Newsletter
The Android Security Bulletin just updated with the release notes for December. This resource is great for staying informed about the spectrum of issues, whether critical or low-impact, affecting Android devices. In this update, Android addressed over 80 vulnerabilities, with many being of critical severity.
If a software bug allows any of the following to occur, it is considered critical: arbitrary code execution, bypass of software mechanisms, remote access to sensitive credentials, remote bypass, remote persistent DoS, or remote secure boot bypass. The bulletin emphasizes, “The most severe vulnerability in this section could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.”
Google issues monthly updates for Android to ensure that devices stay protected against the latest threats. Using an outdated phone may not pose any major threats, but it represents a security risk that one can easily avoid. In the latest round of updates, Android dealt with over 80 threats; among these were 4 critical vulnerabilities.
The critical threats are tracked as CVE-2023-40077, CVE-2023-40088, CVE-2023-40076, and CVE-2023-45866. CVE stands for Common Vulnerabilities and Exposures and functions as a naming convention to help security professionals track and refer to specific threats. We won’t get too technical breaking down these critical vulnerabilities, but let’s see what each one is.
CVE-2023-40077 is a security issue within the MetaDataBase.cpp functions. This issue is a Use-After-Free (UAF) write vulnerability stemming from a race condition. In simpler terms, a race condition arises when software behavior hinges on the timing of events, introducing unpredictable outcomes.
Android critical vulnerabilities could lead to remote escalation of privilege with no additional execution privileges needed
CVE-2023-40076 exposes an avenue for unauthorized access to credentials from other users. Moreover, the root cause lies in a permissions bypass that can potentially pave the way for local escalation of privileges.
CVE-2023-40088 is a zero-click RCE bug. This threat, if exploited, could allow unauthenticated remote users to execute code on a device. CVE-2023-45866 poses a threat to Android, Linux, macOS, and iOS devices. This vulnerability allows for an authentication bypass, potentially leading to code execution on the victim’s end. The exploit uses a bug in the pairing mechanism in Bluetooth, tricking the target into accepting a connection with a Bluetooth keyboard.
The Android December update addressed 84 security vulnerabilities, with four of them (CVE-2023-40077, CVE-2023-40088, CVE-2023-40076, and CVE-2023-45866) being critical.