Old Zero-Day Vulnerabilities Remain Unpatched on Samsung, Google Phones

Old Zero-Day Vulnerabilities Remain Unpatched on Samsung, Google Phones

Google’s Project Zero team is on the front lines of digital security, analyzing code, reporting bugs, and generally making the internet safer. However, not every vulnerability gets fixed in a timely manner. A recent batch of serious flaws in Arm’s Mali GPU were reported by Project Zero and fixed by the manufacturer. However, smartphone vendors never implemented the patches, among them Google itself. So, that’s a little embarrassing.

The story starts in June 2022 when Project Zero researcher Maddie Stone gave a presentation on zero-day exploits — known vulnerabilities for which there is no available patch. The talk used a vulnerability identified as CVE-2021-39793 and the Pixel 6 as an example. This flaw allowed apps to access read-only memory pages, which can leak personal data. Following this, researcher Jann Horn started looking more closely at ARM Mali GPU code, finding five more vulnerabilities that could allow an attacker to bypass Android’s permission model and take control of the system.

Some of these issues were allegedly available for sale on hacking forums, making them especially important to patch. Project Zero reported the issues to ARM, which followed up with source code patches for vendors to implement. Project Zero waited another 30 days to disclose the flaws, which it did in August and mid-September 2022. Usually, this would be the end of the story, but Project Zero occasionally circles back to assess the functionality of fixes. In this case, the team found a “patch gap.”

Old Zero-Day Vulnerabilities Remain Unpatched on Samsung, Google Phones

Although ARM released the patches over the summer, vendors hadn’t integrated them into their regular Android updates. The issues affect numerous devices that run a system-on-a-chip featuring a Mali GPU, including Android phones from Samsung, Xiaomi, Oppo, and Google. Snapdragon chips are spared as they use Qualcomm’s own Adreno GPU. So, Samsung phones in North America are safe, but those sold internationally with Exynos chips are at risk.

In past years, this might not have affected Google, but the company switched from Qualcomm to the custom Tensor chips for Pixel phones in 2021. Tensor uses a Mali GPU, so Google’s security team found flaws that the Pixel team failed to add to the regular software updates. Google is not alone in making this mistake, but it’s still not a great look. Google now says that the Mali patches will be added to Pixel phones “in the coming weeks.” Other vendors haven’t offered a timetable yet.

Continue reading

Nvidia: RTX 3000 GPUs Will Remain Hard to Find Into 2021
Nvidia: RTX 3000 GPUs Will Remain Hard to Find Into 2021

There's no hope for a near-term improvement in RTX 3000 GPU availability. Shortages will likely continue through the end of this year and into the beginning of 2021.

Mass Effect: Legendary Edition Remaster Debuts on May 14
Mass Effect: Legendary Edition Remaster Debuts on May 14

The remastered Mass Effect series, Mass Effect: Legendary Edition, drops on May 14. We've got details on what's changing and what isn't.

Blizzard’s Diablo II Remaster Will Support 20-Year-Old Save Files
Blizzard’s Diablo II Remaster Will Support 20-Year-Old Save Files

Blizzard is working on a remastered version of Diablo II, and it will be very faithful to the original. How faithful? Blizzard producer Matthew Cederquist confirms save files from the original game will work with the remaster, allowing you to finish the quest you started two decades ago.

NASA’s Mars Helicopter Remains Grounded Awaiting Software Fix
NASA’s Mars Helicopter Remains Grounded Awaiting Software Fix

NASA previously said the Ingenuity helicopter would take to the Martian skies over the weekend, but the agency announced late Friday that liftoff was delayed until at least April 14 because of a software issue.