Monday, July 31, 2023

Known Android flaws are just as bad as zero-days, finds Google

Google’s latest annual review of zero-day exploits has claimed known vulnerabilities could be even worse than zero-day vulnerabilities.

In its report, Google asks whether zero-days are even needed on Android. Typically, a vulnerability would be most concerning before it becomes public. During this (hopefully short) period, an attacker can execute exploits without having to worry about a patch.

In the case of Android, as soon as Google becomes aware of the vulnerability, it is then an n-day flaw, regardless of patch status.

Android patches are just too slow

Google added that in some cases, patches have not been available to users for a significant amount of time across its ecosystem, which it blames on a disconnect between upstream (developer) fixes and the downstream (manufacturer) adoption.

A 2022 report entitled ‘Mind the Gap’ concluded that device vendors should be just as quick to react to patches as end users are advised to be.

A total of 41 zero-days were detected in 2022, down a staggering 40% from the previous year, during which 69 had been detected. However, with n-day vulnerabilities more exploitable than they should be, attackers have not seen the same reduction in attack surface.

At the same time, Google highlighted ineffective patches that only block the exploit method seen in use rather than fixing the vulnerability as a whole, an approach it says is not comprehensive and doesn’t constitute a complete patch.

Moving forward, Google clearly places an emphasis on clear communication and collaboration, urging that all parties share as many technical details as possible following detailed analyses.

The company also calls for “fixes and mitigations to [get to] users quickly so that they can protect themselves.”



from TechRadar - All the latest technology news https://ift.tt/AWC8XSi
