If you are an Android user, no matter which hardware vendor you choose, you should pay special attention to installing security update 36 to fix vulnerabilities as quickly as possible. Why worry? A high-risk vulnerability that was revealed last January has now been fixed and perhaps not surprisingly, it could be exploited in the wild. It’s a vulnerability in the Linux kernel that was given the name “Dirty Pipe” to the researcher who discovered it. In fact, we refer to it more formally as CVE-2022-0847.
CVE-2022-0847 Exploit Status Confirmed by Google and CISA
The unusual case of CVE-2022-0847 has been confirmed by Google and the US Cybersecurity and Infrastructure Security Agency has added it to its catalog of “known exploits”.
Whatever you call it, only newer Android devices are affected, mostly 2022 models running Android 12 or later, which is really the only savings. So, here is the good news. Does that mean you can relax if, like most people, you’ve been using a phone from 2021 or earlier? no, sorry. While Dirty Pipe won’t affect you, May’s security fix covers a whole bunch that will, including some high-risk vulnerabilities in the Android Framework component that could allow a privilege attack to be escalated.
No matter how old your Android device is, please apply the update urgently.
36 vulnerabilities have been fixed in the May Android security patch
In all, about 36 vulnerabilities were addressed in the May security update for Android. Just to complicate matters a bit, these two updates were rolled out via two Android Security Updates from Google: the first on May 1 and the second on May 5.
The good news is that the latter should be combined with the former, and most hardware vendors will release one full update. Google said the split is so that vendors have the flexibility to fix those vulnerabilities that are “similar across all Android devices more quickly” but confirmed that the 05-2022-20 security patch level will include all previous fixes.
Additional critical vulnerabilities for Google Pixel users have been fixed
Google Pixel phone users should be particularly time-critical in applying the update as this will include 11 other vulnerabilities unique to the device. Full details can be found here but the bottom line is that there are two critical vulnerabilities that need to be fixed. One is the remote code execution issue with the bootloader, and the other is the information disclosure issue with the Titan-M security chip.
Samsung users also need to pay attention to the security patch
If you are a Samsung smartphone user, you will not escape from being exposed to additional vulnerabilities which I fear. In all, about 18 vulnerabilities have been fixed by this update, along with Google patches. These vary in severity from low to high, at least those that have been detected. Samsung also stated that some of the vulnerabilities “cannot be detected at this time”. Although no further information is provided, this usually points to vulnerabilities of a critical nature that may already be vulnerable to exploitation in the wild. It is not unusual to withhold details about such things until the majority of users have had the opportunity to install the protective patch.
We know you’re sick of Straight Talking Cyber contributors who keep telling you to update now, but it really is the best advice when it comes to these security fixes.