
Michael Goff

Original poster
https://m.androidcentral.com/numerous-android-oems-discovered-be-lying-about-security-patches

Once a month, Google updates the Android Security Bulletin and releases new monthly patches to fix vulnerabilities and bugs as soon as they pop up. It's no secret that many OEMs are slow to update their hardware with said patches, but it's now been discovered that some of them claim to have updated their phones when, in fact, nothing's changed at all.

Wow. I really don’t know what else to say other than wow.
 
I have said this many times before about patches and what they are supposedly patching.
How do you know what they are patching is actually a known exploit/security threat?
If Google or Apple sends out a security patch how do you know its validity?

If a company says they are up to date on security patches and threats....how do we know?
How do we know they are not skipping some security exploits?
 
I wouldn’t drag Google and Apple into this, they’re doing good. It’s cheap OEMs that are messing up.
 
How do you know? I agree that some of the low cost OEMs will skip steps in security patching.

But we shouldn't just blindly take others' word for things....

Because they both state everything they patch and are easily tested. And if you think people wouldn’t be leaping at the chance to call out Apple and Google, you live in a much better world than I do.
 
Missing some patches, did you say? Pookie says this is an outrage.

Thanks for the heads up.

(No, not my cat. I have one that looks like that but minus the orange).
 
Because they both state everything they patch and are easily tested. And if you think people wouldn’t be leaping at the chance to call out Apple and Google, you live in a much better world than I do.
I think you are giving them too much benefit of doubt.
Did you think Facebook wasn't selling your information to whomever came calling?
Do you think they have your best interest at heart too?

Not all security exploits are published to the masses. Companies only patch for published exploits.

Some exploits are sent to these companies to get bounties and then they are paid and sign an NDA. Then it is up to the company as to whether they patch it or not....or whether they publish the exploit


Edit:
Here is one on the Mac side
15-year-old Unpatched Root Access Bug found in Apple’s macOS
https://www.hackread.com/15-year-old-root-access-bug-in-apple-macos/
 
That’s not even what this topic is about. The article in question says they’re saying they’re patching things and not actually patching them. :|
Cats make my day 100000x better.
 
agreed...they are lying. But what are they lying about? Patches that are known and published...what about exploits they know about but aren't patching or publishing.
We are only taking their word for it that they are up to date on the security patches they release. We really don't know if there are more they don't patch for.
 
No, we know there are a thousand thousand problems in every OS that isn’t patched. And no, I didn’t accidentally put the word thousand twice, I meant to.
 
I have said this many times before about patches and what they are supposedly patching.
How do you know what they are patching is actually a known exploit/security threat?
If Google or Apple sends out a security patch how do you know its validity?

If a company says they are up to date on security patches and threats....how do we know?
How do we know they are not skipping some security exploits?
Because Apple actually releases the security corrections on their patch notes website. I’m not sure if Samsung does the same but they should if they don’t.
 
Could someone successfully sue manufacturers in the US and win? Maybe this could compel Congress to create a law requiring 2 years of software updates and 2 year warranties with each new phone.
 
Because Apple actually releases the security corrections on their patch notes website. I’m not sure if Samsung does the same but they should if they don’t.
They release notes for security patches that they are patching. What about known exploits or security patches they are not telling you about? What if there are more than they are publishing? Are you just taking their word for it? If so then that is your choice to make.
 
Not saying Apple and Google are saints, but if you care more about software, go towards those devices. The Essential Phone, Nokia, and OnePlus are others that update phones more frequently than Samsung too.
 
They release notes for security patches that they are patching. What about known exploits or security patches they are not telling you about? What if there are more than they are publishing? Are you just taking their word for it? If so then that is your choice to make.
I can’t possibly know about known exploits that they might not be telling us.
 
They release notes for security patches that they are patching. What about known exploits or security patches they are not telling you about? What if there are more than they are publishing? Are you just taking their word for it? If so then that is your choice to make.

It really sounds like you’re trying to obscure the issue here.
 
I can’t possibly know about known exploits that they might not be telling us.

Exactly, none of us are security experts in the loop about known exploits. Which is why it's mind-boggling why some users are so demanding to have the most recent security update. Some users treat updates like a false security blanket. Not saying security updates don't take care of exploits, but it's the most obvious and hyped up exploits that get patched. I'm pretty sure there are many exploits in existence for some time now that are not getting the attention to be patched.
 
I highly doubt any company can patch undiscovered exploits, of course they will always exist but in order for a company to fix them, they first need to be found by some 3rd party. No code is perfect.
 
Myself and jamezr are not speaking about undiscovered.
 
Exactly, none of us are security experts in the loop about known exploits. Which is why it's mind-boggling why some users are so demanding to have the most recent security update. Some users treat updates like a false security blanket. Not saying security updates don't take care of exploits, but it's the most obvious and hyped up exploits that get patched. I'm pretty sure there are many exploits in existence for some time now that are not getting the attention to be patched.

Why is it mind boggling for customers to want their product to be taken care of? We wouldn’t be okay with this on PC land, why are we coming up with excuses just because it’s mobile?

I don’t understand this. It’s not a good idea to come up with these excuses. We should be holding companies accountable.
 
Then what are you talking about? You can’t know exploits if they aren’t discovered even if you coded the whole OS yourself.

They’re trying to pull attention from the actual issue. It’s a type of cheerleading.
 
Why is it mind boggling for customers to want their product to be taken care of? We wouldn’t be okay with this on PC land, why are we coming up with excuses just because it’s mobile?

I don’t understand this. It’s not a good idea to come up with these excuses. We should be holding companies accountable.

Excuses for what? I myself have not given any of these manufacturers a pass. But I'm challenging the mentality of many users having damn near temper tantrums for not having the latest security update, especially since they know next to nothing about the exploits.

And no, us PC users don't have a security patch obsession. Many like myself even do the temporary update opt out, or edit services to update manual only.

Then what are you talking about? You can’t know exploits if they aren’t discovered even if you coded the whole OS yourself.

There are many KNOWN/DISCOVERED exploits of operating systems, apps, and hardware that haven't been patched for whatever given reason.


They’re trying to pull attention from the actual issue. It’s a type of cheerleading.

There isn't much to talk about. Some manufacturers lied about security patches, big whoop. Should it be corrected? YES!!! Are Android users under an imminent security threat, NO!!!! Now if that's cheerleading, then so be it. Don't know what type of insane panic you were expecting. :cool:
 
Insane panic is how you refer to it as. I refer to it as holding companies accountable for providing actual service. And you’re trying to downplay complaints about bad service. It’s not bitching, it’s not insane panic, it’s not throwing temper tantrums.

It’s everyone having a small computer with their bank account information, credit cards, and every other piece of information on it. And it’s about wanting that to be as secure as humanly possible. Google is even doing the work for these companies.

Everyone complains about the prices of Pixels and iPhones but as it turns out you’re paying for that cheaper phone through not being actually secure. And yes, a several month old patch phone is less secure than a Pixel on the current month.
 
1) I already stated I'm not giving companies a pass. There is nothing to downplay, they got caught lying about security patches. Since this is now out in the open, manufacturers that continue to do such will lose out on sales and reputation.

2) The high majority of personal info is got through phishing and exploits on company's server setups.

3) Security is not even in the top 5 factors of pricing.
 