Categories
Mobile Syrup

New security vulnerability affects Pixel 6, Galaxy S22 series

Looks like Pixel 6 and Galaxy S22 owners may have another security vulnerability to contend with.

Security researcher and Northwestern University PhD student Zhenpeng Lin posted a video on Twitter showcasing the vulnerability. Lin claims the vulnerability can enable arbitrary read and write and privilege escalation, and can disable SELinux security protections. In other words, it’s a doozy.

Android Police notes that none of the technical details about the vulnerability have been published. However, the vulnerability impacts Android devices running a Linux kernel based on version 5.10, namely the Pixel 6 series, Galaxy S22 line, and some others. You can check your kernel version by heading to Settings > About phone > Android version > Kernel version.

Moreover, Android Police reports that the vulnerability appears to use some sort of memory access exploit, indicating it could be similar to the Dirty Pipe security flaw that plagued new Pixel and Galaxy smartphones earlier this year.

There’s also some debate over whether Lin’s Twitter post violates Google’s disclosure rules for security bugs. Lin told Android Police that the post was a “proof of concept” and he believes it doesn’t violate the rules. Additionally, Lin said he disclosed the flaw to Google on July 5th.

However, as Android Police notes, Google’s rules request “reasonable advance notice” and that reports going against this “usually don’t qualify.” In other words, it sounds like a public disclosure before alerting Google could impact reward payouts. Typically with security exploits, researchers only issue public disclosures as a final attempt to get companies to fix the flaw. Most tech companies offer disclosure programs and bug bounties and encourage researchers to disclose exploits to them first, then go public once a fix is available. Google’s internal research division, Project Zero, has a 90-day response policy for vulnerabilities that aren’t actively being exploited, and a seven-day policy for actively-exploited flaws.

Finally, Android Police notes that given the timeline and how Google’s security patches work, the issue might not be addressed until September. However, other manufacturers might be able to pull the fix into their own patches earlier, such as what Samsung did with Dirty Pipe.

Source: Zhenpeng Lin (Twitter) Via: Android Police


Apple hasn’t patched two zero-day vulnerabilities in macOS Big Sur, Catalina

Apple still hasn’t rolled out patches for two zero-day exploits found in macOS to devices running Big Sur and Catalina.

As reported by 9to5Mac, Apple previously released patches for the exploits in macOS Monterey version 12.3.1. However, similar patches were not made available to the older macOS variants, even though Apple still supports them.

One of the exploits allowed malicious apps to execute arbitrary code with kernel privileges, while the other was an exploit found in the Intel Graphics drivers, which could lead to the disclosure of kernel memory.

Apple typically releases security patches for the current version of macOS and the last two versions of the operating system. Largely, that’s because some users can’t upgrade right away due to software compatibility. People with older Macs may not be able to upgrade to newer versions of macOS if the hardware isn’t supported.

By supporting older versions of macOS with security updates, Apple effectively protects users who can’t upgrade to the newest version of macOS right away. However, the company’s failure to push out a patch for these active zero-day exploits is concerning.

Hopefully, those updates come soon, although Intego notes Apple hasn’t given any indication it will provide those updates.

Source: 9to5Mac, Intego