In order to eliminate zero-day security vulnerabilities, Google’s “Project Zero” team of security specialists frequently criticises negligent businesses on its blog.
Project Zero’s most recent article is a friendly-fire attempt at the Android and Pixel teams, accusing them of being too slow to address issues with the ARM GPU driver.
Project Zero says it reported these issues to ARM “between June and July 2022” and that ARM fixed the issues “promptly” in July and August, issuing a security bulletin (CVE-2022-36449) and publishing fixed source code. But these actively exploited vulnerabilities haven’t been patched for users. The groups dropping the ball are apparently Google and various Android OEMs, as Project Zero says that months after ARM fixed the vulnerabilities, “all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins.”
An in-the-wild Pixel 6 attack where flaws in the ARM GPU driver could allow a non-privileged user to get write access to read-only memory was described by Project Zero researcher Maddie Stone in June. The following three weeks were devoted to Jann Horn, a different Project Zero researcher, discovering similar flaws in the driver. According to the report, these issues might enable “native code execution in an app context for an attacker to obtain complete access to the system, bypassing Android’s permissions model and providing broad access to user data.”
The affected ARM GPUs include a long list of the past three generations of ARM GPU architectures (Midgard, Bifrost, and Valhall), ranging from currently shipping devices to phones from 2016. ARM’s GPUs aren’t used by Qualcomm chips, but Google’s Tensor SoC uses ARM GPUs in the Pixel 6, 6a, and 7, and Samsung’s Exynos SoC uses ARM GPUs for its midrange phones and older international flagships like the Galaxy S21 (just not the Galaxy S22). Mediatek’s SoCs are all ARM GPU users, too, so we’re talking about millions of vulnerable Android phones from just about every Android OEM.
In response to the Project Zero blog post, Google told Engadget, “The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.”
The Project Zero analysts end their blog post with some advice for their colleagues, saying, “Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies. Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch. Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”
Suggest an edit to this article
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...
I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.
I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!
- JD Sports:Cyber Attack affects 10 million customers - 30 January 2023
- InfoSec – A Newbie Guide – InfoSecurity - 25 January 2023
- Apple is accused of censoring apps in Hong Kong and Russia - 22 December 2022
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu