
Check Point's "QuadRooter" vulnerabilities

Check Point's "QuadRooter" vulnerabilities

Posted Aug 9, 2016 9:00 UTC (Tue) by jrnorris (subscriber, #74233)
In reply to: Check Point's "QuadRooter" vulnerabilities by clump
Parent article: Check Point's "QuadRooter" vulnerabilities

As a Nexus 6P user I can confirm that 3 of the 4 vulnerabilities have been patched already on patch level 5th August. The September list referred to is likely to be the one released at the start of September like the other patches, so at worst around 4 weeks, not 2 months. For example, the August patch was released on the first of August (with a second update done on the 5th).

This compared to other Android phones I've had that I've bought through carriers that haven't received updates (security or otherwise) for 12 months or more at a time. So while retarded might be a bit strong, I can see the point being made about supporting Android manufacturers that update regularly.



Check Point's "QuadRooter" vulnerabilities

Posted Aug 9, 2016 14:29 UTC (Tue) by clump (subscriber, #27801) [Link] (8 responses)

Official Android updates aren't reliably released. Monthly updates are not delivered to some Nexus devices until the middle or end of a given month. So if there's a security issue fixed in the next update, your phone could be vulnerable until about September 20th. This is pretty generous for attackers.

I don't believe the situation is "better" for non-Nexus devices, but that's not saying much.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 10, 2016 7:51 UTC (Wed) by thestinger (guest, #91827) [Link] (7 responses)

The over-the-air updates are intentionally staggered. It usually takes about 7 days for it to ramp up to all devices being told that there's an update available. I don't know why they do it that way. I don't think they've ever actually backed out one of the monthly security updates since they're well tested before release.

They started publishing full over-the-air updates (all of the actual over-the-air updates are delta updates) at https://developers.google.com/android/nexus/ota for manually installing them.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 10, 2016 14:59 UTC (Wed) by dany (guest, #18902) [Link] (6 responses)

I found this comment on twitter:

Imagine you have Windows security updates not from Microsoft, but from your ISP or PC maker (Dell, Lenovo,...). Funny, right? Well, it's reality in Android world.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 10, 2016 15:08 UTC (Wed) by pizza (subscriber, #46) [Link] (4 responses)

It's not that clear-cut.

For example, my work-supplied Lenovo laptop gets quite a few updates from the manufacturer -- the "Lenovo Updater" tool grabs updates for everything that Lenovo bundled with the system -- including Windows updates, device drivers, machine-specific applications, etc.

The other point is that PCs running Windows have commodity hardware with (very) standard interfaces capable of using a generic, off-the-shelf operating system installed by an end-user.

That's not the case with the overwhelming majority of Android devices.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 11, 2016 9:00 UTC (Thu) by dany (guest, #18902) [Link] (3 responses)

You don't really need Lenovo updater to get Windows security updates.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 11, 2016 19:05 UTC (Thu) by Jonno (subscriber, #49613) [Link] (2 responses)

> You don't really need Lenovo updater to get Windows security updates.
Only for security updates to components found in Windows proper, not for additional stuff installed by the OEM.

Remember that none of the four vulnerabilities discussed here are actually in Android proper: three are in OEM provided drivers, and one is in an OEM provided replacement for a stock driver. In the Windows ecosystem you wouldn't get security updates to such drivers through Windows Updates, so without something like the Lenovo updater you would have to manually poll the OEM homepage to see if they have released an update in order to get security updates.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 12, 2016 0:29 UTC (Fri) by Fowl (subscriber, #65667) [Link] (1 responses)

OEMs do actually have the option to publish drivers and driver updates to Windows Updates. Since often "drivers" can be completely userspace components I'm not sure where MS draws the line as to what would be rejected.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 12, 2016 1:40 UTC (Fri) by Jonno (subscriber, #49613) [Link]

> OEMs do actually have the option to publish drivers and driver updates to Windows Updates.
Yes, though the limits are quite restrictive (for example a Windows Update supplied driver is not allowed to include any feature not included in the driver boxed with the hardware as sold), and if there is a security vulnerability in the driver the OEM is screwed, as updated versions of drivers are only allowed under even more restrictive conditions (and a security vulnerability is not one of them [1]):

> 2.3.1.1. The driver is among the top 20 Online Crash Analysis (OCA) driver issues report for an OEM’s systems over the last 90 days; or
> 2.3.1.2. The previous version of the code causes 10% or 10,000 (whichever is lower) of an OEM's systems to stop unexpectedly during driver installation over a two-week period or lose basic device or system functionality. Examples of this include: sound cards no longer emit sounds; a mouse cannot move the cursor; a storage unit cannot be accessed; or
> 2.3.1.3. At the sole discretion of Microsoft, the existing code results in excessive product support calls by OEMs, IHVs, or Microsoft.

[1]: http://download.microsoft.com/download/9/c/5/9c5b2167-801...

Check Point's "QuadRooter" vulnerabilities

Posted Aug 10, 2016 17:46 UTC (Wed) by excors (subscriber, #95769) [Link]

Like when you have to manually download an update from Lenovo to fix a BIOS vulnerability (in code originally from Intel and modified by some BIOS vendor)?

On Windows I've got graphics drivers downloaded directly from NVIDIA, some other graphics card utilities from the card manufacturer, BIOS updates from the motherboard manufacturer, my SSD needed a firmware update from Crucial to stop it BSODding every hour after it was a couple of years old. My monitor and printer and keyboard came with driver CDs. My ISP offers me cloud storage software, my bank offers me security software. Web browsers and Flash etc have their own auto-updaters (some more irritating than others), most other applications can only be updated manually.

Android has a far more coherent model than that: the Play Store updates your apps, the device vendor is responsible for updating all the platform software and firmware and drivers, and that covers absolutely everything. (The only problem is that "is responsible for" != "actually does".)

