Google announced today that the December 2023 Android security updates tackle 85 vulnerabilities, including a critical severity zero-click remote code execution bug.
Tracked as CVE-2023-40088, the zero-click RCE bug was found in Android's System component and doesn't require additional privileges to be exploited.
While the company has yet to reveal if attackers have targeted this security flaw in the wild, threat actors could exploit it to gain arbitrary code execution without user interaction.
An additional 84 security vulnerabilities were patched this month, with three of them critical severity privilege escalation and information disclosure bugs in Android Framework and System components.
A fourth critical vulnerability was addressed in Qualcomm's closed-source components.
Two months ago, in October, Google also patched two security flaws that were exploited as zero-days, the former in the libwebp open-source library and the latter affecting multiple Arm Mali GPU driver versions used in a broad range of Android device models.
The September Android security updates addressed another actively exploited zero-day in the Android Framework component that allowed attackers to escalate privileges without requiring additional execution privileges or user interaction.
As usual, Google released two patch sets with the December security updates, identified as the 2023-12-01 and 2023-12-05 security levels.
The latter includes all the fixes from the first set and additional patches for third-party closed-source and Kernel components.
Notably, these other patches might not be needed by all Android devices.
Device vendors may prioritize the deployment of the initial patch level to streamline the update procedure, although this doesn't inherently suggest an elevated risk of potential exploitation.
It's also important to note that, except for Google Pixel devices, which receive monthly security updates immediately after release, other manufacturers will require some time before rolling out the patches.
This delay is needed for additional testing of the security patches to ensure there are no incompatibilities with various hardware configurations.
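To see which of the two December patch sets a device reports, the script below classifies a security patch level string against the 2023-12-01 and 2023-12-05 levels described above. It is an added example, not code from Google or the original article; the function names and the `--device` switch are hypothetical, and the device read assumes `adb` is on the PATH with one authorized device attached.

```shell
#!/bin/sh
# Added example: classify an Android security patch level string against
# the two December 2023 levels named in the article.

LEVEL_BASE="2023-12-01"   # first patch set
LEVEL_FULL="2023-12-05"   # second set: first set plus closed-source/kernel fixes

# Convert YYYY-MM-DD to the integer YYYYMMDD; returns 1 on malformed input.
to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s' "$1" | tr -d '-' ;;
        *)
            return 1 ;;
    esac
}

# Prints one of: full, base-only, missing, invalid.
classify_patch_level() {
    level=$(to_int "$1") || { echo "invalid"; return 0; }
    if [ "$level" -ge "$(to_int "$LEVEL_FULL")" ]; then
        echo "full"        # declares both December patch sets
    elif [ "$level" -ge "$(to_int "$LEVEL_BASE")" ]; then
        echo "base-only"   # declares only the first December patch set
    else
        echo "missing"     # predates the December 2023 updates
    fi
}

# Read the level from an attached device (assumption: adb available).
# adb output can carry a trailing carriage return, which is stripped here.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Hypothetical switch: only touch adb when explicitly asked to.
if [ "${1:-}" = "--device" ]; then
    classify_patch_level "$(device_patch_level)"
fi
```

A `base-only` result is not necessarily a gap, since the additional patches in the second set might not be needed by every device.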
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 04 Dec 2023 19:40:08 +0000