If you are an Android user, regardless of your hardware vendor of choice, then pay particular attention to getting the 36 vulnerability-fixing May security update installed as soon as possible. Why the concern? A high-severity vulnerability that was disclosed way back in January and perhaps unsurprisingly is being exploited in the wild, has now been fixed. It’s a Linux kernel vulnerability given the name ‘Dirty Pipe‘ by the researcher who uncovered it. Actually, us boring and nerdy security types more formally refer to it as CVE-2022-0847.
CVE-2022-0847 exploit status confirmed by Google and CISA
The in-the-wild status of CVE-2022-0847 has been confirmed by Google and the US Cybersecurity and Infrastructure Security Agency has added it to the ‘known exploited vulnerabilities‘ catalog.
Regardless of what you call it only newer Android devices are affected, mostly 2022 models running Android 12 or later, which is really the only saving grace. So, that’s the good news. Does that mean you can relax if you, like most people, are using a phone from 2021 or earlier? Nope, sorry. While Dirty Pipe won’t impact you, the May security fix covers a whole bunch that will, including some high-severity vulnerabilities in the Android Framework component that could allow an escalation of privilege attack.
Regardless of your Android device age, please apply the update as a matter of urgency.
36 vulnerabilities fixed in the May Android security patch
In all, some 36 vulnerabilities have been addressed in the May Android security update. Just to complicate matters a little, these are spread across two Android security updates from Google: the first dated May 1 and the second May 5.
The good news is that the latter should be bundled with the former, and most device vendors will just issue the one complete update. Google said that the split is so that vendors have the flexibility to fix those vulnerabilities that are “similar across all Android devices more quickly” but confirmed that security patch level 2022-05-05 would include all the earlier fixes.
Additional critical vulnerabilities patched for Google Pixel users
Users of a Google Pixel phone should be especially time-critical in applying the update as this will include another 11 vulnerabilities unique to the device. The full details can be found here but the takeaway is that there are two critical vulnerabilities to be fixed. One is a remote code execution issue with the bootloader, the other an information disclosure issue with the Titan-M security chip.
Samsung users also need to pay security patching attention
If you are a Samsung smartphone user then you don’t escape getting hit with the additional vulnerabilities stick I’m afraid. In all, some 18 vulnerabilities are fixed by this update, along with the Google patches. These vary in severity from low to high, at least those that have been disclosed do. Samsung also stated that some of the security vulnerabilities “cannot be disclosed at this time.” Although no further information is offered, this would usually indicate vulnerabilities of a critical nature that may already be subject to exploitation in the wild. It’s not unusual to withhold details on such things until a majority of users have had the opportunity to install the protective patch.
We know you may get fed up with the contributors to Straight Talking Cyber keep telling you to update now, but it really is the best advice when it comes to these security fixes.