Headline
Android phones can be taken over remotely – update when you can
Android phones are vulnerable to attacks that allow a remote execution of malicious code and it requires no user interaction.
Android phones are vulnerable to attacks that could allow someone to takeover a device remotely without the device owner needing to do anything.
Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. In total, there are patches for 94 vulnerabilities, including five rated as “Critical.”
The most severe of these flaws is a vulnerability in the System component that could lead to remote code execution (RCE) without any additional execution privileges required. User interaction is not needed for exploitation.
This vulnerability, referenced as CVE-2023-40088, affects a function that is used for Bluetooth communication, so the “remote” part is limited to “close range” since the average Bluetooth range is about 30 feet (10 meters). Successful manipulation with a specially crafted input leads to a use after free vulnerability. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
Another critical vulnerability (CVE-2023-40077) that looks problematic is an Elevation of Privilege (EoP) vulnerability in the Android Framework. Successful exploitation could lead to a race condition. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. In this case it could provide a successful attacker with permissions to perform actions they shouldn’t be able to.
Security patch levels of 2023-12-05 or later address all of these issues. To learn how to check a device’s security patch level, see how to check and update your Android version. The updates have been made available for Android 11, 12, 12L, 13, and 14. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors. Android vendors such as Samsung and OnePlus have pledged to release security updates once a month. Google usually ships out security updates to Pixel phones within two weeks or sooner.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.
Related news
Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The vulnerabilities are as follows - CVE-2023-33063 (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106 (CVSS score: 8.4) - Memory corruption in
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.