
"Instead of throwing every available fix for everything from high-risk, critical vulnerabilities to low-risk bugs into a monthly ASB, Google may pivot to a focus on shipping updates for critical real-world issues within its monthly patch cycles. So, if a vulnerability is being actively exploited in the wild or is considered to be of extreme risk to user privacy and security, it will be patched more quickly than a low-risk denial-of-service memory issue, for example."
"As noted by the publication, however, there is a difference between an official "critical" rating as issued by authorities in CVSS scoring and what the tech giant could deem high risk. This means that a security issue with a low CVSS score that is used in a wider exploit chain, theoretically, may be included in monthly updates."
"According to , the new system -- dubbed the "Risk-Based Update System" (RBUS) -- will continue to protect Android users while streamlining Original Equipment Manufacturer (OEM) patching procedures."
A risk-based update system (RBUS) would prioritize shipping patches for vulnerabilities that are actively exploited or pose extreme privacy and security risks. Android Security Bulletins (ASBs) currently list all fixes, with partners and OEMs notified at least a month before public release. Under RBUS, high-risk issues would receive faster monthly updates while lower-risk problems could shift to quarterly ASB cycles. The definition of "high risk" could differ from CVSS "critical" ratings, allowing some low-CVSS issues used in exploit chains to receive faster patches. The model aims to streamline OEM patching but could lengthen exposure windows for some bugs.
Read at ZDNET