Vulnerability in MediaTek chipsets discovered, promptly fixed

24 November 2021

It has been patched with an October update.

?
Anonymous
pfP
28 Nov 2021

Kangal, 28 Nov 2021Well, that's a strawman. I don't have to wake up... moreBut you consider bigger OEM update the same way unknown brands did!

And you're making some confusion.
To get Play Services certification, OEM are forced to updates OS security patches...these security patches from Google bulletins...
Play services updates don't need OEM's action.
OS security's patches need.
Today, certified devices get at least 2 years of security patches not from Play Services, but from OEM.

As you can find up to 5 android's versions on mt6737 (but not on the same device), I'm agree, problem, if there is one, come from OEM...Mediatek's job is zone, even on entry Lebel!
Often, OEM behavior stay the same no matter the soc they use :
- Alldocube X Neo with Snapdragon 660 didn't get more updates than other Alldocube's devices
- Redmi Note with MTK's don't get less updates than redmi Note with Qualcomm's
- in the same price range, Nokia updates devices the same way.
- Nord 2's updates policy is the same than Nord 1 or Nord CE.
- Xiaomi's updates police is the same on 11T and 11T Pro

I'm not sure Apple's updates on some older devices are more than esthetical patches...

Kangal
D$j
28 Nov 2021

Anonymous, 26 Nov 2021Mediatek's fixes are now part of official google'... moreWell, that's a strawman.
I don't have to wake up, I never said MediaTek is only on unknown brands from China.

Secondly, the security fixes that Google removed from the OS, and implemented it into the Play Services is not all of them. The majority of security concerns come from the device's OS, then kernel, then Apps layer. The Play Services are more stable because they are responsible for fewer things.

That is why the consumer is STILL at the mercy of their Carrier, OEM, and Chipset Vendor when it comes to updates. Things have improved since 2016. But it is very vary far from the sort of update system in the iOS Ecosystem. One of the biggest offender is actually Xiaomi. They very regularly send out Blank Updates, which do very little or sometimes nothing, just to increase the number in the Settings. Developers a lot more knowledgeable than me have reported it. With that said, Xiaomi doesn't care about security or updates, not to the extent consumers do... which you can tell by the way MIUI operates, and how the company makes its money. So we have to be extra skeptical against MediaTek.

I
Inva
S3c
27 Nov 2021

Meanwhile in Google security bulletin: Snapdragon, 20+ critical security issues every month...

?
Anonymous
08B
26 Nov 2021

ABF Media, 26 Nov 2021How many people do you know that actually got affected by t... moreHow many people are affected by Mediatek's vulnerability?

I only ask people to be fair...
If they criticize this vulnerability on Mediatek's, they have to be as rude in front of Qualcomm's!

They aren't! That's dishonest!

?
Anonymous
08B
26 Nov 2021

Kangal, 26 Nov 2021Just note, that this fix is on MediaTek's side. It do... moreMediatek's fixes are now part of official google's security updates...like tons of Snapdragon's holes found every month (especially in their DSP's closed sources).

You only have to open your settings, look at your last security update and you will know!
Ok on mine, it's October, I will probably get this patch in the next update in December.

With serious brands (I mean Xiaomi, Oppo, Realme, Nokia, Realme, OnePlus, Samsung...), you've got certified devices.
To verify, open the playstore, go in settings...about...
Certified means you will have at least security updates during 2 years with a minimum of 4 updates the first year. That's the minimum...in reality, you will get updates more often and longer.

Wake up, you no longer find Mediatek's only on tiny unknown brands from Shenzhen...

?
Anonymous
08B
26 Nov 2021

Anonymous, 26 Nov 2021Unless a group of hackers specifically target you using the... moreI'm agree...risk is very small

I only find some people's behavior is funny...
A single vulnerability on Mediatek's is a nuclear danger...
At the same time, dozen or more on Qualcomm's each month aren't important!

Are they brain washed?

