
Google announced today that the December 2023 Android security updates tackle 85 vulnerabilities, including a critical severity zero-click remote code execution (RCE) bug.

Tracked as CVE-2023-40088, the zero-click RCE bug was found in Android's System component and doesn't require additional privileges to be exploited.

Google has not said whether the flaw has been exploited in the wild. Note that the advisory qualifies "remote" as proximal/adjacent: an attacker would need to be within wireless range of, or on a network adjacent to, the target device, but could then gain arbitrary code execution with no user interaction.

"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation," the advisory explains.

"The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed."

An additional 84 security vulnerabilities were patched this month; three of them (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) are critical-severity privilege escalation and information disclosure bugs in the Android Framework and System components.

A fourth critical vulnerability (CVE-2022-40507) was addressed in Qualcomm's closed-source components.

Android zero-days exploited in attacks

Two months ago, in October, Google also patched two security flaws (CVE-2023-4863 and CVE-2023-4211) that were exploited as zero-days, the former in the libwebp open-source library and the latter affecting multiple Arm Mali GPU driver versions used in a broad range of Android device models.

The September Android security updates addressed another actively exploited zero-day (CVE-2023-35674) in the Android Framework component that allowed attackers to escalate privileges without requiring additional execution privileges or user interaction.

As usual, Google released two patch sets with the December security updates, identified as the 2023-12-01 and 2023-12-05 security patch levels. The latter includes all the fixes from the first set plus additional patches for third-party closed-source and Kernel components. Not every Android device ships the affected components, so not every device needs the second set.

Device vendors may choose to ship only the 2023-12-01 level to simplify their update process; a device reporting that level is not necessarily at elevated risk, but it does lack the Kernel and Qualcomm fixes that carry the 2023-12-05 level.

It's also worth noting that only Google Pixel devices receive the monthly security updates immediately after release. Other manufacturers need additional time to test the patches against their own hardware configurations before rolling them out, so the same patch level can reach different devices weeks apart.
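As an added example (not part of the article, and not a Google tool), the following POSIX shell function classifies a device's reported security patch level against the two December 2023 levels discussed above. On a real device the value is read with `adb shell getprop ro.build.version.security_patch`; here the value is passed as an argument so the check runs without a device attached, and the three category names (`full`, `partial`, `missing`) are my own labels.

```shell
#!/bin/sh
# Added example: classify an Android ro.build.version.security_patch value
# against the December 2023 patch levels. Labels are the author's own:
#   full    - 2023-12-05 or newer: first set plus Kernel/closed-source fixes
#   partial - 2023-12-01 .. 2023-12-04: first patch set only
#   missing - older than 2023-12-01: CVE-2023-40088 fix not present
#   invalid - value is not a YYYY-MM-DD date (function returns 1)
classify_patch_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 1 ;;
    esac
    # Strip the dashes so the date can be compared as an integer (YYYYMMDD).
    n=$(printf '%s' "$level" | tr -d -)
    if [ "$n" -lt 20231201 ]; then
        echo "missing"
    elif [ "$n" -lt 20231205 ]; then
        echo "partial"
    else
        echo "full"
    fi
}

# Usage against a connected device (requires adb and USB debugging):
#   classify_patch_level "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
# Constructed sample values, for running the check without a device:
for sample in 2023-12-05 2023-12-01 2023-11-05 bogus; do
    printf '%s -> %s\n' "$sample" "$(classify_patch_level "$sample")"
done
```

The `tr -d '\r'` in the usage line matters in practice: `adb shell` output carries a carriage return on some hosts, and without stripping it the value fails the date pattern and is reported as invalid.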
