TechCritical flaw in Android: Google has patched it, but this is only half of the story

Critical flaw in Android: Google has patched it, but this is only half of the story

Smartphone with Android
Smartphone with Android
Images source: © Dobreprogramy

11:39 PM EST, December 5, 2023

An acute flaw has been identified in Android, which Google has fixed with the December security bulletin. This issue affects versions 11, 12, 12L, 13, and 14 of Android, which make up a significant portion of the popular releases worldwide. However, Google's intervention does not immediately guarantee user safety.

Further details can be found in the Android security bulletin released on December 4th. Android Central highlights the most serious complication, marked with the symbol CVE-2023-40088. It allows the potential of executing a use-after-free attack following one of the stages of Android's operation when handling wireless connectivity. This could lead to the execution of arbitrary code on the phone.

Although theoretically, the flaw can be exploited remotely, in reality, the threat is somewhat limited. A connection within the same Wi-Fi network is necessary, or a proximity to the victim - to leverage a Bluetooth or NFC connection (similar to a recently identified issue with Bluetooth connectivity). Google has rated the CVE-2023-40088 flaw as critical. According to Google, it has been fixed in Android 11, 12, 12L, 13, and 14 - versions of Android that, according to data from statcounter, operate over 72 percent of the devices on the market.

Unfortunately, Google's resolution of the issue in the Android patch bulletin does not instantly provide safety to all devices on the market. Updates are still necessary from smartphone manufacturers, who distribute them using their over-the-air (OTA) update systems.

The speed of patching such flaws on end-user devices is not what Android is famous for. Consequently, users should be prepared for several weeks before the fixes reach all devices that are eligible for updates. Regrettably, some devices may never receive the required security update due to their support period ending.