The September 2023 Android security updates have been released, addressing a total of 33 vulnerabilities. Among them is a zero-day bug (CVE-2023-35674) that is being actively exploited in the wild. This high-severity flaw in the Android Framework allows attackers to elevate privileges without user interaction or additional execution privileges.

Google has stated that there are indications of limited, targeted exploitation of CVE-2023-35674. In an advisory, Google recommends that all users update to the latest version of Android to make it more difficult for attackers to exploit issues.

In addition to the actively exploited zero-day bug, the September Android security updates also address three critical security flaws in the Android System component (CVE-2023-35658, CVE-2023-35673, CVE-2023-35681) and one in Qualcomm closed-source components (CVE-2023-28581). These critical vulnerabilities can lead to remote code execution without additional privileges or user interaction.

Attackers may leverage these vulnerabilities in remote code execution attacks when platform and service mitigations are disabled or bypassed. The Qualcomm bug, described as a WLAN Firmware memory corruption issue, allows remote attackers to execute arbitrary code, read sensitive information, or cause system crashes through low-complexity attacks that do not require privileges or user interaction.

Google has released two sets of patches for September 2023: the 2023-09-01 and 2023-09-05 security patch levels. The latter includes all the security fixes from the initial set and additional patches for third-party closed-source and Kernel components. Device vendors may prioritize the deployment of the initial patch level to expedite the update process, but this choice does not necessarily imply an increased risk of exploitation.
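The following fleet check is an added example, not code from Google or the original article. It classifies devices by the patch level string a device reports (for instance via `adb shell getprop ro.build.version.security_patch`). It assumes the Framework and System fixes ship in the 2023-09-01 level and the Qualcomm closed-source fix only in 2023-09-05; the device names and inventory values are constructed.

```python
from datetime import date

# Patch levels and CVE IDs are taken from the article above.
# Assumption: Framework/System fixes are in 2023-09-01; the Qualcomm
# closed-source fix (relevant to Qualcomm-based devices) is in 2023-09-05.
FIXED_AT = {
    date(2023, 9, 1): ["CVE-2023-35674", "CVE-2023-35658",
                       "CVE-2023-35673", "CVE-2023-35681"],
    date(2023, 9, 5): ["CVE-2023-28581"],
}

def parse_patch_level(value):
    """Parse a YYYY-MM-DD security patch level; return None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def unpatched_cves(patch_level):
    """Return the article's CVEs not covered by this patch level string."""
    level = parse_patch_level(patch_level)
    missing = []
    for fixed_level, cves in sorted(FIXED_AT.items()):
        # Unknown or malformed levels are treated as unpatched (fail closed).
        if level is None or level < fixed_level:
            missing.extend(cves)
    return missing

def audit(inventory):
    """Map device name -> (status, missing CVEs) for a fleet inventory."""
    report = {}
    for device, patch_level in inventory.items():
        missing = unpatched_cves(patch_level)
        if not missing:
            status = "current"
        elif "CVE-2023-35674" in missing:
            status = "exposed-to-exploited-zero-day"
        else:
            status = "partial"
        report[device] = (status, missing)
    return report

# Constructed sample inventory (device names and values are made up).
SAMPLE = {"pixel-7-lab": "2023-09-05", "vendor-phone-a": "2023-09-01",
          "vendor-phone-b": "2023-08-05", "kiosk-tablet": "unknown"}

if __name__ == "__main__":
    for device, (status, missing) in audit(SAMPLE).items():
        print(f"{device}: {status} {missing}")
```

The reported patch level is a vendor-set string, so treat it as a declaration to be cross-checked against the vendor's own bulletin rather than as proof that each fix is present.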

While Google Pixel devices receive monthly security updates immediately, other vendors may take some time to push the updates to their devices, as they need to test and fine-tune the patches for each hardware configuration. Users running Android 10 and older should consider upgrading to devices running a supported version or flashing their current device with a third-party Android ROM based on a recent AOSP version.

Definition of terms:

– Zero-day bug: A vulnerability or flaw in software or hardware that is not known to the vendor or developers and has not been patched.

– Android Framework: A set of software libraries and tools provided by Google to develop applications for the Android operating system.

– Privileges: Rights or permissions granted to a user or program that allow access to certain resources or functionality.

– Remote code execution: The ability for an attacker to execute arbitrary code or commands on a remote system.

