It’s called a “patch gap” and describes the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers. And the latest casualties are the millions of Pixel, Samsung, Xiaomi, and other Android device brands.
According to Google’s Project Zero, after its team discovered five separate bugs in the ARM Mali GPU driver, ARM “promptly” issued a patch in July and August. Yet, Project Zero reported that every test device they looked at this week remains vulnerable.
Until there’s a better solution for tightening up the lag between the time a patch is issued and reaches the wider ecosystem, it’s up to security teams to remain “vigilant,” the Google Project Zero team advised.
“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” the patch gap report explained. “Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”