SecurityWeek

Android’s September 2024 Update Patches Exploited Vulnerability

Google has released Android security updates to patch an exploited local privilege escalation vulnerability.

Google on Tuesday announced a fresh set of Android security updates that address 35 vulnerabilities, including a local privilege escalation bug exploited in attacks.

The exploited flaw, tracked as CVE-2024-32896 (CVSS score of 7.8), is a high-severity issue affecting Android’s Framework component. A logic error in the code could lead to protection bypass, allowing a local attacker to elevate privileges.

“The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in the September 2024 Android security bulletin.

The bug was initially disclosed in June, when Google warned that it had been exploited as a zero-day to target Pixel devices. The internet giant’s June 2024 Pixel security update resolved the vulnerability.

“There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” Google warns again.

CVE-2024-32896 was addressed with the first part of this month’s Android updates, which arrives on devices as the 2024-09-01 security patch level, with fixes for a total of 10 security defects.

All these issues, three in Framework and seven in the System component, are high-severity flaws, Google’s advisory reveals.

The second part of the Android security update rolls out to devices as the 2024-09-05 security patch level with fixes for 25 bugs in Kernel, Arm, Imagination Technologies, Unisoc, and Qualcomm components.

An Android security patch level of 2024-09-05 or later resolves all these vulnerabilities and the flaws patched with previous security updates.

The September 2024 Pixel security update patches six issues, including four critical-severity bugs, all four described as elevation of privilege flaws. Google makes no mention of any of these being exploited in the wild.

While no functional patches were included in the Pixel update, devices running a security patch level of 2024-09-05 are protected against all six vulnerabilities, as well as the security defects resolved with Android’s September 2024 update.

On Monday, Google also published a separate advisory drawing attention to 14 security defects resolved with the Android 15 update. All Android 15 devices running a security patch level of 2024-09-01 or later contain fixes for the resolved bugs.

The internet giant also announced Automotive OS and Wear OS updates. In addition to the flaws described in the September 2024 Android security bulletin, they patch one and four vulnerabilities, respectively.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
