Google announced today that the December 2023 Android security updates address 85 vulnerabilities, including a critical-severity zero-click remote code execution (RCE) bug.
Tracked as CVE-2023-40088, the zero-click RCE bug was found in Android's System component and does not require additional privileges to be exploited.
While the company has yet to disclose whether attackers have targeted this security flaw in the wild, threat actors could exploit it to gain arbitrary code execution without user interaction.
"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation," the advisory explains.
"The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed."
A further 84 security vulnerabilities were patched this month, three of them (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) critical-severity privilege escalation and information disclosure bugs in the Android Framework and System components.
A fourth critical vulnerability (CVE-2022-40507) was addressed in Qualcomm's closed-source components.
Android zero-days exploited in attacks
Two months ago, in October, Google also patched two security flaws (CVE-2023-4863 and CVE-2023-4211) that had been exploited as zero-days, the former in the libwebp open-source library and the latter affecting multiple Arm Mali GPU driver versions used in a wide range of Android device models.
The September Android security updates addressed another actively exploited zero-day (CVE-2023-35674) in the Android Framework component that allowed attackers to escalate privileges without requiring additional execution privileges or user interaction.
As usual, Google released two patch sets with the December security updates, identified as the 2023-12-01 and 2023-12-05 security patch levels. The latter includes all the fixes from the first set plus additional patches for third-party closed-source and Kernel components. Notably, these additional patches may not be needed by all Android devices.
Device vendors may prioritize deploying the initial patch level to streamline the update process, although this does not inherently indicate an elevated risk of exploitation.
It is also important to note that, apart from Google Pixel devices, which receive monthly security updates immediately after release, other manufacturers will need some time before rolling out the patches. This delay is needed for additional testing of the security patches to ensure there are no incompatibilities with the various hardware configurations.