Security News > 2023 > December > December Android updates fix critical zero-click RCE flaw
Google announced today that the December 2023 Android security updates tackle 85 vulnerabilities, including a critical severity zero-click remote code execution bug.
"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation," the advisory explains.
An additional 84 security vulnerabilities were patched this month, with three of them critical severity privilege escalation and information disclosure bugs in Android Framework and System components.
Two months ago, in October, Google also patched two security flaws that were exploited as zero-days, the former in the libwebp open-source library and the latter affecting multiple Arm Mali GPU driver versions used in a broad range of Android device models.
The September Android security updates addressed another actively exploited zero-day in the Android Framework component that allowed attackers to escalate privileges without requiring additional execution privileges or user interaction.
As usual, Google released two patch sets with the December security updates month, identified as the 2023-12-01 and 2023-12-05 security levels.
News URL
Related news
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks (source)
- New 'Brokewell' Android Malware Spread Through Fake Browser Updates (source)
- Google now pays up to $450,000 for RCE bugs in some Android apps (source)
- HPE Aruba Networking fixes four critical RCE flaws in ArubaOS (source)
- Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks (source)
- Bug hunters can get up to $450,000 for an RCE in Google’s Android apps (source)
- Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw (source)
- Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002) (source)