Google's October 2023 security updates for Android fix 54 distinct vulnerabilities, including two that are known to be actively exploited.
The two actively exploited flaws are CVE-2023-4863 and CVE-2023-4211, for which Google has "indications that they may be under limited, targeted exploitation."
CVE-2023-4863 is a heap buffer overflow in the widely used open-source image library libwebp. Because many applications bundle their own copy of the library, the same bug affects Chrome, Firefox, iOS, Microsoft Teams, and many other programs, each of which has to ship its own fix.
Because the flaw was initially reported as a Chrome issue and an iOS issue, it was first tracked under separate product-specific CVEs rather than one for the underlying library. A later attempt to give the libwebp bug its own identifier (CVE-2023-5129) did not stick: that CVE was rejected as a duplicate of CVE-2023-4863, which remains the identifier to track.
CVE-2023-4211, also under active exploitation, affects several versions of the Arm Mali GPU kernel driver, which ships in a wide variety of Android devices from many manufacturers.
In summary, the October 2023 Android update brings:
- 13 fixes in Android Framework
- 12 fixes in System components
- Two fixes in Google Play system updates
- Five fixes in Arm components
- Three fixes in MediaTek components
- One fix in Unisoc components
- 18 fixes in Qualcomm components (15 of them in closed-source components)
Five of the 54 patches, which cover Android 11 through 13, are rated critical; two of those address remote code execution issues.
As usual, the update is published as two patch levels: the first (2023-10-01) covers the core Android components (Framework and System), while the second (2023-10-06) adds the kernel and the closed-source vendor components.
This split lets device makers ship the fixes relevant to their own hardware without waiting on every vendor component, which speeds up releases.
Devices on the first patch level receive this month's core Android fixes together with both patch levels of the previous month, in this case September 2023.
Devices showing the second patch level on their update screen receive every fix listed in this month's bulletin. Android 10 and earlier are no longer supported and may still be affected by some of the newly patched vulnerabilities, depending on which versions each one reaches.
Users of those older releases should therefore upgrade to a supported device or flash a third-party Android distribution that still ships security updates for their model.
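The practical question for an administrator is which of the two exploited bugs a given device is still exposed to, and that follows from the two patch levels described above. The script below is an added example, not code from the article or from Google: it classifies the value of `ro.build.version.security_patch` against the 2023-10-01 and 2023-10-06 levels and reports which of the two CVEs each level covers. The CVE-to-level mapping follows the bulletin's grouping (libwebp is a System component, so its fix is in the first level; the Mali driver is under Arm components, so its fix is in the second), and the sample values in the demo loop are constructed rather than read from a device. The `--device` path assumes a connected, authorized device reachable with `adb`.

```shell
#!/bin/sh
# Added example (not from the bulletin or the article): classify a device's
# security patch level against the two October 2023 levels. Sample values in
# the demo loop are constructed; only the --device path reads a real phone.

CORE_LEVEL="2023-10-01"   # Framework + System: includes the libwebp fix (CVE-2023-4863)
FULL_LEVEL="2023-10-06"   # kernel + vendor/closed-source: includes the Mali fix (CVE-2023-4211)

# Turn YYYY-MM-DD into a plain integer so the shell can compare it numerically;
# ISO dates keep their ordering when the dashes are removed. Returns 1 and
# prints nothing if the string is not shaped like a patch level.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
    printf '%s%s%s' "$y" "$m" "$d"
}

# Print one of: full, core-only, behind, invalid.
# Levels between 2023-10-01 and 2023-10-05 only carry the first patch level,
# which is why they land in "core-only".
patch_level_status() {
    n=$(level_to_int "$1") || { echo invalid; return 1; }
    if [ "$n" -ge "$(level_to_int "$FULL_LEVEL")" ]; then
        echo full
    elif [ "$n" -ge "$(level_to_int "$CORE_LEVEL")" ]; then
        echo core-only
    else
        echo behind
    fi
}

# Human-readable summary of which of the two exploited CVEs a level covers.
describe_level() {
    case "$(patch_level_status "$1")" in
        full)      echo "$1: covers CVE-2023-4863 and CVE-2023-4211" ;;
        core-only) echo "$1: covers CVE-2023-4863 only; CVE-2023-4211 (Arm Mali) still open" ;;
        behind)    echo "$1: predates the October 2023 bulletin; both CVEs still open" ;;
        *)         echo "$1: not a valid patch level string" ;;
    esac
}

# Read the live value over adb (assumes a connected, authorized device).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# Demo over constructed sample values; pass --device to query a real phone.
if [ "${1:-}" = "--device" ]; then
    describe_level "$(device_patch_level)"
else
    for sample in 2023-09-05 2023-10-01 2023-10-05 2023-10-06 2023-11-01; do
        describe_level "$sample"
    done
fi
```

Two caveats when reading the output. The System-level fix for CVE-2023-4863 only covers the platform copy of libwebp; apps that bundle their own copy (the browsers and messaging clients named above) are fixed by their own app updates, not by the OS patch level. And a device on a supported Android version that never reaches 2023-10-06 is exactly the case the article's "second patch level" discussion is about: its vendor components, including the Mali driver, are still unpatched even though the core fixes are in.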