Google’s May 2022 updates for Android are out.
As usual, the Android core received two different versions of the patch.
The first is called 2022-05-01, and contains fixes for 13 CVE-numbered vulnerabilities.
Fortunately, none of them are currently exploited, which means that there are no known zero-day holes this month; none of them directly lead to remote code execution (RCE); and none of them are marked as critical.
However, at least one of these vulnerabilities could allow a completely innocent-looking app (an app that doesn’t need special privileges at all when installed) to gain root-level access.
If you’re wondering why we don’t give specific CVE numbers for the most dangerous vulnerabilities, it’s because Google itself doesn’t state which vulnerabilities pose which risks, but instead just mentions the potential side effects of “the most dangerous weakness” in each group of bugs.
The second tranche of updates has been dubbed 2022-05-05, an official identifier that covers all the patches provided by 2022-05-01, as well as 23 CVE-numbered bugs in several parts of the operating system.
Components affected by these bugs include the Android kernel itself, along with several closed source software modules supplied to Google by device makers MediaTek and Qualcomm.
Non-uniform patches
Ideally, Google wouldn’t split monthly updates apart in this way, but would provide one unified set of patches and expect all Android device vendors to update as soon as possible.
However, as the company admits in its bulletin, there are “two levels of security patch so Android partners have the flexibility to fix a subset of similar vulnerabilities across all Android devices more quickly.”
We can understand Google’s approach, which supposedly reflects the assumption that it’s best if everyone fixes at least something and some vendors fix everything…
…than if some vendors fixed everything but others didn’t fix anything at all.
However, Google notes publicly: “We encourage Android partners to fix all issues in this bulletin and use the latest security patch.”
In the modern vernacular, our view on this subject is simple and clear: +1.
The sting in the machine
Although there is an open source distribution of Android known as AOSP (short for Android Open Source Project), the Android distribution you’re running on your phone or tablet at the moment almost certainly includes many closed-source components.
Google Android, for example, is somewhat similar to Apple’s iOS in that it is based on an open source kernel and a large number of low-level open source tools, but with different proprietary modules, APIs, and applications placed on top of that.
But even third-party Android versions usually include many closed source software modules, for example to operate low-level hardware in the device, such as the mobile radio (where the code is strictly regulated, and varies, in most countries), Wi-Fi, Bluetooth and so on.
Unfortunately, this month’s 2022-05-05 patches include a fix called CVE-2021-35090 that is marked as critical, but no public information is available about it.
Google says nothing more than that this bug, along with ten more CVE-numbered bugs from 2021, are “weak points [that] affect closed source Qualcomm components”.
Google doesn’t even seem to know what’s fixed in Qualcomm’s binary “blobs”, or if it does, it doesn’t matter to them.
So we assume that any bug considered critical involves some kind of remote code execution (RCE), and thus could result in a remote attacker implanting spyware or other malware on your device without any kind of click or tap assistance on your part.
Blob, in case you were wondering, is a jargon word derived from BLOB, which is a jocular abbreviation for binary large object, a name meant to remind you that although you need it and use it, you probably aren’t quite sure how it works, how it’s structured, or even the purpose of actually using it.
Additional details for Pixel users
Owners who not only run Google Android, but also use Google devices (Pixel 3a and later), already have Pixel-specific updates, including patches for 11 additional CVE-numbered bugs, two of which are considered critical.
Paradoxically, the two critical Pixel bugs are in critical low-level components, as follows:
- CVE-2022-20120. Remote code execution (RCE) in the bootloader. The bootloader is a vital part of Android’s system integrity, and is locked by default against any kind of modification. You can unlock the bootloader on Pixel devices to install an alternative non-Google operating system, but every time you unlock (or re-lock) the bootloader, all user data is forcibly erased from the device in a so-called factory reset. This prevents a person who steals your phone from swapping the primary OS for a Trojanised version and then returning the device to you seemingly unmodified, with all your original apps and data in place. An RCE bug in the bootloader suggests that a determined attacker may be able to quietly and invisibly compromise an unpatched device, given a few minutes of physical access and a USB cable.
- CVE-2022-117. Information disclosure in the Titan-M component. The Titan-M chip is Google’s hardware security module, which is supposed to provide secure, tamper-proof storage for encryption keys and other confidential data. Removing the chip from a device and then extracting the raw data from the chip itself is supposed to be impossible, because the chip self-destructs or wipes itself if accessed by unofficial methods. Therefore, an information disclosure bug in a hardware security module is always critical, because the module is specially designed to keep secrets.
What should be done?
A bootloader bug, a data leakage hole in a custom security chip, a flaw that could let even the most innocent-looking app gain root-level access, and a serious security flaw in an undisclosed component used on an unknown set of Android devices mean…
…patch early, patch often. (And yes, we always say that, which is why we said it here!)
On most Google devices, including many, if not most, non-Google variants of Android (we’re using GrapheneOS), you can check for and fetch updates on demand by going to System > System update > Check for updates.
To find the exact details of your current Android kernel, version number, and security patch level, go to System > About the phone > Android version.
Ideally, you are looking for a 5 May 2022 security update (this corresponds to the 2022-05-05 patch level above), and a kernel that displays a build date of early May 2022, as shown below.
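
The same patch level is exposed as the system property `ro.build.version.security_patch`, so the check can be scripted over adb for more than one device. The script below is an added example, not part of the original article; the function names and the `--device` option are assumptions for illustration, and it treats any level dated on or after 2022-05-05 as covering the full May bulletin.

```sh
#!/bin/sh
# Added example (not from the original article): classify an Android
# security patch level string against the two May 2022 levels.

MAY_PARTIAL=20220501   # 2022-05-01: first tranche (13 CVEs per the article)
MAY_FULL=20220505      # 2022-05-05: includes 2022-05-01 plus 23 more CVEs

# Print one of: full, partial, missing, invalid.
classify_patch_level() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output may end in CR
    # Accept only the YYYY-MM-DD shape so the numeric comparison is sound.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # YYYY-MM-DD orders like an integer once the dashes are removed.
    n=$(printf '%s' "$level" | tr -d '-')
    if [ "$n" -ge "$MAY_FULL" ]; then
        echo full        # kernel and MediaTek/Qualcomm fixes are claimed too
    elif [ "$n" -ge "$MAY_PARTIAL" ]; then
        echo partial     # only the 2022-05-01 subset is claimed
    else
        echo missing     # predates the May 2022 updates
    fi
}

# Read the level from an attached device (needs adb and USB debugging).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch
}

# Usage: script.sh 2022-05-01     classify a given string
#        script.sh --device       query the attached device
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--device" ]; then
        classify_patch_level "$(device_patch_level)"
    else
        classify_patch_level "$1"
    fi
fi
```

A result of `partial` means the vendor has claimed only the 2022-05-01 subset, so the kernel and closed-source component fixes described above may still be absent.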