Google Announces a Very Important Update for Android


Google announced today that the December 2023 Android security updates address 85 vulnerabilities, including a critical-severity remote code execution (RCE) flaw. The vulnerability, tracked as CVE-2023-40088, was found in Android's System component and does not require additional privileges to exploit.

While Google has not yet said whether the flaw has been exploited in the wild, an attacker could use it to achieve arbitrary code execution without any user interaction.

"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution without the need for additional execution privileges. User interaction is not required for exploitation," the notice explains.

In addition, 84 other security vulnerabilities were fixed this month, three of which (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) are critical privilege escalation and information disclosure issues in the Android Framework and System components. A fourth critical vulnerability (CVE-2022-40507) was addressed in Qualcomm's closed-source components.


Two months earlier, in October, Google fixed two security flaws (CVE-2023-4863 and CVE-2023-4211) that were exploited as zero-days: the first in the libwebp open-source library, the second affecting multiple versions of the Arm Mali GPU driver used in a wide range of Android device models.

The September Android security updates addressed another actively exploited zero-day vulnerability (CVE-2023-35674) in the Android Framework component that allowed attackers to escalate privileges without requiring additional execution privileges or user interaction.

As usual, Google released two sets of patches with the December security updates, identified as security patch levels 2023-12-01 and 2023-12-05. The latter includes all fixes from the first set plus additional fixes for third-party closed-source components and the kernel. It's worth noting that these additional fixes may not be necessary for all Android devices.

Device manufacturers may prioritize shipping the first patch level to simplify their update process; this does not necessarily mean a higher risk of exploitation.
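To tell which of the two December sets a device actually carries, a small script like the following (added here as an illustration; it is not part of Google's bulletin or this article) reads the patch level string and classifies it. It assumes `adb` is installed and exactly one device is attached, and relies on the standard `ro.build.version.security_patch` system property.

```shell
#!/bin/sh
# Classify an Android security patch level (YYYY-MM-DD, as reported by the
# ro.build.version.security_patch property) against the two December 2023
# bulletin levels: 2023-12-01 (Framework/System fixes only) and 2023-12-05
# (adds kernel and closed-source vendor fixes).
DEC_FIRST=20231201
DEC_SECOND=20231205

# coverage_for_level LEVEL
# Prints "invalid", "none", "first-only" or "complete".
coverage_for_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return ;;
    esac
    # Drop the hyphens so the date compares as a plain integer (YYYYMMDD).
    num=$(printf '%s' "$level" | tr -d '-')
    if [ "$num" -lt "$DEC_FIRST" ]; then
        echo "none"          # neither December set applied
    elif [ "$num" -lt "$DEC_SECOND" ]; then
        echo "first-only"    # 2023-12-01 set; vendor/kernel fixes may be missing
    else
        echo "complete"      # 2023-12-05 or newer: both sets included
    fi
}

# device_coverage: query the attached device over adb and classify it.
# Assumes adb is on PATH and one device is connected (assumption, not from the page).
device_coverage() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    echo "$level $(coverage_for_level "$level")"
}

# Example usage with a device attached:
# device_coverage
```

A result of "first-only" is exactly the case described above, where a manufacturer has shipped the 2023-12-01 level but not yet the kernel and closed-source fixes.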

Apart from Google Pixel devices, which receive the monthly security updates as soon as they are released, other manufacturers will need some time before shipping the patches, since they must first test them for incompatibilities with their various hardware configurations.