
Android Security Updates Patch 3 Exploited Vulnerabilities

Google’s July 2023 security updates for Android patch 43 vulnerabilities, including three exploited in the wild.

Security updates that Google released this week for Android resolve 43 vulnerabilities, including three that have been exploited in attacks.

The exploited flaws, tracked as CVE-2023-2136, CVE-2023-26083, and CVE-2021-29256, impact Android’s System and Arm Mali components.

The internet giant says “there are indications” that these security defects “may be under limited, targeted exploitation”.

CVE-2023-2136 was disclosed in April as a zero-day vulnerability in the Chrome browser, and is described as an integer overflow issue in Skia.

The bug allows “a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,” a NIST advisory explains.

According to Google’s July 2023 Android security bulletin, the vulnerability can be exploited to achieve remote code execution on Android devices.

Devices running a 2023-07-01 security patch level or later are patched against this vulnerability and 22 other security defects in the platform’s Framework and System components, including a critical-severity remote code execution issue tracked as CVE-2023-21250.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” the internet giant says.


The two exploited Arm bugs were addressed as part of Android’s 2023-07-05 security patch level, which resolves a total of 20 flaws in Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm components.

The first of the vulnerabilities, CVE-2021-29256, is a privilege escalation vulnerability impacting the Midgard, Bifrost, and Valhall Mali GPU kernel drivers.

“A non-privileged user can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information,” Arm explains in its advisory.

The second exploited Arm issue, CVE-2023-26083, is described as a memory leak vulnerability in Midgard, Bifrost, Valhall, and 5th gen Mali GPU kernel drivers.

“A non-privileged user can make valid GPU processing operations that expose sensitive kernel metadata,” Arm’s advisory reads.

The chip maker warned of this flaw’s exploitation at the end of March and CISA added it to its Known Exploited Vulnerabilities catalog on April 7.

Google reported in late March that CVE-2023-26083 was one of the vulnerabilities exploited by commercial spyware vendors to hack Samsung devices. It’s possible that all of the flaws have been exploited by companies offering surveillance solutions.

This week, Google also announced security updates for Pixel devices, to address 14 vulnerabilities in Kernel, Pixel, and Qualcomm components. Two of the flaws, leading to elevation of privilege and denial-of-service (DoS), are rated ‘critical’ severity.

Pixel devices running a 2023-07-05 security patch level are patched against all these vulnerabilities and the bugs described in the July 2023 Android security bulletin.
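The article's two patch levels draw a line that fleet owners care about: a device reporting 2023-07-01 has the System fixes (including the exploited Skia bug) but not the two exploited Arm Mali fixes, which only arrive at 2023-07-05. The following is an added example, not code from SecurityWeek or Google, that takes the patch-level string Android reports in the `ro.build.version.security_patch` build property and lists which of the bulletin's fixes a device still lacks; the device inventory is constructed sample data, and the CVE-to-patch-level mapping is taken from the article.

```python
from datetime import date

# Earliest July 2023 security patch level that contains each fix (per the article).
FIXED_AT = {
    "CVE-2023-2136": date(2023, 7, 1),   # Skia integer overflow in System, exploited in the wild
    "CVE-2023-21250": date(2023, 7, 1),  # critical System RCE, no user interaction needed
    "CVE-2021-29256": date(2023, 7, 5),  # Arm Mali GPU driver use-after-free, exploited
    "CVE-2023-26083": date(2023, 7, 5),  # Arm Mali GPU driver kernel metadata leak, exploited
}
EXPLOITED = {"CVE-2023-2136", "CVE-2021-29256", "CVE-2023-26083"}

# Constructed sample inventory: device id -> value of ro.build.version.security_patch
# (as returned by `adb shell getprop ro.build.version.security_patch`).
SAMPLE_INVENTORY = {
    "pixel-lab-01": "2023-07-05",
    "pixel-lab-02": "2023-07-01",
    "vendor-test-03": "2023-06-05",
    "vendor-test-04": "n/a",  # property missing or mangled on some builds
}


def parse_patch_level(raw):
    """Parse a YYYY-MM-DD patch level; return None when the value is malformed."""
    try:
        return date.fromisoformat(raw.strip())
    except (ValueError, AttributeError):
        return None


def missing_fixes(raw_patch_level, cve_to_level=FIXED_AT):
    """CVEs whose fix landed in a patch level newer than the one the device reports.

    An unparseable level is treated as unpatched: the property is self-reported by
    the build, so a missing value should raise a flag rather than pass silently.
    """
    level = parse_patch_level(raw_patch_level)
    if level is None:
        return sorted(cve_to_level)
    return sorted(cve for cve, fixed in cve_to_level.items() if level < fixed)


def triage(inventory):
    """Per-device report: all missing fixes, and the subset known to be exploited."""
    report = {}
    for device, raw in inventory.items():
        missing = missing_fixes(raw)
        report[device] = {
            "missing": missing,
            "exploited_missing": sorted(set(missing) & EXPLOITED),
        }
    return report
```

Because the patch level is a date string rather than a list of fixed CVEs, the check only tells you what the bulletin says a compliant build should contain; OEM builds that backport individual fixes without bumping the level will be reported as exposed.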

Google’s July 2023 Android Automotive OS security update contains patches for only one specific vulnerability, but also addresses the issues resolved with the July 2023 Android security update.

Related: Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability

Related: Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones

Related: Google Announces New Rating System for Android and Device Vulnerability Reports

Written by Ionut Arghire, an international correspondent for SecurityWeek.
