Samsung’s July security update has been released, but it fails to address a significant security risk that was highlighted in Google’s Pixel zero-day warning in June. The vulnerability, CVE-2024-32896, could potentially be exploited by attackers, prompting a US government warning for federal employees to update their Pixel devices by July 4 or discontinue use.
Samsung’s update does include four other critical Android security fixes. Three of these patch Qualcomm vulnerabilities that were delayed from Android’s June update. The fourth addresses an input validation risk that could enable a remote attacker to execute arbitrary code by compromising secure control data on the device, although triggering it requires user interaction.
Google has confirmed that this vulnerability, CVE-2024-31320, impacts Android’s underlying framework and could lead to local escalation of privilege with no additional execution privileges needed. Samsung has warned that component updates may come later than software and firmware patches, but Pixel has managed to release these more quickly.
GrapheneOS, a custom Android operating system, has also warned about another vulnerability, CVE-2024-29745, which remains a threat to Samsung and other Android devices. This vulnerability has only been patched on Pixels. Because it is a firmware issue, it has to be patched OEM by OEM, which takes time to roll out.
Samsung users are advised to update their devices as soon as the July security update is available for their specific model, region, and carrier. The upcoming Android 15 release is expected to add new security updates and enhanced user protection, but it’s a long wait for the resolution of these outstanding issues.