Android security: Google vs Google

Pixel 7, 7 Pro, 6A. © Google.

In a blog post, security analysts on Google’s Project Zero team stress that their company should make more of an effort to promptly issue security patches for zero-day vulnerabilities. Worrisome bugs in the ARM GPU driver, which Google has known about for months, still haven’t been fixed and are being actively exploited, even after ARM quickly moved to publish some fixed source code as soon as it was aware of the problem. The bug involves a long list of the past three generations of ARM GPU architectures, including Midgard, Bifrost and Valhall. We’re talking about millions of vulnerable devices produced by nearly all Android OEMs, ranging from current releases to phones dating back to 2016.

Project Zero analysts conclude their blog with this advice to their colleagues: “Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies. […] Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”

⇨ Ars Technica, Ron Amadeo, “Google says Google should do a better job of patching Android phones.”

2022-11-28