Google highlights prolonged patch gap in Android manufacturers’ security responses

Google recently released its fourth annual Year in Review report on 0-day vulnerabilities – undisclosed security flaws exploited in the wild. The report emphasizes the Android patch gap as a major concern during 2022.

One significant finding focuses on the relationship between upstream vendors and downstream manufacturers in the Android ecosystem. Throughout 2022, there were several cases where upstream vendors had released patches for security issues, but the downstream manufacturers had not promptly applied these fixes for their users.

While patch gaps are not uncommon in upstream/downstream relationships across various platforms, Google points out that such gaps are more prevalent and tend to persist longer in the Android ecosystem.

These delays in patch deployment create situations where n-day vulnerabilities, which are publicly known and already fixed upstream but not yet patched on users' devices, function similarly to 0-day vulnerabilities, leaving users with no immediate remedy except to stop using the vulnerable devices.

Google cited two specific examples from last year. Firstly, an ARM Mali GPU vulnerability was addressed by Android only in April of the following year. This fix came six months after ARM’s initial patch release, nine months after the initial report by Man Yue Mo, and five months after the vulnerability was first detected in the wild.

Secondly, a vulnerability in Samsung Internet was linked to the use of a seven-month-old version of Chromium (102). This vulnerability chain allowed attackers to exploit two n-day vulnerabilities as 0-days: CVE-2022-3038, which had been patched in Chrome 105 in June 2022, and CVE-2022-22706 in the ARM Mali GPU kernel driver. Despite ARM’s patch release for CVE-2022-22706 in January 2022, attackers were still able to exploit it as a 0-day 11 months later. Although the vulnerability was known to be exploited in the wild since January 2022, it was only included in the Android Security Bulletin in June 2023, a delay of 17 months from the initial patch release.

Google emphasizes the urgent need for the industry to expedite the delivery of fixes and mitigations to users, enabling them to protect themselves effectively.

In other findings, Google noted a decline in browser zero-day exploits, largely due to mitigations implemented by Chrome, Safari, and Firefox. However, attackers are now leveraging 0-click exploits to target other parts of the operating system or hardware.

Another area of concern is that over 40% of the 0-day vulnerabilities were variants of previously reported issues, which calls for in-depth root-cause analysis and comprehensive fixes so that attackers cannot exploit the same underlying flaw in a different context.
