well, but it did eventually when I waited a while. Interestingly it works almost immediately in desktop Safari?
> The Android security team then decided that they considered the issue a “Won’t Fix” because it was “device-specific”. However, Android Security referred the issue to ARM. [...] While ARM had released the fixed driver version in October 2022, the vulnerability was not fixed by Android until April 2023
What's going on there? If the bug is in Android's source repo, where it has to be fixed and released by the Android team, it seems like a valid bug in Android. Marking it "Won't Fix" seems inappropriate since they did eventually fix it.
https://support.google.com/nexus/answer/4457705
Can you imagine if Apple or Microsoft stopped making OS updates for CPUs more than three years old?
https://2542116.fls.doubleclick.net/activityi;src=2542116;ty...?
I just tested this on v114, v115, and nightly (117.0a1 (2023-07-31) (64-bit)) and couldn't reproduce.
On nightly, I tried setting Enhanced Tracking Protection to strict and installing uBlock Origin, and still couldn't get it to show a blank screen.
(MacOS 13.4.1)