More

    Samsung July security patch update fails to address critical Pixel zero-day exploit, leaves devices vulnerable

    It seems Samsung has again outgunned Google with the release of information about this month’s security update ahead of Pixel. Forbes reports on how the new update contains troubling news that affects Samsung users; it’s not about what’s fixed but about what’s missing.

    - ADVERTISEMENT -

    Google has confirmed (via PhoneArena) today that the same security threat responsible for its Pixel zero-day warning in June also impacts Samsung units and more Android devices. While Pixel devices have already patched their systems, Samsung devices remain exposed as July’s update fails to address this critical vulnerability. Subsequently, the US government made clear the seriousness of the threat by warning users to be very cautious about potential attacks.

    Delayed fixes from Qualcomm

    Samsung’s July update also addresses four other high-impact Android security vulnerabilities, including three Qualcomm-based issues delayed from the June round of Android updates. Since individual components of a user’s phone might complete the patching process at different times, Samsung did caution that it might be a day or two after the phone receives an update before all elements fully protected. However, Google Pixel was able to deploy these much faster.

    - ADVERTISEMENT -

    Critical updates from Samsung

    Among the critical updates from Samsung this month, one resolves a flaw in the Android framework, CVE-2024-31320, which could permit local privilege escalation without requiring additional execution rights. This alone is an issue that warrants immediate attention from users.

    In addition to these Android patches, Samsung has included hundreds of its own. These also include a patch for a critical update addressing an input validation vulnerability that could permit remote attackers to execute arbitrary code by hijacking secure control data on the device. Although this vulnerability would be dependent on user action, that action can be.

    Missing fix for Pixel zero-day exploit

    One thing that’s notably lacking from the package is a fix for the Pixel zero-day exploit (CVE-2024-32896). Google itself warned users of the Pixel lineup last month, telling them that it “may be under limited, targeted exploitation.” At this point in time, the US government is warning federal employees to update their Pixel phones or stop using them by July 4.

    - ADVERTISEMENT -

    The patch for the Pixel represented a second wave of fixes initiated in April, representing a second wave of a fix initiated in April. GrapheneOS, which disclosed the vulnerabilities, said that “there are two vulnerabilities being addressed.” Google said “Android security is aware of this issue” and highlighted that “Pixel devices with the latest updates are not vulnerable.” Working on this is being done for other Android OEM partners, but these will take time to roll out.

    Trend of timely patches for Pixel devices

    Though Google asserts that several exploits would be necessary to take over a device successfully, the threat posed by chained vulnerabilities is significant. As it stands, no devices beyond Pixels have received a fix and there might not be one until months later.

    Another vulnerability, CVE-2024-29745, stays unpatched on Samsung and other Android devices, patched only on Pixels. The firmware issue requires an OEM-specific patch, which will take some time to deploy.

    The worrying part is that this is setting a trend where Pixel devices get timely patches, while others lag behind. Moreover, this is going to affect the people who have spent a lot on high-end flagship devices. Samsung has not yet commented on these vulnerabilities.

    Potential solutions with Android 15

    The hope lies with the launch of Android 15 and its many new major security and enhanced protected updates, which may be able to address all these outstanding issues. In the meantime, users of Samsung devices should install new updates whenever they become available for the respective models, regions, and carriers.

    Stay in the Loop

    Get the daily email from Oneily News that makes reading the news actually enjoyable. Join our mailing list to stay in the loop to stay informed, for free.

    Latest stories

    - Advertisement -

    You might also like...