Flaw found in DirtyCow patch - Fire General

I'm not sure if DirtyCow ever worked for rooting these tablets, but for those of us without root, there may be some light at the end of the tunnel.
"A flaw in the original patch for the notorious Dirty COW vulnerability could allow an adversary to run local code on affected systems and exploit a race condition to perform a privilege escalation attack.
The flaw in the Dirty COW patch (CVE-2016-5195), released in October 2016, was identified by researchers at the security firm Bindecy. On Wednesday, they released details of the vulnerability (CVE-2017-1000405) found in the original Dirty COW patch, affecting several Linux distributions."
The number of devices affected are significantly less than those which were vulnerable before.

Not applicable to Android, hence unlikely to work on FireOS I suppose.
In terms of scope, the difference is just that the current bug is not applicable to Android and Red Hat Enterprise Linux.
Click to expand...
Click to collapse

gabosius said:
Not applicable to Android, hence unlikely to work on FireOS I suppose.
Click to expand...
Click to collapse
Totally missed that. Oh well. I guess it wouldn't hurt to try if you feel brave enough.

DragonFire1024 said:
Totally missed that. Oh well. I guess it wouldn't hurt to try if you feel brave enough.
Click to expand...
Click to collapse
I did scan mine with few CVE scanners (which were a bit outdated), nothing useful found.
However, research on LP CVEs shows a fairly large amount of LPE exploits available in Mediaserver (mostly discovered in 2017), but not sure whether its applicable for FireOS though.
EDIT: Reference

Related

QuadRooter vulnerabilities

QuadRooter allows attackers to take complete control of Android devices, potentially exposing your sensitive data to cybercrime.​
However, there is no evidence of the vulnerabilities currently being used in attacks by cyberthieves.
"I'm pretty sure you will see these vulnerabilities being used in the next three to four months," said Michael Shaulov, head of mobility product management at Checkpoint. [BBC News]
Click to expand...
Click to collapse
Play Store link:
Check Point QuadRooter Scanner​
Alternative: QuadRooter Scanner (less intrusive permissions)
CM (and other AOSPs) will get patched, but Stock 5.1? I suspect the only hope is that Motorola will release something for Moto G (2nd Gen) Stock 6.0, meaning Identity Crisis 6 can be made secure.
Why does a vulnerability check app require permissions for accounts and contacts?
Also, has anyone already created a universal rooting tool based on this vulnerability?
_that said:
Why does a vulnerability check app require permissions for accounts and contacts?
Also, has anyone already created a universal rooting tool based on this vulnerability?
Click to expand...
Click to collapse
I don't know, but an alternative is available: QuadRooter Scanner.
It's early days, nothing so far - but maybe there is now hope for those CDMA users who want root.
So I'm vulnurable to 5 "things" according to that app. This is a general situation and not device specific, right?
Penemue said:
So I'm vulnurable to 5 "things" according to that app. This is a general situation and not device specific, right?
Click to expand...
Click to collapse
Google have said it's not really a big deal - more a case of a company (Checkpoint) scare-mongering to sell their software.
The Android feature 'Verify apps' essentially protects against malicious software if not ignored.
To answer your question, it depends on the device - the degree of vulnerability - but generally speaking most handsets are 'affected.'

Qualcomm bug in Nexus 6 found by Checkpoint

According to the BBC, "Serious security flaws that could give attackers complete access to a phone's data have been found in software used on tens of millions of Android devices." This includes the Nexus 6.
Full story here: http://www.bbc.co.uk/news/technology-37005226
App from Check Point for testing whether your device is susceptible: https://play.google.com/store/apps/details?id=com.checkpoint.quadrooter
I never worry for two reasons,
1) I watch what I download and install, trusted vendors and sources only
2) It is a Nexus device it will be patched
Don't worry, yesterday it was stagefright, now it's something else.
With Nexus we will be close to a patch
http://thetechportal.com/2016/08/08/new-android-vulnerability-quadrooter/
This one took six months of reverse engineering qual comm code to find. And that is only to outline theoretical avenue for attack...real exploit can be more challenging.
It is ranked as "high risk"...Not even the highest category (critical is highest). There are many high and critical vulnerabilities patched every month. I think the only thing unique about this one is press coverage drummed up by checkpoint to celebrate their finding and make themselves look more notable
http://www.recode.net/2016/8/8/12403088/android-security-mess-quadrooter
http://www.recode.net/2016/8/8/12403088/android-security-mess-quadrooter
"Google, meanwhile, says three of the four flaws tied to Quadrooter were patched in an August security update while the fourth is set to be fixed soon. "
electricpete1 said:
"Google, meanwhile, says three of the four flaws tied to Quadrooter were patched in an August security update while the fourth is set to be fixed soon. "
Click to expand...
Click to collapse
Hmmmm. I'm running MOB30W (dated 5th August), and the Checkpoint app claims that I'm vulnerable to 3 of the vulnerabilities, so either Google or Checkpoint have got something wrong...
Philip said:
Hmmmm. I'm running MOB30W (dated 5th August), and the Checkpoint app claims that I'm vulnerable to 3 of the vulnerabilities, so either Google or Checkpoint have got something wrong...
Click to expand...
Click to collapse
It needs stock kernel, because it's a kernel driver bug. I'm using my own build but with the stock kernel, and it says only one vulnerability left.
btw.. 3 of the 4 are already patched.
If you are on the August update only one of the four is still an issue. And Franco just rolled the commit in for the fourth one in his update today if yoy are using his kernel.
But as mentioned, just be careful what tou install and it is a non issue. And remember its a report of a flaw, not a report of it being used in the wild. Big difference.
The Checkpoint app is questionable I think. Lots of false positives being reported on the web.
Really guys this is nothing more then more fear mongering. As long as android offered open source code you will always find holes like this. Most are nothing to even worry about. Just like the stagefright issue. Dont sweat it.
Note that THREE of the FOUR bugs are within the closed source GPU (Adreno) drivers.
So this is a very strong argument in favor of getting this crap swapped out in favor of freedreno.
And I've applied the CAF patch to the kernel. Great, but the app still lists it as a vulnerability. So since the fix looks valid, then the app must give a false positive.
zelendel said:
Really guys this is nothing more then more fear mongering. As long as android offered open source code you will always find holes like this. Most are nothing to even worry about. Just like the stagefright issue. Dont sweat it.
Click to expand...
Click to collapse
finally a voice of reason!
thanks man, couldn't agree more. Unfortunately 95% of the people that come here don't get it..
zelendel said:
Really guys this is nothing more then more fear mongering. As long as android offered open source code you will always find holes like this. Most are nothing to even worry about. Just like the stagefright issue. Dont sweat it.
Click to expand...
Click to collapse
100% agree. Exploits usually need to be customized for different makes, models, and Android operating system versions in order for compromise to occur, really, really difficult to own an entire ecosystem.
Every year it's something new, first stagefright, now Qualcomm bug, nothing comes of it and it's packed withing a month or two, it makes you wonder why they even bother reporting on it.
did the scan and my nexus 6 is ok running the dev 5 android 7 rom

