This month’s security update for Samsung Galaxy users is even more critical than we thought. We knew it fixed two actively exploited vulnerabilities which prompted U.S. government warnings, with the August 28 deadline for all federal employees to update or stop using their phones now just 72 hours away. But we now know there’s another serious vulnerability that puts millions of users at risk. And the only reason this one has not made any headlines is stupidly simple—it’s down to a typo.
First to those two government warnings. Samsung’s new update fixes two Android firmware vulnerabilities—CVE-2024-32896 and CVE-2024-36971, both of which have been exploited in the wild. The first of those was fixed for Pixels in June, but wasn’t acknowledged as a Samsung issue as well until weeks later, with the update not available until this month. The second vulnerability was fixed just this month, with both Samsung and Google immediately releasing updates. That’s why there are two tier-one fixes in this month’s single release for Samsung Galaxy users.
But there’s a third serious issue for Samsung Galaxy users—at least those with S24s and A54s. CVE-2024-31960 is a high-severity use-after-free (UAF) memory risk in Samsung Semiconductor’s Exynos 1480 and Exynos 2400 that was quietly fixed in August’s release. It didn’t show up in searches of Samsung’s August firmware advisory because it was listed as a too-short “CVE-2024-3196,” with a critical digit missing. “Samsung Semiconductor patches are also included in this Security Maintenance Release with the following CVE item,” the company advised. “High: CVE-2024-3196.”
As Kaspersky explains, a UAF vulnerability “relates to incorrect use of dynamic memory during program operation,” warning that “an attacker can use UAFs to pass arbitrary code—or a reference to it—to a program and navigate to the beginning of the code by using a dangling pointer. In this way, execution of the malicious code can allow the cybercriminal to gain control over a victim’s system.”
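To make the mechanism in that quote concrete, here is an added C illustration; it is not code from Samsung, Kaspersky or the Exynos GPU driver. It models a toy handle table of the kind a driver uses to hand out references to kernel-side buffers: the vulnerable release path frees the object while a slot still points at it (the dangling pointer Kaspersky describes), and the hardened path uses reference counting and clears the slot so stale handles resolve to NULL instead of freed memory. All names, sizes and the table layout are assumptions made for the example.

```c
/* Added example: dangling-pointer UAF pattern beside a refcounted fix.
 * Not Samsung's, Kaspersky's or any real driver's code; the "GPU buffer"
 * object and handle table are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HANDLES 4

struct gpu_buffer {
    int refcount;        /* number of live references to this object */
    size_t size;         /* constructed field: bytes the buffer holds */
    char tag[16];        /* constructed field: human-readable label */
};

/* Handle table: handle index -> object pointer (assumed layout). */
static struct gpu_buffer *handle_table[MAX_HANDLES];

/* Allocate a buffer, register it, return its handle or -1 on failure. */
int create_buffer(size_t size, const char *tag) {
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (handle_table[i] == NULL) {
            struct gpu_buffer *b = calloc(1, sizeof *b);
            if (b == NULL) return -1;
            b->refcount = 1;                 /* the table's own reference */
            b->size = size;
            strncpy(b->tag, tag, sizeof b->tag - 1);
            handle_table[i] = b;
            return i;
        }
    }
    return -1;
}

/* VULNERABLE pattern: free immediately on release and leave the slot
 * pointing at freed memory. Any later lookup through this handle, or
 * any caller still holding the pointer, now uses freed memory (UAF).
 * Kept here for comparison only; nothing below calls it. */
void release_buffer_vulnerable(int h) {
    free(handle_table[h]);
    /* handle_table[h] is left dangling: this is the bug */
}

/* HARDENED lookup: bounds-check the handle, refuse cleared slots, and
 * take a reference so the object outlives the caller's use of it. */
struct gpu_buffer *get_buffer(int h) {
    if (h < 0 || h >= MAX_HANDLES || handle_table[h] == NULL) return NULL;
    handle_table[h]->refcount++;
    return handle_table[h];
}

/* Drop one reference; free only when nobody else holds the object.
 * Returns 1 if the object was freed, 0 if it is still referenced. */
int put_buffer(struct gpu_buffer *b) {
    if (b == NULL) return 0;
    if (--b->refcount > 0) return 0;
    free(b);
    return 1;
}

/* HARDENED release: clear the slot first so stale handles resolve to
 * NULL, then drop the table's reference. Returns put_buffer's result
 * or -1 for an invalid handle. */
int release_buffer(int h) {
    if (h < 0 || h >= MAX_HANDLES || handle_table[h] == NULL) return -1;
    struct gpu_buffer *b = handle_table[h];
    handle_table[h] = NULL;
    return put_buffer(b);
}

/* Scenario: a caller still holds a reference when the handle is released.
 * With refcounting the object stays alive until that caller is done, so
 * reading through the held pointer is safe. Returns the size read. */
size_t hardened_scenario(void) {
    int h = create_buffer(4096, "framebuf");
    struct gpu_buffer *held = get_buffer(h);   /* refcount now 2 */
    release_buffer(h);                         /* slot cleared, refcount 1 */
    size_t sz = held->size;                    /* still valid memory */
    put_buffer(held);                          /* refcount 0: freed here */
    return sz;
}

int main(void) {
    printf("size read after release: %zu\n", hardened_scenario());
    printf("stale handle resolves to %p\n", (void *)get_buffer(0));
    return 0;
}
```

The defensive point is the ordering in release_buffer: the table slot is cleared before the last reference can drop, so a handle that userspace keeps using after release fails the NULL check rather than reaching freed memory, and a pointer another caller still holds keeps the object alive until it is released.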
Kudos to Sammy Fans for spotting the critical missing connection: “The August 2024 update changelog doesn’t mention the inclusion of a crucial patch. After digging deeper into details, I’ve found that the release brings a fix to a serious issue related to Galaxy S24, S24 Plus, and A54 5G’s Xclipse GPU driver.”
While this newly flagged issue is specific to certain models, the two critical Android fixes apply across the board, and although the U.S. cybersecurity agency’s warning to update or stop using phones by August 28 is only mandatory for federal employees, its remit is much broader. “To help every organization better manage vulnerabilities and keep pace with threat activity,” CISA says, “use the KEV catalog as an input to [your] vulnerability management prioritization framework.”
The advice now should be as simple as update your phone by the date given. But the issue for many users is that there is no update available. Samsung told me it would follow its monthly update scope and schedule, meaning many users will miss the deadline, although four-year-old S20s have been updated despite falling off the formal monthly rota, and updates for U.S. users have been accelerated this month. All of which means most recent phones, and certainly recent flagships, can be patched.
Just in the last few days we have seen new Android warnings about an NFC exploit that puts “fingerprint and credit card data at risk,” and security reports come out each and every month warning users of the growing malware risk—whether from the Play Store, third-party stores or direct installs. This isn’t the time to fall off support.
If you are a federal employee, you need to update your phone by Wednesday or stop using it; if you’re not a federal employee you should update your phone now anyway. It’s also recommended that all public and private organizations ensure all Android devices connecting to internal systems or networks are updated on that timeline.
If you have a Samsung or any other Android device, check your phone now…