Samsung releases critical update for millions of Galaxy users

Samsung has once again outpaced the Pixel when it comes to revealing details about this year’s security patch. But be warned, this update is actually bad news for your Galaxy device — the alarming issue is what’s missing, not what’s fixed.

Google has confirmed that Samsung and other Android devices are vulnerable to the same security risk behind the Pixel zero-day warning that came out in June. While Pixels have been patched, Samsung devices haven’t. And it wasn’t addressed at all in the July update. Considering the threat was serious enough to warrant a warning from the US government, you should be very careful about your exposure.

Samsung’s update does include four other critical Android security patches, though three of them fix Qualcomm vulnerabilities and have been delayed from the June Android update. Samsung warns users that component updates may arrive later than software and firmware fixes, but Pixel managed to get them out faster.

At least the other critical Android update in Samsung’s July build is up to date and was released immediately. Google warns that CVE-2024-31320 affects the core Android framework and “may lead to local privilege escalation without requiring additional execution privileges.” Consider that in itself a warning to update.

In addition to the broader Android fixes, Samsung is including the usual list of its own fixes, among them critical updates to address input validation risks. Samsung warns that this could allow a remote attacker to execute arbitrary code by compromising secure control data on the device. While “user interaction is required to trigger this vulnerability,” meaning some form of UI message that the user would have to follow, this could be hidden in a number of different ways.

But a much more serious issue is the lack of a patch for the Pixel zero-day.

Last month, Google warned Pixel phone users that the CVE-2024-32896 vulnerability “may be subject to limited, targeted exploitation,” and the U.S. government ordered federal workers to update their Pixel devices by July 4 “or discontinue using the product.”

This Pixel patch was the second part of the April patch, and GrapheneOS, which was behind the reveal, warned that “there are two security vulnerabilities that are being fixed. Neither issue has been fixed yet outside of Pixels.”

Google confirmed this, telling me that “Android Security is aware of this issue and after further analysis, we have determined that it impacts the Android platform… Pixel devices that have the latest security update installed are protected… we are prioritizing applicable fixes for other Android OEM partners and will deploy them as soon as they are available.”

And while Google says that “additional exploits will be needed to compromise the device,” this is exactly the kind of chain attack, combining multiple vulnerabilities, that GrapheneOS is warning about. There is currently no patch for any device other than Pixels, and it could be months before one is available.

GrapheneOS also warns that another flaw — CVE-2024-29745 — still poses a threat to Samsung and other Android devices, and has also been patched only for Pixels. “CVE-2024-29745 is a more serious issue,” I was told, “and was fully patched in April for Pixels, but other devices do not yet have this protection.” Since it’s a firmware issue, it needs to be patched by the OEM. And that will take some time.

Pixels being patched while other devices are not is starting to form a pattern — and that’s not good news if you’ve just spent more than $1,000 on a new flagship. I’ve also reached out to Samsung for comment on these vulnerabilities.

Android 15 is fast approaching, and while the release will add a slew of new security updates and improved user protection, it will also hopefully iron out some of those lingering issues. But that’s a long time coming. In the meantime, Samsung users should update as soon as this month’s update becomes available for their model, region, and carrier.