Project Zero Flags ‘Patch Gap’ Problems on Android

Google Project Zero vulnerability researchers are drawing attention to the ongoing “patch gap” problem in the Android ecosystem, warning that downstream vendors continue to lag in delivering security fixes to Android devices.

In a research note documenting the discovery in the wild of an Android exploit targeting a flaw in the ARM Mali GPU driver, Project Zero hacker Ian Beer said that security updates available since August 2022 have still not been pushed to affected Android devices.

Beer identified his own company’s Pixel, alongside devices from Samsung, Xiaomi and Oppo, as remaining exposed to exploitable software vulnerabilities that have been public knowledge for several months.

Beer said Project Zero initiated a security audit of the ARM Mali GPU driver after viewing an internal presentation prior to Maddie Stone’s FirstCon22 speech that detailed the exploitation of low-level memory management code used in millions of Android devices.

Over the course of a few weeks, Beer said his team uncovered five more exploitable vulnerabilities in ARM code and warned that memory security issues could lead to code execution and privilege model bypass attacks.

“We reported these five issues to ARM when they were discovered between June and July 2022. ARM promptly fixed the issues in July and August 2022 and identified them as security issues on the Arm Mali Driver Vulnerabilities page (attribution of CVE-2022-36449) and published the patched driver source on their public developer website,” Beer explained.

Per its disclosure policy, Project Zero waited an additional 30 days before going public with the discoveries.

“When time permits and as an additional check, we test the effectiveness of the patches provided by the vendor. This sometimes results in follow-up bug reports where a patch is incomplete or a variant is discovered, and sometimes we find that the fix isn’t there at all,” added Beer.

In this case, he said Project Zero test devices that used Mali are still prone to these issues. “CVE-2022-36449 is not mentioned in any downstream security bulletin,” he explained.

“Just as users are advised to patch as soon as a release with security updates is available, the same is true for vendors and enterprises. Minimizing the “patch gap” as a provider in these scenarios is arguably more important, since end users (or other downstream providers) will block that action before they can reap the security benefits of the patch,” added Beer.

The Android and Pixel security teams say the fix provided by ARM is scheduled to be deployed “in the coming weeks.”

“The fix provided by ARM is currently being tested for Android and Pixel devices and will ship in the coming weeks. Android OEM partners must adopt the patch to meet future SPL requirements,” reads a bug-tracking update.

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is an experienced cybersecurity strategist who has built security programs for major global brands including Intel Corp., Bishop Fox and GReAT. He is co-founder of Threatpost and the global SAS conference series. Ryan’s previous career as a security journalist has included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Ryan is a director of the non-profit organization Security Tinkerers, a consultant to young entrepreneurs, and a regular speaker at security conferences around the world.