Dirty Pipe …. Fixed or Not Fixed

Maljunulo

Well-known member
Jan 17, 2016
521
127
43
This annoys me enough to start a thread.

Why can’t/won’t Google answer the straightforward question:

“Does the April 2022 security patch fix Dirty Pipe, or does it not fix Dirty Pipe?”

The question seems to permit a simple, straightforward, unequivocal answer, “Yes, it does/No, it does not.”
 

Maljunulo

I have Kernel version 5.10.6 so that should settle whether or not I am vulnerable.

The article cited is somewhat less than reassuring.
 

Mooncatt

Ambassador
Feb 23, 2011
10,758
321
83
These news articles really need to clarify what they mean by being vulnerable. Android is quite secure and you basically have to be trying to actually get infected. I.e., snooping around places on the web you should be and installing random apps thinking you're getting paid content for free. A person that can't swim is vulnerable to drowning, but only if they go near the water. If they stay on land, the risk is basically zero. Same with Android, don't go near the water if you don't want to drown.
 

Maljunulo

> These news articles really need to clarify what they mean by being vulnerable. Android is quite secure and you basically have to be trying to actually get infected. I.e., snooping around places on the web you should be and installing random apps thinking you're getting paid content for free. A person that can't swim is vulnerable to drowning, but only if they go near the water. If they stay on land, the risk is basically zero. Same with Android, don't go near the water if you don't want to drown.

An interesting and very good point.

“These articles” really need to clarify many things. Precision of thought and language is not their strong point.
 

Mooncatt

Generally, I ignore them, but I figure if it merits an official patch it must be significant.

Any security vulnerability should be patched, but that's just good business practice. The severity of the vulnerability can play into prioritization, but we would be hard pressed to find such a case that should make us want to be so concerned. I can only think of one time where we even came close to that line.

A researcher found a vulnerability that could allow an attacker to send malware via SMS in such a way that the user wouldn't know a text came in, and it allowed data harvesting if I'm not mistaken. It's been several years, so the details are a little fuzzy. In that case, the exploit was discovered initially by the researcher, who responsibly reported it to Google. The patch was issued prior to public release of the info (you may recall many people reporting getting a surprise OS/security update well outside their phone's update period; this was why), and I don't think the exploit was ever discovered in an actual attack.
 
