Tag Archive for: Pixel

CISA ADDS ANDROID PIXEL AND SUNHILLO SURELINE BUGS TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG



Pierluigi Paganini
March 06, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel and Sunhillo SureLine vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

The Android Pixel vulnerability, tracked as CVE-2023-21237, resides in applyRemoteView of NotificationContentInflater.java. The exploitation of this vulnerability could lead to local information disclosure with no additional execution privileges needed. The exploitation doesn’t require user interaction.

Google addressed the issue in June 2023; the IT giant is aware of “limited, targeted exploitation.”

“There are indications that CVE-2023-21237 may be under limited, targeted exploitation,” reads the security bulletin published by the company.

The issue is likely chained with other flaws in an exploit used by a commercial spyware vendor or a nation-state actor.

The second issue added to the Catalog is an OS Command Injection vulnerability in Sunhillo SureLine. Exploitation of the flaw can allow an attacker to execute arbitrary commands with root privileges.

The exploitation can lead to complete system compromise.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 26, 2024.


Google issuing new security warnings for Galaxy and Pixel users — what you need to know


A new Android Safe Browsing warning has started to appear on some Samsung Galaxy and Google Pixel devices to help combat malware and protect users while using supported apps.

According to a recent post on X by Mishaal Rahman: “Google is rolling out a new ‘Android Safe Browsing’ page to users that lets you see which apps support the feature as well as a toggle ‘live threat protection’ which enables ‘more accurate threat detection.’”


Pixel 4a 5G and Pixel 5 get surprise final updates



TL;DR

  • There are new Android updates for the Pixel 4a 5G and the Pixel 5.
  • The update is small (just over 10MB) and likely just security updates and bug fixes.
  • This is unexpected, as both phones reached end-of-life status in November 2023.

Earlier this week, Google rolled out the latest Android security patch to active Pixel devices. As expected, the oldest phone to receive that patch was the Google Pixel 5a, which launched in August 2021. However, now there are two updates for other, older Pixel phones: the Pixel 4a 5G and Pixel 5.

You can find the two updates on Google’s list of OTA releases. However, you don’t need to download them from there if you’re not in a rush. Since this is an OTA update, you’ll get a notification on your Pixel 4a 5G or Pixel 5 in the next few days if you haven’t already.

Unfortunately, Google is being very secretive about what’s included with these updates. Thanks to a Reddit thread, we see that the update is very small at just over 10MB. It doesn’t include a new security update, as it’s still on the November 2023 patch. Being that it’s so small and doesn’t have the latest fixes, we can only imagine this is an update that specifically addresses critical bugs or security risks for these two phones. However, for what it’s worth, one Redditor does claim that their phone feels “snappier and smoother” after the update.

Google has been known to do this in the past. When incredibly critical security exploits are found, the company pulls Pixels out of update retirement to get the fix out there. However, this rarely includes new features or other dramatic changes.


What is the Titan M2 security chip in Google’s Pixel phones?



With the Pixel 6 series, Google began developing its in-house Tensor SoC. But that wasn’t the first time the search giant used a piece of custom silicon in its smartphones – the Pixel 2’s Pixel Visual Core was technically the first. One generation later, the company announced that Pixel 3 devices would include a hardware security module dubbed Titan M. Then, in 2021, Google followed it up with the Titan M2. The security chip has since become a selling point for Google phones like the Pixel 8 series.

So in this article, let’s take a closer look at the role of the Titan M2 in Pixel devices, how it works, and why it’s even necessary in the first place.

What is the Titan M2 chip all about?


Google’s Titan server chip (left) and first-generation Titan M security chip (right)

The Titan M2 is a dedicated security chip included in Pixel 6 and Pixel 7 series smartphones. You’ll also find it in some other Google products like the Pixel Tablet. Google designed the Titan M2 in-house so that it could exercise complete control over its feature set. The chip is based on the RISC-V CPU architecture and contains its own memory, RAM, and cryptographic accelerator.

The Titan M2 is one of the many measures Google has employed to improve smartphone security over the years. The company uses the chip in its Pixel phones to provide an additional layer of protection on top of Android’s default security measures.


Take Android’s mandatory full-disk encryption. On most devices, it relies on a security feature known as a Trusted Execution Environment (TEE), which is essentially the secure area of a processor. Android devices store their encryption keys within this secure area, which is in turn guarded with your pattern, PIN, or passcode. In other words, the TEE isolates cryptographic keys and never reveals them to the user or even the operating system.

Virtually all smartphone SoCs in this day and age have a TEE or similar secure environment. On Snapdragon chips, it’s commonly referred to as the Qualcomm Secure Execution Environment (QSEE). Apple’s Arm-based chips like the M1 have the Secure Enclave. With these…
