Return to list of client alerts
The bug, which was patched this month, allows a hacker to achieve remote escalation of privilege with no user interaction at all. Since this patch is just now being rolled out, Google is not saying very much about how the bug works.
There are, apparently, two patch bundles this month. According to Google:
These flaws are addressed in the 2022-02-01 update bundle. There’s a separate set of patches, dated 2022-02-05, that close a high-severity hole in System; a high-severity hole in Amlogic’s Fastboot component; five high-severity bugs in MediaTek code; three in Unisoc code; and 10 high-severity and one critical in Qualcomm code. Your device will only need these hardware-specific patches if it has the relevant chipset.
Critical Android 12 bug fixed in February security patches • The Register
The challenge with Android phones is that there are so many makers and there are so many phones out there that are no longer receiving patches – if they ever did – that the users are exposed and probably don’t even know it.
Many companies have a rule that if the phone is no longer supported, you cannot connect to company apps or company data, including email. While this may annoy some corporate users, it also reduces the risk to the company.
With Android phones you also have to understand the patch lifecycle. Phones which were released ORIGINALLY with an OS earlier than 10 rely on the phone carrier to do the patching. This varies a lot from phone to phone and carrier to carrier. With Android 10 (but only if the phone originally shipped with 10), the carrier could choose to let Google push the base OS patches and the carrier could still push the feature patches. Each carrier made their own decision on this.
Over the last many years I have been buying only Google phones because security is important to me. For my phone, the February patches are already installed. For me, that is a huge win. Other people have other criteria.
But this month is the last month that Google will be patching the Pixel 3 family and the Pixel 3A family reaches end of life in May. Apple has similar rules. After end of life there are no patches, so it is kind of like running with scissors – not necessarily a great idea.
But when it comes to protecting your corporate assets, you have to make some decisions about the minimum acceptable level of security.
While this is also true for iPhones, since there is only one maker and in the entire history of iPhones there have been less models released than are released in a month for Androids, it is much less of a problem.
Business leaders need to understand the risk and make some decisions.
Credit: The Register