Mind the Gap

- Project Zero researcher Maddie Stone found that many 2022 zero-day attacks exploited patched vulnerabilities. - ARM's Mali GPU driver vulnerability (CVE-2021-39793) was used in a real-world attack on the Pixel 6. - Project Zero researcher Jann Horn discovered five additional exploitable vulnerabilities in the Mali GPU driver. - These vulnerabilities could allow attackers to access kernel memory, disclose physical memory addresses, and bypass Android's permissions model. - ARM promptly fixed the issues, but the patches have not yet reached affected Android devices. - Vendors should prioritize timely patching to minimize the "patch gap" and protect users. - Project Zero tests patches for effectiveness and may report follow-up bugs or missing fixes. - Companies need to monitor upstream sources and provide complete patches to users promptly. - Vendors and end-users alike should apply patches as soon as possible to mitigate vulnerabilities.