Still trying to get caught up with the postings after last week’s holiday break. We have a couple items from Google in regards to their Chrome browser and Android (mobile) operating system.
Google pushes emergency Chrome update to fix 8th zero-day in 2022. This update was pushed out late Thursday so most users if they have already restarted Chrome will already have the newest patched version. If you are in doubt click the three dots in the upper right and go to Help > About Google Chrome. If your Google Chrome is up to date you will see the below dialog. Otherwise, you will be seeing Chrome installing the update and telling you to restart the browser.
The high-severity flaw is tracked as CVE-2022-4135 and is a heap buffer overflow in GPU, discovered by Clement Lecigne of Google’s Threat Analysis Group on November 22, 2022.
“Google is aware that an exploit for CVE-2022-4135 exists in the wild,” reads the update notice.
Google says Google should do a better job of patching Android phones. More specifically, the Android and Pixel teams, which Project Zero says aren’t dealing with bugs in the ARM GPU driver quickly enough.
In June, Project Zero researcher Maddie Stone detailed an in-the-wild exploit for the Pixel 6, where bugs in the ARM GPU driver could let a non-privileged user get write access to read-only memory. Another Project Zero researcher, Jann Horn, spent the next three weeks finding related vulnerabilities in the driver. The post says these bugs could allow “an attacker with native code execution in an app context [to] gain full access to the system, bypassing Android’s permissions model and allowing broad access to user data.”
Project Zero says it reported these issues to ARM “between June and July 2022” and that ARM fixed the issues “promptly” in July and August, issuing a security bulletin (CVE-2022-36449) and publishing fixed source code. But these actively exploited vulnerabilities haven’t been patched for users. The groups dropping the ball are apparently Google and various Android OEMs, as Project Zero says that months after ARM fixed the vulnerabilities, “all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins.”
Google sued by FTC and seven states over ‘deceptive’ Pixel 4 ads. Another day, another FTC lawsuit against Google. I am sure this type of ‘deception’ has been going on for decades the only reason it has come to light now was because it involves Google.
You’re not the only one wondering if that social media star really used a hot new phone. The Federal Trade Commission and seven states have sued Google and iHeartMedia for running allegedly “deceptive” Pixel 4 ads. Promos aired between 2019 and 2020 featured influencers that extolled the features of phones they reportedly didn’t own — Google didn’t even supply Pixels before most of the ads were recorded, officials said.
iHeartMedia and 11 other radio networks ran the Pixel 4 ads in ten large markets. They aired about 29,000 times. It’s not clear how many people listened to the commercials.
