Three weeks after Google released the May 2021 Android security update, the Google Project Zero team has revealed that four of the vulnerabilities patched were already under attack.
“There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,” Google said in a note on its May 2021 bulletin, which was published on May 1.
Google Project Zero security researcher Maddie Stone flagged in a tweet that these were zero-day, or previously unknown, flaws.
The four flaws affect Qualcomm’s GPU (CVE-2021-1905, CVE-2021-1906) and the Arm Mali GPU (CVE-2021-28663, CVE-2021-28664).
As Project Zero notes in its “0day ‘in the wild’” spreadsheet, the Arm bugs comprise a flaw that allows an attacker to write to read-only memory in the Mali GPU and a use-after-free memory flaw in the GPU. The Qualcomm bugs comprise an improper error handling flaw and a use-after-free flaw in the GPU.
Google copped flak from security reporter Dan Goodin for saying the bugs “may be under limited, targeted exploitation”, because the wording was “vague to the point of being meaningless”.
Shane Huntley from Google’s Threat Analysis Group (TAG), who in November revealed three zero-day flaws in Apple’s iOS, defended Google’s phrasing, highlighting that Google doesn’t always have the information at hand to say whether a vulnerability is under attack. TAG also discovered and disclosed the zero-day flaws in Apple’s WebKit browser that prompted Apple to issue the emergency iOS 14.4.2 update in March. Apple even updated older iOS devices to version 12.5.2 to address those issues.
“I understand the frustration sometimes that people aren’t always getting the IOCs and details they want but I can maybe shed a little more light here,” he wrote, referring to indicators of compromise (IOC).
“Firstly, not all ‘In The Wild’ reports mean that we know exactly the target set. ‘In The Wild’ could mean that the exploit was discovered on the black market or a hacker forum or reported to us from a source that wished to remain anonymous. In those cases the IOCs or targeting isn’t available or known.
“We strongly believe that there’s a difference between exploits found ourselves or reported through coordinated disclosure and ones we know to be in the hands of attackers. Flagging the latter helps with prioritization.
“We are working to provide more information where possible on what we observe but it is a trade-off and sometimes [we] either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can.”
Qualcomm says in its advisory that CVE-2021-1905 was reported to it on 17 November 2020 and rates it as a high-severity flaw. CVE-2021-1906 is a medium-severity flaw reported to it on 7 December 2020.
The flaws affect an enormous number of Qualcomm chipsets but require local access to be exploited, according to the chipmaker.
Samsung only yesterday started rolling out the May 2021 Android security patch to its flagship Galaxy S21 phones, as SamMobile reports. But Samsung’s hugely popular A-series smartphones have not received this update yet.