Google announced Project Zero back in 2014 in a quest to make the internet more secure by researching software exploits and informing affected developers about them. The company soon adopted a 90-day public disclosure deadline in order to speed up the patching process. In 2020, this policy will change just a little bit. Previously, vulnerabilities were published as soon as developers fixed them, but now, Google will always wait the full 90 days until it reports to the public. That's meant to ensure that patches have rolled out to more users before potential bad actors know about the exploits, thus leaving fewer people vulnerable.
Another month is just starting, and that means it's time for the latest round of Pixel and Nexus patches to roll out. Google has posted both the system images and the OTA files, so you can get the latest version on your device without waiting for the update. You might actually want to go out of your way this time as there are some functional updates for Pixel devices.
It's time again for another update to Android, and it's rolling out to Google devices starting now. If you just can't wait for the OTA to reach you, there are some files you can download to skip the wait. It looks like most devices just have a single build this month, which will make things much easier.
Google is still working on getting the September security patches out the door, but it has posted a security bulletin detailing the changes. Several of the flaws noted in the bulletin are part of an enormous Bluetooth vulnerability discovered by Armis Labs, which bills itself as an IoT security firm. The "BlueBorne" attack exposes billions of Android devices to complete takeover by hackers, but it's not only Android. The same flaw exists in Windows, Linux, and some versions of iOS.
Google has been releasing monthly security patches like clockwork ever since it revamped the Android security model in the wake of Stagefright. Samsung and LG are also trying to keep up with the monthly patches, but not always with the most success. LG's getting the jump on Google today, though. It has posted the January security bulletin a little early with information on Google and LG-specific patches.
There's an OTA update rolling out to Google devices today, but what sort of holes have been patched? Now you can find out with Google's latest security bulletin. Like the last few months, this one has multiple patch levels that you might see on devices going forward.
This week the latest batch of over-the-air security updates started rolling out to Nexus devices, most going under version LMY48M. Google also posted the goods online in the form of factory images. The company then went on to provide a list of the security fixes.
Eight make the list, with one having actually been exploited in the wild, though it is unclear whether this was used maliciously or was just someone rooting their own device. None of the vulnerabilities are newly disclosed.
Back in October, Google announced a rewards program that would give financial incentives for "down-to-earth, proactive improvements" to security across third-party open-source projects that Google deems "vital to the health of the entire Internet."
Starting with core infrastructure services, Chrome foundations and other "high impact libraries," Google vowed to expand the program soon. Today, in an entry to the official security blog, Google announced that the program has been expanded in scope to include open-source bits of Android, found in AOSP, and several other projects.
We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:
- All the open-source components of Android: Android Open Source Project
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
- Virtual private networking: OpenVPN
- Network time: University of Delaware NTPD
- Additional core libraries: Mozilla NSS, libxml2
- Toolchain security improvements for GCC, binutils, and llvm
According to the patch rewards guidelines, rewards can range from $500 to $3,133.70, with higher rewards going to solutions with unusually high impact or solutions to exceedingly complex issues.