Google fixes critical Android flaw that could be exploited to hack your phone remotely

DragonSlayer101

Posts: 367   +2
Staff
In context: Android is often accused of being prone to various security vulnerabilities that could affect user privacy. While Google has taken numerous steps to make the OS safer, problems keep cropping up every now and then. This week, Google said it discovered a critical security vulnerability that could allow zero-click remote code execution (RCE).

Tracked as CVE-2023-40088, the flaw was found in Android's System component and is rated by Google as 'Critical' severity. According to the National Vulnerability Database, the problem arises during a callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp, when memory could be corrupted due to a use-after-free. This could lead to remote code execution with no additional privileges and without any user interaction.

There's no word on whether the bug has already been exploited in the wild, but Google says it has issued a patch to fix the problem as part of the December 2023 security bulletin. According to the release notes, the fix is compatible only with newer Android versions, ranging from Android 11 to Android 14.

It is worth noting here that Google issuing a patch is only the first step towards securing end users, as each vendor or carrier still has to roll out its own update to fix the bug. Therefore, unless you're using a Pixel, you may have to wait several weeks for the update, and some devices may never receive it.

In addition to the aforementioned bug, Google fixed 84 more security vulnerabilities as part of the December update. Three of these are rated as 'Critical,' while the rest are listed as 'High' severity. Several other vulnerabilities affect Qualcomm closed-source components and are described in detail in the latest Qualcomm security bulletin. One of these vulnerabilities is listed as 'Critical,' while the rest as rated as 'High.'

With security becoming an increasingly thorny issue for Android users, Google says it is working on new ways to boost the security of its mobile OS. First off, the company is introducing compiler-based sanitizers to catch memory safety issues early on in the software development process. Next, it is working with hardware partners to add memory safety features at the firmware level. Finally, the company is implementing various measures to make it harder for hackers to exploit unknown bugs.

Permalink to story.

 
While I'm not one to generally condone being "sue happy", as a Note 11+ user I may seriously consider what it would entail to bring a class action suit against both Samsung and Verizon if this update isn't pushed out for those still using phones on Android 11.

No reason that users with still perfectly functional phones should be left to hang with an exploit like that sitting open.
 
While I'm not one to generally condone being "sue happy", as a Note 11+ user I may seriously consider what it would entail to bring a class action suit against both Samsung and Verizon if this update isn't pushed out for those still using phones on Android 11.

No reason that users with still perfectly functional phones should be left to hang with an exploit like that sitting open.
That could also apply to those on 10 and possibly 9.
 
That could also apply to those on 10 and possibly 9.

True, likely no reason those devices can't be updated to at least a newer version either, albeit with some functionality limited I'd imagine.

Oh right, planned obsolescence to sell carrier bundles/plans and slightly improved hardware at the same or higher price.
It's only slightly more dodgy than the pc market, but that's only because your GPU can't be tethered to a cellphone plan (yet).
 
When banking apps minimum requirements are Android 7, it makes the argument that users need security updates years after purchase less of a priority.
 
No reason that users with still perfectly functional phones should be left to hang with an exploit like that sitting open.
And that's why I went to the iPhone and never looked back. Hey, people complain about Apple and I'll admit, I do as well, but at least you can say that they have long-term device support down to a science. They're still even supporting old phones with iOS 16 and iOS 15.
 
And that's why I went to the iPhone and never looked back. Hey, people complain about Apple and I'll admit, I do as well, but at least you can say that they have long-term device support down to a science. They're still even supporting old phones with iOS 16 and iOS 15.

I'm not willing to go iPhone myself, I do however credit Apple for continuing to support hardware with os updates for a significantly longer time than a majority of android vendors.
 
Back