Google Project Zero, a group of security analysts employed by Google LLC to find vulnerabilities, warns that Android phone makers have failed to provide patches to several vulnerabilities discovered earlier this year in the Mali graphics processing unit.
The five medium-severity security flaws were found in Arm Ltd.’s Mali GPU driver in June and July. The five vulnerabilities include one that leads to kernel memory corruption, another that can lead to physical addresses being disclosed and three that can lead to a physical page use-after-free condition. The five vulnerabilities enable an attacker to continue to read and write physical pages after they have been returned to the system.
As explained by Ian Beer from Project Zero in a Nov. 22 blog post, the Mali vulnerabilities “collided” with vulnerabilities available in zero-day markets, dark web pages that sell exploits to hackers and attack groups.
To its credit, Arm fixed the five vulnerabilities between July and August, disclosed them as security issues on its vulnerabilities page and published the patched drivers on their developer website.
Forward to late November and surprisingly, no major vendors had pushed out patches. Smartphone makers named specifically include Samsung Electronics Co., Ltd. Ltd., Xiaomi Inc., Guangdong Oppo Mobile Telecommunications Corp. Ltd. and Pixel.
Pixel is Google’s own line of smartphones, meaning that one part of Google is saying that another part of Google has failed to provide important security updates to its users. The first of the five vulnerabilities were also found on a Pixel 6 by a Project Zero researcher, so Google found a vulnerability on one of its own phones and yet, months later, even with a publicly available patch, has yet to address the issue.
Beer argues that vendors, including Google itself, have a responsibility to provide security updates to users. “Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” Beer said. “Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other downstream vendors) are blocking on this action before they can receive the security benefits of the patch.”
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.