Google's "Project Zero" team of security analysts wants to rid the world of zero-day security vulnerabilities, and that means it spends time calling out slacking companies on its blog. The group's latest post is a bit of friendly fire aimed at the Android and Pixel teams, which Project Zero says aren't dealing with bugs in the ARM GPU driver quickly enough.
In June 2022, Project Zero researcher Maddie Stone detailed an in-the-wild exploit for the Pixel 6, where bugs in the ARM GPU driver could let a non-privileged user get write access to read-only memory. Another Project Zero researcher, Jann Horn, spent the next three weeks finding related vulnerabilities in the driver. All told, the post says these bugs could allow "an attacker with native code execution in an app context [to] gain full access to the system, bypassing Android's permissions model and allowing broad access to user data."
Project Zero says it reported these issues to ARM "between June and July 2022" and that ARM fixed the issues "promptly" in July and August, issuing a security bulletin (CVE-2022-36449) and publishing fixed source code. But these actively exploited vulnerabilities haven't been patched for users. The groups dropping the ball are apparently Google and various Android OEMs, as Project Zero says that months after ARM fixed the vulnerabilities, "all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins."
November 28, 2022 at 11:53PM