"Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability"

Google recently announced security updates for the Android operating system to resolve over 50 vulnerabilities, including an Arm Mali GPU flaw exploited by spyware vendors.  Tracked as CVE-2022-22706, the exploited bug is a kernel driver issue that Arm fixed in January 2022 but which had been targeted in attacks before that.  Despite known exploitation, however, Google and other Android vendors took more than a year to incorporate the patches for CVE-2022-22706 in their software updates.  Last month, Google resolved another Android bug exploited by spyware vendors as a zero-day.  Tracked as CVE-2023-0266, the issue is described as a moderate-severity kernel flaw leading to privilege escalation.  The June 2023 Android update is split into two.  The first part, which arrives on devices as the 2023-06-01 security patch level, resolves 10 vulnerabilities in the Framework component and 13 bugs in the System component.  Google noted that three of these issues are critical-severity remote code execution (RCE) flaws.  They are tracked as CVE-2023-21127, CVE-2023-21108, and CVE-2023-21130.  The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth if HFP support is enabled, with no additional execution privileges needed.  Google stated that user interaction is not needed for exploitation.  The remaining 20 fixed vulnerabilities, rated "high severity," lead to escalation of privilege, information disclosure, or denial-of-service (DoS).  Arriving on devices as the 2023-06-05 security patch level, the second part of Android's June 2023 update resolves 33 flaws in Arm (3 vulnerabilities), Imagination Technologies (2), Unisoc (4), Widevine DRM (2), and Qualcomm components (22).

SecurityWeek reports: "Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability"