Google has issued patches for more than 40 security vulnerabilities in Android, including two previously exploited in attacks. The patches are part of the Android maker’s November 2024 security update.
The first exploited vulnerability, CVE-2024-43047, was a Qualcomm bug reported in October by Amnesty International and Google’s Threat Analysis Group (TAG). The disclosure warned of possible zero-day attacks and described a high-severity use-after-free bug in the Digital Signal Processor (DSP) service. Qualcomm issued a patch quickly, warning that the issue affected dozens of chipsets.
Although there’s no concrete proof of the vulnerability being exploited in the wild, the fact that Google’s TAG and Amnesty discovered it makes it likely that a commercial spyware vendor was using it against Android devices. Both CVE-2024-43047 and CVE-2024-43093 may be under “limited, targeted exploitation”; as usual, however, Google hasn’t provided any information.
CVE-2024-43093, the second vulnerability suspected to be under exploitation, is a high-severity elevation of privilege bug in Android’s Framework component, also affecting the Documents UI component of Project Mainline, updated through Google Play.
While both vulnerabilities are patched, the software updates fixing them are arriving separately. The first part of Android’s November 2024 security update, released on November 1, addresses CVE-2024-43047 and 17 other high-severity vulnerabilities in the Framework and System components.
The second part arrives on November 11 as the 2024-11-05 security patch level. This update addresses the other exploited vulnerability, CVE-2024-43093, along with 23 other vulnerabilities, while also updating Android kernel versions. A full list of patched vulnerabilities can be found in Google’s security advisory. Android isn’t the only Google-made OS that’s getting bug fixes, either. The November 2024 security update on WearOS devices patches two additional bugs on top of those fixed in the primary update.