
It's even worse than that. The device manufacturers often can't update the kernel on their own; they need cooperation from their peripheral vendors. I see a lot of Android customers criticizing device vendors for fragmentation and failing to release OS updates. But Google really created the problem by failing to build in stable APIs for a hardware abstraction layer and loadable device drivers. Unfortunately the only ways they could really fix the problem would be by forking Linux or building a new kernel from scratch and those would be huge efforts.


> Unfortunately the only ways they could really fix the problem would be by forking Linux or building a new kernel from scratch and those would be huge efforts.

Or they could make their user mode pieces work with multiple kernel versions. In, say, a desktop Linux distro, it's often possible to leave the kernel at one version and upgrade other components.


Security fixes and major new features typically require kernel upgrades so that doesn't really solve the fundamental problem.


Are you sure? Most Android CVEs I have personally read (a small set I will admit) have been user mode components.


Yes of course. Unless you are suggesting that the Linux kernel contains no bugs...


I didn't say that. But the kernel (and by that I mean ring 0 only) is a small percentage of Android compared to user mode code. Privilege escalations in the kernel are more rare than other issues.

So saying you cannot patch user-mode binaries (again, a majority of code in the system) because the kernel cannot be patched sounds an awful lot like throwing out the baby with the bathwater. And on Linux, the user to kernel ABI is fairly stable (see Linus's rants on the subject), which makes patching these pieces independently much more feasible.

Put another way, if someone says a vulnerability in libstagefright.so can't be patched because kernel modules, that person is lazy and making excuses, or doesn't know what a kernel is.



