Broken cord on a computer chip
Exploits and vulnerabilities | News

Android bugs going unfixed thanks to a double patch gap

Posted: November 24, 2022 by Pieter Arntz

If you are a regular reader here you will know that we like to keep you posted about all kinds of vulnerabilities, and when patches for them are released. And you may have learned along the way that the time between the patch being released and it actually getting installed, the so called “patch gap”, is critically important.

Most cybercriminals aren’t smart enough to find their own vulnerabilities, so they reverse engineer patches after they are released to find out what’s getting fixed. The patch gap is criminals’ window of opportunity to exploit that knowledge. Which is why when it comes to applying patches it’s a case of the sooner, the better.

But this patch gap is not entirely under the control of the user.

Mind the gap

In organizations, the patch gap has been growing steadily over the years. This is partly due to the sheer complexity of it, and partly due to the shortage of IT staff. Figuring out what computers they have, what software they’re running, what patches are available, and when they can be rolled out, has become part of the daily grind for IT folk. Many have also learned that it is important to test patches first, away from the production environment, in case they are unstable or have unexpected side effects.

The patch gap exists for consumers too, but for a different set of reasons. Often they rely on the devices and software they use to install patches automatically, or at least to alert them when an update is available. Software that doesn’t do this tends to be left alone. Sometimes because of an “if it ain’t broke, don’t fix it” attitude, and sometimes becasue users simply aren’t aware of how important updates are. (For example, look at the numerous problems with Network Attached Storage devices sometimes causing an uproar when a vendor decides to push out a forced firmware update because of a rampant ransomware infection.)

No, the other gap

There is another, less well known gap that exists when software patches have to wait for a second vendor to incorporate them into their software before they reach an end user.

This has always been a particularly acute problem on Android phones. If there is an update for the Android operating system—software that sits at the core of about 70% of all mobile devices—it can take a very long time to reach end users. This is because many mobile phone vendors sell their devices with their own tweaked versions of Android.

So, much like our organizations above, a vendor has to test the effects of the patch on the other components they supply before they can give it to their end users, and they may have to modify their patch or their other software as a result. And even if they don’t have to change anything, the patch has to pass through the vendor’s own workflow, software release, and QA processes, while users are left waiting and vulnerable.

The size of the gap this process creates can be huge, as illustrated by a recent blog post by Google’s Project Zero. It sets out a timeline for some specific issues they discovered. Several months after patches for the issues were released they conducted follow-up tests to see how many devices had been fixed:

  • Between June and July 2022 Project Zero found issues in the ARM Mali driver
  • ARM fixed the issues promptly in July and August 2022
  • The issues were publicly disclosed between late August and mid-September 2022
  • Testing showed all the test devices are still vulnerable

Now consider that the ARM Mali graphics processing unit (GPU) chip is present in over one billion different consumer devices…

Closing the second gap

As I’m sure some of you will point out in the comments, one way to make sure that you can install patches for your phone as soon as they are released is to buy an iPhone. Or a Google Pixel for that matter. But those are not for everyone. Other vendors however should be made aware that this second gap is something we take seriously, and they may lose customers when they don’t do their utmost to keep the extra gap as small as possible.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

RELATED ARTICLES

TikTok logo
News | Personal

TikTok comes one step closer to a US ban

April 24, 2024 - The US Senate has approved a bill that will ban TikTok, unless it finds a new owner, bringing it one step closer to being signed into law.

CONTINUE READING 0 Comments
UnitedHealth Group logo
News | Personal

“Substantial proportion” of Americans may have had health and personal data stolen in Change Healthcare breach

April 23, 2024 - UnitedHealth has made an announcement about the stolen data in the ransomware attack on subsidiary Change Healthcare.

CONTINUE READING 0 Comments
The Lock and Code logo, which includes the Malwarebytes Labs insignia ensconced in a pair of headphones
Podcast

Picking fights and gaining rights, with Justin Brookman: Lock and Code S05E09

April 22, 2024 - This week on the Lock and Code podcast, we speak with Justin Brookman about past consumer wins in the tech world, and how to avoid despair.

CONTINUE READING 0 Comments
Discord logo
News | Privacy

Billions of scraped Discord messages up for sale

April 22, 2024 - An internet scraping platform is offering access to a database filled with over four billion Discord messages and combined user profiles.

CONTINUE READING 0 Comments
week in security
News

A week in security (April 15 – April 21)

April 22, 2024 - A list of topics we covered in the week of April 15 to April 21 of 2024

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Pieter Arntz

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams