Act Now! Android October 2023 Update patches 2 actively exploited issues
Google has published the October 2023 security updates for Android. The update addresses a total of 54 different security issues. Two of the issues are exploited in the wild, according to Google's Android Security Bulletin.
The release of the update for Android is the first step in getting it to customer devices. Manufacturers, such as Google, Samsung or Motorola, need to create updates for their devices, which they then push via automatic updating services.
Google Pixel devices are usually among the first to receive new security updates. All users may want to check for Software Updates in the settings. How that is done depends on the manufacturer.
Android users may select Settings > About Phone to display the current Android version, the latest installed Android security update and the build number.
On most devices, users find options to update under Settings > System > System update. On Samsung devices, System Update is found in the root Settings menu. If the security update has been released by the manufacturer, it should be picked up and installed.
Note that it may take days, sometimes even longer, before updates are made available by manufacturers.
The Android October 2023 Security update
Google's update overview lists all security patches of the October update. These are sorted by component.
The two main security issues addressed in the update are CVE-2023-4863 and CVE-2023-4211. Both are exploited in the wild. Google notes that it is aware of "limited, targeted exploitation".
CVE-2023-4863 is a critical buffer overflow security issue in libwebp. The issue affects every application that uses libwebp, including browsers such as Google Chrome or Firefox, Microsoft Teams and image editors.
CVE-2023-4211 has a severity rating of high. It affects Android devices with ARM chips.
Here is the overview by component:
- Android Framework: 12 unique vulnerabilities, all rated high.
- Android System: 12 unique vulnerabilities, one rated critical, the rest high.
- Google Play System Updates: 2 unique vulnerabilities, no rating.
- Arm components: 5 unique vulnerabilities, all rated high. Includes the actively exploited CVE-2023-4211 vulnerability.
- MediaTek components: 3 unique vulnerabilities, all rated high.
- Unisoc components: 1 unique vulnerability, rated high.
- Qualcomm components: 3 unique vulnerabilities, all rated high.
- Qualcomm closed-source components: 14 unique vulnerabilities, three rated critical, the remaining 11 rated high.
- System: one unique vulnerability, rated critical and exploited actively.
Two of the security issues patched in the Android October 2023 security update are exploited in the wild already. While Google speaks of limited attacks, users may want to update their Android devices as soon as possible to protect the device against attacks.
Now You: when do you update your Android devices?