Giveaway of the Day Forums

1. 

   mikiem2
   Moderator

   bleepingcomputer[.]com/news/security/google-android-patch-gap-makes-n-days-as-dangerous-as-zero-days/

   Windows updates can be a PITA, and upgrading versions is sometimes a major chore, but the price for the less frequent, less intrusive, and usually much quicker Android updates IMHO makes for a largely insecure OS. Every OS uses software to bridge the gap between the OS and the hardware [drivers], and Microsoft's built up a database that includes the most common drivers for hardware that's for the most part designed to be interchangeable, meaning you can usually install and/or service Windows yourself whenever you want/need to. The Android OS OTOH comes as a series of parts, code that has to be assembled and tailored for the exact hardware used by a phone or tablet etc. You can't easily install it, and the only thing you can do regarding updates is generally limited to tapping the screen for yes or no. You're at the mercy of some company that is only interested in you when you've got one of their products in the shopping cart -- and that interest disappears the moment you click or tap the button to submit your order.

   If you buy a cheaper tablet or phone there's a chance it'll come with an older version of the Android OS, but even if it's the latest, that's the last version you'll ever get from the company that made it. If you buy a more expensive phone or tablet it may be supported for 2 or 3 or 4 years, meaning when there's a new version of Android, you'll *eventually* get it. When it comes to updates however, especially those fixing security vulnerabilities, your odds can get extremely slim. Google has to become aware of the vulnerability, then has to fix it. Then Google makes all of the hardware manufacturers aware of the fix, and they have to incorporate it into the versions of Android it uses for any of their products that still get support. If the phone or tablet is tied to a carrier, e.g., Verizon or AT&T in the US, then the hardware manufacturer sends their updated software to these carriers instead of you. That means you wait until the carrier checks it out, then sends it to their customers, assuming they decide to.

   In 2022, many issues of this kind impacted Android, most notably CVE-2022-38181, a vulnerability in the ARM Mali GPU. This flaw was reported to the Android Security team in July 2022, deemed as "won't fix," patched by ARM in October 2022, and finally incorporated in the Android April 2023 security update.

   This flaw was found to be exploited in the wild in November 2022, a month after ARM released a fix.

   Exploitation continued unabated until April 2023, when the Android security update pushed the fix, a whopping six months after ARM addressed the security problem.

   CVE-2022-3038: Sandbox escape flaw in Chrome 105, which was patched in June 2022, yet remained unaddressed on vendor browsers based on earlier Chrome versions, like Samsung’s ‘Internet Browser.’
   CVE-2022-22706: Flaw in the ARM Mali GPU kernel driver patched by the vendor in January 2022.

   The two flaws were found to be exploited in December 2022 as part of an attack chain that infected Samsung Android devices with spyware.

   Samsung released a security update for CVE-2022-22706 in May 2023, while the Android security update adopted ARM's fix on the June 2023 security update, recording a staggering 17-month delay.

   Even after Google releases the Android security update, it takes device vendors up to three months to make the fixes available for supported models, giving attackers yet another window of exploitation opportunity for specific devices.

   This patch gap effectively makes an n-day as valuable as a zero-day for threat actors who can exploit it on unpatched devices. Some may consider these n-days more useful than zero-days as the technical details have already been published, potentially with proof-of-concept (PoC) exploits, making it easier for threat actors to abuse them.

   Posted 1 year ago #
2. 

   Kajaldigitall
   Spammer

   It seems like you're concerned about the security aspects of the Android operating system, particularly in comparison to other systems like Windows. Your concerns mainly revolve around the fragmentation of the Android ecosystem, delays in updates, and the potential security vulnerabilities that can arise due to these factors.

   Your analysis highlights some valid points, and I'll provide a breakdown of your concerns and potential answers to the issues you've raised:

   Fragmentation and Hardware Diversity:
   You've rightly noted that Android runs on a wide variety of devices with different hardware configurations. This diversity can lead to delays in updates as manufacturers need to customize the Android OS to work optimally with their specific hardware. This contrasts with Windows, which maintains a database of common drivers. As a result, Windows updates can sometimes be more standardized.

   Delayed Updates and Security Vulnerabilities:
   Your example of CVE-2022-38181 and other security vulnerabilities highlights the delay in fixing vulnerabilities in the Android ecosystem. It's true that the Android update process involves multiple steps, including Google releasing a fix, manufacturers incorporating the fix, and carriers approving and distributing the update. These steps can introduce significant delays, leaving devices exposed to potential exploits.

   Exploitation Opportunities:
   The delays in updates can provide opportunities for threat actors to exploit known vulnerabilities on devices that haven't received patches. In some cases, the delays might even make 'n-days' (vulnerabilities that have been known for some time) as valuable as 'zero-days' (newly discovered vulnerabilities).

   Comparison with Windows Updates:
   While you've highlighted some of the challenges with Android updates, it's worth noting that Windows updates also have their own challenges, such as compatibility issues with older software or hardware and the occasional occurrence of problematic updates that cause issues for users.

   Security Practices and Mitigation:
   To mitigate the security concerns associated with Android, users can take certain measures:

   Choose Manufacturers Wisely: Some manufacturers have better track records of providing timely updates. Researching the manufacturer's update history and policy can help users make informed decisions.
   Consider Google Pixel Devices: Google's own Pixel devices often receive updates more promptly since they're directly managed by Google.
   Regularly Check for Updates: Manually check for updates on your device to ensure you're not missing critical security patches.
   Use Security Apps: Consider using reputable security apps from well-known developers to add an extra layer of protection.
   Android Security Improvements:
   Since my knowledge is limited to September 2021, I can't provide information on developments that have occurred after that date. However, Google and the Android community have been aware of the challenges with updates and security. They have been working on initiatives to improve the update process, such as Project Treble, which aims to separate the Android OS framework from vendor-specific customizations, making it easier to deliver updates.

   Remember that security concerns are valid and it's important for both users and the industry to address these issues. If you're concerned about security, keeping up to date with the latest news and developments in the Android ecosystem can help you make informed decisions about your device usage.

   Posted 1 year ago #
3. 

   Muskanuncodemy
   Blocked

   It seems like you've provided a detailed analysis of the challenges and vulnerabilities associated with Android updates and security. You've highlighted the differences between Windows and Android updates, emphasizing the complexities of the Android ecosystem, particularly in terms of hardware variations and delayed updates. The examples of CVE-2022-38181, CVE-2022-3038, and CVE-2022-22706 underscore the potential security risks and exploitation timelines that can occur due to delays in addressing vulnerabilities. The patch gap between Google's release of security updates and their availability on supported devices is also highlighted, creating a window of opportunity for threat actors.

   Overall, your provided information sheds light on the intricate nature of Android's update process and the potential security implications for users, especially in cases where vulnerabilities remain unaddressed for extended periods.

   Posted 1 year ago #

RSS feed for this topic

Reply

You must log in to post.