You may recall that in July, the U.S. government told Pixel users who work for the federal government to update their phones before July 4 or stop using them. The problem was a software bug dubbed CVE-2024-32896, which the government said at the time could be exploited “in a limited and targeted manner.” Now, Samsung Galaxy phone owners who work for the federal government are being given their own deadline to update their devices.
The update for the Galaxy phones includes a couple of bug fixes that address two nasty software vulnerabilities that Google says have been exploited in the real world. The government’s Cybersecurity and Infrastructure Security Agency (CISA) has added the two CVE entries (one for each bug) to the Catalog of Known Exploited Vulnerabilities (KEV). This action comes alongside a directive from Uncle Sam to Galaxy device owners who work for the federal government, giving them 21 days to update their phones or stop using them.
We’ll get to the dates in a moment. First, the first alert for Pixel users in July didn’t impact Galaxy users because at the time, the CVE was believed to only affect Pixel phones. When the vulnerability was expanded to all Android phones including Samsung Galaxy phones, the alert wasn’t updated to include them. But that changed with the second CISA alert on August 7, which resulted in an August 28 deadline for federal employees using a Samsung Galaxy device.
You might think the warning is really limited, as only Samsung Galaxy device users employed by the federal government are required to update their Galaxy handset by August 28 or stop using their devices. However, there are some organizations that are following the federal government’s guidelines. And there are probably many other companies that should require their employees to follow the federal government’s guidance. Millions of Galaxy smartphones have the bug, and all users should install the August security update on their Galaxy handsets as soon as possible.
The vulnerabilities that Samsung owners must fix include CVE-2024-32896 and the even more dangerous CVE-2024-29745. These vulnerabilities would allow attackers to exploit privilege escalation. Privilege escalation would allow an attacker to use an app to obtain information that would not normally be available to the attacker. This includes work-related and personal information.
