Google has released the September 2023 Android security updates addressing a total of 33 vulnerabilities, with a particular focus on mitigating a high-severity zero-day vulnerability that is currently being actively exploited.
The zero-day vulnerability in question, CVE-2023-35674, is in the Android Framework and is considered high-severity. It allows attackers to escalate their privileges without requiring user interaction or additional execution privileges. Google has issued an advisory acknowledging that there are indicators of limited and targeted exploitation of CVE-2023-35674 in the wild.
Google encourages all Android users to update to the latest version of the Android platform whenever possible, emphasising that newer versions of Android have enhanced security measures, making exploitation more challenging.
In addition to the actively exploited zero-day vulnerability, the September Android security updates address three critical security flaws in the Android System component. These vulnerabilities, identified as CVE-2023-35658, CVE-2023-35673 and CVE-2023-35681, can potentially result in remote code execution (RCE) without requiring additional execution privileges or user interaction.
Attackers could exploit these vulnerabilities for RCE attacks, particularly when platform and service mitigations are deactivated for development purposes or successfully bypassed.
Another critical bug tracked as CVE-2023-28581 and described by Qualcomm involves a WLAN Firmware memory corruption issue. This flaw could enable remote attackers to execute arbitrary code, access sensitive information, or trigger system crashes. Importantly, these attacks can occur with minimal complexity, requiring neither specific privileges nor user interaction.
Google’s security updates for September 2023 come in two sets: the 2023-09-01 and 2023-09-05 patch levels. The latter includes all the security fixes from the initial set plus additional patches for third-party closed-source and kernel components.
The choice between these patch levels, made by device vendors, doesn’t necessarily imply an increased risk of exploitation. Vendors may prioritise the initial patch level to expedite the update process.
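A practical way to tell which of the two September sets a device carries is to read its reported patch level and compare it against the two dates above. The script below is an added example, not code from the article or from Google; it assumes `adb` is on the PATH and the device is authorized, and reads the standard `ro.build.version.security_patch` property.

```shell
#!/bin/sh
FULL_LEVEL="2023-09-05"     # 2023-09-01 fixes plus closed-source and kernel patches
PARTIAL_LEVEL="2023-09-01"  # Framework/System fixes only

# Turn YYYY-MM-DD into an integer (YYYYMMDD) so levels compare numerically.
level_to_int() {
  printf '%s' "$1" | tr -d '-'
}

# classify_patch_level LEVEL
# Prints: full     - at or beyond 2023-09-05 (all September fixes present)
#         partial  - 2023-09-01 up to 2023-09-04 (Framework/System fixes only)
#         missing  - older than 2023-09-01 (no September fixes)
#         unknown  - not a YYYY-MM-DD string
classify_patch_level() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo unknown; return 0 ;;
  esac
  lvl=$(level_to_int "$1")
  if [ "$lvl" -lt "$(level_to_int "$PARTIAL_LEVEL")" ]; then
    echo missing
  elif [ "$lvl" -lt "$(level_to_int "$FULL_LEVEL")" ]; then
    echo partial
  else
    echo full
  fi
}

# Read the level from an attached device. Assumes adb is on PATH and the
# device is authorized; the property name is the standard Android one.
check_device() {
  lvl=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
  if [ -z "$lvl" ]; then
    echo unknown
    return 1
  fi
  classify_patch_level "$lvl"
}

# Usage: sh check_patch.sh 2023-09-01   (classify a given level string)
#        sh check_patch.sh device       (query an attached device)
case "${1-}" in
  "") ;;
  device) check_device ;;
  *) classify_patch_level "$1" ;;
esac
```

A "partial" result means the Framework and System fixes are present but the vendor has not yet shipped the closed-source and kernel patches in the 2023-09-05 set.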
Users of devices other than Google Pixel, which receive monthly security updates immediately, should note that other vendors may need some time to deploy these updates while they test and fine-tune them for their various hardware configurations.
The September Android security updates apply to Android 11, 12 and 13; older, unsupported OS versions may also be affected by the vulnerabilities.