Android Patchday: Code-smuggling loophole in system component patched

On its October Patchday, Google closes several security vulnerabilities in Android. The most serious one allows attackers to inject code from the network.

Stylized image: Smartphone with Android robot on the screen, on fire

Security vulnerabilities threaten Android smartphones.

(Image: created with AI in Bing Designer by heise online / dmk)


Google has patched several security vulnerabilities in Android for the October Patchday. According to the developers, a vulnerability in the system component is the most serious. It allows attackers from the network to inject malicious code without requesting or requiring further rights.

In Google's security bulletin for the Android Patchday, the developers list three vulnerabilities in the framework for patch level 2024-10-01. All of them are classified as high risk and affect Android 12, 12L, 13 and 14, and two of them even affect the new Android 15, whose source code has been available for around a month. A further four vulnerabilities are in Android's system component; three affect versions 12, 12L, 13 and 14, one of which also affects Android 15. The fourth vulnerability is found only in Android 14.

There are also security vulnerabilities in the ART runtime environment of Android and in the Wi-Fi components, which will be closed with Google Play system updates. The security patch level 2024-10-05 also fixes other vulnerabilities in the software of processor manufacturers, including Imagination Technologies, MediaTek and Qualcomm.


According to Google, smartphone manufacturers received the source code patches four weeks ago, so they have already had time to develop updated firmware for their devices. Android smartphones that are still supported should therefore receive firmware updates shortly. The firmware updates for Google's Pixel smartphones are still pending at the time of reporting; the current patch status there is September 2024. The same currently applies to Samsung's S24 flagship generation.

For the September Patchday, Google closed eleven security vulnerabilities at standard patch level 2024-09-01. One of these had already been actively attacked.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.