Android has updated its May security notice to acknowledge that four vulnerabilities have been exploited in-the-wild — although the perennial lack of detail from Google has left security professionals frustrated.
The bugs exploited are a brace apiece in firmware for GPUs from ARM and Qualcomm respectively and include the ability — for a non-priveleged user who knows how to exploit them — to make “improper operations on GPU memory to enter into a use-after-free scenario [and gain] root privilege, and/or disclose information”.
The security update for May includes three remote code execution (RCE) bugs: CVE-2021-0473/0474/0475: “The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” the security advisory noted.
It was not those more obviously critical bugs being actively atttacked, however. Rather, Qualcomm GPU: (CVE-2021-1905, CVE-2021-1906) and ARM Mali GPU (CVE-2021-28663, CVE-2021-28664) vulns “may be under limited, targeted exploitation” Android’s security advisory said.
Some frustration has been bubbling in the security community for some time over vague advisories from Android as well as Chrome, with Google’s security teams often pointing to active exploitation but not providing IOCs or further details. As this spilled over on Twitter anew, Google Threat Analysis Group (TAG)’s Shane Huntley moved to justify the limited disclosures. As he noted: “I understand the frustration sometimes that people aren’t always getting the IOCs and details they want but I can maybe shed a little more light here.
“Firstly not all ‘In The Wild’ reports mean that we know exactly the target set. ‘In The Wild’ could mean that the exploit was discovered on the black market or a hacker forum or reported to us from a source that wished to remain anonymous. In those cases the IOCs or targeting isn’t available or known. We strongly believe that there’s a difference between exploits found ourselves or reported through coordinated disclosure and ones we know to be in the hands of attackers. Flagging the latter helps with prioritization. We are working to provide more information where possible on what we observe but it is a trade off and sometimes either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can.”
Users, meanwhile, should just update as fast as they can.