Sunday, November 24th

    Samsung Releases Critical Update for Millions of Galaxy Users

    Samsung has released a security update for its Galaxy devices, but the update does not address the same security risk as the June Pixel zero-day warning.

    Samsung has beaten the Pixel to the punch again in releasing this month's security update. But be warned that this update is actually bad news for your Galaxy device: the worrying problem is what is missing, not what is fixed.

    Google has now confirmed that Samsung and other Android devices are vulnerable to the same security risk behind June's Pixel zero-day warning. While Pixels have been patched, Samsung devices have not. The July update did not address this issue at all. Given that this threat is serious enough to warrant a warning from the US government, you should take this exposure very seriously.

    Samsung's update includes four other critical Android security fixes, though three of them address Qualcomm vulnerabilities and were delayed from Android's June update. Samsung warned users that component updates may lag behind software and firmware patches, but the Pixel again managed to get those updates out faster. At least the second major Android update that Samsung released in July has been updated and has been released immediately. Google warns that CVE-2024-31320 affects Android's underlying system and "may cause local privilege escalation without requiring additional execute permissions." Consider this an immediate update alert.

    In addition to the wider range of Android patches, Samsung has provided its list of common fixes, including critical updates that address input validation risks. Samsung warned that this could allow a remote attacker to execute arbitrary code, compromising the device's security control data. Although "this vulnerability requires user interaction to trigger," meaning that the user must provide some form of UI notification, it can be hidden in a variety of ways.

    GrapheneOS, the company behind it, warned that "two vulnerabilities are being addressed." "Both of these issues have yet to be resolved outside of Pixels."

    Google confirmed this and told me "Android Security is aware of this issue and upon further review this issue affects the Android platform...Pixel devices with the latest security updates installed are protected...We prioritize working with other Android OEMs." Partners are providing appropriate fixes and we will release them as soon as they are available.

    Although Google asserts that "additional vulnerabilities are required to compromise a device", GrapheneOS warns of exactly this situation, in which multiple vulnerabilities are combined in a chained attack. There is currently no fix available for devices other than the Pixel, and it could take months to roll out.