December Android updates fix critical zero-click RCE flaw


Google announced today that the December 2023 Android security updates fix 85 vulnerabilities, including a critical severity zero-click remote code execution (RCE) bug.

Tracked as CVE-2023-40088, the zero-click RCE bug was found in Android's System component and doesn't require additional privileges to be exploited.

While the company has yet to reveal whether attackers have targeted this security flaw in the wild, threat actors could exploit it to gain arbitrary code execution without user interaction.

"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation," the advisory explains.

"The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed."

An additional 84 security vulnerabilities were patched this month, three of them (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) critical severity privilege escalation and information disclosure bugs in the Android Framework and System components.

A fourth critical vulnerability (CVE-2022-40507) was addressed in Qualcomm's closed-source components.

Android zero-days exploited in attacks

Two months ago, in October, Google also patched two security flaws (CVE-2023-4863 and CVE-2023-4211) that were exploited as zero-days, the former in the libwebp open-source library and the latter affecting multiple Arm Mali GPU driver versions used in a wide range of Android device models.

The September Android security updates addressed another actively exploited zero-day (CVE-2023-35674) in the Android Framework component that allowed attackers to escalate privileges without requiring additional execution privileges or user interaction.

As usual, Google released two patch sets with the December security updates, identified as the 2023-12-01 and 2023-12-05 security patch levels. The latter includes all the fixes from the first set plus additional patches for third-party closed-source and Kernel components. Notably, these additional patches might not be needed by all Android devices.
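For a defender checking a fleet against these two patch levels, the following added example (not from the article or from Google) classifies the value of the `ro.build.version.security_patch` system property, which reports a device's patch level as YYYY-MM-DD; the device records in the demo are constructed, standing in for output gathered with `adb shell getprop`.

```shell
#!/bin/sh
# Added example: classify an Android device's security patch level against
# the December 2023 patch levels described in the article.
# Input is the value of ro.build.version.security_patch (YYYY-MM-DD).

FIRST_LEVEL="2023-12-01"   # initial set, includes the System RCE fix (CVE-2023-40088)
SECOND_LEVEL="2023-12-05"  # adds third-party closed-source and Kernel patches

# patch_status LEVEL -> prints one of: current, partial, outdated, invalid
# The ISO date is reduced to YYYYMMDD so it can be compared as an integer.
patch_status() {
  level="$1"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo "invalid"; return 1 ;;
  esac
  num=$(printf '%s' "$level" | tr -d '-')
  first=$(printf '%s' "$FIRST_LEVEL" | tr -d '-')
  second=$(printf '%s' "$SECOND_LEVEL" | tr -d '-')
  if [ "$num" -lt "$first" ]; then
    echo "outdated"   # predates the December set: CVE-2023-40088 fix missing
  elif [ "$num" -lt "$second" ]; then
    echo "partial"    # has the 2023-12-01 set but not the 2023-12-05 extras
  else
    echo "current"
  fi
}

# report: reads "serial<TAB>patch_level" records on stdin and appends a status
# column. Records would normally come from
#   adb -s <serial> shell getprop ro.build.version.security_patch
report() {
  while IFS="$(printf '\t')" read -r serial level; do
    printf '%s\t%s\t%s\n' "$serial" "$level" "$(patch_status "$level")"
  done
}

# Constructed sample fleet data (not real device serials) for a stand-alone run.
if [ "${1:-}" = "--demo" ]; then
  printf 'DEV-A\t2023-12-05\nDEV-B\t2023-12-01\nDEV-C\t2023-11-01\nDEV-D\tunknown\n' | report
fi
```

Run with `--demo` to see the constructed fleet classified; a "partial" result is not necessarily a problem, since the article notes the 2023-12-05 extras may not apply to every device.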

Device vendors may prioritize deploying the initial patch level to streamline the update procedure, although this doesn't inherently imply an elevated risk of exploitation.

It's also important to note that, except for Google Pixel devices, which receive monthly security updates immediately after release, other manufacturers will require some time before rolling out the patches. This delay is needed for additional testing of the security patches to ensure there are no incompatibilities with various hardware configurations.