Posted on November 28, 2022 at 4:16 PM
Google has warned that five security vulnerabilities that impact Android smartphones have remained unpatched for several months after they were brought to the attention of the phone manufacturers.
Google’s Project Zero, in a blog post, stated that the vulnerabilities were initially reported in June and July this year and haven’t been rectified yet. This has left users of smartphones from Google, Oppo, Xiaomi, and Samsung at a high risk of hacking.
According to the report on the issues, the vulnerabilities are connected to semiconductor designer ARM’s ‘Mali’ graphics processing unit (GPU), which is found in certain smartphones such as the Pixel 6.
According to Tech Circle, the issues were fixed by ARM in August, but phones from brands like Google and Samsung are still carrying the vulnerabilities since the fixes have not been applied yet.
The Flaw Could Lead To “Kernel Memory Corruption”
Project Zero’s researcher, Ian Beer, while commenting on the development, stated that the flaw could result in “kernel memory corruption”. Additionally, it could lead to the disclosure of physical memory addresses to unprivileged userspace.
This means that a threat actor could exploit the vulnerability to gain complete control of the user’s device as well as full access to their data.
Beer said that a threat actor could gain access by forcing the kernel to read and write memory pages after they have been returned to the system.
Project Zero also noted that none of the phone manufacturers have spoken about the issues in any of their security bulletins. Apart from Google, which has warned about the flaw, others have not publicly addressed it or stated how they plan to solve the problem.
A Google spokesperson, while speaking to Engadget, stated that the patch made by ARM is still undergoing testing for Pixel and Android devices and will be ready in the coming weeks. However, Android OEM partners will be required to take the fix to comply with future SPL requirements.
The Vulnerabilities Are Variants Of Current Security Flaws
The flaws mentioned by security researchers seem to be variants of current security vulnerabilities. In a report earlier this year, Project Zero reported that 50% of the actively exploited zero-day flaws seen in the first half of the year have been actual variants of existing vulnerabilities.
Beer has urged all the major Android smartphone vendors to do what consumers are frequently asked to do, which is to patch their systems as soon as possible. As it stands now, users are not able to apply the patches themselves, especially for an Arm Mali GPU driver, even though ARM released patches for them months ago.
Beer, along with fellow GPZ researcher, Jann Horn, discovered five major exploitable bugs in the Mali GPU driver. They are being tracked by the researchers as 2334, 2333, 2331, 2327, and 2325.
ARM stated that the bugs were patched in July and August and the vulnerability identifier CVE-2022-36449 was assigned to them on the ARM Mali Driver flaws page. Another flaw, tracked as CVE-2022-33917, was also fixed by ARM during the same period.
Based on its policies, GPZ removed its block on public access to its five reports. This means that anyone can now obtain all the information they require to create exploits for the bugs, which demands urgent attention.
Fortunately, it seems that Google’s Android team and Pixel team are on the case. Earlier this week, the Android team engaged with the Android smartphone manufacturers (OEMs) and asked the latter to comply with the security patch level (SPL) policy. However, patches for Pixel devices will not be available for some weeks.
Companies Have Been Advised To Apply Patches
Companies also need to remain alert and follow upstream sources closely. They should also do their best to provide complete fixes for the users’ devices as soon as possible.
Engadget has also contacted Samsung, Xiaomi, and Oppo to find out why they haven’t deployed patches for the vulnerabilities and when they would do so. As of the time of writing, the companies have not responded.
Although companies have been asked to provide patches for the vulnerabilities, users also have their role to play, which is to remain vigilant and install the update when the patches are eventually released. It’s not clear whether threat actors have started exploiting the vulnerabilities in the wild.