Android's September security update fixes actively exploited zero-day and more
Google releases monthly security updates for Android. Every so often those updates include patches for issues that have been assigned the highest severity rating.
In its most recent security bulletin, Google announced that there is evidence that CVE-2023-35674, rated High severity, "may be under limited, targeted exploitation."
Also: Google just gave Android's most frustrating widget an AI facelift, and it's a relief
This particular issue is a zero-day vulnerability, which means it was previously unknown to anyone capable of fixing it and, until developers can mitigate the issue, threat actors can exploit it.
This zero-day vulnerability makes it possible for bad actors to escalate privileges without requiring user interaction.
Before you get too concerned, there are a couple of things to note. First, a vulnerability marked High is not the most severe issue. Critical is worse than High (more on that in a bit).
The second thing is that privilege escalation is not unfamiliar territory for Android. I've been covering Android for well over a decade and I've seen similar vulnerabilities come and go like clockwork. The good news is that Google is very good at finding and patching them.
The bad news is that you'll have to wait until Google releases the September security update until your Android device is patched against the vulnerability.
Also: Why I no longer use third-party Android launchers
Another bit of good news is that your Android device will let you know when the update is ready for your phone and the only thing you'll have to do is restart the device when prompted. You should immediately do so as soon as you see the notification popup.
If you are unsure as to what security patch your phone has, go to Settings > System > System Update, where you'll see both the version of Android on your device and the security update that has been applied. On my Pixel 7 Pro, I'm still on the August security update but I assume the September update should be available any day.
As far as the rest of the September security update, there are three vulnerabilities marked Critical, which are as follows (listed by CVE, Reference Type, Severity, and Android version):
- CVE-2023-35658 A-274617156 RCE Critical 11, 12, 12L, 13
- CVE-2023-35673 A-273966636 RCE Critical 11, 12, 12L, 13
- CVE-2023-35681 A-271335899 RCE Critical 13
RCE (Remote Code Execution) vulnerabilities are of particular concern because they make it possible for threat actors to execute malicious code without having direct access to your device.
For September, Google has issued not one but two sets of patches but only the second patch (2023-09-05) addresses all of the security issues found in the security bulletin as well as patches for third-party, proprietary code (such as a bug found in the Qualcomm WLAN firmware).
Also: Google's next Pixel hardware event will be on October 4, and it's go big or go home
One thing to keep in mind is that if you have a non-Pixel phone, the September security patch will arrive on your device a bit later. That's because Google sends the patches to the OEMs and they then have to test and tune the patches for their hardware. So, if you have a Samsung, Huawei, OnePlus, Nothing, or another Android phone that's not from Google, you'll have to wait a bit longer for the patch to arrive.
Either way, as soon as you see that update appear on your Android device (whoever the manufacturer may be), apply it immediately.