Google devices, like the Nexus before and now the Pixel phones, have always prided themselves on getting patches and updates a lot earlier than even the fastest OEMs, of which there are only very few. But in this particular instance, Google will be rolling out one specific fix a lot later than some of those OEMs or even third-party Android ROM makers. Unfortunately, it’s an instance where time might be even more critical, as Nexus and Pixel devices remain vulnerable to the KRACK exploit until Google finally rolls out the fix next month.
KRACK is the latest security scare making waves throughout the tech industry because it potentially affects any device using Wi-Fi and any network using WPA2 authentication, which practically means every wirelessly connected device in the world, from laptops to phones. While it might be easily exaggerated, it is still not something manufacturers and software vendors would want to sit on for too long.
Google just released its November security bulletin, which did include mentions of KRACK. Looks, however, can be deceiving. Due to the way Google releases its bulletins, the actual fixes for the vulnerability won’t make it to this month’s updates. The actual patch was released on the 6th of November, just a day after its usual second bulletin on the 5th of the month.
This puts Nexus and Pixel devices at an unusual disadvantage, where they are getting a critical security fix almost two months after the vulnerability was disclosed, all because Google missed a crucial window. Given the severity and the researchers’ insistence on how Android devices are particularly vulnerable, you’d think Google would try to make an exception.
Ironically, this gives manufacturers and third parties a margin to actually beat Google to the punch. Essential, OnePlus, and NVIDIA have already released their own KRACK fixes and Samsung, surprisingly, is said to do likewise soon. Custom ROMs like LineageOS, OmniROM, and Paranoid Android have also patched it on their end. Other OEMs, however, still remain silent on the matter.
VIA: Ars Technica