Google warns of critical Android RCE flaw exploited in the wild
Google has released the October 2023 security updates for Android devices running OS versions 11, 12, and 13, fixing 53 vulnerabilities, five of which are rated critical. Two of the critical issues are actively exploited in the wild, which means that attackers are already using them to target Android devices.
At A Glance:
- 53 vulnerabilities addressed.
- 5 classified as critical.
- 2 vulnerabilities are under active exploitation.
- Updates released on October 1, 5, and 6 targeting different system components.
The Most Severe: System Component Vulnerability
The most dangerous of the listed vulnerabilities is in the System component. It is rated critical because of the damage that exploitation could cause to an affected device. According to the Android security bulletin, this assessment assumes that platform and service mitigations are turned off or successfully bypassed.
A Three-Tiered Update Approach
To streamline the update process, Google has segregated the October updates into three levels:
- October 1: Targets Android system and framework components.
- October 5: Focuses on kernel and third-party vendor closed-source components.
- October 6: Addresses the Android system.
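To see which of these three levels a set of devices still lacks, the added example below (not part of the original article or of Google's bulletin) triages an inventory of reported patch levels. It assumes the value comes from the `ro.build.version.security_patch` property in `YYYY-MM-DD` form and that patch levels are cumulative; the device names and values are constructed.

```python
from datetime import date

# Patch levels and scopes as listed in the article (October 2023 bulletin).
OCTOBER_2023_LEVELS = [
    (date(2023, 10, 1), "Android system and framework components"),
    (date(2023, 10, 5), "kernel and third-party vendor closed-source components"),
    (date(2023, 10, 6), "Android system"),
]


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch-level string; return None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None


def missing_scopes(patch_level):
    """Return the article's fix groups a device at this patch level still lacks."""
    level = parse_patch_level(patch_level)
    if level is None:
        # Unknown level: treat as fully unpatched rather than silently passing.
        return [scope for _, scope in OCTOBER_2023_LEVELS]
    # Assumption: levels are cumulative, so only later cutoffs are missing.
    return [scope for cutoff, scope in OCTOBER_2023_LEVELS if level < cutoff]


def triage(inventory):
    """Map device name -> missing fix groups, only for devices needing action."""
    report = {}
    for device, patch_level in inventory.items():
        gaps = missing_scopes(patch_level)
        if gaps:
            report[device] = gaps
    return report


# Constructed sample inventory (hypothetical device names and values).
SAMPLE_INVENTORY = {
    "phone-a": "2023-09-05",
    "phone-b": "2023-10-01",
    "phone-c": "2023-10-06",
    "tablet-d": "unknown",
    "phone-e": "2023-11-01",
}

if __name__ == "__main__":
    for device, gaps in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: missing fixes for {', '.join(gaps)}")
```

On a connected device the input string can be read with `adb shell getprop ro.build.version.security_patch`.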
Vulnerabilities Under Active Exploitation
Google’s bulletin sheds light on two vulnerabilities, specifically CVE-2023-4863 and CVE-2023-4211, believed to be under limited targeted exploitation.
CVE-2023-4863: Classified as a critical severity remote code execution flaw in the WebP code library (libwebp). The consequences of this vulnerability vary, ranging from abrupt system crashes to the more sinister arbitrary code execution. In simpler terms, attackers can potentially take control of the affected system, creating a realm of cyber nightmares.
CVE-2023-4211: A local user, without any privileges, can manipulate GPU memory processing operations to tap into memory that has already been freed. This vulnerability was unearthed and reported to Arm by the vigilant eyes at Google’s Threat Analysis Group (TAG) and Project Zero.
Other Noteworthy Vulnerabilities
CVE-2023-40129: Another remote code execution flaw in the system component that carries a critical severity tag.
October 5, 2023 patches: Three critical flaws to note are CVE-2023-24855, CVE-2023-28540, and CVE-2023-33028. These are deeply rooted in the Qualcomm closed-source components.
Stay Safe: Update Now
If you’re an Android user running OS versions 11, 12, or 13, make it a priority to apply these updates. With vulnerabilities marked as actively exploited, it’s not just about adding new features or improving performance, it’s about securing your digital privacy and safety.