Forbes - Apr 15, 2024

Samsung Issues Critical Update For Millions Of Galaxy Users



Zak Doffman Contributor

I cover security and surveillance

Apr 14, 2024, 08:30am EDT


Millions of Samsung Galaxy users now have access to a security update that should be installed right away—especially because one critical fix has just arrived late...


Updated 04/14; originally published 04/11.

Samsung’s update merry-go-round started early this month, with its latest flagship—the S24—receiving April’s security patches as well as some eagerly anticipated camera fixes before the end of March. Now the update has reached other flagships, and is starting to become available for S23, S22 and S21 Series devices.

Users will need to watch for specific availability based on network and geography, but if it’s not there now it should be soon. As ever, users with older or less expensive devices will be waiting until later in the month, assuming those devices remain on the monthly schedule and haven't been relegated to quarterly updates.


You can check your own device’s update frequency here, while the specific details for April’s update can be found here.

Samsung’s security update contains the usual mix of Android and Samsung’s own patches, with the most critical patch sitting within the Android bundle. The fix for CVE-2023-28578 addresses a memory corruption issue in Qualcomm’s chipset.


Details—as usual—are scarce at this early stage, but the Android team says it involves “a system component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.” This suggests an attack would require a device to be operating outside normal conditions and exploitation to be part of a chain.

That critical Qualcomm patch actually appeared in Android’s March update bulletin but was missing from Samsung’s that same month and has only been made available now—at least according to the release notes.

To be frank, this, combined with the four high-risk April patches on Samsung’s side—all of which potentially expose a device to arbitrary code execution—means it’s worth updating as soon as possible, albeit there’s no suggestion that any of the Samsung vulnerabilities can be exploited without physical access to a device.

Link: https://twitter.com/GrapheneOS/status/1745506661467299946


Contrast this with Google’s own update for Pixel owners this month, which included two high severity threats and a warning that they “may be under limited, targeted exploitation.” That’s a much more serious “update now” warning to receive.

Those exploiting Pixel devices are thought to be forensic or spyware companies seeking to extract data from devices, with the alarm first raised by GrapheneOS in January.

And while Samsung’s monthly update cycle always compares unfavorably to Apple’s simple one-stop-shop for iOS, it seems that iPhone users have their own “limited exploitation” problems. As reported by Kate O’Flaherty, Apple has warned users in 92 countries that they may have been specifically targeted.

Those users with reason to fear that kind of unwanted attention can take precautions whether on Android or iPhone, with Google’s Advanced Protection Program and Apple’s Lockdown Mode offering better defenses, albeit with usability compromises.

For Samsung users this month, we wait to see what further advances the company intends to make with its seamless update adoption after trialing it last month. The company is also updating its actual “Software Update” app, which will confuse many but is just the app that checks for updates—as the name might suggest.


04/14 update: Samsung’s model-by-model approach isn’t limited to just monthly security updates; we’re now seeing something similar on the Galaxy AI front, albeit this seems more inevitable, as older models try to catch up with the latest flagships, which were built with Galaxy AI performance in mind.

This has security and privacy considerations, given Samsung’s focus on “hybrid AI,” which, in the company’s own words, “combines not only cloud-based but also on-device AI technology.” Localizing sensitive AI tasks—especially where private user data is being analyzed—is set to become the next privacy battlefield on our phones. We expect Apple’s approach to differ from Google’s, where a mix of different privacy policies for different products is already confusing.

Samsung is somewhere in the middle. “When integrated into phones, AI is, to put it simply, a revolution,” the company’s mobile lead TM Roh has explained. “It’s also important to raise the standards of security and privacy in this new era of data-intensive mobile experiences. That is one of the reasons we’ve taken a hybrid approach that combines on-device and cloud-based AI. Besides ensuring seamless usability, this lets users limit some features to function entirely on-device, giving them greater control over what they do with their data.”

I have reported before that Samsung seems likely to bring Galaxy AI to older phones—not just current flagships. Now this has possibly just been confirmed, with several outlets (1,2) picking up on a Samsung rep telling a Korean user forum that cut-down versions of its AI package are coming to devices dating back all the way to 2021, albeit the older your device the fewer features you will get.

As Android Central reports, “the Galaxy S22 series, Flip 4, Fold 4, and the Tab S8 series will receive the same Galaxy AI features as the S23 FE... This means that the devices will gain everything except for Instant Slow-mo as Samsung notably left the recent FE series out during its confirmation in February... The Galaxy S21 series, the Flip 3, and Fold 3 are in the crosshairs of only two Galaxy AI features: Google's ‘Circle to Search’ and Chat Assist.”

This isn’t just drip-feeding AI features to encourage upgrades; it’s a hardware issue. As Roh has said, “[AI] is highly impacted by hardware performance [and] a lot of resource is being invested in on-device AI given these hardware constraints.” It’s a hardware issue specifically because of that privacy-focused hybrid approach—hybrid means more AI-capable processing on the device itself.

This is interesting for Galaxy users, but also for iPhone users. With heady expectations that iOS 18 will bring exciting AI upgrades to iPhones in the fall, the focus will quickly turn to Apple’s ability to develop its own hybrid approach, especially if it partners with Google and others with cloud-first AI offerings.

When Apple’s AI upgrade becomes clearer from June’s WWDC onward, we will get a sense of what’s to come and how it will upgrade (or not) older devices with limited onboard processing, designed without new AI features in mind, but with the same user privacy and security expectations.

Just as we’re now seeing with Samsung...


Source: https://www.forbes.com/sites/zakdoffman/2024/04/14/samsung-s24-ultra-s23-free-update-warning-for-galaxy-android-users/?ss=cybersecurity&sh=385ad3f39b57
