
Android manufacturers fail to provide patches for Mali GPU vulnerabilities - SiliconANGLE

1 week ago

Google Project Zero, a group of security analysts employed by Google LLC to find vulnerabilities, has warned that Android phone makers have failed to provide patches to several vulnerabilities discovered earlier this year in the Mali graphics processing unit.

The five medium-severity security flaws were found in Arm Ltd.’s Mali GPU driver in June and July. The five vulnerabilities include one that leads to kernel memory corruption, another that can lead to physical addresses being disclosed and three that can lead to a physical page use-after-free condition. The five vulnerabilities enable an attacker to continue to read and write physical pages after they have been returned to the system.

As explained by Ian Beer from Project Zero in a blog post, the Mali vulnerabilities “collided” with vulnerabilities available in zero-day markets, dark web pages that sell exploits to hackers and attack groups.

To its credit, Arm fixed the five vulnerabilities between July and August, disclosed them as security issues on its vulnerabilities page and published the patched drivers on its developer website.

Fast-forward to late November and, surprisingly, no major vendor had pushed out patches. Smartphone makers named specifically include Samsung Electronics Co. Ltd., Xiaomi Inc., Guangdong Oppo Mobile Telecommunications Corp. Ltd. and Pixel.

Pixel is Google’s own line of smartphones, meaning that one part of Google is saying that another part of Google has failed to provide important security updates to its users. The first of the five vulnerabilities was also found on a Pixel 6 by a Project Zero researcher, so Google found a vulnerability on one of its own phones and yet, months later, even with a publicly available patch, has yet to address the issue.

Beer argues that vendors, including Google itself, have a responsibility to provide security updates to users. “Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” Beer said. “Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”