Broadpwn exploit on LG G4 and other security vulnerabilities

I haven't had an update for my LG G4 in so long. Google has released many patches which fix extreme vulnerabilities with the Android OS, including a patch for the latest severe Broadcom exploit (common name: Broadpwn). This is a severe exploit: "The most severe vulnerability in this [runtime] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
Info about exploit: http://thehackernews.com/2017/07/android-ios-broadcom-hacking.html
More info about exploit: http://www.zdnet.com/article/iphones-and-ipad-owners-update-now-to-block-broadpwn-wi-fi-hack/
Android fix: https://source.android.com/security/bulletin/2017-07-01
According to this page (https://www.ifixit.com/Teardown/LG+G4+Teardown/42705), the LG G4 has the Broadcom BCM4339HKUBG 5G WiFi Client which would be affected by this exploit since it affects all BCM43xx chipsets.
Apple released iOS 10.3.3 to fix this.
Does anyone know if the Nougat update will incorporate this Android patch level? Is there any way to contact LG to force them to send an update which fixes this severe exploit?
gyrex said:
I haven't had an update for my LG G4 in so long. Google has released many patches which fix extreme vulnerabilities with the Android OS, including a patch for the latest severe Broadcom exploit (common name: Broadpwn). This is a severe exploit: "The most severe vulnerability in this [runtime] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
Info about exploit: http://thehackernews.com/2017/07/android-ios-broadcom-hacking.html
More info about exploit: http://www.zdnet.com/article/iphones-and-ipad-owners-update-now-to-block-broadpwn-wi-fi-hack/
Android fix: https://source.android.com/security/bulletin/2017-07-01
According to this page (https://www.ifixit.com/Teardown/LG+G4+Teardown/42705), the LG G4 has the Broadcom BCM4339HKUBG 5G WiFi Client which would be affected by this exploit since it affects all BCM43xx chipsets.
Apple released iOS 10.3.3 to fix this.
Does anyone know if the Nougat update will incorporate this Android patch level? Is there any way to contact LG to force them to send an update which fixes this severe exploit?
Click to expand...
Click to collapse
Man. This exploit may be the next new root method. We dont want it patched but yes julys security updates for g5 included this patch. Which most devices will get patched probly quite quickly
---------- Post added at 12:33 PM ---------- Previous post was at 12:32 PM ----------
As said lg already knows about it and sprint released an update for the g5 so the sprint g4 shouldnt be far behind
But rumor has it this may be the new root method for 7.0.
TheMadScientist420 said:
Man. This exploit may be the next new root method. We dont want it patched but yes julys security updates for g5 included this patch. Which most devices will get patched probly quite quickly
Click to expand...
Click to collapse
Um, yeh, I'd like my phone patched thanks. If/when someone develops a hack to use this exploit, I'd prefer not to have my phone and information exposed at public wifi points. LG needs to provide a patch for the G4 ASAP....
gyrex said:
Um, yeh, I'd like my phone patched thanks. If/when someone develops a hack to use this exploit, I'd prefer not to have my phone and information exposed at public wifi points. LG needs to provide a patch for the G4 ASAP....
Click to expand...
Click to collapse
Um yea why not open a thread with lg and not a modding community that tries to take advantage of every exploit we can find.
Again lg has already begun patching it. On some device. Tell em to patch yours next. See how fast is happens.
---------- Post added at 09:16 PM ---------- Previous post was at 09:15 PM ----------
Or get a iphone if ure worried about security.
Haha worrying about public WiFi vulnerabilities. Best way is to turn off. You are only aware of this because of publicity. Whereas the exploits you aren't aware of or never will be aware of can still effect you when WiFi radio is still on in public. There's stuff out there that you'd never see coming and no one will discover only because of the oblivious public
dontbeweakvato said:
Haha worrying about public WiFi vulnerabilities. Best way is to turn off. You are only aware of this because of publicity. Whereas the exploits you aren't aware of or never will be aware of can still effect you when WiFi radio is still on in public. There's stuff out there that you'd never see coming and no one will discover only because of the oblivious public
Click to expand...
Click to collapse
This bug or security risk affect all wifis from what i read ad long as an attacker is in range of ure device. Again from what i read. So public or private suposedly at risk.
gyrex said:
I haven't had an update for my LG G4 in so long. Google has released many patches which fix extreme vulnerabilities with the Android OS, including a patch for the latest severe Broadcom exploit (common name: Broadpwn). This is a severe exploit: "The most severe vulnerability in this [runtime] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
