Google patches Android security flaw

Google and T-Mobile have begun distributing a security patch for the first Android-powered phone, the G1 built by HTC. This is the update alert message.

(Credit: Stephen Shankland/CNET News)

Google has begun distributing a patch to its Android mobile phone operating system, an early test for how nimbly the company can respond and how well the infrastructure works to distribute and install updates.

For the Android test phone I'm using, a T-Mobile G1, the update was smoother than the process by which the software problem came to light publicly on October 24.

The handset I'm testing gave me a message Saturday afternoon: "A system update is available," and a choice to update now or later. When I clicked the button to begin the update, it downloaded new software, which took a few minutes, then installed it, then resumed working with no hitches.

The patch fixes the highly publicized security problem with Android's Web browser and makes a few other minor changes, according to a Google spokesman quoted in IT World on Friday.

The researchers--Charlie Miller, Mark Daniel, and Jake Honoroff of Independent Security Evaluators--called the Android Web browser flaw serious, but Google said its severity was mitigated by Android's design, which restricts each program to its own area.

Earlier, Google appealed for what it called "responsible disclosure" of security vulnerabilities--in other words, a grace period to fix problems before they're made public to reduce the likelihood an attacker will get a chance to exploit a vulnerability. There's an ages-old tension between companies that want to fix their products and security researchers who want to get the word out, in part because attackers also are trying to find the vulnerabilities.

Google didn't respond to a request for comment Saturday.

Here the G1 shows progress in downloading the update.

(Credit: Stephen Shankland/CNET News)

Once the patch is downloaded, the phone automatically installs it.

(Credit: Stephen Shankland/CNET News)

[bj70117]

Well, after all the buzz this is just fine. People expect service and this is just that.

[AppleSuxLeo]

This is a good example of fixing a problem and not denying it exists like Apple does. All devices have bugs...Apple has had hundreds of megabytes of security patches lately...what matters most is patching quickly and not denying it exists (Apple).

[FormerPCwonk]

AppleSuxLeo: Hmmm, so, what matters most is patching quickly and not denying the existence of flaws, yet by your own post, "Apple has had hundreds of megabytes of security patches lately. . ." Further, the act of patching flaws is itself an admission that there were indeed, well, flaws. So when you went to your "AppleSux" grab bag of random facts &claim in order to construct your argument, you took the "Apple isn't open" argument but used the "OS X has lots of security flaws" evidence. In other words, you're kind of a tool. Cheers.

[Mick Blackledge]

Not a month old and it has started.

Writing one software package to cover a multitude of non controlled hardware configurations will be disastrous.

You read it here first.

[sprocketwonk]

"Not a month old and it has started."

every new product has problems from coffee makers to cars to space craft. As the level of complexity increases, so does the potential for the need for fixes.

"Writing one software package to cover a multitude of non controlled hardware configurations will be disastrous."

non controlled? there's a developer standard and Google prominently worked with T Mobile and HTC on this phone.

as to one OS working on a multitude of hardware configs...you mean like Linux? (or Windows) or the myriad of devices (microwave ovens to DVD players) using lesser known embedded systems like qnx or other?

Linux has demonstrated an open OS can take on large commercial OSes and gain market share.

The real test will be to see how much market share Android phones have in 12-18 months.

My suspicion is they will be a significant competitor to iPhone and take some marketshare from Blackberry and Symbian and other business class devices.

[madirid]

That is true

[spikoman]

> Writing one software package to cover a multitude of non controlled hardware configurations will be disastrous.

Are you saying this browser (webkit) flaw won't happen on a platform with controlled hardware i.e. iphone/mac os x?

> You read it here first

Old news. Android will face the same challenges as Windows.

[mattflaschen]

What a ridiculous comment. What do you think Symbian and Windows Mobile are? Hmm, maybe software packages that work on a multitude of hardware.

You worry about "non-controlled" configurations. Yet in reality, Google, HTC, and the other Android partners are working closely together. Clearly, Google had no problem getting this bug fix downstream.

[iwtgm]

I had an update on mine around tuesday or wednesday. I am guessing this is the update. Well, whatever it was, it restarted and ran fine, just like before. One thing I do like is that when programs hang up and seize, the 'close now' option button comes up.
Another thing, this thing uses ALOT of battery when you have the gps and wi-fi, so i turn this off. I love this phone and I think that upgrades should be welcomed.

[mtnwing]

Can anyone else verify if they've tried installing this system update on a G1 that's already been unlocked from the T-Mobile network? If so did it work OK or does it cause an issues with the previous unlock?