With the new Stagefright vulnerability in the news right now, a lot of people are worried about their devices and information. I've been reading that Google has a patch for the bug, and that is has been applied to ASOP. Since we can't really rely on manufactures or carriers to patch this issue in a timely manner, or at all for our 2011 devices, is it possible that a flashable zip file could be created from the fix applied to ASOP that could be used on any ROM?
Related
credit to Rodderick
http://forum.xda-developers.com/showthread.php?t=977154
I hope someone will include this patch into his next rom because for the moment i'm not ready at changing for gingerbread ...
Just for reference: Z4ziggy, the guy who discovered the hack was possible from inside an app and release the exploit on his site states that Android 2.2.1 is in fact patched against this. So practically all ROMs that are here are safe because everybody has been using the 2.2.1 builds as a basis for their ROMs for at least two months.
See http://androidsec.net/
Note to moderators: Due to the content, I believe this warrants its own thread. We have a separate thread for the OTA (for manual download), and a separate thread dealing with The X/G/E 4.4.4 rollout as a whole, which has long since devolved from there. I didn't see any release notes for our specific update posted, other than the false and regurgitated 4.4.3/4 hybrid notes for carriers. If you still feel that this post should be rolled into one of those separate threads, I can respect that.
https://motorola-global-portal.custhelp.com/app/answers/prod_answer_detail/a_id/100863
ENHANCEMENTS
After installing the software update you will notice numerous enhancements and changes, including:
Android™ 4.4.4, KitKat® Android 4.4.4, KitKat, is the latest release of the Android platform and includes enhanced security updates to OpenSSL.
Click to expand...
Click to collapse
As expected, it's primarily just an OpenSSL security fix, though there are other hinted enhancements, likely bug fixes to any of Motorola's under the hood differences from AOSP.
I know that there were many people who were concerned with the delay in this update. It's because Android 4.4.4 wasn't really needed for our device, just as not all Nexus devices got 2.3.7 or 4.3.1 (device-specific changes).
The actual AOSP changes from 4.4.3 to 4.4.4 was literally one OpenSSL security fix. HTC backported this fix to their 4.4.3 software, hence why they're not rolling out 4.4.4 on their devices. Google also made changes to Google Play Services to mitigate this security issue, so any device from Android 2.3 to the present has this fix (to a degree, see * for details) with or without Android 4.4.4.
So, why did Motorola update the carrier variants to 4.4.4 ahead of the unlocked and developer editions? The unlocked/developer editions got 4.4.3 while most of the carrier variants were still on 4.4.2. Moto's 4.4.3 update provided new features for the Moto X such as pause while video recording, as well as the new Android dialer and some camera enhancements. By the time that 4.4.4 was released, most carriers delayed their update to have this security fix incorporated, while the unlocked/developer edition models were already good to go.
Most of the carrier-branded 4.4.4 variants have a Motorola software version beginning with 212, but this variant got 213. So it's likely that this update has some other Moto changes that will eventually filter out to the carriers, or be incorporated into their L-updates.
*This security fix plugs a security hole. The update to Google Play Services acts more like an anti-virus. It does two things. First, it prevents the upload of apps to the Play Store that would exploit this loophole, and it scans your devices side-loaded apps (if enabled by the user) for apps that use this. Basically, if you have Google Play services installed and up to date, you cannot be affected by this bug. If you're running a pure AOSP-based OS modified on a Chinese handset without Google Play Services, then you need 4.4.4 to avoid this security issue.
I got my 4.4.4 on Sunday. (Dev Edition)
Tapatalked from my G PAD 8.3
If it's not a major update, I'd rather wait for the next major release (L?), instead of doing all the revert to stock - reroot procedure.
Is there a way I can stop getting the OTA notifications? They are really intrusive, and it wants to install itself, but I don't see any options to not get it.
TheSaw said:
If it's not a major update, I'd rather wait for the next major release (L?), instead of doing all the revert to stock - reroot procedure.
Is there a way I can stop getting the OTA notifications? They are really intrusive, and it wants to install itself, but I don't see any options to not get it.
Click to expand...
Click to collapse
You can freeze the OTA apk its called something like moto ota or Motorola ota
it is so annoying that it prompted me to move away from stock. geez. that damn thing popup in themiddle of you typing an email!
Also, why the heck that is not available on the site? i can only download 4.4.2 and .4.2.2! not even 4.4.3... motorola support for a dev phone is sad. absolutely no help. not to mention not a word on how to integrate all the nice hardware on the custom images. sigh... sucks to be a sucker.
http://www.cnet.com/news/researcher-finds-mother-of-all-android-vulnerabilities/
Well its unlikely that an exploit will actually be used, anyone know if Asus has this under control?
cmendonc2 said:
http://www.cnet.com/news/researcher-finds-mother-of-all-android-vulnerabilities/
Well its unlikely that an exploit will actually be used, anyone know if Asus has this under control?
Click to expand...
Click to collapse
If not them, some dev will have it fixed sooner or later...
I think it will be google that has to patch it. They will then release a new version of android like 5.1.2 or 5.1.3 and then asus would have to make a new build with that version of android im sure. Or they could build the patch into whatever patch they are using for that version android.
Snakes200 said:
I think it will be google that has to patch it. They will then release a new version of android like 5.1.2 or 5.1.3 and then asus would have to make a new build with that version of android im sure. Or they could build the patch into whatever patch they are using for that version android.
Click to expand...
Click to collapse
If you read the article it states that the problem in patching lies in the companies not pushing the patch out quickly or at all...
Once google releases a patch you can be assured that the patch will be made available, especially for a big problem, with the devs doing all the work.
You may need to be rooted and have xposed installed but a fix will be made available...
ZF2 uses x86 CPU. So, special exploit has to be made for x86 phones. The majority of Android phones is ARM. So, no one will write exploit just for few phones (unless it's targeted for specific person's phone). And it's unclear if this vulnerability exists in x86 (and can be easily exploited).
Hello everybody,
I'm using a Galaxy SII i9100 with an omnirom mod and just learned that Google released an update for android 4.4.4 (which is the latest omnirom mod for my phone) called "LMY49G" to fix some security issues. Does anyone know if theres a plan to develop an appropriate update for the omnirom mod (and therewith also for my Galaxy S2)?
Thanks for every answer.
Google actually did a KitKat security update?
Interesting. We did do some KK security updates, will need to talk to the team about this one for devices that never saw L or later.
Right, relying on my information that update called "LMY49G" has been released for android 4.4.4, 5.0 and 5.1.1; for version 6.0 and 6.0.1 the release is called "2016-02-01", I think its the day of the release. As far as I know the update has only been released for google nexus devices and for blackberries with android. It should fix some critical security issues. Maybe that information is helpful?
Entropy512 said:
Google actually did a KitKat security update?
Interesting. We did do some KK security updates, will need to talk to the team about this one for devices that never saw L or later.
Click to expand...
Click to collapse
That doesn't make sense on further thought...
Anything 4.4 would have a K prefix to the build. Something starting with L would be a 5.x build.
https://source.android.com/security/bulletin/2016-02-01.html says 4.4.4 for "updated versions" for some items, however - I can't find an appropriate release tag for these anywhere in AOSP.
Some of them appear to be some of the old Stagefright vulnerabilities which we already backported fixes for...
God the documentation for this update is confusing/poor...
Okay, today I got a notice, that there's been another update called "LMY49H". Again its been released for Nexus and Blackberry Android devices to fix some critical security issues. And also again its called LMY49H (obviosly just the last letter changed) for android 4.4.4, 5.0.2 (thats also different this time) and 5.1.1 but "2016-03-01" for versions 6.0 and 6.0.1. So I think this time its from the beginning of march. You're sure all of those problem have been fixed in the omnirom mod before?
Thanks for your help!
Now it appears that our beloved Z1C does not get an Android 6 Stock ROM, I am wondering how long Sony will support our device with security patches.
At least for me, my Z1C is far from "end-of-life" but I am becoming worried that Sony thinks otherwise which could mean that we end up with a vulnerable phone full of unfixed security bugs...
Does anybody know if we have any guarantee from Sony that security vulnerabilities in the Sony stock ROM for the Z1C will get patched or updated? And if so, for how long?
dvandyck said:
Now it appears that our beloved Z1C does not get an Android 6 Stock ROM, I am wondering how long Sony will support our device with security patches.
At least for me, my Z1C is far from "end-of-life" but I am becoming worried that Sony thinks otherwise which could mean that we end up with a vulnerable phone full of unfixed security bugs...
Does anybody know if we have any guarantee from Sony that security vulnerabilities in the Sony stock ROM for the Z1C will get patched or updated? And if so, for how long?
Click to expand...
Click to collapse
I believe .236 may have been the last update.
Someone correct me if I am wrong?
kxf41 said:
I believe .236 may have been the last update.
Someone correct me if I am wrong?
Click to expand...
Click to collapse
I am also running 14.6.A.1.236 and try to protect my device with
Avira Anti-Virus
and
Android Vulnerability Test Suite (AndroidVTS).
Unfortunately, the latter App is removed from Google Play because it crossed some Android OS security boundaries in some of their tests but it can still be downloaded from GitHub:
https://github.com/nowsecure/android-vts/releases
For the moment, the 14.6.A.1.236 build has no vulnerabilities known to AndroidVTS but the real test will be the day that a vulnerability is found in this build...
dvandyck said:
I am also running 14.6.A.1.236 and try to protect my device with
For the moment, the 14.6.A.1.236 build has no vulnerabilities known to AndroidVTS but the real test will be the day that a vulnerability is found in this build...
Click to expand...
Click to collapse
https://labs.duosecurity.com/xray/
This app also find vulnerabilities, and only CVE-2016-0808 is found on 14.6.A.1.236.
Really hope sony upgrade z1c to use Android security patch level.