Google on Monday announced the release of patches for 51 vulnerabilities as part of the October 2023 security updates for Android, including fixes for two zero-day flaws exploited in malicious attacks.
The first of the exploited issues is CVE-2023-4863 (CVSS score of 8.8), a heap buffer overflow in the libwebp image decoding library that leads to an out-of-bounds memory write and remote code execution (RCE). Because libwebp is embedded in browsers and many other applications that decode untrusted WebP images, the bug is reachable through a single crafted image.
In the Android security bulletin for October 2023, Google explains that the vulnerability impacts the System component and assesses it with a ‘critical’ severity rating.
While the tech giant does not provide specific information on the observed in-the-wild exploitation, the issue was identified and reported by Apple and the Citizen Lab group at The University of Toronto's Munk School, which often details attacks linked to commercial spyware vendors. The flaw had been exploited to deliver spyware to iPhones.
Over the past weeks, vendors have been scrambling to assess the impact of CVE-2023-4863 and address the bug. To date, Palo Alto Networks, 1Password, Microsoft, and others have released advisories.
It’s worth noting that while CVE-2023-4863 has been reportedly exploited in the wild, there are no details on attacks beyond the ones aimed at iPhones.
Typically, Google splits Android security bulletins into two different patch levels, based on the affected components, but this month’s bulletin has a third part, the 2023-10-06 security patch level, which specifically addresses CVE-2023-4863.
The second zero-day flaw addressed in Android this month is CVE-2023-4211, a bug in the Arm Mali GPU driver that allows a local non-privileged user to make “improper GPU memory processing operations to gain access to already freed memory”, in other words a use-after-free reachable from an unprivileged process.
“There is evidence that this vulnerability may be under limited, targeted exploitation,” Google and Arm note in their advisories.
No information is available on these attacks. However, in the past, Google reported seeing Arm Mali GPU driver vulnerabilities being included in sophisticated exploit chains whose ultimate goal was the delivery of commercial spyware. This might be the case with CVE-2023-4211 as well, considering that Google researchers have been credited by Arm for reporting the flaw.
CVE-2023-4211 was addressed as part of the 2023-10-05 security patch level, which resolves a total of 26 issues in Arm, MediaTek, Unisoc, and Qualcomm components.
For Pixel devices, patches for the Mali GPU driver vulnerability were released on September 18, with an out-of-band Pixel update bulletin.
The first part of this month’s Android update, the 2023-10-01 security patch level, addresses 24 flaws in the platform’s Framework and System components.
All 51 vulnerabilities are addressed on devices running a security patch level of 2023-10-06 or higher.
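The three patch levels above give fleet owners a simple triage rule: a device's `ro.build.version.security_patch` property (readable with `adb shell getprop ro.build.version.security_patch`) tells you which of the two zero-day fixes it carries. The script below is an added example, not code from Google or from the bulletin; it takes patch-level strings as input (the inventory is constructed, not real data) and maps each one to the fixes it still lacks. Dates are YYYY-MM-DD, so they can be compared as integers after stripping the dashes.

```sh
#!/bin/sh
# Added example: triage Android security patch levels against the
# October 2023 bulletin. Not part of the bulletin or any Google tooling.

# Patch levels from the bulletin.
LEVEL_FRAMEWORK="2023-10-01"   # 24 Framework/System fixes
LEVEL_VENDOR="2023-10-05"      # 26 vendor fixes incl. CVE-2023-4211 (Mali GPU)
LEVEL_WEBP="2023-10-06"        # CVE-2023-4863 (libwebp)

# valid_level LEVEL -> exit 0 if LEVEL looks like YYYY-MM-DD.
valid_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# level_num LEVEL -> the date as an integer (2023-10-06 -> 20231006),
# which preserves chronological order for string comparison.
level_num() {
    printf '%s' "$1" | sed 's/-//g'
}

# patch_status LEVEL -> one of:
#   invalid             : property missing or malformed
#   missing-all         : older than 2023-10-01, none of this bulletin applied
#   missing-4211,4863   : Framework/System fixes only, both zero-days unfixed
#   missing-4863        : vendor level applied, libwebp fix still missing
#   complete            : 2023-10-06 or later, all 51 fixes present
patch_status() {
    level="$1"
    if ! valid_level "$level"; then
        echo "invalid"
        return 0
    fi
    n=$(level_num "$level")
    if   [ "$n" -lt "$(level_num "$LEVEL_FRAMEWORK")" ]; then echo "missing-all"
    elif [ "$n" -lt "$(level_num "$LEVEL_VENDOR")" ];    then echo "missing-4211,4863"
    elif [ "$n" -lt "$(level_num "$LEVEL_WEBP")" ];      then echo "missing-4863"
    else                                                      echo "complete"
    fi
}

# Constructed sample inventory: "<serial> <security_patch>" per line, as you
# would collect with getprop across a fleet. Hypothetical serials and values.
SAMPLE_INVENTORY="pixel-01 2023-10-06
pixel-02 2023-10-05
oem-03 2023-09-05
oem-04 2023-10-01
oem-05 unknown"

# triage INVENTORY -> prints "<serial> <level> <status>" per device.
triage() {
    printf '%s\n' "$1" | while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s %s\n' "$serial" "$level" "$(patch_status "$level")"
    done
}

# count_status INVENTORY STATUS -> number of devices in that status.
count_status() {
    triage "$1" | awk -v s="$2" '$3 == s { n++ } END { print n + 0 }'
}

# Stand-alone run: list every device and summarise the libwebp gap.
triage "$SAMPLE_INVENTORY"
echo "devices still missing the CVE-2023-4863 fix: $(( $(count_status "$SAMPLE_INVENTORY" missing-4863) + $(count_status "$SAMPLE_INVENTORY" missing-4211,4863) + $(count_status "$SAMPLE_INVENTORY" missing-all) ))"
```

Treat the patch-level string as a floor rather than an exact inventory of fixes: as the bulletin notes, Pixel devices received the Mali GPU driver fix on September 18 through an out-of-band update, so a Pixel can carry that fix without its patch level having reached 2023-10-05. The reverse direction is the one that matters for triage: a device below 2023-10-06 definitely lacks the libwebp fix, whatever else it has.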