UPDATED 17:37 EST / NOVEMBER 24 2022

SECURITY

Android manufacturers fail to provide patches for Mali GPU vulnerabilities

Google Project Zero, a group of security analysts employed by Google LLC to find vulnerabilities, warns that Android phone makers have failed to provide patches to several vulnerabilities discovered earlier this year in the Mali graphics processing unit.

The five medium-severity security flaws were found in Arm Ltd.’s Mali GPU driver in June and July. The five vulnerabilities include one that leads to kernel memory corruption, another that can lead to physical addresses being disclosed and three that can lead to a physical page use-after-free condition. The five vulnerabilities enable an attacker to continue to read and write physical pages after they have been returned to the system.

As explained by Ian Beer from Project Zero in a Nov. 22 blog post, the Mali vulnerabilities “collided” with vulnerabilities available in zero-day markets, dark web pages that sell exploits to hackers and attack groups.

To its credit, Arm fixed the five vulnerabilities between July and August, disclosed them as security issues on its vulnerabilities page and published the patched drivers on their developer website.

Forward to late November and surprisingly, no major vendors had pushed out patches. Smartphone makers named specifically include Samsung Electronics Co. Ltd., Xiaomi Inc., Guangdong Oppo Mobile Telecommunications Corp. Ltd. and Pixel.

Pixel is Google’s own line of smartphones, meaning that one part of Google is saying that another part of Google has failed to provide important security updates to its users. The first of the five vulnerabilities were also found on a Pixel 6 by a Project Zero researcher, so Google found a vulnerability on one of its own phones and yet, months later, even with a publicly available patch, has yet to address the issue.

Since this article was published, Google has announced that a patch will be available in the coming weeks. In addition, Google said that its Android OEM partners will be required to take the patch to comply with future SPL requirements.

Beer argues that vendors, including Google itself, have a responsibility to provide security updates to users. “Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” Beer said. “Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”

Image: Google

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU