Samsung reminds me a lot of mid-1990s Microsoft, when that company became so successful that it simply started ignoring what actual end users wanted. Samsung is a lot like that with the added bonus that when someone in the bowels of the company does something that users have requested, the company treats this with indifference at best.
Consider, for example, the BlueBorne vulnerability announced by Armis in early September and quickly patched on Windows and iOS. Google released a patch for Android, but other than Google’s own phones, it often takes a ridiculously long time for such patches to make their way to other manufacturers’ phones (in fact, the vast majority of Android phones currently in use will likely never receive the patch).
Anyway, I and other Note 8 customers who paid $1,000 for a phone that now has a major Bluetooth vulnerability were annoyed that this wasn’t patched immediately. Instead, Samsung released a patch on September 15 (the first day the Note 8 was technically on sale) with patch notes indicating the update fixed three major vulnerabilities:
- SVE-2017-9299: Arbitrary code execution with svoice privileges–basically a bug that’s been around in Samsung’s crappy voice recognition app since May that it finally bothered to fix.
- SVE-2017-9357: Email can be sent by malicious application via unprotected component–again, a bug that’s been around since May 2017 in Samsung’s crappy email client that it finally bothered to fix.
- SVE-2017-9650: Security authentication reset issue without user confirmation–apparently Samsung’s crappy code was allowing hackers to register a new certificate without the user agreeing.
And that’s all that was officially announced as being fixed in the patch. FFS, Samsung. Google gave you a BlueBorne patch in early August–how hard could it be to ensure your new flagship phone was patched against the bug?
Then the rumors started that the patch might have included a fix for the Bluetooth vulnerability.