Google has released its October 2023 security updates for Android, addressing a total of 54 unique vulnerabilities, including two that were actively exploited by threat actors. These two, tracked as CVE-2023-4863 and CVE-2023-4211, had indications of being under limited, targeted exploitation. CVE-2023-4863 is a buffer overflow vulnerability in the widely used open-source image library libwebp, which also affects other software that bundles the library, such as Chrome, Firefox, and Microsoft Teams.
The second, CVE-2023-4211, is a use-after-free memory flaw in Arm Mali GPU drivers shipped in numerous Android device models, potentially allowing attackers to manipulate sensitive data.
Furthermore, the October 2023 Android security update includes a comprehensive set of fixes: 13 addressing issues in the Android Framework, 12 in System components, two in Google Play, five related to Arm components, three concerning MediaTek chips, and one for Unisoc chips. Notably, 18 fixes are dedicated to Qualcomm components, 15 of them targeting closed-source components. Among the 54 fixes, five are rated critical, and two pertain to remote code execution problems.
Additionally, Google follows a two-tiered approach for releasing security updates: the first patch level (2023-10-01) covers the core Android components (Framework and System), and the second level (2023-10-06) adds fixes for the kernel and closed-source components. This approach lets device manufacturers apply the updates relevant to each hardware model separately, so that patches can reach devices faster.
Since Android versions 10 and older are no longer officially supported, users of these older systems are advised to consider upgrading to a newer model or using a third-party Android distribution that still provides security updates for their device.
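For a defender triaging a fleet, the practical question raised by the two patch levels above is which level each device has actually reached. The following script is an added example, not code from the article or from Google: it parses `adb shell getprop` output (captured here as constructed sample strings for three hypothetical devices) and reports whether a device has the 2023-10-01 core fixes, the 2023-10-06 kernel and vendor fixes, and whether its Android release is still within the supported range the article describes. The property names `ro.build.version.security_patch` and `ro.build.version.release` are real Android system properties; the device names and values are made up.

```python
"""Classify Android devices against the October 2023 patch levels.

Added example, not from the original article. It parses the output of
`adb shell getprop` (captured here as constructed sample strings) and
reports whether each device has reached the 2023-10-01 or 2023-10-06
security patch level and whether its Android release is still supported.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Patch levels from the October 2023 Android bulletin.
PATCH_LEVEL_CORE = date(2023, 10, 1)   # Framework + System fixes
PATCH_LEVEL_FULL = date(2023, 10, 6)   # adds kernel and closed-source (vendor) fixes

# The article states that Android 10 and older no longer receive official
# updates, so Android 11 is treated as the oldest supported release.
OLDEST_SUPPORTED_RELEASE = 11


@dataclass(frozen=True)
class DeviceStatus:
    release: str
    patch_level: date
    has_core_fixes: bool
    has_vendor_fixes: bool
    release_supported: bool


def parse_getprop(output: str) -> dict[str, str]:
    """Parse `adb shell getprop` output, which prints one property per line
    in the form `[ro.build.version.security_patch]: [2023-10-01]`."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue  # ignore anything that is not a property line
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def classify(props: dict[str, str]) -> DeviceStatus:
    """Work out where a device stands relative to the two October 2023 levels."""
    patch_level = date.fromisoformat(props["ro.build.version.security_patch"])
    release = props.get("ro.build.version.release", "unknown")
    try:
        major = int(release.split(".")[0])
    except ValueError:
        major = 0  # unparseable release string: treat as unsupported
    return DeviceStatus(
        release=release,
        patch_level=patch_level,
        has_core_fixes=patch_level >= PATCH_LEVEL_CORE,
        has_vendor_fixes=patch_level >= PATCH_LEVEL_FULL,
        release_supported=major >= OLDEST_SUPPORTED_RELEASE,
    )


# Constructed sample getprop output for three hypothetical devices.
SAMPLE_DEVICES = {
    "device-full": "[ro.build.version.release]: [14]\n"
                   "[ro.build.version.security_patch]: [2023-10-06]\n",
    "device-core-only": "[ro.build.version.release]: [13]\n"
                        "[ro.build.version.security_patch]: [2023-10-01]\n",
    "device-legacy": "[ro.build.version.release]: [10]\n"
                     "[ro.build.version.security_patch]: [2023-02-05]\n",
}


def report(devices: dict[str, str] = SAMPLE_DEVICES) -> dict[str, DeviceStatus]:
    """Classify every device in the mapping of name -> getprop output."""
    return {name: classify(parse_getprop(out)) for name, out in devices.items()}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: Android {status.release}, patch level {status.patch_level}, "
              f"core={status.has_core_fixes} vendor={status.has_vendor_fixes} "
              f"supported={status.release_supported}")
```

The security patch level is a declaration by the device vendor about which bulletin its build incorporates, so a device reporting 2023-10-01 has the Framework and System fixes but not necessarily the Qualcomm, MediaTek or Arm Mali fixes that only arrive with the 2023-10-06 level; that distinction is what the `has_vendor_fixes` field captures.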