If your computer runs the Linux operating system (OS), or you use an Android phone, then today's blog post is for you. On Tuesday, ZD Net reported on a vulnerability that affects devices running either group of OS software:
"A new, previously undiscovered flaw that allows an attacker to escalate local user privileges to the highest "root" level is said to hit "tens of millions" of Linux PCs and servers. Because some of the code is shared, the zero-day flaw also affects more than two-thirds of all Android devices."
This is important because many consumers use Android phones:
"A patch is expected to be released on January 19 for most Linux machines... It is not known if Google was aware of the bug before Perception Point published its findings. The Android maker will likely fix the bug as part of its scheduled monthly security updates in February. A Google spokesperson did not comment."
This raises several questions. Why wait until February? Will all Android phone users receive the OS software updates that fix the vulnerability? And when? What role does your mobile service provider have in the OS update process?
You probably paid $200 or $300 when you bought your phone and committed to a two-year contract with your mobile service provider. So, it's reasonable to expect OS software updates. Sadly, not all Android phone users get software updates. Why? How? This is not new. Android Central explained the software update process way back in 2012:
"This vicious cycle is a product of Google’s approach to its OS, combined with a mess of other factors including carriers, manufacturers and users’ own expectations. It’s one of the platform’s most significant issues, and one that’s all but impossible to solve..."
Some of the messy, ugly details in the software update process:
"But when the [updated] code is pushed out, it's not necessarily ready for every device out there. Getting a new version of Android up and running on any device with different hardware requires a significant amount of additional work, and even more effort is needed to bring across proprietary code from chip-makers... The task isn’t limited to code, though. There are often design changes to be considered... Updating an Android device isn't easy, and there's much more to it than dropping in the new code from Google and hoping for the best. It’s a hell of a lot of work... If radio changes have been made, the new code must be certified by regional authorities, as well as bodies like the Bluetooth SIG and Wifi Alliance. That all takes precious time... mobile operators have great influence into what goes out on their networks, especially in markets like the U.S. and Japan. That power includes the requirement that manufacturers submit updates for approval before they’re pushed out. The carrier certification process can be lightning-fast or arduously long-winded... Carriers are generally slow moving, and they’ll always err on the side of caution. They also have limited resources when it comes to certifying smartphone software, and the priority, naturally, will always be given to approving new devices ready to go on sale... If a phone hasn’t sold well, or it's a budget model, it might just not be worth the time and money to develop and certify an update..."
What are your opinions of the Android software update process? Let us know if you received the latest OS software update that fixed this vulnerability.