Samsung issues update warning for Galaxy smartphones as Google confirms new threat

Samsung has once again outdone the Pixel when it comes to releasing details about this month’s security release. But be warned, this update is actually bad news for your Galaxy device – the worrisome issue is what’s missing, not what’s fixed.

Now Google has confirmed that Samsung and other Android devices are vulnerable to the same security risk behind the Pixel zero-day warning from June. While Pixels have been patched, Samsung devices have not. And it’s not addressed at all in the July update. Given that this threat was serious enough to trigger a warning from the US government, you should be very careful about exposure.

Samsung's update does include four other critical Android security warnings, although three of those fix Qualcomm vulnerabilities and were delayed by the June Android update. Samsung warns users that component updates may come later than software and firmware patches, but again, the Pixel managed to get them out faster.

At least the other critical Android update in Samsung’s July release is current and was released immediately. Google warns that CVE-2024-31320 affects the core Android framework and “may lead to local privilege escalation without requiring additional privileges to run.” Take this as an update alert in itself.

Beyond the broader Android fixes, Samsung is including the usual list of proprietary fixes, including critical updates to address input validation risk. Samsung warns that this could allow a remote attacker to execute arbitrary code by compromising secure control data on the device. Although “user interaction is required to trigger this vulnerability,” meaning the user must take some form of action, this can be disguised in a variety of ways.

But the much more critical issue is the missing Pixel zero-day patch.

Last month, Google warned Pixel users that CVE-2024-32896 “may be under limited, targeted exploitation,” and then the US government ordered federal officials to update their Pixel devices by July 4 “or stop using the product.”

This Pixel patch was the second part of a patch dating from April, and GrapheneOS, which was behind the disclosure, warned that “there are two vulnerabilities that are being addressed.” “No issues have been fixed outside of Pixels yet,” GrapheneOS posted.

Google confirmed this by telling me, “Android security is aware of this issue and upon further review this issue affects the Android platform… Pixel devices that have installed the latest security update are protected… we will prioritize applicable fixes for other Android OEM partners and release them as soon as they are available.”

And while Google assures that “additional exploits will be required to compromise a device,” it’s this chaining of multiple vulnerabilities into a single attack that GrapheneOS has warned about. There is no current patch for any device outside of Pixels, and it could be months before one is available.

GrapheneOS also warns that another vulnerability – CVE-2024-29745 – remains a threat to Samsung and other Android devices and has also only been patched on Pixels. “CVE-2024-29745 is the more serious issue,” I’m told, “and was fully fixed in April for Pixels, but other devices still don’t have the protection.” Since it’s a firmware issue, it needs to be fixed OEM by OEM. And that will take time.

This risk of a Pixel being patched and others not is starting to form a pattern — and that’s not good news if you’ve just dropped $1,000-plus on a new flagship. I’ve also reached out to Samsung for any comments on these vulnerabilities.

Android 15 is fast approaching, and while the release will add a slew of new security updates and improved user protection, we hope it also clears up some of these outstanding issues. But it’s a long time to wait. In the meantime, Samsung users should update as soon as this month’s update is available for their model, region and carrier.