?
Anonymous
p%S
26 Nov 2021

Anonymous, 24 Nov 2021Have you ever read Google's security bulletin? It... moreUnless a group of hackers specifically target you using the security hole or vulnerability (if it exists) which is not fixed through a security patch, you have nothing to worry about. The likelihood of such a thing happening is 0.00001%.

So lack of security patches don't affect the end user in the real world.
Ppl and several businesses used Intel chipsets for years without issues despite the Spectre & Meltdown vulnerabilities. As I said, unless a team of hackers specifically target you exploiting that security loophole, you are safe.

Ppl continue to fall for marketing gimmicks where they feel if they don't have the latest security patch, they are vulnerable or worse the phone becomes unusable after 2 years. These are the same people that can be hacked using a simple phising link and they are worried about vulnerabilities in the system that are less likely to be a threat.

A
ABF Media
pkQ
26 Nov 2021

Anonymous, 24 Nov 2021Have you ever read Google's security bulletin? It... moreHow many people do you know that actually got affected by these vulnerabilities?

D
Dudenoway
6p{
26 Nov 2021

Anonymous, 25 Nov 2021Snapdragon is always worth it. New chipsets are super. Even... more*always worth it*
I guess you never knew sd 888 and sd 480 and sd 810 existed bud.

D
Dudenoway
6p{
26 Nov 2021

Anonymous, 25 Nov 2021Most people in here LOVE Chinese manufacturers and their bi... moreHonestly yall sayin numbers don't matter, but if they don't, then isn't 1mp cam, sd 215 and 60hz tft press to touch screen is enough right?

Kangal
D$j
26 Nov 2021

Just note, that this fix is on MediaTek's side.
It doesn't mean that MediaTek has sent the OEMs an updated kernel and drivers.
Even if they did, it doesn't mean the OEMs have repackaged those fixes into an OS update.
And even if they did make the update, it doesn't mean the update was pushed by the vendors and carriers to people's handsets.

Lastly, even if the problem was identified, notified, patched, fixed into an update, and finally the update was pushed to individual's handsets.... that does NOT mean the user has applied the update to their phone!

I find it quite unlikely that this problem is fixed. If it was Apple, sure.
And if we're talking about a security problem that was reported for flagship phones from the likes of Google Pixel, Sony, LG, or Samsung.... then it would sooner or later get fixed. But more than likely this affects millions of users now and for the foreseeable future, as this affects cheaper devices from lesser established brands. Call me skeptic, but I'll believe it when I see it.

f
foo
svZ
25 Nov 2021

MediaTek don't upstream is currently a black box avoid

?
Anonymous
3@f
25 Nov 2021

Anonymous, 25 Nov 2021Who needs security fixes when you can have 108 Mpix camera ... moreMost people in here LOVE Chinese manufacturers and their big numbers.

?
Anonymous
xq5
25 Nov 2021

AnonD-1027450, 25 Nov 2021But it worth the price easily Like the difference between ... moreSnapdragon is always worth it. New chipsets are super. Even 6 series are already good.

D
AnonD-1027450
gLn
25 Nov 2021

FatShady, 24 Nov 2021just a bit more expensive? yeah, right! they cost way too m... moreBut it worth the price easily
Like the difference between xiaomi 11T and 11T pro
Same cores, both flagship but night and day

?
Anonymous
puk
25 Nov 2021

Anonymous, 24 Nov 2021Have you ever read Google's security bulletin? It... moreWho needs security fixes when you can have 108 Mpix camera and 12GB of RAM yo! Literally everyone on GSMArena...

?
Anonymous
99A
25 Nov 2021

Anonymous, 24 Nov 2021Have you ever read Google's security bulletin? It... more"Issues that are not publicly available have an * next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site."

Lmao

?
Anonymous
LaL
25 Nov 2021

Well done MediaTek team, if this was Snapdragon it would've taken months to fix an exploit

?
Anonymous
xq5
25 Nov 2021

Anonymous, 24 Nov 2021Have you ever read Google's security bulletin? It... moreNever faced any security issues.

?
Anonymous
7X1
24 Nov 2021

EoL MediaTek SoCs wont have this patch since they are closed source.

1 of 2