Google has recently shed light on the gaps in the rollout of Android security patch updates, offering an explanation for the instances where timely fixes have not been made available to users. These gaps are a concern, as they leave users vulnerable to publicly known vulnerabilities, turning n-days (known vulnerabilities) into O-days (zero-day vulnerabilities) due to the absence of available patches.
Gaps in Android Security patch updates: details
One of the key issues identified by Google is the delay in downstream manufacturers implementing patches released by upstream vendors. In 2022, there were cases where the upstream vendor had issued a patch, but the downstream manufacturer had not yet made it available for users to apply. Such gaps exist across platforms, but they are more prevalent and prolonged in Android devices.
The consequences of these patch gaps are evident in the reported examples. For instance, an ARM Mali GPU vulnerability was not addressed by Android until six months after its initial release by ARM and nine months after being reported. Furthermore, it was actively exploited in-the-wild for five months before finally being included in the Android Security Bulletin.
Another case involves Samsung Internet, where vulnerabilities persisted due to the browser’s usage of a seven-month-old version of Chromium. Attackers took advantage of n-day vulnerabilities that had not been patched promptly, turning them into O-days. Despite being marked as exploited in-the-wild, these vulnerabilities were still usable by attackers months later.
Google emphasizes the urgency of getting fixes and mitigations to users swiftly to enhance their defense against potential threats. While browser zero days have reduced due to the implementation of mitigations by Chrome, Safari, and Firefox, attackers have adapted their methods, using O-click vulnerabilities targeting other parts of the OS or hardware.
Additionally, over 40% of the O-days discovered were variants of previously reported vulnerabilities, necessitating a more comprehensive examination and patching approach to prevent attackers from exploiting the same weaknesses in different contexts.
In light of these findings, Google emphasizes the importance of timely and comprehensive patching to safeguard users from potential security threats. Addressing the gaps in patch rollout is crucial to maintaining a secure and protected Android ecosystem.
To get our latest news once they’re published, please follow us on Google News, Telegram, Facebook, and Twitter. We cover general tech news and are the first to break the latest MIUI update releases. Also, you get issues-solving “How To” posts from us.