Second verse, same as the first. Two days ago the CyanogenMod ROM team announced a security update to the CM 10.1 platform, incorporating the "Master Key" security patch that Google had already issued back in February. Yesterday another, more intricate exploit in the same vein was posted by a Chinese blog, and again, Google has rapidly moved to patch the problem in Android... which won't be much comfort to those running an older release. Being the security-minded folks that they are, the CyanogenMod team has already patched the vulnerability in an even newer version of the ROM, CyanogenMod 10.1.2.


It's an easy fix if you know what you're doing: nine lines of code prevent malicious apps from skipping the signature verification built into Android. But it's a significant enough bug for the version bump in CyanogenMod, and the 10.1.2 initial release includes only this fix. Builds have already appeared on the CyanogenMod download page for dozens of devices, and should propagate through all the officially-supported phones and tablets throughout the day. The immediate risk is relatively minor (unless you're in the habit of installing shady apps on your device) and Google has probably already incorporated the patch for this exploit into its Play Store vetting procedure, but it's nice to see the most visible of the major community ROMs respond so quickly.

From the CyanogenMod Google+ account:

Some of you may have noticed some details emerging yesterday about a new apk-level issue in Android (bug 9695860). Google has already released a patch for it, so 10.1.2 is a minor upgrade on top of 10.1.1 to add that change.
Even though it's minor, all users running 10.1.0.x or 10.1.1 are advised to upgrade. Stay safe!

New builds are appearing on Get.CM, and should be available through the CM10.1 integrated over-the-air update function as well.

Source: CyanogenMod Download Page via CyanogenMod Google+

Jeremiah Rice
Jeremiah is a US-based blogger who bought a Nexus One the day it came out and never looked back. In his spare time he watches Star Trek, cooks eggs, and completely fails to write novels.
  • Alex Flynn

    So this should appear as an OTA for Nexus devices soon?

    • http://pctonic.net/ Ashutosh Mishra

      It already has (at least on my Nexus S).

      • kh5

        I guess he means as an OTA for stock Android, not CM.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      The odds seem pretty good that there won't be another OTA in the 4.2 branch (which is at 4.2.2, of course). I'm pretty sure Google won't push another OTA until the next version bump, which we expect to be 4.3.

      • Alex Flynn

        I guess that is (another) indication that 4.3 is around the corner...

        It's been there for what seems like a long time...

        • stylez

          4.3 has been available for a week or 2 on SGS4 GE, it's just a matter of time being an N4 so Google experience should see it pretty soon along with many flagship devices rolling out after, again not all handsets will be able to update, carrier models will take that extra time as always, it's good to see CM updating over security flaws and also the future to evolve regarding private messaging.

          • blunden

            That was a leak, not an official release. We don't know how finished that leak was but yes, there have been other indications that it will be released soon too.

  • Drootz

    This is why I love CM, vulnerability exposed, vulnerability patched. New OS pushed out! I wish carriers were this efficient.

  • Fellwalker

    CM 10.1.2 isn't a patch, it's a full 60 minute, 180MB download. A patch is what Microsoft issue on Tuesdays - a small file that is inserted into the existing code. This is a replacement which is installed over the existing OS.

    • Fellwalker

      Ah well. After 30 minutes the download aborted. When I restarted it, it worked faster, but the time to finish increased from 4 to 6 minutes, and finally finished in 5.

  • Jim Dowell

    Is anyone having problems when flashing 10.1.2 when you try to reboot or if the phone turns off for any reason, when you try to turn it back on it gets stuck on the cm rotating logo? Thank you so much!