Google’s Android security updates for May 2023 patch more than 40 vulnerabilities, including a kernel flaw exploited as a zero-day by a spyware vendor.
The latest Android updates patch vulnerabilities in the framework, system, kernel, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components.
A vast majority of the security holes have been assigned a ‘high severity’ rating and they can be exploited for privilege escalation, DoS attacks, and information disclosure.
The vulnerability that was exploited as a zero-day is tracked as CVE-2023-0266 and it has been described by Google as a moderate-severity kernel flaw that can be exploited for local privilege escalation without user interaction. An entry in NIST’s National Vulnerability Database describes it as a high-severity use-after-free in the Linux kernel’s ALSA PCM package.
Exploitation of the vulnerability was first mentioned by Google in late March, when the company described several Android and iOS zero-day vulnerabilities whose exploitation had been linked to commercial spyware vendors.
In the case of CVE-2023-0266, it was used as part of an exploit chain involving several vulnerabilities, including ones impacting Chrome and the Mali GPU kernel driver. The attackers delivered the exploits as links sent to the targeted individual via SMS. The hackers actually targeted the Samsung Internet Browser, which is based on Chromium but lacks some of the important mitigations present in Chrome.
The targets were users in the United Arab Emirates and the attackers’ goal was to deliver full-featured Android spyware to their devices. The attacks are believed to have been carried out by a customer or partner of a Spanish spyware vendor named Variston, whose activities were brought to light by the tech giant in November 2022.
CVE-2023-0266 was also added in late March to the Known Exploited Vulnerabilities Catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).
According to data from Google, three Android vulnerabilities that came to light this year have been exploited in attacks.
Google this week also released a security update for its Pixel phones to patch a couple of vulnerabilities. CVE-2023-0266 was patched in Pixel devices in April.
Related: Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation
Related: Android’s April 2023 Updates Patch Critical Remote Code Execution Vulnerabilities
Related: Google Patches Android Zero-Day Exploited in Targeted Attacks
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
