Samsung Galaxy users – install this update urgently before this week’s deadline.
This month’s security update for Samsung Galaxy users is even more critical than we thought. We knew it fixed two vulnerabilities that were actively exploited and prompted warnings from the US government, with the August 28 deadline for all federal employees to update or stop using their phones now just 72 hours away. But now we know that there is another serious vulnerability that is putting millions of users at risk. And the only reason this hasn’t made headlines is stupidly simple – it’s a typo.
First, on those two government warnings. Samsung's new update fixes two Android vulnerabilities, CVE-2024-32896 and CVE-2024-36971, both of which have been exploited in the wild. The first was fixed for Pixels in June but wasn't identified as a Samsung issue until weeks later, with the Samsung update not available until this month. The second was patched just this month, with Samsung and Google releasing updates immediately. That's why this month's single release for Samsung Galaxy users contains two tier-one fixes.
But there's a third serious issue for Samsung Galaxy users, at least those with the S24 and A54. CVE-2024-31960 is a high-severity use-after-free (UAF) memory vulnerability in Samsung Semiconductor's Exynos 1480 and Exynos 2400 chipsets that has been quietly patched in the August release. It didn't show up in searches of Samsung's August security bulletin because it was listed there as the shorter "CVE-2024-3196," with the final digit missing. "Samsung Semiconductor patches are also included in this Security Maintenance Release with the following CVE component," the company advises. "High: CVE-2024-3196."
Unfortunate typo in the August security alert
As Kaspersky explains, a UAF vulnerability "is related to incorrect use of dynamic memory during program operation," warning that "an attacker can use UAF to pass arbitrary code—or a reference to it—into a program and navigate to the beginning of the code using a dangling pointer. In this way, the execution of the malicious code can allow the cybercriminal to gain control of the victim's system."
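The mechanism Kaspersky describes, shown as an added illustration that is not from the article, from Kaspersky or from Samsung: a deliberately small C program in which a record is freed, the freed memory is reclaimed by an attacker-controlled allocation of the same size, and the stale pointer then dispatches through attacker-chosen data. The single-slot allocator, the `cmd` record and the handler names are hypothetical, chosen so the outcome is deterministic rather than dependent on the system allocator; nothing here reflects the actual Exynos GPU driver bug, whose details the page does not give.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical single-slot allocator: freed memory is always reused by the
 * next allocation, so the dangling-pointer outcome below is deterministic. */
static unsigned char slot[64];
static int slot_in_use;

static void *slot_alloc(size_t n)
{
    if (slot_in_use || n > sizeof slot)
        return NULL;
    slot_in_use = 1;
    memset(slot, 0, sizeof slot);
    return slot;
}

static void slot_free(void *p)
{
    if (p == (void *)slot)
        slot_in_use = 0;
}

/* Hypothetical object: a command record dispatched through a function
 * pointer, a stand-in for the kind of driver structure a UAF targets. */
typedef int (*handler_fn)(void);
struct cmd {
    handler_fn handler;
    char name[16];
};

static int benign_handler(void)   { return 0; }
static int attacker_handler(void) { return 1; } /* stands in for attacker-chosen code */

/* Vulnerable pattern: the record is freed, but the stale pointer is still
 * dispatched. Returns 1 when the attacker's handler ran via the dangling pointer. */
int vulnerable_dispatch(void)
{
    struct cmd *c = slot_alloc(sizeof *c);
    if (!c) return -2;
    c->handler = benign_handler;
    strcpy(c->name, "benign");
    slot_free(c);                 /* c now dangles */

    /* An attacker-controlled allocation of the same size reclaims the slot... */
    struct cmd *evil = slot_alloc(sizeof *evil);
    if (!evil) return -2;
    evil->handler = attacker_handler;
    strcpy(evil->name, "evil");

    /* ...and the stale pointer dispatches through attacker-chosen data. */
    int ran = c->handler();
    slot_free(evil);
    return ran;
}

/* Hardened pattern: the reference is cleared at free time and checked before
 * use. Returns -1 because the stale use is refused rather than dispatched. */
int hardened_dispatch(void)
{
    struct cmd *c = slot_alloc(sizeof *c);
    if (!c) return -2;
    c->handler = benign_handler;
    strcpy(c->name, "benign");
    slot_free(c);
    c = NULL;                     /* no dangling pointer survives the free */

    struct cmd *evil = slot_alloc(sizeof *evil);
    if (!evil) return -2;
    evil->handler = attacker_handler;
    strcpy(evil->name, "evil");
    slot_free(evil);

    if (c == NULL)
        return -1;                /* stale reference detected, not dispatched */
    return c->handler();
}

int main(void)
{
    printf("vulnerable: %d (1 = attacker handler ran)\n", vulnerable_dispatch());
    printf("hardened:   %d (-1 = use refused)\n", hardened_dispatch());
    return 0;
}
```

The point of the two functions is the gap between "the memory was freed" and "nothing still points at it": the hardened version closes that gap by nulling the pointer at the free site, which is the same discipline a GPU driver patch for a UAF typically enforces around object lifetimes.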
Credit to Sammy Fans for identifying the missing link: "The August 2024 update changelog does not mention the inclusion of a critical patch. After digging into the details, I found that the release fixes a serious issue related to the Xclipse GPU driver of the Galaxy S24, S24 Plus and A54 5G."
While this newly highlighted issue is specific to certain models, the two critical Android fixes apply generally, and even though CISA's instruction to update or stop using affected phones by August 28 is only mandatory for federal agencies, its intended reach is much broader. "To help every organization better manage vulnerabilities and keep pace with threat activity," says CISA, "use the KEV catalog as input for [your] vulnerability management prioritization framework."
The advice should be as simple as updating your phone by the date given. But the problem for many users is that there is no update available yet. Samsung told me it will follow its monthly update scope and schedule, which means many users will miss the deadline, though four-year-old S20 models have been updated despite having dropped off the official monthly rotation, and updates for US users have been accelerated this month. All this means that the latest phones, and certainly recent flagships, can be fixed.
Just in the last few days we've seen new Android warnings about an NFC exploit that puts "fingerprint and credit card data at risk," and security reports come out every month warning users about the growing risk of malware, whether from the Play Store, third-party installations, or direct delivery. This is no time to be running a phone without security support.
If you're a federal employee, you must update your phone by Wednesday or stop using it. If you're not a federal employee, you should update your phone now anyway. It is also recommended that all public and private organizations ensure every Android device connected to internal systems or networks is updated on this schedule.
If you have a Samsung or any other Android device, check your phone now…