Patches and announcements
Android’s May security notices inform us that four bugs known to be under active exploitation in the wild have been fixed. So if you are on Android and don’t apply the patch, your phone or tablet remains vulnerable to a series of possible malicious attacks that use the weaknesses in those bugs to do their dirty tricks. No, it’s not just a matter of principle or a theoretical possibility but a clear, present and practical risk, as explained in the Google Project Zero team’s list of zero-days. In hacker parlance, a zero-day is a trick that has just been discovered, fresh out of the oven if you will, and it’s highly sought-after because, being so new, the people responsible for an OS’s security haven’t had time to fix it.
The four bugs in question are these: CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664. The first two bugs have to do with Qualcomm. The first is a flaw in the graphics component caused by improper handling of memory mapping of multiple simultaneous processes. The second is improper handling of address de-registration. The third is a vulnerability in the Arm Mali GPU kernel driver, which allows for privilege escalation or information disclosure involving GPU memory. The last one is also in the Arm Mali GPU kernel driver and likewise allows privilege escalation, letting an unprivileged user mount an attack.
The good news is that you can’t have all four bugs active in a single device, because they affect either Qualcomm Adreno or Arm Mali GPUs. So in the worst-case scenario, if you own one of those pieces of hardware, you need only worry about two of them.
But if Google knows what hackers were doing with these exploits, they’re not telling us very much. Shane Huntley explained on Twitter that sometimes it takes a bit of research to figure out all those details accurately, so it’s not like Google is hiding any information on purpose, but rather that they still don’t know.
The problem with Android is that it has so many users all over the globe. Yes, that’s because it’s such a huge success. It also means that the number of devices running the latest security patch is so low that it could make you cry if you understood the mathematics, because so many users remain vulnerable to the problems explained previously.
Some smartphone vendors support their devices by providing patches for three years. Others do so every three or six months, and some take even longer, if they deliver anything at all. That is why, if you care about your security, you should pay attention to that little detail the next time you are shopping for a smartphone.