Update Android urgently: Fixed Zero Click vulnerability CVE-2023-40088

Brother

This is the most dangerous of the 85 issues that Google is trying to fix in the December security update.

Google has released Android security updates for December that address 85 vulnerabilities, including the critical Zero-Click Remote Code Execution (RCE) vulnerability.

The zero-click bug, tracked as CVE-2023-40088, was found in the Android System component and does not require additional privileges to exploit. Although the company has not yet revealed whether attackers have taken advantage of the vulnerability, they can use the flaw to execute arbitrary code without user interaction.

Another 84 security vulnerabilities were also fixed in December, three of which (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) are critical privilege escalation and disclosure bugs in the Android Framework and System components. A fourth critical vulnerability (CVE-2022-40507, CVSS: 7.8) has been fixed in Qualcomm's closed-source components.

As usual, Google released two sets of fixes in the December security update, designated as security patch levels 2023-12-01 and 2023-12-05. The latter includes all fixes from the first set plus additional fixes for third-party closed-source components and kernel components. Note that these additional fixes may not be required for all Android devices.

Device vendors may prioritize deployment of the first patch level to simplify the upgrade process, although this does not inherently imply an increased risk of exploitation.

It's also important to note that, with the exception of Google Pixel devices, which receive monthly security updates immediately after release, other manufacturers will need some time before releasing patches. This delay is necessary for additional testing of security patches to ensure that there are no incompatibilities with different hardware configurations.
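To see where a device or fleet stands against the two December patch levels described above, the reported patch level can be compared with 2023-12-01 and 2023-12-05. The script below is an added example, not part of the original post: the function names, status labels and serials are hypothetical, the inventory is constructed, and `ro.build.version.security_patch` is the Android system property that holds the patch level.

```shell
#!/bin/sh
# Added example (not from the article): audit Android security patch levels
# against the two December 2023 levels. On a device the value comes from:
#   adb -s SERIAL shell getprop ro.build.version.security_patch

# Print pre-december | december-partial | december-complete | unknown.
classify_patch_level() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty or non YYYY-MM-DD value
    esac
    rest=${level#*-}
    n=${level%%-*}${rest%-*}${rest#*-}   # 2023-12-05 -> 20231205
    if [ "$n" -ge 20231205 ]; then
        echo december-complete           # both sets of fixes
    elif [ "$n" -ge 20231201 ]; then
        echo december-partial            # first set only
    else
        echo pre-december                # none of the December fixes
    fi
}

# Read "SERIAL LEVEL" lines on stdin; list devices lacking the full update.
audit_fleet() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = december-complete ] || echo "$serial ${level:-none} $status"
    done
    return 0
}

# Constructed inventory (hypothetical serials), as collected via adb or MDM.
sample_inventory() {
    cat <<'EOF'
EMU-0001 2023-12-05
EMU-0002 2023-12-01
EMU-0003 2023-10-05
EMU-0004
EOF
}

sample_inventory | audit_fleet
```

A device reporting `december-partial` has the first set of fixes but not the kernel and closed-source component fixes that arrive with 2023-12-05.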
 