A Patch Gap is nothing but the time frame taken by manufacturers to roll out security patches for vendors. And in a given situation, if this time gap increases, then there is a high probability that millions of devices could be susceptible to sophisticated attacks.
Making this issue a critical point of focus, Google’s Project Zero project discovered that manufacturers are not paying in offering software updates to mobiles, after their first year of sale or else after the warranty period of phones and this is making the devices super-vulnerable to hackers.
For instance, a patch related to ARM Mali GPU drivers was issued by ARM in July this year. And there are still many devices that haven’t received the patches, as their manufacturers are showing disinterested in rolling updates at the earliest.
Concerningly, the trend to not release the patches as early as possible was also being observed on Pixel, Samsung and Xiaomi phones, that usually sell like hot cakes all over the world.
Google Project Zero says that manufacturers must show an interest in patching their already-in-use devices or else their security teams might face harsh challenges that can put their businesses in jeopardy within no time.
Full article: https://www.cybersecurity-insiders.com/patch-gap-issues-puts-millions-of-android-devices-to-vulnerability/
Commentary by Olabanji Soledayo:
" It is no surprise that of all possible teams it was Google's own Project Zero who pointed directly at the security issues that arise when available updates and patches are not applied in time, as Project Zero is specialized in finding vulnerabilities in code and hardware. Updates for hard-, soft- and firmware often do exist - not only on mobile platforms such as Android - but aren't installed or only with a long delay. To name an example: our telemetry shows constant attacks on long patched Microsoft Word and Apache vulnerabilities, which wouldn't happen if hackers wouldn't know that there's plenty of systems open for such kind of attacks. For a while now Google has not only put pressure on Android device manufacturers but also introduced system updates via Google Play to help minimize the attack surface on other devices than the Google Pixel line. Maybe it's time that also consumers and companies alike put a little more pressure on the device vendors for a sensible and contemporary patch strategy. Maybe cybersecurity can turn into a selling point of certain vendors? One may dream..."
Comments