With the September 2023 Android security update, Google addressed an elevation-of-privilege vulnerability, tracked as CVE-2023-35674, that had already been exploited in targeted attacks. The high-severity zero-day resides in Android's Framework component; it is a local privilege escalation that needs no additional execution privileges and no user interaction to exploit.
Google said only that there are indications the flaw may be under limited, targeted exploitation, without describing the attacks. The 2023-09-01 security patch level also resolves five other high-severity Framework vulnerabilities: three that could lead to elevation of privilege and two that could lead to information disclosure.
The same patch level covers 14 vulnerabilities in the System component. Three of them are rated critical because they could allow remote code execution without additional execution privileges or user interaction.
Android zero-days disclosed in recent years have frequently turned out to be in the hands of commercial spyware vendors, so the exploitation note around CVE-2023-35674 fits an established pattern. Google also fixed two issues in Project Mainline components, which are delivered through Google Play system updates and do not require a device reboot. The 2023-09-05 security patch level adds fixes for 12 vulnerabilities in Qualcomm components; as with every bulletin, a device on the 2023-09-05 level contains all fixes from the 2023-09-01 level and earlier.
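Because patch levels are cumulative, the practical check is whether a device's reported level is at or past the level that carries a given fix. The script below is an added example written for this page, not tooling from Google or the bulletin. It reads `ro.build.version.security_patch` over adb when a device is attached and otherwise falls back to a constructed sample value (2023-08-05, a device still on the August level) so it can run offline; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original article): decide whether an Android
# device's security patch level already includes a given bulletin level.
# Patch levels are ISO dates (YYYY-MM-DD) and later levels contain all fixes
# from earlier ones, so a numeric compare on the digits is sufficient.

# Return 0 if $1 looks like a well-formed YYYY-MM-DD patch level.
valid_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "yes" if device level $1 covers required level $2, "no" if it does
# not, and "invalid" if either string is malformed. Always exits 0 so it can
# be used inside $(...) under set -e; the printed word is the result.
patch_level_covers() {
    device="$1"
    required="$2"
    if ! valid_patch_level "$device" || ! valid_patch_level "$required"; then
        echo invalid
        return 0
    fi
    # 2023-09-05 -> 20230905 so that -ge compares the dates correctly.
    d=$(printf '%s' "$device" | sed 's/-//g')
    r=$(printf '%s' "$required" | sed 's/-//g')
    if [ "$d" -ge "$r" ]; then
        echo yes
    else
        echo no
    fi
    return 0
}

# Read the level from an attached device when adb is available; otherwise
# use a constructed sample so the script still runs offline.
device_patch_level() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
    else
        echo 2023-08-05   # constructed sample: device still on the August level
    fi
}

report() {
    level=$(device_patch_level)
    printf 'Device security patch level: %s\n' "$level"
    printf 'Framework fixes incl. CVE-2023-35674 (2023-09-01): %s\n' \
        "$(patch_level_covers "$level" 2023-09-01)"
    printf 'Qualcomm component fixes (2023-09-05): %s\n' \
        "$(patch_level_covers "$level" 2023-09-05)"
}

report
```

Note that the property only reflects the OEM's declared level; a vendor that ships the 2023-09-01 level without the 2023-09-05 vendor fixes will correctly show as not covered for the Qualcomm issues, and Pixel-specific fixes are tracked in a separate bulletin.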
Two gaps remain this month: Google published no security bulletin for Android Automotive OS, and the Pixel bulletin describing device-specific fixes had not yet appeared at the time of writing. Until a device actually reports the 2023-09-01 level or later, CVE-2023-35674 should be treated as unpatched on it.