By successfully exploiting several vulnerabilities, attackers could gain higher user rights on Android devices. However, malicious code attacks at the kernel level are also conceivable.
The developers state in a warning messagethat the Patch level 2023-01-01 and 2023-01-05 are current. You can check the patch level in the Android settings. In addition to Google, LG and Samsung also provide certain devices with monthly security updates (see box). Unfortunately, countless smartphones and tablets based on Android still do not receive regular patches or even none at all.
In addition to Google, other manufacturers regularly release security patches – but mostly only for a few product series. Devices from other manufacturers receive the updates much later or, in the worst case, not at all.
Many closed vulnerabilities
Google classifies a framework vulnerability as the most dangerous. If attackers successfully start there, they could end up with higher user rights. Attacks should be possible without additional execution permissions. Further details are not yet known. Here the threat level applies “high“.
Most vulnerabilities affect the framework of Android 10, 11, 12, 12L and 13. System-level attacks via Bluetooth Low Energy (BLE) are also conceivable. “critical” Vulnerabilities affect the kernel. This is where attackers could, for example, attack WLAN components and run malicious code on devices.
Various components from MediaTek and Imagination Technologies, among others, are also vulnerable.
Pixel series devices are getting several this month additional security updates served. Attackers could use a vulnerability (CVE-2023-20924) in the Pixel 6a’s fingerprint sensor to gain higher rights. There are also security patches for various Qualcomm components.
(of)
