Android

Google announced today that the December 2023 Android security updates address 85 vulnerabilities, including a critical-severity zero-click remote code execution (RCE) bug.

Tracked as CVE-2023-40088, the zero-click RCE bug was found in Android’s System component and does not require additional privileges to be exploited.

While the company has yet to disclose whether attackers have targeted this security flaw in the wild, threat actors could exploit it to gain arbitrary code execution without user interaction.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” the advisory explains.

“The severity assessment is based on the impact that exploiting the vulnerability might have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”

An additional 84 security vulnerabilities were patched this month, three of them (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) critical-severity privilege escalation and information disclosure bugs in Android Framework and System components.

A fourth critical vulnerability (CVE-2022-40507) was addressed in Qualcomm’s closed-source components.

Android zero-days exploited in attacks

Two months ago, in October, Google also patched two security flaws (CVE-2023-4863 and CVE-2023-4211) that were exploited as zero-days, the former in the libwebp open-source library and the latter affecting multiple Arm Mali GPU driver versions used in a broad range of Android device models.

The September Android security updates addressed another actively exploited zero-day (CVE-2023-35674) in the Android Framework component that allowed attackers to escalate privileges without requiring additional execution privileges or user interaction.

As usual, Google released two patch sets with the December security updates, identified as the 2023-12-01 and 2023-12-05 security patch levels. The latter includes all the fixes from the first set plus additional patches for third-party closed-source and Kernel components. Notably, these other patches won’t be needed by all Android devices.

Device vendors may prioritize deploying the initial patch level to streamline the update process, although this does not inherently suggest an increased risk of potential exploitation.

It is also important to note that, apart from Google Pixel devices, which receive monthly security updates immediately after release, other manufacturers will need some time before rolling out the patches. This delay is needed for additional testing of the security patches to ensure there are no incompatibilities with various hardware configurations.
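To make the two patch levels concrete, here is an added example (not from the original article or from Google) that triages a device inventory against them. It assumes each device's level was collected from the `ro.build.version.security_patch` property; the inventory format, serials, models and group labels are constructed for illustration.

```python
from datetime import date

# Patch levels named in the article for the December 2023 updates.
BASE_LEVEL = date(2023, 12, 1)   # first patch set
FULL_LEVEL = date(2023, 12, 5)   # first set plus closed-source and Kernel fixes

# Constructed inventory: serial, model, reported security patch level
# (e.g. from `adb shell getprop ro.build.version.security_patch`).
SAMPLE_INVENTORY = """\
A1001,Pixel 8,2023-12-05
A1002,Vendor X10,2023-12-01
A1003,Vendor X9,2023-10-05
A1004,Vendor Tab 3,
A1005,Vendor Z,2023-13-01
A1006,Pixel 7,2024-01-05
"""

def classify(patch_level: str) -> str:
    """Map a reported patch-level string onto the December 2023 levels."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"      # empty or malformed value: treat as unverified
    if level >= FULL_LEVEL:
        return "full"         # both patch sets applied
    if level >= BASE_LEVEL:
        return "base-only"    # first set only; closed-source/Kernel fixes pending
    return "missing"          # predates the December updates entirely

def triage(inventory: str) -> dict[str, list[str]]:
    """Group device serials by how much of the December update they carry."""
    groups = {"full": [], "base-only": [], "missing": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        # Pad short rows so a missing patch-level column becomes "unknown".
        serial, _model, level = (line.split(",") + ["", ""])[:3]
        groups[classify(level)].append(serial)
    return groups

if __name__ == "__main__":
    for status, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(serials) or '-'}")
```

Devices in the "unknown" group should be re-queried rather than assumed patched, since an empty or malformed value says nothing about the installed level.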
