Samsung is now accelerating the rollout of its critical November security release. This protects devices against a range of serious threats, some of which are known to be under active attack. This week we have seen more Galaxy S24 users receive their updates, as well as those with older flagships and newer Folds and Flips.
And so, this is a timely reminder that the US government deadline to apply this update is now fast approaching. The Android Framework “contains an unspecified vulnerability that allows for privilege escalation,” CISA warned this month, mandating users “apply mitigations per vendor instructions” by November 28, “or discontinue use of the product if mitigations are unavailable.” In other words, update your phone by that date or stop using it until you do.
While CISA’s formal mandate applies just to federal employees, the US cybersecurity agency’s remit is much broader, helping “every organization better manage vulnerabilities and keep pace with threat activity.” It maintains its Known Exploited Vulnerabilities (KEV) catalog for the benefits of all organizations, “as an input to their vulnerability management prioritization framework.”
There was a strong push for Samsung’s November security update earlier in the month, with Android Police reporting that “just a day after releasing the November 2024 update for the Galaxy S24, Samsung has rolled out the same security patch for Galaxy S23 users in the US. It’s impressive to see Samsung delivering updates so promptly — especially before Google’s own Pixel devices.”
Whether deliberate or not, we have seen accelerated US update schedules before when the government has mandated that fixes be applied, so one would expect all US users on a current monthly update schedule to be able to update on time. A separate issue remains, of course: Qualcomm’s zero-day patch from last month did not make it into Samsung’s November release, unlike Pixels. It is unclear whether this has been applied or not, and CISA’s separate October deadline for it has already been missed by all; but Samsung assures that the fix is being rolled out to devices, despite it missing from the November security update bulletin.
“We are aware of the report regarding potential vulnerabilities in some of Qualcomm’s chipsets and have been working with Qualcomm to address this issue,” the company told me when I asked about CVE-2024-43047. “We have started rolling out security updates since October, but updates may continue being released at a later date, which will vary by network provider or model. We always recommend that users keep their devices up-to-date with the latest software updates.”
As regards CISA’s November 28 update mandate, Google warned at the beginning of the month that CVE-2024-43093 “may be under limited, targeted exploitation,” though no other details were provided. This was patched for all Android devices, in contrast to the similar CVE-2024-32896, which was infamously first patched just on Pixels and only later widened to all Android OEMs, including Samsung.
Zimperium’s 2024 Global Mobile Threat Report warns that 82% of organizations allow employees to bring their own devices (BYOD) into the office and connect to enterprise systems. This raises the bar for corporate security teams, which brings us back to the wider applicability for CISA’s update mandates.
The vulnerability enables an attacker to access restricted storage on devices, which is a clear risk, especially given Zimperium’s finding that 70% of organizations “fail to adequately secure personal devices used for work purposes,” with “90% of successful cyberattacks originate from endpoint devices [and] 71% of employees admitting to engaging in actions they knew were risky.”
Also this week, we have seen reports of an unexpected additional Samsung update making its way onto some flagships. Per SammyFans, “Samsung pushed an urgent new software update for select Galaxy devices. Many users received a home screen pop-up, recommending they install the latest update… The nature of this update seems regular, but it may have included noteworthy stuff for your Galaxy.”
All told, heed CISA’s advice and deadline and ensure that all updates are applied to your phone, especially if you take it into work and/or connect to company systems. You can check whether your model is due this release here. If not, it might be time to consider an upgrade to a phone with a monthly security update schedule.
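For teams that let staff bring Galaxy phones onto company systems, here is an added example (not from the article, Samsung or CISA) that checks a device inventory’s Android security patch levels against the CISA due date and applies its “patch or discontinue use” rule. It assumes the November 2024 patch level `2024-11-01` is the minimum that carries the CVE-2024-43093 framework fix; the inventory rows and the `assess_inventory` / `action_for` helpers are constructed for illustration.

```python
from datetime import date, datetime

# Assumption: the November 2024 Android bulletin (patch level 2024-11-01) is the
# minimum level carrying the CVE-2024-43093 framework fix the article discusses.
REQUIRED_PATCH_LEVEL = date(2024, 11, 1)
# CISA KEV due date for CVE-2024-43093, as quoted in the article.
CISA_DUE_DATE = date(2024, 11, 28)

# Constructed sample inventory: device id, model, ro.build.version.security_patch.
# In practice these rows would come from an MDM export or `adb shell getprop`.
SAMPLE_INVENTORY = """\
dev-001,SM-S928U,2024-11-01
dev-002,SM-S911U,2024-10-01
dev-003,SM-F956U,2024-11-05
dev-004,SM-G991U,2023-12-01
dev-005,SM-S921U,unknown
"""


def parse_patch_level(value):
    """Return the security patch level as a date, or None if it is unusable."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def assess_inventory(csv_text, required=REQUIRED_PATCH_LEVEL):
    """Map each device id to 'compliant', 'noncompliant' or 'unknown'."""
    results = {}
    for line in csv_text.splitlines():
        fields = [part.strip() for part in line.split(",")]
        if len(fields) != 3:
            continue  # skip blank or malformed rows rather than guess at them
        dev_id, _model, patch = fields
        level = parse_patch_level(patch)
        if level is None:
            results[dev_id] = "unknown"  # cannot prove compliance; treat as a gap
        elif level >= required:
            results[dev_id] = "compliant"
        else:
            results[dev_id] = "noncompliant"
    return results


def action_for(results, today, due=CISA_DUE_DATE):
    """Before the due date every gap means 'patch'; after it, CISA's rule is 'discontinue'."""
    verdict = "discontinue" if today > due else "patch"
    return {dev: verdict for dev, status in results.items() if status != "compliant"}
```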