In context: Android is often accused of being prone to various security vulnerabilities that could affect user privacy. While Google has taken numerous steps to make the OS safer, problems keep cropping up every now and then. This week, Google said it discovered a critical security vulnerability that could allow zero-click remote code execution (RCE).
Tracked as CVE-2023-40088, the flaw was found in Android’s System component and is rated by Google as ‘Critical’ severity. According to the National Vulnerability Database, the problem arises in callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp, where memory could be corrupted due to a use-after-free. This could lead to remote code execution with no additional privileges and without any user interaction.
There’s no word on whether the bug has already been exploited in the wild, but Google says it has issued a patch to fix the problem as part of the December 2023 security bulletin. According to the release notes, the fix is compatible only with newer Android versions, ranging from Android 11 to Android 14.
It is worth noting here that Google issuing a patch is only the first step towards securing end users, as each vendor or carrier still has to roll out its own update to fix the bug. Therefore, unless you’re using a Pixel, you may have to wait several weeks for the update, and some devices may never receive it.
In addition to the aforementioned bug, Google fixed 84 more security vulnerabilities as part of the December update. Three of these are rated as ‘Critical,’ while the rest are listed as ‘High’ severity. Several other vulnerabilities affect Qualcomm closed-source components and are described in detail in the latest Qualcomm security bulletin. One of these vulnerabilities is listed as ‘Critical,’ while the rest are rated as ‘High.’
With security becoming an increasingly thorny issue for Android users, Google says it is working on new ways to boost the security of its mobile OS. First off, the company is introducing compiler-based sanitizers to catch memory safety issues early on in the software development process. Next, it is working with hardware partners to add memory safety features at the firmware level. Finally, the company is implementing various measures to make it harder for hackers to exploit unknown bugs.