There has been a nervy silence from Samsung in the last fortnight, as owners of its premium Galaxy devices await the critical updates first announced at the beginning of July. The good news is that the release is finally deploying more widely. The bad news is that it’s still missing the most critical update of all—and here Samsung’s continued silence is a much bigger problem for millions of users.

While July’s update has been issued for some devices since its first release for the S24, it’s only really this week that we’ve seen a raft of headlines as a wider array of S22s and S21s received their fixes. As users know, it’s always something of a lottery when it comes to the monthly timetable, with updates applied by model, region and carrier. It remains a serious gap compared with iPhone and, increasingly, even Pixel.

The update patches four critical Android security issues—albeit three of those were delayed from June and shore up security on Qualcomm hardware. Samsung warns users that third-party hardware updates might be delayed in this way, although Google seems able to get them out more efficiently. The fourth critical update, which impacts Android’s core framework, has been released back-to-back with Android.

As for the catch, there’s still no timing news on when Galaxy devices can expect to see security releases for CVE-2024-32896, which is the actively exploited vulnerability behind Pixel’s June “zero-day” warnings and the US government’s mandate for all federal employees to apply the update or stop using their devices.

Some weeks ago, when I asked Google about the risk to other Android devices beyond Pixel, the company told me “Android security is aware of this issue, and after further review, this issue does impact Android platform… Pixel devices that have installed the latest security update are protected… we are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available.”

But still no confirmation from Samsung that I’ve seen—and I’ve asked several times. The same is true for CVE-2024-29745, which has also been fixed for Pixels but not yet for any Galaxy smartphones. Google can’t patch devices beyond its own here, as this vulnerability needs to be addressed OEM by OEM. GrapheneOS, which was behind the disclosure, told me “other vendors could add the same zeroing to each of their firmware boot modes and should, but we can’t easily get them to do it.”

It’s now mid-July and Pixel users are a month ahead. The risk for Samsung is that Pixel becomes more iPhone-like given Google’s control of hardware and software, and Samsung can’t easily do the same. Its Galaxy devices are flying from shelves worldwide at the moment, but this space is about to heat up with new Pixels and iPhones on the way. The premium segment looks set to see a new level of competition come the fall, and to my mind asking users to drop $1500 or more on a flagship will drive expectations of transparency, security and privacy that need to be met.

In the meantime, all Samsung users should make sure they update as soon as July’s release is available. As and when there is news on fixes for the two outstanding security issues, bringing Galaxy level with Pixel, I’ll provide an update.
