Google fixes critical Android security issues in the March 2023 update
Google published the monthly Android Security Bulletin today. The March 2023 security bulletin provides information on the patched security issues that affect Android devices.
Android devices have security patch levels. The information is found in the Settings, usually under About phone or System Update. Most Android devices display the security patch level as a date, e.g., 1 February 2023. This indicates that the device has all security patches that were released on February 1, 2023 or earlier. Google publishes monthly updates, which manufacturers use to create updates for their devices.
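The patch-level rule above can be turned into a check. The following is an added example, not code from Google's bulletin or from this article: it classifies reported patch levels against a required date. The required date `2023-03-01` (assumed here as the first patch level of the March 2023 bulletin), the function names and the sample inventory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against a required date.
# REQUIRED is an assumption for this sketch; override it in the environment.
REQUIRED="${REQUIRED:-2023-03-01}"

# to_num YYYY-MM-DD -> YYYYMMDD; fails on any other format.
to_num() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            rest=${1#*-}
            printf '%s%s%s\n' "${1%%-*}" "${rest%-*}" "${rest#*-}" ;;
        *) return 1 ;;
    esac
}

# patch_status LEVEL [REQUIRED] -> prints PATCHED, OUTDATED or UNKNOWN.
# A level equal to or later than the required date means all fixes released
# up to that date are present; an unparsable value is never treated as patched.
patch_status() {
    have=$(to_num "$1") || { echo UNKNOWN; return 0; }
    want=$(to_num "${2:-$REQUIRED}") || { echo UNKNOWN; return 0; }
    if [ "$have" -ge "$want" ]; then echo PATCHED; else echo OUTDATED; fi
}

# device_patch_level SERIAL -> patch level of a device attached over adb.
# Older adb versions append a carriage return, so it is stripped.
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# audit_inventory: reads "serial level" lines on stdin, prints one verdict each.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s %s\n' "$serial" "${level:-none}" "$(patch_status "$level")"
    done
}

# Constructed sample inventory (serials and levels are made up).
SAMPLE_INVENTORY='pixel-test-01 2023-03-01
a52-test-02 2023-02-01
tablet-test-03 2022-11-01
kiosk-test-04 '

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

For a live device, `patch_status "$(device_patch_level SERIAL)"` gives the same verdict for one handset.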
The March 2023 security updates include two critically rated security issues that affect the System component. One of them could "lead to remote code execution with no additional privileges needed" according to Google. In other words: the exploit works without requiring specific user activity on the device.
The two critical vulnerabilities are CVE-2023-20951 and CVE-2023-20954. Additional information about the two vulnerabilities is not yet available. The CVE record database lists both CVEs as reserved, but provides no information on them at this point in time.
Google lists the following vulnerabilities in the Android security bulletin for March 2023. Note that some of the vulnerabilities affect only devices that have these components:
- Framework: 8 different security issues, all with the severity high.
- System: 18 different vulnerabilities, 2 rated critical, the remaining 16 rated high.
- Google Play system updates: 5 vulnerabilities.
- Kernel: one vulnerability listed with a high severity rating.
- MediaTek components: three listed vulnerabilities, all rated high.
- Unisoc components: four vulnerabilities, all rated high.
- Qualcomm components: three vulnerabilities, all rated high.
- Qualcomm closed source components: 18 different vulnerabilities, 2 rated critical, 16 rated high. The two critical issues are also remote code execution vulnerabilities.
Android device owners need to wait until the device manufacturer releases a security patch for the device. It may take just a few days for that to happen, or longer. This depends on a number of factors, and varies from manufacturer to manufacturer. Older devices may receive updates after newer devices have received them, depending on the manufacturer's policy in this regard. Google Pixel devices are usually among the first Android devices to receive security updates.
Android users may open the updates option in the Settings of their device to run a manual check for updates. Updates are usually not installed automatically on Android, which means that users either have to run a manual check to get the update installed on their device, or wait for the official update notification to appear and install the security update then.
I wonder when these fixes will arrive at Samsung. Some months ago I wrote to Samsung about a certain security bug, imo, that allows an external user to turn off the sound of the phone with no need at all to enter the password to access the configuration. I am still waiting for an answer, and after some time I found a way to prevent disabling the sound by other people (e.g. thieves, children and so forth). I also wrote to them to ask why a medium-high phone like the A52 5G received updates only every two months while some mobiles of the S-series (with the same price) received monthly updates. I trust Samsung phones however its management with Android security updates and also the misleading sensation of improvement of the One UI, that is getting worse and worse every single upgrade. Thanks for the article by the way.