September Android updates Fix Zero-Day Exploited in Attacks

Cyber Security Threat Summary:
As part of the September 2023 Android security updates, Google addressed 33 vulnerabilities, including a high-severity zero-day that is actively being exploited in the wild. Tracked as CVE-2023-35674, the zero-day flaw impacts the Android Framework and could allow threat actors to escalate privileges on vulnerable devices without requiring user interaction or additional execution privileges. Google stated that this flaw may be under limited targeted exploitation, however, no additional details were released regarding such activity. In addition to CVE-2023-35674, Google addresses four critical vulnerabilities impacting the Android System component and Qualcomm closed-source components.

“The three critical System bugs (CVE-2023-35658, CVE-2023-35673, CVE-2023-35681) can result in remote code execution (RCE) following successful exploitation without requiring additional execution privileges or user interaction. Attackers may leverage these vulnerabilities in RCE attacks when platform and service mitigations are deactivated for development purposes or successfully bypassed. The fourth critical bug (tracked as CVE-2023-28581) is described by Qualcomm as a WLAN Firmware memory corruption issue that could let remote attackers execute arbitrary code, read sensitive information, or trigger system crashes in low-complexity attacks that don't require privileges or user interaction” (Bleeping Computer, 2023).

Security Officer Comments:
For the September 2023 updates, Google issued two different patch levels, 2023-09-01 and 2023-09-05. so that “Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly.” Android partners have been encouraged to fix all the issues addressed in Google’s bulletin and use the latest security patch level:

  • Devices that use the 2023-09-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
  • Devices that use the security patch level of 2023-09-05 or newer must include all applicable patches in this (and previous) security bulletins.
To determine your device’s security patch level, see Check and update your Android version.

Suggested Correction(s):
The flaws addressed this month affect Android 11, 12, and 13, which have all received updates. Devices running unsupported versions are also at risk of e

xploitation. Users running on Android 10 or older should consider upgrading to a device running a supported version.