Google fixes Android bug that hackers can abuse without privileges

In its recent security update for Android, Google patched a critical vulnerability that enables so-called zero-click remote code execution (RCE). In addition, 84 other vulnerabilities were addressed.

According to the tech giant, critical vulnerability CVE-2023-40088 was the most important vulnerability to fix for its December 2023 Android security update. This so-called zero-day RCE bug allows for “remote (proximal/adjacent)” execution of code in Android’s System component without requiring execution privileges or user actions.

Ultimately, exploitation would impact an affected device. The tech giant sees this as a risk, especially when platform and service protections are turned off for development purposes or can be bypassed.

Another 84 vulnerabilities

In addition to this critical vulnerability, Google fixed another 84 vulnerabilities and issues in this month’s Android security update. Four of these, CVE-2023-40077, CVE-2023-40076, CVE-2023-45866 and CVE-2022-40507, are also listed as critical.

These critical vulnerabilities include severe privilege escalation and information disclosure bugs in the Android Framework and System components. The last of them, CVE-2022-40507, concerns Qualcomm’s closed-source components.

Two types of patches

Google has released two sets of patches for the December 2023 update: 2023-12-01 and 2023-12-02. The latter set includes all fixes from the first set and adds patches for third-party closed-source and kernel components for Android. Not all Android devices require these latest updates.