Google fixes 52 security issues in the May 2023 security updates for Android
Google has just released the May 2023 security bulletin for its Android operating system. It addresses 52 different security issues in Android and its components. The company publishes the security bulletin on the first Monday of each month. Manufacturers of Android devices may then integrate these security updates into their products.
Google's own Pixel devices are usually the first, or among the first, to receive these security updates. Third-party manufacturers, such as Samsung, Motorola or Xiaomi, will release updates for their devices as well in the coming days and weeks.
Google explains that a high-severity security vulnerability in the Framework component is the most severe issue in May 2023. It could lead to local escalation of privilege with "no additional execution privileges needed".
Patches are divided into two groups. The first lists security issues in Android and Google Play, the second vulnerabilities in Android Kernel and hardware-specific components, e.g., components from ARM or Qualcomm.
Here is the overview:
- Framework Vulnerabilities: 10 vulnerabilities. Maximum severity level is high. The most severe vulnerability could lead to local escalation of privilege and does not require user interaction for exploitation.
- System Vulnerabilities: 6 vulnerabilities. Maximum severity level is high. The most severe vulnerability could lead to local escalation of privilege without requiring user interaction.
- Google Play system update: 2 vulnerabilities in the Permission Controller.
- Kernel vulnerabilities: 2 vulnerabilities. Maximum severity is high. Most severe vulnerability could lead to local escalation of privilege and does not require user interaction.
- Kernel components: 1 vulnerability. Maximum severity is moderate. Same danger as Kernel vulnerabilities.
- Kernel LTS vulnerabilities: 5 vulnerabilities.
- ARM components: 5 vulnerabilities. The maximum severity of the vulnerabilities is high.
- Imagination Technologies: 1 vulnerability. The maximum severity of the vulnerability is high.
- MediaTek components vulnerabilities: 7 vulnerabilities. The maximum severity of the vulnerability is high.
- Unisoc components vulnerabilities: 5 vulnerabilities. The maximum severity of the vulnerability is high.
- Qualcomm components vulnerabilities: 2 vulnerabilities. The maximum severity of the vulnerability is high.
- Qualcomm closed-source components vulnerabilities: 6 vulnerabilities. The maximum severity of the vulnerability is high.
Google Pixel device owners may want to run a manual check for updates in the Settings. The update should be found during a manual check for updates and installed on these devices. It may take a couple of days or even longer before devices by other manufacturers receive the update as well.
Now You: when do you install the Android security updates?
People don’t care, because they don’t know how much gets patched/fixed each month. Android is a very leaking boat to put it mildly, yet there are ridiculous amounts of phones/tablets in use with very old patches. You really should prioritize the patching policy and length of support when getting a new phone. By researching a bit your options diminish, sure, but the ones left standing are good options. You can skip garbage like Sony, Motorola and Nokia right away, to name just a few. Nokia went south a few years ago and Lenovo turned Motorola to a joke, they have had a habit of straight out lying about the support their phones will receive for many years now. In the past Motorola were great phones for custom ROMs but not anymore, and Nokia are even worse by not letting one unlock their bootloaders even after their short support has ended. Like I said, garbage. Save your money, and nerves, and buy a real phone instead.
I tested yesterday the Brave browser for long hours, browsing for my favorite websites and I was quite surprised about its high quality and features, better than Edge and so far away better than Chrome. I can’t understand why Brave has so low market numbers. Here at my classroom I am the only one that has Edge and Firefox as main browsers, mostly all of my classmates use only Chrome, and I meant only Chrome for nearly everything. Few friends also use Safari because they have MacOS. In the mobile phones all of us are using Chrome, furthermore I still haven’t found one person that uses other than Chrome in Android. What does this mean? Easy, Chrome is Chrome, for bad or good it’s everywhere you look at, really, everywhere. When I share my laptop everyone asks me where is the Chrome link at desktop, LOL.
Convenience, it’s that simple.
Because there is no point to use another browser. Almost all browsers are the same. They get you to browse the WWW and they all do a darn good job… most people use the most popular browser and that’s it… there is no need for another browser. I have tried all of them and always come back to Chrome… because of simplicity fast and does the job I need to do without pain.
@Nameless, and Chrome numbers could be higher considering that Edge is inside the OS like a limpet, like IE11 was inside all Windows. The forced use of one inner’s OS browser should be avoided at all cost, however the USA and the EU are so soft with Microsoft…
I think it’s because Brave’s default homepage looks like a 2000’s myspace page. Lots of scammy looking crypto being promoted. Compare that to Chrome’s cleaner and less cluttered default home page and that scares the “normies” away.
Bit of a rant but usefully on-subject. Consumer product security including Windows could be much better with some changes to design philosophy:
Locked source: in the days of 3.11 when local user ini file mods were an IT nightmare on one of the biggest networks in its day, I locked a refined Windows copy onto a CD which was quite a good emergency solution for remote offices with work-station BSOD. Manufacturers should make their products as good as they can and then lock them from any kind of hack alteration.
Sub periscope style internet usage: Cyrix has a lot to answer for, plus that 6 mainframes quote from IBM! Consumers should either have dumb terminals with always-on broadcasting and remote processing or they should use today’s enormous processing power with local number-crunching and quick data-bursts that today’s rapidly increasing quantity of online trouble-makers would find much harder to exploit not both usage types on all products, it’s just silly. Today as one simple example you should manually enter airplane mode after you have your daily hit of news reading material on your screen, reducing your risk exposure by about 95%, try and argue that lower risk profile.
Sales: Everyone wants to buy a finished product ready to use and yet, what we have today is just marketing (Windows 10 was supposed to be the last time the world spends 30 billion man hours making changes for not much benefit) plus, it was a half-baked product when it first got distributed and may only get polished into an end product if enough customers buy into it, it’s so wrong and it needs governments who are always being screwed on IT to say enough is enough!
Android actually needs shared high-street shops for the long-term major brands, the next design iteration should have removable roms so if you want an upgrade you go to an OS shop that serves all the supported brands and you either get a swap-out handset to fix a physical issue perhaps for a price, or get your new OS on a chip swap-out or you trade-in for a newer handset in a manner that bypasses s/h resale which is full of hassle and dangers and probably part of the security problem if you are unlucky.
The tech industry could do with some oversight to give it basic collective direction and I share this because globally, productivity is falling despite the drivers being in place to improve it, with security issues being a valid concern especially in this article when the bugs are all serious hi-jack level.
Why didn’t Daniel McKay find and fix all of these earlier since he thinks he knows better than 200 Google security devs with a combined IQ of 5.34 trillion?