Google Claims Patch Gap in Android Models Increases The Risk of n-days Vulnerabilities To The Same Level As Zero-days

Zero-day attack or vulnerability is a flaw, a gap in security where an operating system or application is rendered defenseless in opposition to exploitation attacks before a vendor knows about it and finds a way to patch it. N-day vulnerability is a software flaw with or without a patch, but the public knows about it.

It goes like this: a bug identified in Android before Google is called a zero-day vulnerability. But when Google finds out, it’s called an n-day vulnerability, with n being the number of days that have passed since the vulnerability became public knowledge.

Google has released its yearly 0-day vulnerability report, which includes data on real-world exploitation occurrences in 2022. The report emphasizes and brings attention to a persistent issue within the Android platform, highlighting the significance and utilization of disclosed vulnerabilities for long durations.

To be exact, Google’s summary emphasizes the concern of n-days in Android to be acting as equivalent to zero-days for cyber attackers. The issue arises from the intricate nature of Android’s environment, which encompasses many phases between the upstream vendor and downstream manufacturers. This complexity leads to notable variations in delays for security updates across device models, brief support time, confusion over responsibilities, and several other issues.

Google alerted that hackers might use of n-days to exploit devices without any patch by using familiar techniques or programming one themselves, even if Google or another vendor makes a patch available. This issue stems from patch gaps as vendors devise a way to combat the bug, but the manufacturers take weeks to months to release them in Android security updates.

Google’s report claims that the discrepancies between vendors and manufacturers are why publicly known vulnerabilities like n-days behave and operate as zero-days, as not a single patch is accessible or rolled out to users. They further state that users can protect their data by not using their phones in such situations. Such gaps are more evident for prolonged periods in Android devices compared to other vendor and manufacturer interactions.

A vulnerability called CVE-2022-38181 severely impacted Android back in 2022 in the ARM Mali GPU. The Android Security team was alerted about the flaw in July of that year after ARM regarded it as unfixable in October 2022. However, they included it in the security update for Android in April 2023.

The bad news is that a month after the release of the fix update, cyberattackers actively exploited the flaw.
The exploitation was uncontrollable and carried on until April 2023, when the Android security update finally released its fix, a significant time after ARM first raised concerns about it.

In December 2022, two more flaws (CVE-2022-3038 and CVE-2022-22706) were under exploitation, resulting from a series of attacks on Samsung devices containing spyware. In May 2023, Samsung announced the security update for CVE-2022-22706. The ARM fix for CVE-2022-3038 was available in the June 2023 security update. That meant the fix update was available after an alarming delay of 17 months.

It takes upstream vendors around 3 months to release the updates for models that support it, even after Google finds a patch, giving threat actors a longer duration for exploitation.

Such a patch gap makes 0-day as important as n-days for cybercriminals to exploit unprotected and unpatched devices.

In 2022, Google revealed in their active summary that zero-day flaws have reduced since 2021, with just 41 detected. They also observed a substantial reduction of those vulnerabilities in browsers, with just fifteen detected last year after discovering 26 in 2021.

What is also remarkable is that in 2022, over 40% of the 0-day flaws detected were just different versions of known flaws. Such flaws are easier to fix compared to an unknown zero-day flaw.

Read next: OCR Malware: The Cryptocurrency Heist from Image Secrets
Previous Post Next Post