If you use a device with a Qualcomm chip, Good NEWS!!!
This week, Qualcomm, a prominent US chip manufacturer, made an important announcement regarding the security of its products. They revealed that they have addressed over twenty vulnerabilities identified in their products. Notably, among these vulnerabilities, three were classified as "zero-days," which means they were previously unknown and actively exploited, and these were reported to Qualcomm by Google's cybersecurity units.
Qualcomm received information about these vulnerabilities from two key units within Google: the Threat Analysis Group and Google Project Zero. Specifically, the vulnerabilities were tracked under the following Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2023-33106, CVE-2023-33107, CVE-2023-33063, and CVE-2022-22071. It was indicated that these vulnerabilities might be currently subject to limited, targeted exploitation.
However, it's important to note that only three of these vulnerabilities are true "zero-days" because CVE-2022-22071 had already been addressed by Qualcomm in May. Details regarding the specific attacks exploiting these vulnerabilities have not been publicly disclosed. Nevertheless, the fact that Google reported them raises concerns that they might have been used by commercial spyware vendors.
Google has previously conducted investigations into exploit chains associated with spyware vendors in recent years. Threat actors have been observed utilizing such exploit techniques to deliver spyware onto devices running Android or iOS, both of which can include Qualcomm chips.
The majority of the other vulnerabilities that Qualcomm addressed this week have been categorized with 'critical' and 'high' severity ratings. These vulnerabilities were discovered internally by Qualcomm's security team. They primarily affect various components, including modems, WLAN (Wireless Local Area Network) firmware, and automotive products. These issues have been characterized as memory-related bugs and information disclosure problems. Memory-related bugs typically have the potential to allow unauthorized execution of arbitrary code or result in a denial of service (DoS) situation.
In parallel with Qualcomm's announcement, Google also released Android security updates this week. These updates included patches for two zero-day vulnerabilities, one of which is identified as CVE-2023-4211. This particular vulnerability pertains to a bug within the Arm Mali GPU (Graphics Processing Unit) driver, and it is known to have been targeted in attacks that aimed to deliver spyware.
In summary, Qualcomm has taken proactive steps to address a significant number of vulnerabilities in its products, with some of them being actively exploited zero-days. The involvement of Google in reporting these vulnerabilities highlights potential security concerns, particularly in relation to commercial spyware activities targeting devices with Qualcomm chips.