Samsung Issues Critical Update For Millions Of Galaxy Users
Samsung has again beaten Pixel to the punch when it comes to issuing details of this month’s security release. But be warned, this update is actually bad news for your Galaxy device—the alarming issue is what’s missing, not what’s been fixed.
Google has now confirmed that Samsung and other Android devices are vulnerable to the same security flaw behind June’s Pixel zero-day warning. While Pixels have been patched, Samsung devices have not, and the flaw is not addressed at all in July’s update. Given that this threat was serious enough to prompt a US government warning, you should be very mindful of the exposure.
Samsung’s update does include four other critical Android security fixes, albeit three of those patch Qualcomm vulnerabilities and were delayed from Android’s June update. Samsung warns users that component updates may come later than software and firmware patches, but again Pixel managed to release these more quickly.
At least the other critical Android update in Samsung’s July release is current and has been issued immediately. Google warns that CVE-2024-31320 impacts Android’s underlying framework and “could lead to local escalation of privilege with no additional execution privileges needed.” Take that in itself as an update-now warning.
Beyond the wider Android patches, Samsung includes the usual list of its own fixes, including critical updates to address an input validation risk. Samsung warns this could enable a remote attacker to execute arbitrary code by compromising secure control data on the device. While “user interaction is required for triggering this vulnerability,” meaning some form of on-screen prompt or message the user would need to act on, that prompt could be disguised in any number of different ways.
But the much more critical issue is the missing Pixel zero-day fix.
Last month, Google warned Pixel users that CVE-2024-32896 “may be under limited, targeted exploitation,” and the US government then mandated that federal employees update their Pixel devices by July 4 “or discontinue use of the product.”
This Pixel patch was the second part of a fix that began in April, and GrapheneOS, which was behind the disclosure, warned that “there are two vulnerabilities being addressed. Neither issue is being fixed outside Pixels yet.”
Google confirmed this, telling me “Android security is aware of this issue, and after further review, this issue does impact Android platform… Pixel devices that have installed the latest security update are protected… we are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available.”
And while Google assures that “additional exploits would be needed to compromise a device,” it’s exactly this combination of multiple vulnerabilities combined into a chain attack that GrapheneOS has warned about. There is no current fix for any device beyond Pixels, and it could be months before one is made available.
GrapheneOS also warns that another vulnerability, CVE-2024-29745, remains a threat to Samsung and other Android devices, and has likewise only been patched on Pixels. “CVE-2024-29745 is the more serious issue,” I was told, “and was fully fixed in April for Pixels, but other devices don’t have the protection yet.” Because this is a firmware issue, it needs to be patched OEM by OEM. And that will take time.
This pattern, in which Pixel is patched and other devices are not, is becoming established, and that’s not great news if you’ve just dropped $1000-plus on a new flagship. I also approached Samsung for any comments on these vulnerabilities.
Android 15 is fast approaching, and while the release will add a raft of new security updates and enhanced user protection, it will also hopefully clean up some of these outstanding issues. But it’s a long time to wait. Meanwhile, Samsung users should update as soon as this month’s update is available for their model, region and carrier.
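As an added practitioner check (example code written for this page, not Samsung’s or Google’s tooling), the snippet below parses `adb shell getprop` output and compares the device’s declared security patch level with a target monthly bulletin level. The property names are real Android system properties; the sample getprop output is constructed, not captured from a real device. Note the caveat built into it: a patch level only says which bulletin the OEM claims to have reached, and, as this article shows, it says nothing about whether a specific Pixel-only fix such as CVE-2024-32896 has made it to the device.

```python
import re
from datetime import date

# Constructed sample in the "[key]: [value]" format that
# `adb shell getprop` prints; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-S928B]
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-06-01]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Turn getprop's bracketed key/value lines into a dict, skipping noise."""
    props = {}
    for line in output.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value):
    """Parse an Android security patch level (YYYY-MM-DD).

    Returns None when the property is absent or malformed rather than
    guessing; a missing level should be treated as 'unknown', not 'patched'.
    """
    if not value:
        return None
    try:
        y, m, d = (int(part) for part in value.split("-"))
        return date(y, m, d)
    except ValueError:
        return None


def patch_status(props: dict, required_level: str) -> dict:
    """Compare the device's declared patch level with a required bulletin level.

    Android bulletins carry two levels per month: YYYY-MM-01 covers the
    framework/AOSP fixes, YYYY-MM-05 additionally covers vendor and
    closed-source component fixes (the kind of Qualcomm patches the article
    says lagged a month on Samsung). A device reporting 2024-07-01 may
    therefore still lack those component fixes.

    The result is a claim about bulletin coverage only; whether a particular
    CVE is actually fixed on a given OEM build must be checked against that
    OEM's own advisory.
    """
    device = parse_patch_level(props.get("ro.build.version.security_patch"))
    required = parse_patch_level(required_level)
    if required is None:
        raise ValueError(f"bad required level: {required_level!r}")
    return {
        "manufacturer": props.get("ro.product.manufacturer", "unknown"),
        "model": props.get("ro.product.model", "unknown"),
        "patch_level": device.isoformat() if device else None,
        "required": required.isoformat(),
        "up_to_date": device is not None and device >= required,
        # Bulletin convention: day 05 means vendor/component fixes are included.
        "vendor_level": device is not None and device.day >= 5,
    }


if __name__ == "__main__":
    # On a real device: adb shell getprop > props.txt, then feed that file in.
    print(patch_status(parse_getprop(SAMPLE_GETPROP), "2024-07-05"))
```

For a live device, replace the constructed sample with the output of `adb shell getprop`; the `up_to_date` flag will be False for any Galaxy still on a June level against a July target, and `vendor_level` shows whether the build even claims the component (Qualcomm) fixes.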