December Android updates fix critical zero-click RCE flaw

December 4, 2023 at 02:46PM

Google’s December 2023 Android update fixes 85 vulnerabilities, including a critical zero-click RCE bug in the System component and other high-severity issues. The most severe flaw allows remote code execution without additional privileges or user interaction. Two zero-days were previously patched in October. The updates are released in two sets, with rollout times varying by manufacturer.

Meeting Takeaways:

1. Google has addressed 85 vulnerabilities in the December 2023 Android security update.
2. A critical zero-click remote code execution bug (CVE-2023-40088) in Android’s System component was patched; it allowed code execution without user interaction and without additional privileges.
3. Details about whether this zero-click RCE bug has been exploited in the wild have not been disclosed.
4. Three additional critical vulnerabilities (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) were fixed. These were related to privilege escalation and information disclosure in the Android Framework and System components.
5. Another critical issue (CVE-2022-40507) in Qualcomm’s proprietary components has also been rectified.
6. In October, two previously exploited zero-days (CVE-2023-4863 and CVE-2023-4211) were patched in the open-source libwebp library and the Arm Mali GPU driver, respectively.
7. In September, an actively exploited zero-day (CVE-2023-35674) in the Android Framework component, allowing for privilege escalation, was addressed.
8. Google has released two sets of patches for December: 2023-12-01 (everything essential) and 2023-12-05 (additional third-party and Kernel component fixes).
9. Not all Android devices will need additional patches for third-party and Kernel components issued with the 2023-12-05 security level.
10. While Google Pixel devices receive updates promptly, other manufacturers may need additional time to test and roll out the patches to avoid hardware compatibility issues.
