Manufacturers taking too long to fix issues

July 28, 2023
495 views

Google this week released its fourth annual Year in Review of 0-days, which are completely unknown security vulnerabilities exploited in the wild. The Android patch gap was a particular area of concern in 2022.

One of the findings concerns Android and how 2022 saw a “series of cases where the upstream vendor had released a patch for the issue, but the downstream manufacturer had not taken the patch and released the fix for users to apply.” While patch gaps “exist in most upstream/downstream relationships” across platforms, Google says it’s “more prevalent and longer in Android.”

These gaps between upstream vendors and downstream manufacturers allow n-days – vulnerabilities that are publicly known – to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device.

Google cited two examples last year, starting with an ARM Mali GPU vulnerability that was not fixed by Android until April of this year, or “6 months after the initial release by ARM, 9 months after the initial report by Man Yue Mo, and 5 months after it was first found being actively exploited in-the-wild.”

July 2022: Reported to Android Security team

August 2022: Android Security labels “Won’t Fix” and sends to ARM

October 2022: Bug fixed by ARM

November 2022: In-the-wild exploit discovered

April 2023: Included in Android Security Bulletin

The other example involved Samsung Internet being vulnerable in part because the browser was using a seven-month-old version of Chromium (102).

As a part of this chain, the attackers were able to use two n-day vulnerabilities which were able to function as 0-days: CVE-2022-3038 which had been patched in Chrome 105 in June 2022 and CVE-2022-22706 in the ARM Mali GPU kernel driver. ARM had released the patch for CVE-2022-22706 in January 2022 and even though it had been marked as exploited in-the-wild, attackers were still able to use it 11 months later as a 0-day. Although this vulnerability was known as exploited in the wild in January 2022, it was not included in the Android Security Bulletin until June 2023, 17 months after the patch released and it was publicly known to be actively exploited in-the-wild.

Google says the industry “must get fixes and mitigations to users quickly so that they can protect themselves.”

Elsewhere, browser zero days are down, thanks to mitigations implemented by Chrome, Safari, and Firefox, but this is also due to attackers leveraging 0-click exploits that target other parts of the OS or hardware.

Another area of concern is how “over 40% of the 0-days discovered were variants of previously reported vulnerabilities,” thus requiring a deeper analysis and more thorough fix so that attackers cannot keep using the same issues but in different areas.

Source: 9to5Google