Google has confirmed a serious new zero-day vulnerability affecting Android devices, prompting immediate action for its own Pixel line while leaving Samsung Galaxy users in limbo. The security gap between Pixel and Galaxy devices is becoming more pronounced.
“There are indications that CVE-2024-36971 may be under limited, targeted exploitation,” Google warns. This critical Android kernel vulnerability “could lead to remote code execution with System execution privileges needed,” and a fix is included in Android’s August security update.
Ironically, Samsung announced its own August security firmware update around the same time as Google’s warning, addressing other critical issues but not this latest zero-day threat. However, Samsung’s update does include the long-awaited fix for June’s Pixel zero-day vulnerability. Google has stated that “source code patches will be released to the Android Open Source Project (AOSP) repository in the next 48 hours,” suggesting that Galaxy users may not receive this crucial update until September, unless Samsung takes unusual steps—confirmation has been requested from Samsung.
As is customary, Samsung’s update will roll out device by device and region by region, rather than all at once. Flagship and newer devices will likely receive updates within the same month the fix is released, while others will follow a slower schedule.
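Because the fix ships as part of the monthly security update, the practical check for an administrator or user is whether a device's security patch level (the `ro.build.version.security_patch` system property, formatted YYYY-MM-DD) is at or after the level that carries the fix. The script below is an added example, not code from the article or from Google or Samsung. It assumes the fix is in the `2024-08-05` patch level (the article only says "August security update"), so `REQUIRED_LEVEL` should be adjusted to the bulletin level that applies, and reading from a device requires `adb` with USB debugging enabled.

```shell
#!/bin/sh
# Added example, not the article's code. Verifies that an Android device's
# security patch level is at or after the level that ships the fix.
# Assumption: the fix is in the 2024-08-05 patch level; the article only says
# "August security update", so adjust REQUIRED_LEVEL to the bulletin you need.
REQUIRED_LEVEL="2024-08-05"

# Convert YYYY-MM-DD to an integer YYYYMMDD; fails (no output) on malformed input.
level_to_int() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
    *) return 1 ;;
  esac
}

# Returns 0 if the given patch level is at or after REQUIRED_LEVEL,
# 1 if it is older, 2 if the value is missing or malformed.
patch_level_ok() {
  have=$(level_to_int "$1") || return 2
  need=$(level_to_int "$REQUIRED_LEVEL")
  [ "$have" -ge "$need" ]
}

# Reads the patch level from a USB-connected device (needs adb and USB debugging).
check_device() {
  level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
  patch_level_ok "$level"
  rc=$?
  case $rc in
    0) echo "OK: patch level $level >= $REQUIRED_LEVEL" ;;
    1) echo "OUTDATED: patch level $level < $REQUIRED_LEVEL" ;;
    *) echo "UNKNOWN: could not read patch level (got '$level')" ;;
  esac
  return $rc
}

# Only talk to a device when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "--device" ]; then
  check_device
fi
```

Run it as `sh check_patch.sh --device` with one device attached; for a fleet, loop over `adb devices -l` output and pass `-s <serial>` to each `adb` call. Comparing the dates as integers avoids locale and string-comparison pitfalls in `test`, and a malformed or empty property is reported separately from "outdated" so that a device that cannot be read is not silently counted as patched.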
Details about the new threat are scarce. However, the involvement of Google TAG’s Clement Lecigne in disclosing the vulnerability suggests it could be an advanced persistent threat (APT) or state-level exploit.
Key Points:
- Critical Vulnerability Identified: Google confirms a new zero-day vulnerability (CVE-2024-36971) affecting Android devices, potentially leading to remote code execution.
- Immediate Patch for Pixel: Google’s Pixel devices are expected to receive an immediate patch, included in the August security update.
- Delayed Response for Galaxy: Samsung’s August security update, announced simultaneously, does not address the new threat, raising concerns about delayed protection for Galaxy users.
- Future Updates: Google plans to release source code patches to the AOSP repository within 48 hours, likely delaying Galaxy updates until September.
- Security Disparity: The incident highlights a growing security gap between Google’s Pixel devices and Samsung’s Galaxy line, emphasizing the need for timely updates across all Android devices.
Charles William III – Reprinted with permission of Whatfinger News