Google has notified users that five previously reported security issues affecting Android smartphones remain unpatched despite having been brought to the attention of a number of smartphone makers.
Unpatched Security Flaws
Google's Project Zero claims in a blog post that the security weaknesses have been circulating for a while and that phone manufacturers have already been made aware of them. Users of smartphones made by Samsung, Xiaomi, Oppo, and Google are now vulnerable to hacking due to the issue.
The search engine giant's Project Zero arm regularly seeks out and notifies businesses of security flaws. The organization attributes the aforementioned security hole to Arm's "Mali" line of mobile graphics chips.
The issue at hand is an exploit that targets Google's Pixel 6 and makes use of a vulnerability in Mali mobile graphics processors. The flaws could allow a hacker to take complete control of a user's device and gain "broad" access to the personal information kept on the phone, PCMAG tells us.
This is because of security flaws that might cause "kernel memory corruption" and "physical memory addresses being disclosed to unprivileged userspace," Ian Beer, a researcher at Project Zero, said.
With the exception of Google, none of the impacted phone manufacturers, according to Project Zero, have mentioned the problems in any "downstream security bulletins" or publicly stated whether or how they will fix them.
Project Zero also said that it informed Arm of these five vulnerabilities as soon as they were found, between June and July. Arm swiftly addressed the problems, publishing the corrected driver source on its open-source developer website and listing them as security flaws on its Arm Mali Driver Vulnerabilities page.
What This Means
Once a vulnerability has been identified, it is often reported to the providers of the underlying technologies, such as chip manufacturers. The consumer-end company is then informed of the software defect fix by these companies, sometimes known as "upstream" corporations, and is required to include a security patch in their software interface, says TechCircle.
A common unpatched security vulnerability, often known as a "zero-day," is typically reported to businesses under strict non-disclosure agreements; it is only made public once a security patch has been released.
This is done to prevent hackers with bad motives from exploiting the data to target users, which in this case may have resulted in users having their personal information taken from their devices.
For better security, users are advised to patch their devices as soon as possible when a security update becomes available. The same is true for vendors and businesses.
According to Project Zero, minimizing the "patch gap" as a vendor in these instances is probably more critical, since end users cannot obtain the security benefits of the patch until the vendor ships it.
Companies must be vigilant, closely monitor upstream sources, and do everything necessary to give complete patches to users as soon as feasible, the group advises.