'Patch Lag' Leaves Millions of Android Devices Vulnerable

It's called a "patch gap" and describes the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers. And the latest casualties are the millions of Pixel, Samsung, Xiaomi, and other Android device brands.

According to Google's Project Zero, after its team discovered five separate bugs in the ARM Mali GPU driver, ARM  "promptly" issued a patch in July and August. Yet, Project Zero reported that every test device they looked at this week remains vulnerable. 

There is some light at the end of the tunnel: The Android and Pixel teams said this week, "The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements."

Until there's a better solution for tightening up the lag between the time a patch is issued and reaches the wider ecosystem, it's up to security teams to remain "vigilant," the Google Project Zero team advised. 

"Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies," the patch gap report explained. "Minimizing the 'patch gap' as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch."