Old Zero-Day Vulnerabilities Remain Unpatched on Samsung, Google Phones

Old Zero-Day Vulnerabilities Remain Unpatched on Samsung, Google Phones

Google’s Project Zero team is on the front lines of digital security, analyzing code, reporting bugs, and generally making the internet safer. However, not every vulnerability gets fixed in a timely manner. A recent batch of serious flaws in Arm’s Mali GPU were reported by Project Zero and fixed by the manufacturer. However, smartphone vendors never implemented the patches, among them Google itself. So, that’s a little embarrassing.

The story starts in June 2022 when Project Zero researcher Maddie Stone gave a presentation on zero-day exploits — known vulnerabilities for which there is no available patch. The talk used a vulnerability identified as CVE-2021-39793 and the Pixel 6 as an example. This flaw allowed apps to access read-only memory pages, which can leak personal data. Following this, researcher Jann Horn started looking more closely at ARM Mali GPU code, finding five more vulnerabilities that could allow an attacker to bypass Android’s permission model and take control of the system.

Some of these issues were allegedly available for sale on hacking forums, making them especially important to patch. Project Zero reported the issues to ARM, which followed up with source code patches for vendors to implement. Project Zero waited another 30 days to disclose the flaws, which it did in August and mid-September 2022. Usually, this would be the end of the story, but Project Zero occasionally circles back to assess the functionality of fixes. In this case, the team found a “patch gap.”

Old Zero-Day Vulnerabilities Remain Unpatched on Samsung, Google Phones

Although ARM released the patches over the summer, vendors hadn’t integrated them into their regular Android updates. The issues affect numerous devices that run a system-on-a-chip featuring a Mali GPU, including Android phones from Samsung, Xiaomi, Oppo, and Google. Snapdragon chips are spared as they use Qualcomm’s own Adreno GPU. So, Samsung phones in North America are safe, but those sold internationally with Exynos chips are at risk.

In past years, this might not have affected Google, but the company switched from Qualcomm to the custom Tensor chips for Pixel phones in 2021. Tensor uses a Mali GPU, so Google’s security team found flaws that the Pixel team failed to add to the regular software updates. Google is not alone in making this mistake, but it’s still not a great look. Google now says that the Mali patches will be added to Pixel phones “in the coming weeks.” Other vendors haven’t offered a timetable yet.

Continue reading

Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities
Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities

Unlike the last few zero-days, Google didn't find these security holes itself. Instead, it was tipped by anonymous third-parties, and the problems are severe enough that it hasn't released full details. Suffice it to say, you should stop putting off that update.

Google Finds Two Zero-Day Vulnerabilities in iOS
Google Finds Two Zero-Day Vulnerabilities in iOS

Your iPhone is safe if it's updated today, but Google says the exploits were active in the wild.

Google Finds Zero-Day Vulnerability in Chrome, Urges Immediate Updates
Google Finds Zero-Day Vulnerability in Chrome, Urges Immediate Updates

If you haven't let Chrome update recently, take the time to do it now.

Mozilla Issues Emergency Zero-Day Firefox Patch
Mozilla Issues Emergency Zero-Day Firefox Patch

Mozilla advises all Firefox users to update to the latest version of the browser as soon as possible. The company has just become aware of a zero-day exploit affecting Firefox, meaning there are nefarious internet forces actively using it.