Samsung Issues Update Warning For Galaxy Smartphones As Google Confirms New Threat

Updated on July 3 with news of Google’s latest Pixel update.

Samsung has once again beaten Pixel to the punch when it comes to issuing details of this month’s security release. But be warned, this update is actually bad news for your Galaxy device: the alarming issue is what’s missing, not what’s been fixed.

Google has now confirmed that Samsung and other Android devices are vulnerable to the same security risk behind June’s Pixel zero-day warning. While Pixels have been patched, Samsung devices have not. And that’s not addressed at all in July’s update. Given that this threat was serious enough to prompt a US government warning, you should be very aware of the exposure.

Samsung’s update does include four other critical Android security warnings, albeit three of those patch Qualcomm vulnerabilities and were delayed from Android’s June update. Samsung warns users that component updates may come later than software and firmware patches, but again Pixel managed to release these more quickly.

At least the other critical Android update in Samsung’s July release is current and has been issued immediately. Google warns that CVE-2024-31320 impacts Android’s underlying framework and “could lead to local escalation of privilege with no additional execution privileges needed.” Take that in itself as an update-now warning.

Beyond the broader Android patches, Samsung includes the usual list of its own fixes, including critical updates to address an input validation risk. Samsung warns this could enable a remote attacker to execute arbitrary code by compromising secure control data on the device. While “user interaction is required for triggering this vulnerability,” meaning there would be some form of UI message which the user would need to action, this could be cloaked in any number of different ways.

But the much more critical issue is the missing Pixel zero-day fix.

Last month, Google warned Pixel users that CVE-2024-32896 “may be under limited, targeted exploitation,” and the US government then mandated that federal employees update their Pixel devices by July 4 “or discontinue use of the product.”

This Pixel patch was the second part of a fix from April, and GrapheneOS, which was behind the disclosure, warned that “there are two vulnerabilities being addressed.” “Neither issue is being fixed outside Pixels yet,” GrapheneOS posted.

Google confirmed this, telling me “Android security is aware of this issue, and after further review, this issue does impact Android platform… Pixel devices that have installed the latest security update are protected… we are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available.”

And while Google assures that “additional exploits would be needed to compromise a device,” it’s exactly this combination of multiple vulnerabilities into a chain attack that GrapheneOS has warned about. There is no current fix for any device beyond Pixels, and it could be months before one is made available.

GrapheneOS also warns that another vulnerability, CVE-2024-29745, remains a threat to Samsung and other Android devices, and has also only been patched on Pixels. “CVE-2024-29745 is the more serious issue,” I was told, “and was fully fixed in April for Pixels, but other devices don’t have the protection yet.” Because this is a firmware issue, it needs to be patched OEM by OEM. And that will take time.

This risk where Pixel has patched and others have not is starting to form a pattern, and that’s not great news if you’ve just dropped $1000-plus on a new flagship and expect it to be fully secured. I approached Samsung for any comments on these vulnerabilities after receiving Google’s confirmation.

In recent months, Google has trailed behind Samsung when it comes to its own Pixel update announcements. But not this month, or at least not by much. Pixel users now have details of their own July release. Unlike Samsung’s July fixes, this month’s Pixel-specific updates are fairly light touch. But there are also the broader Android updates, and these are more extensive and include critical software and hardware updates that Google says are all wrapped up within the Pixel update.

And that in itself is an issue for Samsung users, because they are not getting the same timely fixes. Putting aside the Pixel zero-day that’s still a live vulnerability on Samsung devices and will be until it’s patched, to say nothing of CVE-2024-29745, Pixel is subtly becoming ever more iPhone-like in its wrap-up of hardware and software into a seemingly integrated offering. While Pixel is still dependent on carriers to push software, it does present a more cohesive offering.

Samsung is in something of a bind. Google is now getting into its stride with Pixel; it’s not a punt. The fast-tracked addition of its own AI onto Pixel devices, which are clearly optimized for that software, promises a much keener contest in years to come. And while both Pixel and (especially) Galaxy have iPhone in their sights, Pixel’s more immediate target is Samsung and the hundreds of millions of devices it’s already selling to users committed to the Android ecosystem controlled by Google.

Even on the AI security and privacy front, where earlier in the year it had seemed that Google would be very much cloud-based, giving Samsung’s hybrid AI offering some market space, that has now changed. The market is becoming more focused on the privacy benefits of device-only AI, and Google is responding to that. Its control of Android’s core AI offerings and Pixel hardware is a clear advantage.

None of this might seem acute as yet, with Samsung flagships flying from the shelves. But this is a fickle market and AI will be a generational change that will make this more so. There will be a raft of users switching brands and even platforms.

Pixel is more a software play than a hardware play, and in that regard differs from Samsung and Apple. But AI has changed the equation for users. And when it comes to security, the integrated hardware/software ecosystem that Google controls gives it an ability to match Apple’s approach in a way Samsung has clearly shown it can’t.

Samsung continues to maintain its lock on the premium Android market, but Google is focused on catching up and has a real advantage. That has really come to the fore in recent months. Samsung users have seen delays on component updates, especially Qualcomm’s. And this contrasts with Pixel’s more immediate release of those fixes. This new warning, a late-to-the-party admission that Pixel’s zero-day isn’t only a Pixel issue after all, is a major blunder and needs to be addressed, fast.

Android 15 is not too far away, and while the release will add a raft of new security updates and enhanced user protection, it will also hopefully clear up some of these outstanding issues. But it’s a long time to wait. Meanwhile, Samsung users should update as soon as this month’s update is available for your model, region and carrier.
