Android Zero-Days Demand Immediate Patching

Summary: Google has released its November 2024 security update for Android, addressing 40 vulnerabilities, including two that are actively exploited. Notably, CVE-2024-43047 is a high-severity zero-day vulnerability affecting Qualcomm chipsets, while CVE-2024-43093 poses a risk to multiple Android versions.

Threat Actor: Unknown
Victim: Android Users

Key Points:

  • Google’s November 2024 update addresses 40 vulnerabilities, including two actively exploited zero-day flaws.
  • CVE-2024-43047 is a high-severity vulnerability in Qualcomm DSP that could lead to memory corruption and privilege escalation.
  • CVE-2024-43093 affects Android’s framework component, impacting versions 12 through 15.
  • The update is delivered in two patch levels, with a strong recommendation for users to install it promptly.

In its November 2024 security update, Google has addressed 40 security vulnerabilities in the Android operating system, two of which are flagged as actively exploited: CVE-2024-43047 and CVE-2024-43093. Google’s bulletin provides limited details regarding the nature and extent of the exploitation, stating only that “there are indications that the following may be under limited, targeted exploitation.”

Of particular concern is CVE-2024-43047, a high-severity vulnerability (CVSS 7.8) residing in the Qualcomm Digital Signal Processor (DSP) service. This zero-day flaw, discovered by researchers from Google Project Zero, Amnesty International’s Security Lab, and independent security researcher Conghui Wang, impacts numerous Qualcomm chipsets. Exploitation of this use-after-free vulnerability could lead to memory corruption, potentially enabling attackers to escalate privileges and compromise affected devices. While Qualcomm issued a patch for this vulnerability in October, its inclusion in the November Android security update ensures broader distribution and remediation.

The active exploitation of CVE-2024-43093, an escalation-of-privilege vulnerability in Android’s framework component, further underlines the importance of this update. The flaw affects Android versions 12, 13, 14, and 15, potentially exposing a significant portion of the Android ecosystem to attack.

In typical fashion, Google is delivering the update in two patch levels:

  • November 1 Patch Level (2024-11-01): Targets core Android components, including the framework and system.
  • November 5 Patch Level (2024-11-05): Addresses vulnerabilities specific to certain hardware components, including those by Qualcomm, MediaTek, Imagination Technologies, and others.

Android users are strongly urged to install the November security update as soon as it becomes available for their devices. Given the active exploitation of these vulnerabilities, prompt patching is crucial to mitigate the risk of compromise.
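For fleet owners, the two patch levels matter because a device at 2024-11-01 has the framework fix for CVE-2024-43093 but not the Qualcomm fix for CVE-2024-43047, which ships at 2024-11-05. The following is an added example (not from the article or from Google) that parses `adb shell getprop` output and reports which of the two exploited CVEs a device still lacks a fix for; it assumes the standard `ro.build.version.security_patch`, `ro.build.version.release` and `ro.soc.manufacturer` properties, the last of which may be absent on some builds.

```python
import re
from datetime import date

# Patch levels from the November 2024 Android bulletin as described in the article.
FRAMEWORK_LEVEL = date(2024, 11, 1)  # 2024-11-01: framework/system, covers CVE-2024-43093
VENDOR_LEVEL = date(2024, 11, 5)     # 2024-11-05: SoC/vendor fixes, covers CVE-2024-43047 (Qualcomm DSP)

# `adb shell getprop` prints one "[key]: [value]" pair per line.
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Turn raw getprop output into a key -> value dict (unparseable lines are skipped)."""
    props = {}
    for line in output.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def assess(props: dict) -> dict:
    """Decide whether a device still lacks the fix for each exploited CVE.

    CVE-2024-43093 applies to Android 12-15 and ships at the 2024-11-01 level;
    CVE-2024-43047 applies to Qualcomm SoCs and ships at the 2024-11-05 level.
    ro.soc.manufacturer is only a hint (it is missing on some builds), so a
    "not exposed" verdict for 43047 is unconfirmed when soc_known is False.
    """
    y, m, d = (int(x) for x in props["ro.build.version.security_patch"].split("-"))
    level = date(y, m, d)
    major = props.get("ro.build.version.release", "").split(".")[0]
    in_range = major.isdigit() and 12 <= int(major) <= 15
    soc = props.get("ro.soc.manufacturer", "")
    return {
        "patch_level": level.isoformat(),
        "soc_known": bool(soc),
        "cve_2024_43093_exposed": in_range and level < FRAMEWORK_LEVEL,
        "cve_2024_43047_exposed": "qualcomm" in soc.lower() and level < VENDOR_LEVEL,
    }


# Constructed sample dumps (not from real devices): one at the 2024-11-01 level, one a month behind.
DEVICE_A = """[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-11-01]
[ro.soc.manufacturer]: [Qualcomm]"""
DEVICE_B = """[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2024-10-05]
[ro.soc.manufacturer]: [Qualcomm]"""

if __name__ == "__main__":
    for name, dump in (("A", DEVICE_A), ("B", DEVICE_B)):
        print(name, assess(parse_getprop(dump)))
```

Device A comes out exposed only to CVE-2024-43047 (it needs the 2024-11-05 level), while device B is exposed to both.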


Source: https://securityonline.info/cve-2024-43047-cve-2024-43093-android-zero-days-demand-immediate-patching