The September 2023 Android security updates tackle 33 vulnerabilities, including a zero-day bug currently targeted in the wild.
This high-severity zero-day vulnerability (CVE-2023-35674) is a flaw in the Android Framework that enables attackers to escalate privileges without requiring user interaction or additional execution privileges.
“There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” Google said in an advisory issued on Tuesday.
“Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.”
Besides this actively exploited zero-day bug, the September Android security updates also address three critical security flaws in the Android System component and one in Qualcomm closed-source components.
The three critical System bugs (CVE-2023-35658, CVE-2023-35673, CVE-2023-35681) can result in remote code execution (RCE) following successful exploitation without requiring additional execution privileges or user interaction.
Attackers may leverage these vulnerabilities in RCE attacks when platform and service mitigations are deactivated for development purposes or successfully bypassed.
The fourth critical bug (tracked as CVE-2023-28581) is described by Qualcomm as a WLAN Firmware memory corruption issue that could let remote attackers execute arbitrary code, read sensitive information, or trigger system crashes in low-complexity attacks that don’t require privileges or user interaction.
Two security patch levels
As usual, Google issued two sets of patches for September 2023, tagged as the 2023-09-01 and 2023-09-05 security patch levels.
The latter patch level encompasses all the security fixes in the initial set and additional patches for third-party closed source and Kernel components that may not be relevant to all Android devices.
Your device vendor may opt to prioritize the deployment of the initial patch level to expedite the update process, with this choice not necessarily implying an increased risk of exploitation.
It’s also worth mentioning that, except for Google Pixel devices, which receive every month’s security updates immediately, other vendors will require some time to push them to their devices as they need time to test and fine-tune the patches for each hardware configuration.
The Android security updates for this month target versions 11, 12, and 13, and they may also affect older, unsupported OS versions.
Those using Android 10 and older should consider upgrading to devices running a supported version or flash their current one using third-party Android ROM based on a recent AOSP version.