Updated August 17 as some older Samsung models receive critical August update.

Samsung’s latest monthly update is an absolute must-have, fixing not one but two critical security vulnerabilities that have been exploited in the wild—as confirmed by Google. And so it’s little surprise that the company is pushing out the August security update with more haste than usual—especially in the United States.

That’s because both vulnerabilities have also triggered formal government warnings, with the U.S. cybersecurity agency, CISA, adding them to its Known Exploited Vulnerabilities (KEV) catalog, with a formal mandate for all federal employees to either update within 21 days of those warnings or stop using their phones.

The first of those CISA warnings didn’t apply to Samsung Galaxy devices, because at the time it was issued the vulnerability was thought to only affect Google’s Pixel phones. The warning was not corrected when the vulnerability was widened to apply to other Android OEMs as well. But the second CISA warning, issued on August 7, does apply to Samsung devices, as does CISA’s update deadline, which is August 28.

And that’s a serious issue for millions of Galaxy users. Because while the formal update mandate only applies to federal employees—to “apply mitigations,” meaning update, or “discontinue use of the product if mitigations are unavailable,” other organizations either do or should follow suit. This threat is real and can compromise any company—public or private—where infected devices connect.

The reason it’s an issue is that while Samsung is rushing out its August update, it is following its usual approach, and that means not all Galaxy devices receive a security update each month—some devices are on a quarterly or even bi-annual schedule.

I asked Samsung if this would change this month, with August’s update universally applied, because otherwise it would mean older devices in the hands of federal staff would need to be powered down. Their response suggests not.

And that’s a major concern as Samsung pushes out August’s critical update, with the rest of the world catching up with the (CISA-driven) early U.S. updates. As SamMobile reported on Saturday, “last week, Samsung released the security update to the Galaxy Z Flip 5 and the Galaxy Z Fold 5 in the U.S. Now, the company has released the update to those phones in several more countries worldwide.”

That list of countries includes markets in the Middle East, South East and Southern Asia, as well as places as far afield as New Zealand, South Africa, Kazakhstan and Ukraine. It’s easy to forget that while the U.S. government’s update mandate might be driving some manufacturer and user urgency here, the vulnerabilities themselves put all phones at risk—wherever they happen to be.

The update has also started to reach older flagships, including the S21. Even some versions of the somewhat aged S20 are being updated, although that is the cutoff point between those devices on a monthly schedule and those that are not.

For those with older Galaxy devices, which may miss the U.S. update deadline, there are other good reasons for updating your hardware. Cybernews has just published a reminder that “a horde of one billion Android devices are running on deprecated OS versions and may be vulnerable to dozens of disclosed vulnerabilities, including critical ones,” adding that these have now been joined by “Samsung flagships since 2020, with the [regular] Samsung S20 series at the forefront.”

Regarding its August release, Samsung told me it “takes security issues very seriously,” and that “to address this issue, security updates have already been rolling out since August,” but as usual, “updates may continue being released at a later date, which will vary by model and network provider.” The company added that it “always recommends that users keep their devices up-to-date with the latest software updates,” but clearly that’s only possible when and where those updates are available.

It might be that some flex in the usual schedule will become apparent towards the end of the month, but there is no sign of that thus far. And that means that if you have an older or less expensive Galaxy device in the U.S., and work for an organization that follows CISA’s mandate, then come August 28 you will have a serious issue on your hands—or in your hands, to be more precise.
