Today Google released an Android security update that reportedly fixes 46 security vulnerabilities, one of which is a zero-day.

For those unfamiliar, a zero-day vulnerability is a security flaw in software, hardware, or firmware that threat actors exploit before the vendor can identify and fix it. The term “zero-day” comes from the amount of time the vendor has to prepare a patch, which is zero days because the vulnerability has already been discovered or exploited.
This zero-day, a use-after-free vulnerability tracked as CVE-2024-36971, reportedly exists in the Linux kernel, which Android uses to manage network routing. Even though exploiting this vulnerability requires system-level execution privileges, Google pointed out in its security bulletin that there are signs it may be subject to limited, targeted attacks.
Once a bad actor has successfully exploited this vulnerability, they should be able to execute arbitrary code on unpatched devices without any input from the user. The zero-day was discovered by Clément Lecigne, a security researcher in Google's Threat Analysis Group (TAG).
Google did not disclose the specific details of the vulnerability in order to give Android phone users enough time to update and repair their devices.
As mentioned before, the update also fixes 45 other vulnerabilities. To address all of them, Google released two batches of patches in the August security update, marked as patch levels 2024-08-01 and 2024-08-05. Notably, the second batch includes fixes for third-party closed-source components and kernel components alongside all the fixes in the first batch. Users are therefore advised to install the patches once they are available. While Google’s Pixel devices get the updates quickly, it may take a while for other manufacturers to push the update to certain models.
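
The two patch levels described above can be checked against the patch level string a device reports in its `ro.build.version.security_patch` property. The script below is an added example, not code from Google or the original article; the function names and the inventory entries are constructed for illustration.

```shell
#!/bin/sh
# Classify Android security patch level strings (YYYY-MM-DD) against the two
# August 2024 patch levels named in the article.
LEVEL_BASE="2024-08-01"   # first batch
LEVEL_FULL="2024-08-05"   # second batch: adds kernel and closed-source component fixes

classify_patch_level() {
    spl=$1
    # Reject anything that is not a plain YYYY-MM-DD date (empty or malformed).
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Zero-padded ISO dates compare correctly as integers once dashes are removed.
    n=$(echo "$spl" | tr -d '-')
    base=$(echo "$LEVEL_BASE" | tr -d '-')
    full=$(echo "$LEVEL_FULL" | tr -d '-')
    if [ "$n" -ge "$full" ]; then
        echo "full"       # both batches, including the kernel component fixes
    elif [ "$n" -ge "$base" ]; then
        echo "partial"    # first batch only
    else
        echo "missing"    # predates the August update
    fi
}

# Read "serial patch-level" lines on stdin; print every device not at "full".
audit_inventory() {
    while read -r serial spl; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$spl")
        [ "$status" = "full" ] || echo "$serial $status"
    done
}

# Constructed sample inventory (hypothetical serials, not real devices).
sample_inventory() {
    cat <<'EOF'
PIXEL-A 2024-08-05
VENDOR-B 2024-08-01
VENDOR-C 2024-06-01
VENDOR-D
EOF
}

sample_inventory | audit_inventory
```

For a connected device, the input string comes from `adb shell getprop ro.build.version.security_patch`. The value is self-reported by the device build, so it reflects what the manufacturer declares rather than an independent verification of each fix.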