Info about exploit: http://thehackernews.com/2017/07/android-ios-broadcom-hacking.html
More info about exploit: http://www.zdnet.com/article/iphones-and-ipad-owners-update-now-to-block-broadpwn-wi-fi-hack/
Android fix: https://source.android.com/security/bulletin/2017-07-01
According to this page (https://www.ifixit.com/Teardown/LG+G4+Teardown/42705), the LG G4 has the Broadcom BCM4339HKUBG 5G WiFi Client which would be affected by this exploit since it affects all BCM43xx chipsets.
Apple released iOS 10.3.3 to fix this.
Does anyone know if the Nougat update will incorporate this Android patch level? Is there any way to contact LG to force them to send an update which fixes this severe exploit?
Click to expand...
Click to collapse
Much more details can be found here now: https://blog.exodusintel.com/2017/07/26/broadpwn/
successful exploitation requires the victim to either click on an untrusted link or connect to an attacker’s network and actively browse to a non-HTTPS site
Click to expand...
Click to collapse
And again another proof of what I say always and everywhere.
My following statement matches for both: Anti Malware software and installing security patches
Security patches have one exception to this though: when a security bug can be executed remotely without any user interaction.
In theory you can have a patch level of 1970 for your device as long as your device can not be remotely attacked without user interaction. The main point of I would say 90% of infections is just the user.
I do not want to offend you or anyone but I have to say it this direct hard way:
The best anti malware protection was / is / and will always be: ....YOU (your brain - think before you click)
Do not install dubious software.
Do not click on unexpected links send to you or from untrusted sources / users.
Do not open attachments which you do not expect to get (even when the sender is your friends address! keep in mind that he can be infected!).
.. or just simply: Use your brain before clicking and/or installing
Anti malware software is only a LAST RESORT and NOT your main protection!
That's what the most humans forget or just do not (WANT TO) know.
This is the same for smartphones or desktop PCs.
Click to expand...
Click to collapse
Regarding your question if LG will release that fix just take a look here:
https://lgsecurity.lge.com/security_updates.html
You will find that CVE listed in the July patch level for the G4 so yes it gets patched for this device but it depends on your carrier when.
.
steadfasterX said:
Much more details can be found here now: https://blog.exodusintel.com/2017/07/26/broadpwn/
And again another proof of what I say always and everywhere.
My following statement matches for both: Anti Malware software and installing security patches
Security patches have one exception to this though: when a security bug can be executed remotely without any user interaction.
In theory you can have a patch level of 1970 for your device as long as your device can not be remotely attacked without user interaction. The main point of I would say 90% of infections is just the user.
I do not want to offend you or anyone but I have to say it this direct hard way:
Regarding your question if LG will release that fix just take a look here:
https://lgsecurity.lge.com/security_updates.html
You will find that CVE listed in the July patch level for the G4 so yes it gets patched for this device but it depends on your carrier when.
.
Click to expand...
Click to collapse
Sorry, I have no idea what you're talking about. There's very little of what you wrote which makes any sense.
gyrex said:
Sorry, I have no idea what you're talking about. There's very little of what you wrote which makes any sense.
Click to expand...
Click to collapse
ask what you do not understand and I can explain.
.
gyrex said:
attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
Click to expand...
Click to collapse
If by "execute arbitrary code within the context of an unprivileged process", you mean executing something that can unlock bootloader in non H815 or H811 models, then you're onto something.
BIG_BADASS said:
If by "execute arbitrary code within the context of an unprivileged process", you mean executing something that can unlock bootloader in non H815 or H811 models, then you're onto something.
Click to expand...
Click to collapse
nope, I believe it means root access privileges, or being able read information that for example an wifi stack would not need (like your contacts, location etc.)
Levent2101 said:
nope, I believe it means root access privileges, or being able read information that for example an wifi stack would not need (like your contacts, location etc.)
Click to expand...
Click to collapse
Interesting. I'd like to see where this goes. Someone with non H815 or H811 should take backup of their current image before this gets patched.

