Google has announced an October security update for all Android users that addresses more than 50 vulnerabilities and includes fixes for two zero-days already known to be exploited by malicious attackers.
CVE-2023-4863 Is The Same Vulnerability That Led To Zero-click iPhone Spyware Attacks
The first of the zero-day vulnerabilities may sound familiar to regular readers, as well it might. CVE-2023-4863 is none other than the same one impacting the libwebp open-source library that led to recent emergency updates for 1Password, Signal, Chrome, Edge and Firefox among others.
This critical buffer overflow vulnerability can lead to remote code execution and appears to be the same flaw that is addressed as CVE-2023-41064 by Apple and used in a zero-click iMessage exploit chain to install spyware onto previously fully patched iPhones.
Although there is currently no evidence that Android users are being targeted by the same iPhone spyware attack identified by Citizen Lab and Google’s Threat Analysis Group in September, the vulnerability remains flagged as exploited in the wild. As such, all Android users are urged to install the October security update as a matter of some urgency.
CVE-2023-4211 Known To Be Under Targeted Attack
The second zero-day vulnerability in the October security update, CVE-2023-4211, is described in the Google security advisory, alongside CVE-2023-4863, as potentially being “under limited, targeted attack.” Arm likewise points to evidence of the same targeted attack in a security advisory to its users.
There is little detailed technical information available about CVE-2023-4211 beyond the fact that it resides in the Arm Mali GPU driver and is a use-after-free issue that could allow for data manipulation.
As Ionut Arghire reports, however, such vulnerabilities have previously been known to be connected with exploit chains leading to, you guessed it, “the delivery of commercial spyware.”
The “exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform,” Google says, adding that “we encourage all users to update to the latest version of Android where possible.”