> But in reality, Samsung (and the other Android OEMs) cannot compete with Google and its unique control over hardware and software.
Yes, they can. We are talking about applying provided security patches to source code, and then releasing a new version of their OS. For patches that have existed for months. The time from patch to release should be on the order of days from receiving the patches to having a validated OS release with the fix being sent to users. It's not the control of Android which makes it possible for Google to patch their Pixel branch of AOSP faster than Samsung can patch their own. It's that Samsung doesn't care about prompt security fixes so they don't allocate engineers to do the work.
> Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.
Being reliant on a single OS permanently nailed to the hardware is no less crazy. I'd like to be able to install another OS on a vulnerable device, it would help tremendously and not only with the security of that specific device.
Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.
Provide a way to unlock the phones and a standard BSP, it should be the law.
I vote to just change the spelling to what almost everyone already thinks it is anyways.
It'll still be just as weird. But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling. I mean, I know this is English spelling which is not known for its regularity, but this is just too much.
Just go to the software update, touch the button, then touch it a second time, and that will give you all available updates immediately, regardless of your random position in the rollout process.
Not working for me on Android 16, additional taps of the "Check for update" button in the bottom-right don't change the fact that it says "Your system is up to date" and that the last change was last month.
Could be model-specific. I got the update by doing that manually on my Pixel 8 Pro, that also happens to be on the beta track so there are a few confounders. But that is the way to get the latest software that is waiting to be released to your phone, without waiting.
> if I don't install any crap on my phone I am safe?
We don't know. Practically no technical information is released about the bug, for what I care any play store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.
My tinfoil hat might be on too tight again... but the timing of this exploit coinciding with Google's full court press on Android user rights is just a little suspect. Especially after the ongoing public education campaign about the evils of "sideloading" an Android application.
It has to do with setting the device owner, and gaining those powers; enabling / disabling apps, remote wipe, etc. It's a local privilege escalation attack and doesn't require user interaction.
I suspect the average person who installs apps outside of the play store is still much more likely to be infected via malware that dodged the playstore's detection than the apps they install from other sources, because there's usually considerable trust involved with the other sources.
In particular they're usually f-droid and open source apps compiled by f-droid.
Is this guy going to make a slop repo for every new CVE in a high-profile product advisory so he can rack up some stars and put this shit on his resume? Jesus fuck.
This is just polluting the namespace and making it harder for blue teamers and incident responders to share IOCs.
His repos either lack a PoC and just contain a README with more emojis than facts; try to pass a public version checker off as a PoC; or invent a non-working PoC in the absence of technical details.
How many different models of PCs get released? How hard is it to patch any of their OSs?
Give me just the security updates please.
Pixel 8 here, still don't have the update. That's... not great.
[1]: https://discuss.grapheneos.org/d/27068-grapheneos-security-p...
https://source.android.com/docs/security/bulletin/2025-12-01
True, it says almost nothing of value about the exploit, but it does teach us that 30% is almost one in three.
Bullshit asymmetry.