You might recall that back in July, the U.S. government told Pixel users working for the federal government to update their phones before July 4th or stop using them. The issue was a software flaw cataloged as CVE-2024-32896 that the government said at the time “may be under limited, targeted exploitation.” Now, Samsung Galaxy phone owners working for the federal government are being given their own deadline to update their devices.
The update for the Galaxy phones contains a pair of bug fixes that will exterminate two nasty software vulnerabilities that Google says have been exploited in the real world. The government’s Cybersecurity and Infrastructure Security Agency (CISA) added the two CVE listings (one for each bug) to the Known Exploited Vulnerabilities (KEV) catalog. This action comes with an order from Uncle Sam to Galaxy device owners working for the federal government giving them 21 days to update their phones or stop using them.
We will get to the dates in one second. First, the initial warning for Pixel users in July didn’t impact Galaxy users because, at the time, the CVE was thought to affect only Pixel phones. When the vulnerability was expanded to include all Android phones, including Samsung Galaxy phones, the warning was not updated to include them. But this changed with the second CISA warning, issued on August 7th, which resulted in an August 28th deadline for federal government workers using a Samsung Galaxy device.
You might think that the alert is really limited since only Samsung Galaxy device users employed by the federal government are forced to update their Galaxy handset by August 28th or discontinue using their devices. However, there are some organizations that follow federal government guidelines. And there are probably many other corporations that should demand that their employees follow the federal government’s mandate. Millions of Galaxy smartphones have the flaw and all users should install the August security update on their Galaxy handsets ASAP.
The flaws that Samsung owners need to patch include CVE-2024-32896 and the even deadlier CVE-2024-29745. These vulnerabilities would allow attackers to escalate privileges. Privilege escalation would allow an attacker to use an app to capture information that normally would not be available to the bad actor. That includes both work-related and personal information.
Source: www.phonearena.com