Google has rolled out the September 2023 security updates for Android, resolving a total of 32 vulnerabilities, one of which was being actively exploited. The exploited zero-day, tracked as CVE-2023-35674, is a high-severity elevation of privilege vulnerability in Android's Framework component. Google's advisory notes that exploiting it requires neither additional execution privileges nor user interaction. Google stated, “There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” without providing further details on the nature of the attacks.
In recent years, Google has identified several Android zero-days, many of which were exploited by commercial spyware vendors. In addition to CVE-2023-35674, five other high-severity vulnerabilities in the Framework were addressed: three elevation of privilege bugs and two information disclosure bugs. All of these issues were resolved in Android's 2023-09-01 security patch level, which also addressed 14 vulnerabilities in the System component.
The System fixes include three critical-severity bugs that could lead to remote code execution, and 11 high-severity flaws, six of which could lead to elevation of privilege, four to information disclosure, and one to denial-of-service (DoS). Google said, “The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.”
Google also announced that two other issues were resolved in Project Mainline components, with the fixes delivered via Google Play system updates. These updates, which target core Android components, are applied in the background and do not require a device reboot.
The second part of this month's Android security update, the 2023-09-05 security patch level, includes fixes for 12 other vulnerabilities in Qualcomm components. Devices on the 2023-09-05 patch level carry all of the fixes in this month's bulletin as well as those from earlier patch levels. Google has not released any patches for Android Automotive OS this month, and it has not yet published a security bulletin describing the fixes for Pixel devices.
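For administrators checking a fleet against this bulletin, the device's reported patch level (the `ro.build.version.security_patch` system property) is the quickest indicator. The script below is an added example, not part of the article or of Google's bulletin: it classifies a patch level against the two levels named above, using the fact that Android patch levels are ISO dates and therefore compare correctly as integers once the hyphens are stripped. The live query assumes `adb` is installed and a device is attached; it is skipped when `adb` is absent.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# September 2023 bulletin. Not from the article or from Google's bulletin.
#
#   2023-09-01  Framework + System fixes, including the exploited CVE-2023-35674
#   2023-09-05  everything above plus the Qualcomm component fixes

FULL_LEVEL=20230905      # 2023-09-05 as an integer for numeric comparison
PARTIAL_LEVEL=20230901   # 2023-09-01

# patch_status YYYY-MM-DD
#   prints "full", "partial", "missing" or "invalid"
#   returns 0 when the exploited Framework bug is covered (full or partial),
#   1 when it is not, 2 when the input is not a patch-level date
patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 2 ;;
    esac
    # Strip the hyphens so the ISO date becomes an integer such as 20230905.
    n=$(printf '%s' "$level" | tr -d -)
    if [ "$n" -ge "$FULL_LEVEL" ]; then
        echo "full"; return 0
    elif [ "$n" -ge "$PARTIAL_LEVEL" ]; then
        echo "partial"; return 0
    else
        echo "missing"; return 1
    fi
}

# Live check: query the attached device's patch level over adb (assumption:
# adb is on PATH and a device is connected; skipped otherwise). tr removes a
# trailing CR that some adb builds append to shell output.
if command -v adb >/dev/null 2>&1; then
    device_level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    if [ -n "$device_level" ]; then
        echo "device patch level $device_level: $(patch_status "$device_level")"
    fi
fi
```

A "partial" result means the device has the 2023-09-01 fixes, including the exploited CVE-2023-35674, but not the Qualcomm fixes from 2023-09-05; "missing" means the exploited bug is still unpatched. Because the comparison is numeric on the date, the same function works unchanged for later bulletins once the two threshold constants are updated.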