Project Zero, the Google team dedicated to investigating and finding security flaws, has published several Android vulnerabilities in smartphones that use Mali graphics accelerators, which are present, for example, in SoC Exynos models. Project Zero usually gives a grace period before making its findings public, but in this case the situation seems to be more bizarre than usual.
Mali graphics accelerators are created by ARM Holdings itself, the creator and matrix of the processor architecture. ARM did its part in the months of July and August when it came to patching the vulnerabilities, but smartphone manufacturers such as Samsung, Xiaomi, Oppo and even Google itself (yes, this complaint comes from within) did not proceed to do the same. , and apparently Project Zero gave them time until the beginning of this week.
Researchers discovered five new security flaws in June and July that directly pointed to ARM as responsible for having to fix them. And the truth is that such failures are quite serious, since one leads to problems like kernel memory corruption, another that physical memory addresses were revealed to user space, and the remaining three are of the type to use after freeing the physical page in memory.
Use-after-free flaws allow an attacker to continue reading and writing physical pages after they have been returned to the system, and not only that, but by forcing the kernel to reuse those pages as page tables, an attacker can even gain complete access to the systembypassing Android’s permissions mechanisms and gaining broad access to user data.
Three months after ARM fixed the security flaws, the Project Zero team discovered that all of their test devices were still vulnerable. As of Tuesday, the problems were not mentioned in any subsequent security bulletins from Android smartphone makers, so it is assumed that they remain open to potentially catastrophic attacks.
At the moment it seems that Samsung, Google, Oppo and Xiaomi (and possibly many more) have not released a corresponding security update to fix vulnerabilities affecting the driver used by Android for Mali graphics accelerators. Unfortunately, here we find ourselves with the usual scenario, and that is that Android smartphones, in general, tend to be poorly maintained by the responsible companies, with security patches that are delivered late and support times that are laughable.
