Google says Google should do a better job of patching Android phones

The “Project Zero” team of security analysts at Google wants to rid the world of zero-day vulnerabilities, and that means they spend time calling out struggling companies on their blog. The group’s latest post is friendly fire aimed at the Android and Pixel teams, which Project Zero says don’t handle bugs in the ARM GPU driver fast enough.

In June, Project Zero researcher Maddie Stone detailed an in-the-wild exploit for the Pixel 6, in which a bug in an ARM GPU driver could allow a non-privileged user to gain write access to the ROM. Another Project Zero researcher, Jann Horn, spent the next three weeks looking for related vulnerabilities in the driver. The post says these errors could allow “an attacker with native code execution in the application context [to gain] full system access, bypassing the Android permissions model and allowing broad access to user data.”

Project Zero says it reported these issues to ARM “between June and July 2022” and that ARM fixed the issues “promptly” in July and August, issuing a security bulletin (CVE-2022-36449) and publishing the stable source code. But these actively exploited vulnerabilities have not been patched for users. The groups that dropped the ball seem to be Google and various Android OEMs: Project Zero says that months after ARM fixed the vulnerabilities, “all of our test devices that used Mali are still vulnerable to these issues.” CVE-2022-36449 is not mentioned in any downstream security bulletins.

Affected ARM GPUs include a long list spanning the past three generations of ARM GPU architectures (Midgard, Bifrost, and Valhall), from current devices to phones from 2016. Qualcomm chips don’t use ARM GPUs, but Google’s Tensor SoCs use ARM GPUs in the Pixel 6, 6a, and 7, and Samsung’s Exynos SoCs use ARM GPUs in its mid-range phones and older international flagships like the Galaxy S21 (just not the Galaxy S22). MediaTek’s SoCs are all ARM GPU users too, so we’re talking millions of vulnerable Android phones from almost every Android manufacturer.

In response to Project Zero’s blog post, Google told Engadget, “The patch provided by Arm is currently in testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to make the patch to comply with future SPL requirements.”

The Project Zero analysts end their blog post with some advice for their colleagues, saying: “Just as users are advised to patch as soon as possible once a version containing security updates becomes available, the same is true for vendors and companies. Arguably, reducing the ‘patch gap’ as a resource in these scenarios is even more important, as end users (or other vendors) block this action before they can obtain the security benefits of the patch. Companies need to remain vigilant, follow primary sources closely, and do their best to provide full patches to users as soon as possible.”
