Google says Google should do a better job of patching Android phones - Ars Technica


Have you tried using the company Slack?

Project Zero calls out Android and Pixel for not fixing a GPU vulnerability.

- Nov 28, 2022 6:23 p.m. UTC


Google's "Project Zero" team of security analysts wants to rid the world of zero-day security vulnerabilities, and that means it spends time calling out slacking companies on its blog. The group's latest post is a bit of friendly fire aimed at the Android and Pixel teams, which Project Zero says aren't dealing with bugs in the ARM GPU driver quickly enough.

In June 2022, Project Zero researcher Maddie Stone detailed an in-the-wild exploit for the Pixel 6, where bugs in the ARM GPU driver could let a non-privileged user get write access to read-only memory. Another Project Zero researcher, Jann Horn, spent the next three weeks finding related vulnerabilities in the driver. All told, the post says these bugs could allow "an attacker with native code execution in an app context [to] gain full access to the system, bypassing Android's permissions model and allowing broad access to user data."

Project Zero says it reported these issues to ARM "between June and July 2022" and that ARM fixed the issues "promptly" in July and August, issuing a security bulletin (CVE-2022-36449) and publishing fixed source code. But these actively exploited vulnerabilities haven't been patched for users. The groups dropping the ball are apparently Google and various Android OEMs, as Project Zero says that months after ARM fixed the vulnerabilities, "all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins."

The affected ARM GPUs include a long list of the past three generations of ARM GPU architectures (Midgard, Bifrost, and Valhall), ranging from currently shipping devices to phones from 2016. ARM's GPUs aren't used by Qualcomm chips, but Google's Tensor SoC uses ARM GPUs in the Pixel 6, 6a, and 7, and Samsung's Exynos SoC uses ARM GPUs for its midrange phones and older international flagships like the Galaxy S21 (just not the Galaxy S22). Mediatek's SoCs are all ARM GPU users, too, so we're talking about millions of vulnerable Android phones from just about every Android OEM.

In response to the Project Zero blog post, Google told Engadget, "The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements."

The Project Zero analysts end their blog post with some advice for their colleagues, saying, "Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies. Minimizing the 'patch gap' as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch. Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible."