Security News > 2023 > August > Android n-day bugs pose zero-day threat

In the Android ecosystem, n-day vulnerabilities are almost as dangerous as zero-days, according to Google's review of zero-days exploited in the wild in 2022.

The problem is considerable in the Android ecosystem, since Google's Android security team often quickly pushes out patches for zero-days but downstream original equipment manufacturers may take a while to release a fix for users to apply.

"We consider a patch to be complete only when it is both correct and comprehensive. A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants," Stone explained.

"When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we see vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole. Similarly, security researchers often report bugs without following up on how the patch works and exploring related attacks."

Finally, 2022 has also been marked by threat actors discovering and exploiting the same 0-day vulnerability.

"Over the last couple of years we've become aware of a trend of a high number of bug collisions, where more than one researcher has found the same vulnerability. This is happening amongst both attackers and security researchers who are reporting the bugs to vendors," Stone noted.

News URL

https://www.helpnetsecurity.com/2023/08/01/android-zero-days/