Google on Tuesday announced that Android’s September 2023 security updates contain patches for 32 vulnerabilities, including one that has been exploited in attacks.
Tracked as CVE-2023-35674, the zero-day flaw is described as a high-severity elevation of privilege in Android’s Framework component.
According to Google’s advisory, no additional execution privileges or user interaction are required to exploit the bug.
“There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” Google notes, without providing details on the observed attacks.
Google has become aware of several Android zero-days in recent years and many of them have been exploited by commercial spyware vendors.
Five other high-severity vulnerabilities were addressed in Framework, three leading to elevation of privilege and two to information disclosure.
All six issues were resolved as part of Android’s 2023-09-01 security patch level, which also addresses 14 vulnerabilities in the System component.
Of these, three are critical-severity bugs that could lead to remote code execution, while the rest are high-severity flaws, six leading to elevation of privilege, four to information disclosure, and one to denial-of-service (DoS).
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” Google notes.
The internet giant also announced that two other issues were resolved in Project Mainline components with updates delivered via Google Play. Targeting vital Android components, these updates are delivered in the background, without forcing a device reboot.
The second part of this month’s security update for Android arrives on devices as the 2023-09-05 security patch level with fixes for 12 other vulnerabilities in Qualcomm components.
The 2023-09-05 security patch level addresses all bugs in this month’s security updates and the issues resolved with previous patch levels.
This month, Google has released no patches for Android Automotive OS. The internet giant has yet to publish a security bulletin describing the fixes released for vulnerabilities in Pixel devices.