Google says Google and other Android manufacturers haven't patched security flaws - Yahoo Movies Canada

Google has disclosed several security flaws for phones that have Mali GPUs, such as those with Exynos SoCs. The company's Project Zero team says it flagged the problems to ARM (which designs the GPUs) back in the summer. ARM resolved the issues on its end in July and August. However, smartphone manufacturers including Samsung, Xiaomi, Oppo and Google itself hadn't deployed patches to fix the vulnerabilities as of earlier this week, Project Zero said.

Researchers identified five new issues in June and July and promptly flagged them to ARM. "One of these issues led to kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition," Project Zero's Ian Beer wrote in a blog post. "These would enable an attacker to continue to read and write physical pages after they had been returned to the system."

Beer noted that it would be possible for a hacker to gain full access to a system as they'd be able to bypass the permissions model on Android and gain "broad access" to a user's data. The attacker could do so by forcing the kernel to reuse the afore-mentioned physical pages as page tables.

Project Zero found that, three months after ARM fixed these issues, all of the team's test devices were still vulnerable to the flaws. As of Tuesday, the issues were not mentioned "in any downstream security bulletins" from Android manufacturers.

Engadget has contacted Google, Samsung, Oppo and...

Your content is great. However, if any of the content contained herein violates any rights of yours, including those of copyright, please contact us immediately by e-mail at media[@]kissrpr.com.