
The Cybersecurity Lair™ • December 7, 2023

Latest News | Android Security Bulletin: Critical Vulnerabilities and Patch Updates

Addressing Remote Device Takeovers and Elevation of Privilege Risks in Latest Android Releases

Android devices remain susceptible to security flaws that could grant an attacker unauthorised remote access to a device without any action from the device owner.


The latest updates addressing these vulnerabilities and more are detailed in Google’s Android security bulletin for December. This comprehensive update encompasses patches for 94 vulnerabilities, among which five have been classified as 'Critical.'


One of the most severe vulnerabilities is identified within the System component, posing a risk of remote code execution (RCE) without requiring additional execution privileges. Notably, user interaction is unnecessary for exploitation.


This vulnerability, tracked as CVE-2023-40088, affects a Bluetooth communication function, so 'remote' here means 'close range', given the typical 30-foot range of Bluetooth. A specially crafted input triggers a 'use after free' condition. Referencing memory after it has been released can lead to program crashes, use of unexpected values, or code execution.


Another critical concern is the Elevation of Privilege (EoP) vulnerability (CVE-2023-40077) within the Android Framework. Exploitation of this flaw could trigger a race condition, in which system behaviour depends on the sequence or timing of uncontrollable events. When those events occur out of the intended order, the result is a bug that could grant a successful attacker unauthorised permissions.


All these issues are addressed in security patch levels from 2023-12-05 onwards. To verify a device's security patch level, users can follow the guidelines on checking and updating their Android version. The updates are accessible for Android versions 11, 12, 12L, 13, and 14. However, it's important to note that although Android partners receive notifications of these issues at least a month prior to publication, patches might not be universally available across devices from all vendors.
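As an added example (not part of the original article or the bulletin), the following script classifies device patch levels against the 2023-12-05 baseline mentioned above. It assumes the level is read from the Android system property `ro.build.version.security_patch`; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Android security patch levels against the baseline
# named in the article. On a live device the value would come from:
#   adb -s "$serial" shell getprop ro.build.version.security_patch
MIN_PATCH_LEVEL="2023-12-05"

# classify_patch_level LEVEL [MIN] -> prints PATCHED, OUTDATED or UNKNOWN
classify_patch_level() {
    # adb output usually ends in CR/LF, so strip all whitespace first
    cl_level=$(printf '%s' "${1:-}" | tr -d '[:space:]')
    cl_min=${2:-$MIN_PATCH_LEVEL}
    case "$cl_level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;   # empty, offline or malformed value
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer
    if [ "$(printf '%s' "$cl_level" | tr -d '-')" -ge \
         "$(printf '%s' "$cl_min" | tr -d '-')" ]; then
        echo PATCHED
    else
        echo OUTDATED
    fi
}

# audit_inventory: reads "serial patch_level" lines on stdin, prints one
# verdict per device and returns 1 if any device is not PATCHED.
audit_inventory() {
    ai_rc=0
    while read -r ai_serial ai_level; do
        [ -n "$ai_serial" ] || continue
        ai_level=$(printf '%s' "$ai_level" | tr -d '[:space:]')
        ai_verdict=$(classify_patch_level "$ai_level")
        printf '%s %s %s\n' "$ai_serial" "${ai_level:-<none>}" "$ai_verdict"
        [ "$ai_verdict" = PATCHED ] || ai_rc=1
    done
    return "$ai_rc"
}

# Constructed sample inventory (serials and levels are made up for the demo).
SAMPLE_INVENTORY='emulator-5554 2023-12-05
TESTDEV0001 2023-11-01
TESTDEV0002 2023-12-01
TESTDEV0003 2024-01-05
TESTDEV0004'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory ||
    echo "At least one device is below $MIN_PATCH_LEVEL or could not be read"
```

A device that reports no value, for example because it was offline when queried, is listed as UNKNOWN rather than counted as patched.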


Sources and further reading.


Android Security Bulletin—December 2023. (2023, December 1). Android Open Source Project. https://source.android.com/docs/security/bulletin/2023-12-01

CVE - CVE-2023-40088. (n.d.). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40088

CVE - CVE-2023-40477. (n.d.). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40477

Arntz, P. (2022, November 23). Android bugs going unfixed thanks to a double patch gap. Malwarebytes. https://www.malwarebytes.com/blog/news/2022/11/android-users-are-facing-a-double-patch-gap/amp
