Why you don't have any Gingerbread - pdx
http://www.csc.ncsu.edu/faculty/jiang/nexuss.html

======
51Cards
"For responsible disclosure, I will not publish the details of the
vulnerability until an ultimate fix is out."

Is this even responsible? Even when a fix is out it's well known that most
handsets won't be able to implement it because they have no upgrade path from
their manufacturer. (Samsung Galaxy and Android 2.1, I'm looking at you.) You'd
still put a huge percentage of the mobile market at risk by putting this out
there even a year after it's corrected. Why not just sit on it and be happy
you did some good for the security world?

~~~
gst
Why should full disclosure procedures be different just because it's a mobile
phone?

To quote from Wikipedia: "In the case that a vendor is notified and a fix is
not produced within a reasonable time, disclosure is generally made to the
public." (<http://en.wikipedia.org/wiki/Full_disclosure>)

I think quite a majority of the security community agrees that full disclosure
is quite a bit better than security through obscurity (where you have a
security vulnerability, but you hope that your enemies don't learn about it).

There's no reason why it shouldn't be possible to upgrade/fix the software on
handsets within a reasonable amount of time. So why treat this any differently
than any other piece of software?

If you want software vendors (and handset manufacturers) to fix security holes
within a reasonable amount of time then full disclosure is one of the few ways
you can put pressure on them.

~~~
51Cards
I don't believe the situations are all to be evaluated equally. In the case of
this market most users, even if they want to upgrade, even if they know of the
problem, even if they know how to install updates, will never get them. These
are devices that function for years with OSes that are immediately abandoned
once released by the manufacturer. Android 1.6, 2.0, even 2.1 will probably
never see another OTA update, especially since this doesn't seem to just be a
quick patch issue (considering it's not coming out until the next full
release). Pressure or not, there needs to be a modicum of realism as well. I
don't care if you found a gaping hole in 1.6, no manufacturer is going to put
out the resources to fix it, only force the end user to buy newer phones.

Full disclosure policies require some level of common sense implementation too,
and I don't believe they are always the best solution for a large market of
essentially embedded OSes containing personal data. It would be VERY different
if Google was ignoring this; then you could use releasing as leverage. But it
seems they are jumping on it right away, so the net positive effect has already
been achieved. Why harm the users who are HIGHLY unlikely to get an
update?

If you understand the mobile community, and you understand that a large
segment of them are not going to get a fix for this no matter how idealistic
we hope the world could be, are you not then knowingly exposing them to risk?

~~~
maggit
No. The manufacturers that fail to ship a fix are knowingly exposing them to
risk.

It is perfectly reasonable to assume that an attacker will be able to attain
knowledge about the vulnerability whether or not it is publicly exposed.

~~~
51Cards
See this is what I don't agree with. Using a vulnerability to induce action is
one thing, and a very important purpose, especially when nothing is being
done. Once all has been done that is going to be done however there is no
further net positive gain in releasing specifics of the exploit beyond what is
vulnerable.

I don't find it perfectly reasonable to assume every hacker will figure it
out. Some may, but that doesn't justify dropping the information into the
hands of those who wouldn't have but can still leverage it for negative uses.

It's like if I discovered the locks on all BMWs can be popped remotely with a
simple code. I tell BMW, and they promptly work to fix it in all cars still
under warranty. Kudos to them. Do I then take out a front page ad in the New
York Times and say "Hey, just so you know, all old Beemers can be opened easy
as pie like this." and call that action justified? And to note, there is a
difference between raising awareness by saying "Hey Beemer owners, your older
cars have a security problem... you should consider upgrading because you're
vulnerable"... and standing on a street corner handing out instructions for
grand theft auto. One is raising awareness... the other is explicitly putting
at risk owners who might not be able to afford a new car right now... or who
might be locked into a cellular contract on old hardware.

~~~
mquander
Well, I'm sure we can argue all day about whether there's a _net_ positive
gain, but the gain is clear: By committing to make security issues public,
you're giving manufacturers a reason to continue support for products that
they sell, so that they may be less likely to engage in the irresponsible
behavior that we're discussing right here.

------
kenjackson
It's a bit ironic that this isn't being fully disclosed, yet Google devs seem
to believe that full disclosure is the only way to go...

~~~
mbrubeck
If you're talking about this story, the Google researcher's version (which
seems to be borne out by Microsoft's later responses) is that he disclosed the
vulnerability only after giving Microsoft access to his findings and tools,
and warning them several months in advance of the disclosure:

<http://arstechnica.com/microsoft/news/2011/01/internet-explorer-zero-day-bug-leads-to-squabble.ars>

~~~
kenjackson
Or this one where the Google employee gave Microsoft a whole five days:
<http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010>

And who does full disclosure on New Year's Day? That's like waiting for a
natural disaster and then saying, "BTW, been sittin on this too... full
disclosure".

------
Lewisham
If I'm reading this right, this means that the fix for the problem in 2.2 was
supposed to come in 2.3, but maybe will now come in 2.4.

Except that, going with how Android upgrades have gone so far, most users on
2.2 will never see 2.3. Why is Google not pushing security updates free from
carrier/manufacturer control? This is pretty terrible.

~~~
mdwrigh2
I believe they're attempting to do this by separating some of the apps from
the Android framework so that they can update them independently.
Unfortunately, since Android is just so different from device to device, it'd
be incredibly difficult to make a single change that can be given to all
devices.

And there was a partial fix for this in 2.3 as the other poster has correctly
noted, and Google believed they had fixed it, but it turns out that it is
still exploitable.

------
pdx
I submitted this a few days ago, in off-peak HN hours, so it didn't get any
traction, but I wanted people to be aware of it, so I'm trying again.

~~~
moomba
Surprised this didn't get ranked higher. This is kind of big news, especially
since there are more Android handsets than iPhones nowadays.

~~~
larrik
"There are more Android handsets than iPhones nowadays."

Do you have a source for that?

~~~
chaz
US Subscribers:

"RIM led the ranking with 31.6 percent market share of smartphones, while
Google Android maintained the #2 position with 28.7 percent, up 7.3 percentage
points versus September. Apple accounted for 25.0 percent of smartphone
subscribers (up 0.7 percentage points), followed by Microsoft with 8.4 percent
and Palm with 3.7 percent."

<http://www.prnewswire.com/news-releases/comscore-reports-december-2010-us-mobile-subscriber-market-share-115510674.html>