"Android Zero-Day Patched With September 2023 Security Updates"

Google recently announced that Android's September 2023 security updates contain patches for 32 vulnerabilities, including one that has been exploited in attacks.  Tracked as CVE-2023-35674, the zero-day flaw is described as a high-severity elevation of privilege in Android's Framework component.  According to Google, no additional execution privileges or user interaction are required to exploit the bug.  Google noted that there are indications that CVE-2023-35674 may be under limited, targeted exploitation.  Five other high-severity vulnerabilities were addressed in Framework, three leading to elevation of privilege and two to information disclosure.  All six issues were resolved as part of Android's "2023-09-01 security patch level," which also addresses 14 vulnerabilities in the System component.  Of these, three are critical-severity bugs that could lead to remote code execution, while the rest are high-severity flaws, six leading to elevation of privilege, four to information disclosure, and one to denial-of-service (DoS).  Google noted that the most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed.  User interaction is not needed for exploitation.  Google also announced that two other issues were resolved in Project Mainline components with updates delivered via Google Play.  The second part of this month's security update for Android arrives on devices as the "2023-09-05 security patch level" with fixes for 12 other vulnerabilities in Qualcomm components.  Google noted that the "2023-09-05 security patch level" addresses all bugs in this month's security updates and the issues resolved with previous patch levels.

SecurityWeek reports: "Android Zero-Day Patched With September 2023 Security Updates"