Shulou(Shulou.com)11/24 Report--

CTOnews.com, Nov. 29 (Xinhua) Google's Project Zero team's ultimate goal is to eliminate all zero-day loopholes in the world, and given the recent outbreak of ARM GPU vulnerabilities, the team condemned the laziness of Android makers in its latest blog post, even Google's own Pixel. In the blog post, the Project Zero team said Android makers did not move quickly to fix ARM GPU driver vulnerabilities.

Image source Maddie Stone, a member of the PexelsProject Zero team, discovered a vulnerability in the Pixel 6 phone in June that allows unprivileged users to write to read-only memory.

Another member of the team, Jann Horn, discovered three weeks later that there were other related vulnerabilities in the ARM GPU driver. These vulnerabilities could allow "attackers who execute native code in the application to gain full access to the system, bypass the Android permissions model, and allow extensive access to user data."

The Project Zero team said it reported these issues to ARM from June to July 2022. ARM fixed these issues between July and August, issued a security bulletin (CVE-2022-36449) and released the source code for the fix.

But for consumers, these loopholes have not been fixed. The main reason for this is a variety of Android OEM makers, including Google itself. According to the Project Zero team, a few months after ARM fixed these vulnerabilities, all of our test equipment using Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream safety bulletins.

CTOnews.com learned that the list of affected ARM GPU devices is long, covering the past three generations of ARM GPU architectures (Midgard, Bifrost and Valhall), ranging from current shipments to 2016 phones. Qualcomm chips do not use ARM's GPU, but Google's Tensor SoC uses ARM GPU in Pixel 6, 6a and 7, while Samsung's Exynos SoC uses ARM GPU in its midrange phones and old international flagships such as the Galaxy S21 (just without the Galaxy S22). MediaTek's SoC is also ARM GPU users, so we're talking about millions of vulnerable Android phones from almost every Android OEM manufacturer.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.