Google kicked off February with its first serious Android alert of the year — a critical vulnerability which it warned was being exploited in the wild. Put more simply, Android devices are being attacked. The good news for Pixel owners is the Android monthly security update, complete with that fix, was rushed out almost immediately.
The vulnerability, CVE-2024-53104, affects Android’s Linux kernel, and prevents the safe handling of unexpectedly sized media files, triggering out-of-bounds memory issues. A crafted attack can use this to destabilize a device. Although no firm details have been released, it’s thought this is being exploited via external USB devices plugged into a phone, suggesting forensic extraction tools as used by law enforcement.
The U.S. cyber defense agency has now included this in its Known Exploited Vulnerabilities catalog, mandating all federal agencies and employees update their impacted devices within 21 days or “discontinue use of the product if mitigations are unavailable.” For Pixel owners that’s fine: mitigations are available, so just update your phone with February’s monthly security release before February 26th.
While CISA’s legal mandate only applies to Federal staffers, the organization’s remit is “to help every organization better manage vulnerabilities and keep pace with threat activity.” The expectation is that other private and public organizations will follow CISA’s lead and apply the same “vulnerability prioritization” and urgency.
Pixel owners have a material advantage in getting access to such fixes almost as soon as they’re released by Google. There’s no excuse for a Pixel owner to miss CISA’s deadline. If your phone is no longer on support, it’s likely time to consider an upgrade. The same speediness of updates is not the case for other OEMs, notably Samsung, which has not yet included CVE-2024-53104 in its confirmed fixes for February.
All told, this is a good time to be a Pixel owner. The fast and relatively painless release of Android 15 and then first dibs on its key security and privacy features were all very seamless. And now Android 16’s beta has been pushed first to Pixels as well. The Android world is changing rapidly as this new world order settles down.