Tuesday, March 4, 2025

Google Confirms 2 New Android Zero Day Exploits—Update Now


Hot on the heels of Google issuing a warning that cybercrime must be treated as a national security threat comes news, also from Google, that two vulnerabilities within Android are under “limited, targeted exploitation,” and, as is always the case with such so-called zero-day exploits, must be considered critical enough to warrant an immediate update to mitigate the risk. According to the latest Android Security Bulletin, published Mar. 3, the exploited vulnerabilities are CVE-2024-43093 and CVE-2024-50302. For the former, Google said the fix restricts access to “Android/data, Android/obb and Android/sandbox directories and its sub-directories” by replacing the path’s pattern match check with a file equality check; in other words, the flaw allowed the file path filtering protections in the Android framework component to be bypassed. The end result of a successful exploitation is privilege escalation for the attacker. The latter, meanwhile, is a missing zero-initialization in the Linux kernel core, specifically of the report buffer used by “all kinds of drivers in various ways,” which could lead to memory leaks.
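As an added illustration of why the bulletin’s fix for the first bug matters (example code written for this piece, not Google’s or AOSP’s): the weak check pattern-matches the raw path string, while the hardened check resolves the requested path to a real file and compares it with the resolved restricted directories. The input actually used against CVE-2024-43093 is not described here; the non-canonical spellings in the demo are constructed to show the general class of weakness.

```python
import re
import tempfile
from pathlib import Path

# Constructed illustration, not AOSP code: the restricted directories named
# in the Android Security Bulletin, relative to an external-storage root.
RESTRICTED = ("Android/data", "Android/obb", "Android/sandbox")
_PATTERN = re.compile(r"^(Android/data|Android/obb|Android/sandbox)(/|$)")


def is_restricted_by_pattern(rel_path: str) -> bool:
    """Weak check: pattern-match the raw, unnormalised path string.

    Any spelling of the same directory that the pattern does not anticipate
    slips past, because the string is never compared with a real file.
    """
    return _PATTERN.match(rel_path) is not None


def is_restricted_by_file_equality(root: Path, rel_path: str) -> bool:
    """Hardened check: resolve the requested path to its real location and
    compare that with the resolved restricted directories (file equality,
    or containment for a sub-directory)."""
    root = root.resolve()
    target = (root / rel_path).resolve()
    for name in RESTRICTED:
        restricted_dir = (root / name).resolve()
        if target == restricted_dir or restricted_dir in target.parents:
            return True
    return False


def build_sandbox() -> Path:
    """Create a throw-away storage root with the restricted directories
    (and one ordinary directory) so the checks run against real paths."""
    root = Path(tempfile.mkdtemp(prefix="storage-"))
    for name in RESTRICTED + ("Documents",):
        (root / name).mkdir(parents=True)
    return root


if __name__ == "__main__":
    root = build_sandbox()
    # Constructed non-canonical spellings that reach the same directory.
    for rel in ("Android/data/com.example", "Documents/../Android/obb", "Android/./sandbox"):
        print(rel, is_restricted_by_pattern(rel), is_restricted_by_file_equality(root, rel))
```

The pattern check only agrees with the file-equality check when the path is already spelled canonically; a defender reviewing a path filter should look for exactly that gap.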


Does This Android Zero Day Sound Familiar?

CVE-2024-43093 sounded very familiar to me, and for good reason: this is the second time that Google has patched the darned thing, on both occasions warning it is under limited and targeted exploitation but without releasing any more details than that. Come on Google, I know that some things have to be kept close to the chest, to enable the majority of users to apply the updates for protection, but this was meant to have been fixed in November and now we are getting the same warning again? More transparency is required on this one, methinks. If CVE-2024-50302 also sounds familiar, it’s because it appears to be the zero-day that was exposed by Amnesty International in a Feb. 28 report about an attack against a Serbian political activist.


Update Your Android Device Now

“Google’s disclosure of CVE-2024-43093 and CVE-2024-50302 serves as a stark reminder of the perils lurking in our pockets,” Javvad Malik, lead security awareness advocate at KnowBe4, said; “These vulnerabilities, affecting over a billion Android devices, highlight the importance of deploying patches in a timely manner.” Of course, this isn’t helped by the fragmented Android ecosystem. “With dozens of manufacturers and carriers,” Malik warned, “patching becomes a logistical nightmare, leaving countless devices vulnerable long after fixes are available. Unfortunately, many cheaper Android devices running older versions of the operating system can’t be updated at all.”
