Urgent Security Patch for Google Android, Ongoing Attacks, Samsung, Pixel
If you are an Android user, regardless of your hardware vendor of choice, install the May security update that fixes these vulnerabilities as soon as possible. Why the worry? A high-severity vulnerability that was disclosed in January and which, unsurprisingly, is being exploited in the wild, has now been patched. This is a Linux kernel vulnerability named “Dirty Pipe” by the researcher who discovered it. We boring, nerdy security types call it, more formally, CVE-2022-0847.
CVE-2022-0847 exploit status confirmed by Google and CISA
The in-the-wild exploitation of CVE-2022-0847 has been confirmed by Google, and the US Cybersecurity and Infrastructure Security Agency has added it to its catalog of “known exploited vulnerabilities”.
Whatever you call it, only newer Android devices are affected, mostly 2022 models running Android 12 or later, which is really the only saving grace. So that’s the good news. Does that mean you can relax if, like most people, you’re using a phone from 2021 or earlier? No, sorry. While Dirty Pipe won’t affect you, May’s security patch covers a whole host of issues, including some very serious vulnerabilities in the Android Framework component that could allow escalation of privilege attacks.
No matter how old your Android device is, please apply the update urgently.
36 vulnerabilities fixed in May Android security patch
In total, some 36 vulnerabilities were patched in the May Android security update. To complicate matters a bit, these are spread across two Android security updates from Google: the first dated May 1 and the second May 5.
The good news is that the latter includes the former, and most device vendors will only release one full update. Google said the split was intended to give vendors the ability to fix “similar vulnerabilities across all Android devices” faster, but confirmed that the 2022-05-05 security patch level would include all prior patches.
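To make the two patch levels concrete, here is an added example (not from Google or the original article) that classifies devices by their reported security patch level. It assumes the level is read from the standard Android property `ro.build.version.security_patch`; the device names and inventory are constructed sample data.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# two May 2022 levels named in the article.
FULL_LEVEL="2022-05-05"     # includes all prior patches
PARTIAL_LEVEL="2022-05-01"  # first of the two May patch levels

# classify_patch_level LEVEL -> prints full | partial | outdated | invalid
classify_patch_level() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;   # missing or malformed value
    esac
    # YYYY-MM-DD -> YYYYMMDD so the levels compare as integers
    n=$(printf '%s' "$level" | tr -d '-')
    full=$(printf '%s' "$FULL_LEVEL" | tr -d '-')
    partial=$(printf '%s' "$PARTIAL_LEVEL" | tr -d '-')
    if [ "$n" -ge "$full" ]; then echo full
    elif [ "$n" -ge "$partial" ]; then echo partial
    else echo outdated
    fi
}

# audit_inventory: reads "SERIAL PATCH_LEVEL" lines on stdin and prints
# every device that is not at the full May level.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = full ] || printf '%s %s %s\n' "$serial" "${level:-missing}" "$status"
    done
}

# Constructed sample inventory. On a real device the value comes from:
#   adb shell getprop ro.build.version.security_patch
sample_inventory() {
cat <<'EOF'
PIXEL6-A 2022-05-05
GALAXY-S22 2022-05-01
PIXEL4-B 2022-04-05
TABLET-C unknown
EOF
}

sample_inventory | audit_inventory
```

A device reporting 2022-05-01 shows up as `partial`: it has the first set of May fixes but not those tied to the 2022-05-05 level.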
Additional critical vulnerabilities fixed for Google Pixel users
Google Pixel phone users should treat the update as particularly urgent, as it includes fixes for 11 more device-specific vulnerabilities. Full details can be found here, but the takeaway is that there are two critical vulnerabilities that need to be patched. One is a remote code execution issue with the bootloader, the other is an information disclosure issue with the Titan-M security chip.
Samsung users should also pay attention to security patches
If you’re a Samsung smartphone user, you won’t escape additional vulnerabilities either, I’m afraid. In total, some 18 vulnerabilities are fixed by this update, along with the patches from Google. These range in severity from low to high, at least the ones that have been made public. Samsung also said some of the security vulnerabilities “cannot be disclosed at this time.” While no further information is offered, this would generally point to vulnerabilities of a critical nature that may already be exploited in the wild. It’s not uncommon to withhold details about such things until a majority of users have had a chance to install the patch.
We know you might be sick of Straight Talking Cyber contributors who keep telling you to update now, but that’s really the best advice when it comes to these security patches.