Google has released its December security bulletin, which addresses a total of 85 vulnerabilities, one of them a critical zero-click remote code execution (RCE) flaw. That vulnerability, tracked as CVE-2023-40088, was found in an Android component and requires no additional privileges to exploit. There is no confirmation that attackers have exploited it in the wild, but a successful attack could execute arbitrary code without any user interaction.
In addition to the critical zero-click vulnerability, Google fixed 84 other security vulnerabilities in December. Three of them (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866) are critical privilege escalation and information disclosure flaws in the Android Framework and System components. The fourth critical vulnerability, CVE-2022-40507, was fixed in closed-source components.
Google has released two sets of security patches in December, designated as security patch levels 2023-12-01 and 2023-12-05. The latter includes all the fixes from the first set plus additional fixes for closed-source third-party components and kernel components. Not every Android device needs every available fix, since the affected components vary by device.
Device vendors may prioritize deploying the first patch level to simplify the update process. Doing so does not by itself imply an increased risk of exploitation, provided the fixes that apply to the device's components are included.
It is worth mentioning that devices other than Google Pixel may receive the security updates with a delay. Manufacturers need time to test the fixes against their various hardware configurations to ensure there are no compatibility problems.