Google Undertaking Zero, a bunch of safety analysts employed by Google LLC to seek out vulnerabilities, warns that Android cellphone makers have failed to offer patches for a number of vulnerabilities found earlier this 12 months in Mali’s graphics processing unit.
5 safety flaws of average severity had been discovered within the Arm Ltd. GPU driver. of Mali in June and July. The 5 vulnerabilities embrace one which causes kernel reminiscence corruption, one other that may trigger location addresses to be uncovered and three that may trigger a post-free web page situation. These 5 vulnerabilities allow an attacker to proceed studying and writing actual pages after they’re returned to the system.
As described by Ian Beer from Undertaking Zero in a November 22 weblog put up, Mali’s vulnerability “collided” with vulnerabilities present in zero-day markets, darkish internet pages that promote exploits to hackers and assault teams.
To its credit score, Arm mounted the 5 vulnerabilities between July and August, disclosing them as safety points on its vulnerability web page and posting the patched drivers on its developer web site.
Quick ahead to late November and surprisingly, not one of the main distributors had launched patches. Smartphone makers particularly talked about embrace Samsung Electronics Co. Ltd., Xiaomi Inc., Guangdong Oppo Cell Telecommunications Corp. Ltd. and Pixel.
Pixels are Google smartphones, which signifies that one a part of Google says that one other a part of Google has failed to offer necessary safety updates to its customers. The primary of the 5 vulnerabilities was additionally discovered on the Pixel 6 by a Undertaking Zero researcher, so Google discovered the vulnerability on considered one of its telephones and but, months later, even with a publicly obtainable patch, it nonetheless hasn’t addressed the problem.
Beer argues that distributors, together with Google itself, have an obligation to offer safety updates to customers. “Simply as customers are suggested to patch as quickly as doable as soon as a model with safety updates is obtainable, the identical applies to distributors and firms,” Beer stated. “Mitigating the ‘patch hole’ as a vendor in these conditions is much more necessary, as finish customers (or different downstream distributors) block this step earlier than receiving the safety advantages of the patch.”