Broken cord on a computer chip

Android bugs going unfixed thanks to a double patch gap

If you are a regular reader here you will know that we like to keep you posted about all kinds of vulnerabilities, and when patches for them are released. And you may have learned along the way that the time between the patch being released and it actually getting installed, the so called “patch gap”, is critically important.

Most cybercriminals aren’t smart enough to find their own vulnerabilities, so they reverse engineer patches after they are released to find out what’s getting fixed. The patch gap is criminals’ window of opportunity to exploit that knowledge. Which is why when it comes to applying patches it’s a case of the sooner, the better.

But this patch gap is not entirely under the control of the user.

Mind the gap

In organizations, the patch gap has been growing steadily over the years. This is partly due to the sheer complexity of it, and partly due to the shortage of IT staff. Figuring out what computers they have, what software they’re running, what patches are available, and when they can be rolled out, has become part of the daily grind for IT folk. Many have also learned that it is important to test patches first, away from the production environment, in case they are unstable or have unexpected side effects.

The patch gap exists for consumers too, but for a different set of reasons. Often they rely on the devices and software they use to install patches automatically, or at least to alert them when an update is available. Software that doesn’t do this tends to be left alone. Sometimes because of an “if it ain’t broke, don’t fix it” attitude, and sometimes becasue users simply aren’t aware of how important updates are. (For example, look at the numerous problems with Network Attached Storage devices sometimes causing an uproar when a vendor decides to push out a forced firmware update because of a rampant ransomware infection.)

No, the other gap

There is another, less well known gap that exists when software patches have to wait for a second vendor to incorporate them into their software before they reach an end user.

This has always been a particularly acute problem on Android phones. If there is an update for the Android operating system—software that sits at the core of about 70% of all mobile devices—it can take a very long time to reach end users. This is because many mobile phone vendors sell their devices with their own tweaked versions of Android.

So, much like our organizations above, a vendor has to test the effects of the patch on the other components they supply before they can give it to their end users, and they may have to modify their patch or their other software as a result. And even if they don’t have to change anything, the patch has to pass through the vendor’s own workflow, software release, and QA processes, while users are left waiting and vulnerable.

The size of the gap this process creates can be huge, as illustrated by a recent blog post by Google’s Project Zero. It sets out a timeline for some specific issues they discovered. Several months after patches for the issues were released they conducted follow-up tests to see how many devices had been fixed:

  • Between June and July 2022 Project Zero found issues in the ARM Mali driver
  • ARM fixed the issues promptly in July and August 2022
  • The issues were publicly disclosed between late August and mid-September 2022
  • Testing showed all the test devices are still vulnerable

Now consider that the ARM Mali graphics processing unit (GPU) chip is present in over one billion different consumer devices…

Closing the second gap

As I’m sure some of you will point out in the comments, one way to make sure that you can install patches for your phone as soon as they are released is to buy an iPhone. Or a Google Pixel for that matter. But those are not for everyone. Other vendors however should be made aware that this second gap is something we take seriously, and they may lose customers when they don’t do their utmost to keep the extra gap as small as possible.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.