A new attack vector exposes almost every Bluetooth connected device

https://www.armis.com/blueborne/
Glad I got some Bullets V2 from OnePlus. My Soundpeats QY7 Bluetooth headphones are great and all, but the Bullets are just as good if not better.
Also, this bug won't affect us since it'll be fixed by the time we get Oreo, anyway.
HampTheToker said:
...
Also, this bug won't affect us since it'll be fixed by the time we get Oreo, anyway.
Click to expand...
Click to collapse
Currently that bug is fixed in various AOSP versions (from 4.4 to latest) ONLY if your security patch level is September 5. If it is not September 5 you are vulnerable and you should be concerned about it.
xclub_101 said:
Currently that bug is fixed in various AOSP versions (from 4.4 to latest) ONLY if your security patch level is September 5. If it is not September 5 you are vulnerable and you should be concerned about it.
Click to expand...
Click to collapse
Just like everyone was concerned about stagefright and Dirty COW. Yeah, they are vulnerabilities, but no real world examples of them being used maliciously.
Sent from my OnePlus 3T using XDA Labs
MrMeeseeks said:
Just like everyone was concerned about stagefright and Dirty COW. Yeah, they are vulnerabilities, but no real world examples of them being used maliciously.
Sent from my OnePlus 3T using XDA Labs
Click to expand...
Click to collapse
Stagefright was a vulnerability where you had to download a specially-crafted video and play it with the default video player, so extensive user interaction was needed. Dirty COW was seen in the wild on Linux machines but again the user needed to actively run native code from a program in order to elevate and gain root.
BlueBorne is slightly different in that the user does not need to do anything else than have his Bluetooth active, something who every Android user with a smart watch or a pair of Bluetooth headphones has.
The fact that we do not know of any exploits in the wild does not mean that such exploits do not exist, there is a limit up to where you can just fool morons into installing free wallpaper apps.

