
Google has released the October 2023 security updates for Android, addressing 54 unique vulnerabilities, including two known to be actively exploited.

The two exploited flaws are CVE-2023-4863 and CVE-2023-4211, for which Google has "indications that they may be under limited, targeted exploitation."

CVE-2023-4863 is a buffer overflow vulnerability in the ubiquitous open-source library libwebp, which impacts numerous software products, including Chrome, Firefox, iOS, Microsoft Teams, and many more.

The particular flaw was initially erroneously assigned separate CVEs for Apple iOS and Google Chrome, although it was actually in the underlying library. A subsequent attempt to fix it by assigning a new CVE (CVE-2023-5129) was rejected.

CVE-2023-4211 is an actively exploited flaw impacting multiple versions of Arm Mali GPU drivers used in a broad range of Android device models.

This flaw is a use-after-free memory issue that could allow attackers to locally access or manipulate sensitive data.

In summary, the October 2023 Android update brings:

  • 13 fixes in Android Framework
  • 12 fixes in System components
  • Two updates on Google Play
  • Five fixes in Arm components
  • Three fixes concerning MediaTek chips
  • One fix concerning Unisoc chips
  • 18 fixes on Qualcomm components (15 for closed-source)

Of the 54 fixes concerning Android 11 through 13, five are rated critical, and two concern remote code execution problems.

This update follows the standard system of releasing two patch levels: the first (2023-10-01) focuses on core Android components (Framework + System), while the second (2023-10-06) addresses the kernel and closed-source components.

This approach enables device manufacturers to selectively apply updates relevant to their hardware models, thus making them available faster.

Recipients of the first patch level will obtain the current month's Android core updates as well as the updates from both levels of the preceding month, in this instance, September 2023.

Those who see the second patch level on their update screen will get all the updates mentioned in this month's bulletin.
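The two-level scheme above lends itself to a simple compliance check: a device's reported patch level tells you whether it carries only the core (2023-10-01) fixes or the full (2023-10-06) set. The following is an added example, not code from the article; it assumes the level is read from Android's `ro.build.version.security_patch` property (for example via `adb shell getprop`), and the fleet records it processes are constructed here.

```python
from datetime import date

# Patch levels named in the October 2023 Android bulletin.
CORE_LEVEL = date(2023, 10, 1)   # Framework + System fixes (plus both September levels)
FULL_LEVEL = date(2023, 10, 6)   # adds kernel and closed-source component fixes


def parse_patch_level(value):
    """Parse the YYYY-MM-DD string a device reports in ro.build.version.security_patch."""
    return date.fromisoformat(value.strip())


def classify(patch_level):
    """Return which part of the October 2023 bulletin a device at this level has.

    Later patch levels include all earlier fixes, so a device on 2023-11-01 also
    counts as 'full' for October.
    """
    try:
        level = parse_patch_level(patch_level)
    except ValueError:
        return "unparseable"   # property missing or not a valid date
    if level >= FULL_LEVEL:
        return "full"          # every fix in the October bulletin
    if level >= CORE_LEVEL:
        return "core"          # Framework/System only; vendor fixes still pending
    return "behind"            # predates the October bulletin entirely


def fleet_report(records):
    """records: iterable of 'serial<TAB>patch_level' lines. Returns {serial: status}."""
    report = {}
    for line in records:
        serial, _, level = line.partition("\t")
        report[serial] = classify(level)
    return report


# Constructed sample: what a script collecting getprop output per device might emit.
SAMPLE_RECORDS = [
    "R5CT1234\t2023-10-01",   # first patch level only
    "R5CT5678\t2023-10-06",   # second patch level
    "R5CT9012\t2023-11-01",   # a later month, so October is fully covered
    "emulator-5554\t2023-09-01",
    "R5CT0000\tunknown",
]

if __name__ == "__main__":
    for serial, status in fleet_report(SAMPLE_RECORDS).items():
        print(f"{serial}: {status}")
```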

Android versions 10 and older are no longer supported, yet depending on the scope of some recently fixed vulnerabilities, they might also be impacted.

For this reason, users of older Android systems are recommended to upgrade to a newer model or flash their device with a third-party Android distribution that offers security updates for their models.
