by nl 2106 days ago
Next time Project Zero finds an iOS bug and people suggest it is a commercial hitjob, point them at this.

Qualcomm (and all Android vendors) look like they have been screwed by this. (To be clear - they are screwed because their processes are too slow to get security updates out).


Maybe you have not used Android lately?

I have two phones and a tablet, all mid-range devices from 3 different vendors and all are on Android 10 with at least August patches.

Edit: both phones are also more than 2 years old.

I have a Pixel.

My comment referred to the timeline outlined in the post, in particular this part:

Qualcomm gives an update on the progress of a microcode based fix. The plan is that the fix will be available for OEMs by September 7, but Qualcomm will request an extension to allow more time for patch integration and testing by OEMs.

and for their multiple subsequent requests for an extension and/or grace period.

Your August patches don't fix this - Qualcomm only notified OEMs on 4 August and their plan was to get fixes to OEMs by 7 Sep.

I am fine with this schedule.

Unless someone is actively exploiting devices I would prefer a well tested patch to a rushed patch.

Note that this whole issue is due to a previously rushed patch.

It wasn't due to a rushed patch - the patch just gave the Project Zero researcher an idea for where he should look.

There's no real way of being sure if it is being exploited. I guess no exploits had been detected a couple of days ago, but it's not uncommon for the way it gets detected to be for someone to find the exploit software somewhere. That's how Project Zero found these iOS issues for example[1].

[1] https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...

For comparison, Google Chrome tries to get security patches to most users within 24 hours.

Yet most Android devices are lucky to receive a patch within a few months... Don't worry though - that's only a window of a few months where an evil actor can drain your bank account and log your porn browsing sessions...

As someone using iOS, does Chrome really update multiple times a week for security patches? Am I overestimating how often security fixes go in?

Critical security issues 'in the wild' only come up once every few months, but yes, when they do, the Chrome team has someone on duty 24 hours per day whose responsibility is to patch the code and do a release to all users within a matter of hours.

If you submit a security issue to Chrome, they actually have a tickbox on the webform to say "this issue is important enough to get someone out of bed for", and if you tick that box, it will actually wake someone at 3am to deal with it...

You should probably wait for an example where Google didn't put off writing the issue up for a year after the initial report.

What does this mean? They (Project Zero) only started working on this in June 2020 ("However in June 2020, I noticed that the patch for CVE-2019-10567 was incomplete, and worked with Qualcomm's security team and GPU engineers to fix the issue at its root cause.... It's our understanding that Qualcomm will list this publicly in their November 2020 bulletin.")