Vuneralable software should be removed from xda

Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
What's the vulnerability?
Plain and simple the software needs removed.. doesn't that apply to the devs policy's which they agreed to here on xda not to publish anything which may be a threat to someone... So you know what should of happened is the devs should of removed the software right away. That never happened so I've lost all faith in theses devs and publishers of official software threads...
I ignore all posts where the word "of" is used instead of the correct "have" or at least the contraction ending in 've that sounds like of.
...should of happened
sliding_billy said:
I ignore all posts where the word "of" is used instead of the correct "have" or at least the contraction ending in 've that sounds like of.
...should of happened
Click to expand...
Click to collapse
I ignore all posts that don't make sense like the OP's and this thread.
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
First, there are no Oreo roms. Secondly, the devs who support our phones for free owe you nothing. Lastly, you need more than 12 posts to be taken seriously about anything around here. And, you can never post enough to attain the right to throw around accusations about the devs who, again, support our phone for free.
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
Tell us how you really feel!
Windows people ?
Sent from my Pixel using XDA-Developers Legacy app
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
If this is the case all root and bootloader exploits need removing also.
Any bootloader exploits or method of rooting without and unlocked bootloader is a SIGNIFICANTLY large security risk.
Sent from my Pixel using Tapatalk
Are we going to remove ALL the old ROMs from XDA? SHEESH.
In before the lock.
One thing I've found out over the years with hacking Android you eventually get tired of doing just hacking so you move onto security... Well that's the case with me anyways. Getting rid of vuneralable software is actually a good thing...
There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.
Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.
Pixelxluser said:
One thing I've found out over the years with hacking Android you eventually get tired of doing just hacking so you move onto security... Well that's the case with me anyways. Getting rid of vuneralable software is actually a good thing...
There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.
Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.
Click to expand...
Click to collapse
Nobody hacks individual phones. They hack companies and clouds.
****! Hey, can y'all hold it for just a moment? Need to run to the store real quick. I'm out of popcorn.
Seriously, though, just simply rooting your phone is a security risk. Also, from what i've seen, the majority of ROM users are smart about what they download. It's the general public that downloads mischevious apps that spread viruses. And as someone else mentioned, the malware and viruses don't target one person's phone. They are free floating and latch onto whatever moron downloads it. Your phone is not exactly the best place to download all your porn
But seriously, there are exploits with every security patch...it's the reason we get them every month, lol. Android is great and I love it but the OS itself is full of holes that malware developers consistently take advantage of.
Couldnt say this better myself..
Security is engineered into everything we do
Our goal is to make Android the safest computing platform in the world. That's why we invest in technologies and services that strengthen the security of devices, applications, and the global ecosystem.
It's also one reason Android is open source. Being open allows us to tap into a global network of security talent full of innovative ideas that help make Android safer every day. Security experts around the world can review our code, develop and deploy new security technology, and contribute to Android’s protections.
As the Android ecosystem evolves, we continue to invest in leading-edge security ideas. And we want to share our knowledge openly with you. Explore below to learn about the latest technologies and information that help secure Android.
Adrian Ludwig
Director of Android Security
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
With some custom ROMs whether or not the have the Sept security patch is probably the least of your problems, if security is a concern of yours... you should be more concerned with things like;
- what keys are they using to sign their ROM (Apks included). Did they generate their own private signing keys and platform keys, or did they just use a devkeys or keys provided in the SDK?
- what changes have they made to aosp sources or not integrate (or revert) that could reduce security?
- have they messed with android's security or permissions model?
- have they included legacy code (like forward porting), that may have been dropped in the first place do to being insecure (legacy mediaserver without seccomp integration).
- have they modified selinux policies in ways that potentially could open up attack vectors.
- does the ROM have odexing enabled? The fact is, odexing while useful for booting/loading programs faster, also has the side benefit of making an apk harder to tamper with...
- have any changes that have been made been audited, or verified for correctness?
...and the list goes on. You are worried about a monthly security patch, with a handful or two of fixes for CVEs, yet make no mention of far bigger concerns that may be present in XYZ custom ROM.
Just saying.
contribute to Android’s protections. Is one thing which is lacking from what I see... I hope you understand that there are underaged people who don't know any better about what's best for them and come running off to try to be the cool kids by rooting or adding unsecured software on their phones.. rooting is so crazy to do now a days you're all really going to the extremes by bypassing security features just so you can have root... That's not the message the younger generation should be taught... They should be taught the importance of how security works not 50 ways to bypass it... There's not a feature out there which Google wouldn't consider adding officially but also Google doesn't go off and use unofficial code to pull features from it would look bad for their business..
And as long as there's a community of underaged people who do go off and root and install unsecured software you might wanna lead by example and provide them with the best security you can... A child with unsecured software is scary that someone would open up security holes for them to be a possible victim and the best you're actually willing to do is try to remove yourself from the responsibility of being responsible for it by saying if you install our software you are responsible for any damages. You can't just publish something then go out and say you take no responsibility when by law you're still responsible for any damages cause you never legally got you're software that way...
Since you're the ones distributing the software you're liable for damages if there was a defect in you're product which was distributed.. security flaws and security bypasses count as defects in a product..
Distributorship and Liability
Even though the distributor is not responsible for manufacturing a product, it can be held liable in the event of defects. Under strict product liability laws, the seller, distributor, and manufacturer of a defective product can be held liable if a person is injured due to the defect. Though manufacturers are typically most responsible since they created the product, the liability can also fall to those that distribute or sell the defective items.
This liability law prevents the plaintiff from the need to prove the chain of supply. In order for any entity in the line of distribution to prove it has no fault, it would need to show which entity is actually responsible for the defect
I suggest you stick with Windows dude
The only thing your posts are good for is making people spit their coffee with humour, and embarrassing yourself.
Sent from my Pixel using XDA-Developers Legacy app

Categories

Resources