December Android Updates Fix Critical Zeroclick RCE Flaw


Google announced today that the December 2023 Android security update will address 85 vulnerabilities.

The zero-click RCE bug, tracked as CVE-2023-40088, is in Android's System component and does not require additional privileges to exploit.

While the company has not yet disclosed whether attackers have targeted this vulnerability, it could be used to execute arbitrary code without user interaction.

"The most serious of these issues is a critical security vulnerability in a system component that could lead to remote code execution without the need for additional execution privileges. No user interaction is required to operate," the statement said.

"The severity level is based on the impact of the vulnerability exploit on the affected device, whether platform and service protections have been disabled or successfully bypassed for development purposes."

An additional 84 vulnerabilities were fixed this month, three of which (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) are related to privilege escalation and information disclosure flaws in the Android environment and related system components.

The fourth critical vulnerability (CVE-2022-40507) was fixed in proprietary Qualcomm components.

Two months ago, in October, Google also patched two zero-day vulnerabilities (CVE-2023-4863 and CVE-2023-4211): the first in the open-source libwebp library and the second in several versions of the Arm Mali GPU drivers used by different Android device models.

The September Android security update addressed another actively exploited zero-day vulnerability (CVE-2023-35674) in a component of the Android Framework that allows attackers to elevate their privileges without requiring additional execution privileges or user interaction.

As usual, Google released two patch sets for the December security update, identified by the security patch levels 2023-12-01 and 2023-12-05. The latter includes all fixes from the first set, as well as additional fixes for closed-source components and third-party kernels. Notably, these additional fixes may not be required on all Android devices.

Device manufacturers may prioritize deploying the first patch level to simplify the update process, although this does not in itself indicate a high risk of exploitation.

It's also worth noting that, apart from Google's Pixel devices, which receive monthly security updates shortly after release, other manufacturers take time to roll out the patches. This delay is needed to test the security patches further and ensure there are no incompatibilities with different hardware configurations.
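Because devices reach the two December patch levels at different times, a fleet check is useful. The following is an added example, not code from the article or from Google: it classifies a reported patch level against 2023-12-01 and 2023-12-05. The function names and the sample inventory are constructed; the level itself is assumed to come from the `ro.build.version.security_patch` system property.

```shell
#!/bin/sh
# Added example. On a real device the patch level can be read with:
#   adb shell getprop ro.build.version.security_patch

# Classify one patch level string (YYYY-MM-DD) against December 2023.
classify_spl() {
    spl=$1
    # Reject anything that is not exactly YYYY-MM-DD.
    case $spl in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 0 ;;
    esac
    # Drop the dashes so the date compares as a plain integer.
    n=$(printf '%s' "$spl" | tr -d '-')
    if [ "$n" -ge 20231205 ]; then
        echo "full"      # both December patch sets are included
    elif [ "$n" -ge 20231201 ]; then
        echo "partial"   # first set only; 2023-12-05 extras may not apply to every device
    else
        echo "missing"   # predates the December 2023 update
    fi
}

# Constructed sample inventory: "<device-id> <patch level>" per line.
SAMPLE_INVENTORY='pixel-8 2023-12-05
tablet-a 2023-12-01
phone-b 2023-10-05
kiosk-c unknown'

# List every device that does not report the complete December level.
report_outdated() {
    printf '%s\n' "$1" | while read -r dev spl; do
        status=$(classify_spl "$spl")
        [ "$status" = "full" ] || echo "$dev $status"
    done
}

report_outdated "$SAMPLE_INVENTORY"
```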
