Google has launched its security updates for Android for October 2023, which deal with 54 unique vulnerabilities, two of which are confirmed to be actively exploited. The exploited vulnerabilities are identified as CVE-2023-4863 and CVE-2023-4211. Google has indicated that these vulnerabilities might be the target of limited, specific exploitation.
The vulnerability CVE-2023-4863 is a buffer overflow issue in the widely-used open-source library libwebp, affecting a variety of software products, such as Chrome, Firefox, iOS, Microsoft Teams, and numerous others. Initially, this flaw was mistakenly allocated separate CVEs for Apple iOS and Google Chrome, while the actual issue was in the underlying library. A later effort to rectify this by assigning a new CVE (CVE-2023-5129) was not accepted.
The second vulnerability, CVE-2023-4211, is an actively exploited flaw that affects multiple versions of Arm Mali GPU drivers, used in a wide array of Android device models. This flaw is a use-after-free memory problem that could potentially enable attackers to access or manipulate sensitive data locally.
In total, the October 2023 Android update addresses 54 vulnerabilities affecting Android versions 11 through 13; five of them are rated critical, and two of those are remote code execution issues. The update follows the standard practice of releasing two patch levels: the first (2023-10-01) covers core Android components (Framework + System), while the second (2023-10-06) covers the kernel and closed-source components. This split allows device manufacturers to apply only the updates relevant to their hardware models, and so to ship them more quickly.
Users who receive the first patch level get the current month's Android core updates as well as the updates from both levels of the previous month, in this case September 2023. Those who see the second patch level on their update screen receive all the updates listed in this month's bulletin. Android versions 10 and older are no longer supported, but depending on the reach of some recently fixed vulnerabilities, they may also be affected. Consequently, users of older Android systems are advised to upgrade to a newer model or to flash their device with a third-party Android distribution that still provides security updates for it.
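As an added example, not part of the article or of Google's bulletin, the following POSIX shell function classifies a device's reported patch level against the two October 2023 levels described above; it assumes the level is read from the `ro.build.version.security_patch` system property with `adb shell getprop`, which returns an ISO date such as `2023-10-01`.

```shell
# Added example: classify a device's security patch level against the
# October 2023 bulletin. Not from the article or from Google.
# Assumed source of the value:
#   adb shell getprop ro.build.version.security_patch   -> e.g. 2023-10-01

CORE_LEVEL=2023-10-01   # Framework + System fixes (also implies both September 2023 levels)
FULL_LEVEL=2023-10-06   # adds kernel and closed-source component fixes

# to_num 2023-10-06 -> 20231006 (ISO dates compare correctly as integers)
to_num() {
  printf '%s' "$1" | sed 's/-//g'
}

# patch_level_status LEVEL -> prints one of: full, core, stale, invalid
#   full    : level >= 2023-10-06, everything in the October bulletin is applied
#   core    : 2023-10-01 <= level < 2023-10-06, only Framework/System fixes
#   stale   : level before 2023-10-01, October bulletin not applied at all
#   invalid : value is not an ISO date (unexpected getprop output)
patch_level_status() {
  level=$1
  case $level in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo invalid; return 0 ;;
  esac
  n=$(to_num "$level")
  if [ "$n" -ge "$(to_num "$FULL_LEVEL")" ]; then
    echo full
  elif [ "$n" -ge "$(to_num "$CORE_LEVEL")" ]; then
    echo core
  else
    echo stale
  fi
}

# Usage against a connected device (read-only; tr strips the CR that adb
# emits on some hosts):
#   patch_level_status "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
```

A result of `core` means the October Framework/System fixes and both September levels are present, but the kernel and vendor fixes (including the Arm Mali driver fix for CVE-2023-4211) still depend on the manufacturer shipping the 2023-10-06 level.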