Android March 2023 update fixes two critical code execution flaws


Google has released March 2023 security updates for Android, fixing a total of 60 flaws, and among them, two critical-severity remote code execution (RCE) vulnerabilities impacting Android Systems running versions 11, 12, and 13.

The flaws fixed this time are delivered via two separate security patch levels, namely 2023-03-01 and 2023-03-05. The first pack contains 31 fixes for core Android components like Framework, System, and Google Play.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” reads the security bulletin.

“User interaction is not needed for exploitation.”

The two flaws are tracked as CVE-2023-20951 and CVE-2023-20954, while Google has withheld all information about them to prevent helping attackers from engaging in active exploitation before users can apply the available updates.

The remaining 29 fixes on the first patch level concern high-severity escalation of privilege, information disclosure, and denial of service problems.

Patch level 2023-03-05 contains 29 fixes for the Android Kernel and third-party vendor components from MediaTek, Unisoc, and Qualcomm.

The most severe issues fixed this month are two critical-severity flaws on closed-source Qualcomm components, tracked as CVE-2022-33213 and CVE-2022-33256.

The rest of the flaws for this patch level are all high-severity vulnerabilities of undefined type.

To update your Android device, head to Settings → System → System Update and click on the “Check for updates” button. Alternatively, you can navigate to Settings → Security&Privacy → Updates → Security update.

If you’re running Android 10 or older, your device has reached the end of life (EoL) since September 2022 (for v10), and it will not receive fixes for the above flaws.

However, some important security fixes may reach them via Google Play system updates, accessible through Settings → Security & privacy → Updates → Google Play system update.

Users of older devices that are still functional are recommended to switch to an active third-party Android distribution, like LineageOS or GrapheneOS, that offers up-to-date OS images for devices no longer supported by their OEMs.



Source link