Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Patches Exploited Pixel Vulnerabilities

Google patches 28 vulnerabilities in Android and 25 bugs in Pixel devices, including two flaws exploited in the wild.

Android patches

Google on Monday announced patches for 28 vulnerabilities in Android and 25 other bugs in Pixel devices, including two issues exploited in the wild.

The exploited flaws, tracked as CVE-2024-29745 and CVE-2024-29748, impact Pixel’s bootloader and firmware, Google notes in its advisory.

The internet giant says it has indications that these two security defects “may be under limited, targeted exploitation,” without providing specific details on the observed attacks.

Google has often linked these types of vulnerabilities to commercial spyware vendors. 

A total of 24 vulnerabilities leading to elevation of privilege (EoP) and information disclosure were addressed in various Pixel components, and another was resolved in Qualcomm components.

The Pixel update resolves all these bugs, along with the 28 flaws addressed with Android’s April 2024 security patches.

The most severe of these vulnerabilities is CVE-2024-23704, an EoP defect in the System component that affects Android 13 and Android 14.

“The most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed,” Google explains in its April 2024 Android security bulletin.

Advertisement. Scroll to continue reading.

The vulnerability was addressed as part of the 2024-04-01 security patch level, which fixes a total of eight high-severity flaws in Framework and System, which could be exploited to escalate privileges, leak information, or cause a denial-of-service condition.

A total of 20 other bugs were fixed in MediaTek, Widevine, and Qualcomm components as part of the second part of the security update, which arrives on devices as the 2024-04-05 security patch level.

“Security patch levels of 2024-04-05 or later address all issues associated with the 2024-04-05 security patch level and all previous patch levels,” Google notes.

On Pixel devices, a security patch level of 2024-04-05 resolves all these security defects.

Security updates were pushed out for Android Automotive OS and Wear OS, resolving all flaws fixed by the 2024-04-05 security patch level, but no additional vulnerabilities.

Related: Android’s March 2024 Update Patches Critical Vulnerabilities

Related: Critical Remote Code Execution Vulnerability Patched in Android

Related: Android’s January 2024 Security Update Patches 58 Vulnerabilities

Related: CISA Warns of Pixel Phone Vulnerability Exploitation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Kim Larsen is new Chief Information Security Officer at Keepit

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.