Samsung has once more crushed Pixel to the punch on the subject of issuing particulars of this month’s safety launch. However be warned, this replace is definitely dangerous information on your Galaxy machine—the alarming problem is what’s lacking, not what’s been fastened.
Google has now confirmed that Samsung and different android gadgets are susceptible to the identical safety threat behind June’s Pixel zero-day warning. Whereas Pixels have been patched, Samsung gadgets haven’t. And that isn’t addressed in any respect in July’s replace. Provided that this menace was severe sufficient to immediate a US authorities warning, you ought to be very conscious of the publicity.
Samsung’s replace does embody 4 different essential Android safety warnings, albeit three of these patch Qualcomm vulnerabilities and have been delayed from Android’s June replace. Samsung warns customers that element updates might come later than software program and firmware patches, however once more Pixel managed to launch these extra rapidly.
A minimum of the opposite essential Android replace in Samsung’s July launch is present and has been issued instantly. Google warns that CVE-2024-31320 impacts Android’s underlying framework and “may result in native escalation of privilege with no further execution privileges wanted.” Take that in itself as an replace now warning.
Past the broader Android patches, Samsung contains the same old checklist of its personal fixes, together with essential updates to handle an enter validation threat. Samsung warns this might allow a distant attacker to execute arbitrary code by compromising safe management information on the machine. Whereas “consumer interplay is required for triggering this vulnerability,” that means be some type of UI message which the consumer would wish to motion, this might be cloaked in any variety of alternative ways.
However the way more essential problem is the lacking Pixel zero-day repair.
Final month, Google warned Pixel customers that CVE-2024-32896 “could also be beneath restricted, focused exploitation,” and the US authorities then mandated that federal workers replace their Pixel gadgets by July 4 “or discontinue use of the product.”
This Pixel patch was the second a part of a repair from April, and GrapheneOS which was behind the disclosure warned that “there are two vulnerabilities being addressed,” GrapheneOS posted. “Neither problem is being fastened exterior Pixels but.”
Google confirmed this, telling me “Android safety is conscious of this problem, and after additional evaluation, this problem does impression Android platform… Pixel gadgets which have put in the most recent safety replace are protected… we’re prioritizing relevant fixes for different Android OEM companions and can roll them out as quickly as they’re accessible.”
And whereas Google assures that “further exploits could be wanted to compromise a tool,” it’s precisely this mix of a number of vulnerabilities mixed into a series assault that GrapheneOS has warned about. There is no such thing as a present repair for any machine past Pixels, and it might be months earlier than one is made accessible.
GrapheneOS additionally warns that one other vulnerability—CVE-2024-29745—stays a menace to Samsung and different Android gadgets, and has additionally solely been patched on Pixels.“CVE-2024-29745 is the extra severe problem,” I used to be informed, “ and was totally fastened in April for Pixels, however different gadgets do not have the safety but.” As a result of this can be a firmware problem, it must be patched OEM by OEM. And that can take time.
This threat the place Pixel has patched and others haven’t is beginning to kind a sample—and that’s not nice information if you happen to’ve simply dropped $1000-plus on a brand new flagship. I additionally approached Samsung for any feedback on these vulnerabilities.
Android 15 is fast-approaching, and whereas the discharge will add a raft of latest safety updates and enhanced consumer safety, it is going to additionally hopefully clear up a few of these excellent points. However it’s a very long time to attend. In the meantime, Samsung customers ought to replace as quickly as this month’s replace is out there on your mannequin, area and provider.