Android security update: correction of an exploited zero-day


In its latest security bulletin, Google announced that there is evidence that CVE-2023-35674, which has a high severity, “may be subject to limited and targeted exploitation.” This particular issue is a zero-day vulnerability, meaning that it was previously unknown to anyone capable of patching it, and until developers can mitigate the issue, attackers can exploit it.

Before you get overly concerned, a few things should be noted. First of all, a vulnerability marked “High” is not the most serious problem. The “Critical” level is worse than the high level (we’ll get to that in a bit).

Second, the privilege escalation this flaw allows is not uncharted territory for Android. I’ve been covering Android for over ten years and have seen similar vulnerabilities. The good news is that Google is very good at finding and fixing them. The bad news is that you’ll have to wait until Google releases the September security update for your Android device to be protected against this vulnerability.

3 vulnerabilities marked as critical

More good news: your Android device will notify you when the update is ready for your smartphone, and the only thing you will have to do is restart the device when prompted. Do this as soon as you see the notification pop up.

If you are not sure which security patch your smartphone has, go to Settings > System > System Update, where you’ll see both the version of Android on your device and the security update that was applied. On my Pixel 7 Pro, I’m still on the August security update, but I guess the September update should be available any day now.

As for the rest of the September security update, there are three vulnerabilities marked as critical, which are as follows (listed by CVE, baseline type, severity, and Android version):

Remote Code Execution (RCE) vulnerabilities are of particular concern because they allow hackers to execute malicious code without having direct access to your device.

Lagging behind for non-Pixel smartphones

For the month of September, Google released not one but two sets of patches, but only the second (2023-09-05) addresses all security issues mentioned in the security bulletin as well as fixes for third-party proprietary code (for example, a bug found in Qualcomm’s WLAN firmware).
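For anyone managing more than one device, checking the patch level by hand in Settings > System > System Update does not scale. The script below is an added example, not part of the article or of Google's tooling: it reads the level from the real Android system property ro.build.version.security_patch (the same YYYY-MM-DD value the Settings screen shows) via adb when a device is connected, and otherwise falls back to a constructed sample value, then compares it numerically with the 2023-09-05 level that the bulletin says carries the full September fixes.

```shell
#!/bin/sh
# Added example (not from the article): compare an Android device's security
# patch level with the 2023-09-05 level named in the September bulletin.
# ro.build.version.security_patch is the real system property behind the
# "security update" line under Settings > System > System Update (YYYY-MM-DD).

REQUIRED_PATCH="2023-09-05"   # second September 2023 patch level, from the bulletin

# to_int 2023-09-05 -> 20230905, so two levels can be compared as integers.
to_int() {
    printf '%s' "$1" | tr -d '-'
}

# patch_is_current DEVICE_LEVEL REQUIRED_LEVEL
#   returns 0 if the device is at or past the required level,
#   1 if it is behind, 2 if the string is not in YYYY-MM-DD form.
patch_is_current() {
    device="$1"
    required="$2"
    case "$device" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unrecognised patch level: $device" >&2; return 2 ;;
    esac
    [ "$(to_int "$device")" -ge "$(to_int "$required")" ]
}

# read_device_patch_level: query the connected device with the real
# "adb shell getprop" command. Prints nothing if adb is not installed.
read_device_patch_level() {
    command -v adb >/dev/null 2>&1 || return 1
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# report LEVEL: print a human-readable verdict for one patch level.
report() {
    patch_is_current "$1" "$REQUIRED_PATCH"
    case $? in
        0) echo "$1: at or past $REQUIRED_PATCH, September fixes present" ;;
        1) echo "$1: behind $REQUIRED_PATCH, install the update when it is offered" ;;
        *) echo "$1: could not parse the patch level" ;;
    esac
}

# Use a real device if one is reachable; otherwise use a constructed sample
# standing in for a phone still on the August update, as in the article.
LEVEL="$(read_device_patch_level 2>/dev/null)"
[ -n "$LEVEL" ] || LEVEL="2023-08-05"   # constructed sample, not a real reading
report "$LEVEL"
```

Note that a device reporting 2023-09-01 is counted as behind: per the bulletin, only the 2023-09-05 level includes the third-party component fixes, so the numeric comparison deliberately treats the first September level as incomplete.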

It’s worth keeping in mind that if you have a non-Pixel Android smartphone, the September security patch will arrive on your device a little later. Indeed, Google sends the patches to the OEMs, who must then test them and adapt them to their hardware. Therefore, if you have a Samsung, Huawei, OnePlus, Nothing or other Android smartphone, you will have to wait a little longer before the patch arrives.

Either way, as soon as you see this update appear on your Android device (regardless of manufacturer), apply it immediately.


Source: “ZDNet.com”