With the Android Security Bulletin for December, Google documents the vulnerabilities in the mobile operating system that its developers have eliminated in the published source code. There are also security patches from the Linux kernel as well as security-relevant bug fixes from the chip manufacturers. Among the latter are fixes for three 0-day vulnerabilities this month.
The closed security gaps are usually spread over two so-called patch levels. The first, 2023-12-01, contains the closed AOSP (Android Open Source Project) vulnerabilities. Patch level 2023-12-05 documents the fixed gaps in the Linux kernel (as far as they affect Android) and in the chipsets of various suppliers. The latter always only affects a portion of Android devices because their manufacturers use different hardware components.
Patch level 2023-12-01 with three critical gaps
For patch level 2023-12-01, the security bulletin in December shows 33 vulnerabilities in the core components of the operating system that have been fixed. Two vulnerabilities in the framework and one in the system are classified as critical. The system vulnerability CVE-2023-40088 allows code to be injected and executed without the user’s assistance. It affects Android versions 11 to 14. All other security vulnerabilities in this patch level are designated as high risk.
Patch level 2023-12-05 with three 0-day gaps
For the hardware-related patch level 2023-12-05, the December bulletin lists 61 gaps that have been filled. They are distributed across components from chip suppliers ARM (Mali GPUs), Imagination Technologies (PowerVR GPUs), Unisoc, MediaTek and Qualcomm. Most vulnerabilities are designated as high risk. In addition, there is a system gap that has been classified as critical (CVE-2023-45866). A further vulnerability classified as critical, CVE-2022-40507, affects components from chip supplier Qualcomm (Snapdragon CPUs and other components). According to Google, three additional vulnerabilities (CVE-2023-33063, CVE-2023-33106, CVE-2023-33107), which like the rest are designated as high risk, are already being exploited in attacks. Details are not yet known.
No Pixel Update Bulletin yet
The separate bulletin for Google’s Pixel devices is once again a long time coming this month. The Pixel 5a (5G) and newer models receive updates. The Pixel 5 last received updates in October, and the Pixel 4a 5G in November. The Pixel 5a (5G) will receive updates until August 2024. For newer models, Google provides security updates for five or even seven years.
The number of smartphone and tablet manufacturers that more or less regularly provide security updates for their devices has increased in recent years, but there is still a lot of room for improvement. All the more so since some manufacturers only offer monthly updates for their expensive top models. While Samsung delivers updates promptly, often even before Google, other manufacturers sometimes lag several weeks (or longer) behind.