Google has announced an imminent fix for critical vulnerabilities affecting Android devices. The vulnerabilities, identified as CVE-2024-43047 and CVE-2024-43093, are part of the November security patch update. Current indications suggest these vulnerabilities may be under limited, targeted exploitation.
CVE-2024-43047 involves memory corruption in the Qualcomm Digital Signal Processor (DSP) service. This issue affects multiple Qualcomm chipsets, potentially allowing attackers to escalate privileges and compromise devices. Qualcomm issued a patch back in October, which is now included in the broader distribution through the November Android Security Update.
CVE-2024-43093 is an escalation of privilege vulnerability impacting the Android framework component across versions 12 to 15. This vulnerability could expose significant portions of the Android system to attack.
The industry must pay immediate attention to these vulnerabilities, given their potential for exploitation. Not only do these issues pose a risk to device integrity, but they also expose sensitive personal and corporate data to unauthorized access.
Google is releasing two distinct patch levels, as per the Android security bulletin. The November 1 Patch Level addresses core Android components, including the system and framework, while the November 5 Patch Level focuses on issues in Qualcomm chipsets and in components from other manufacturers such as MediaTek and Imagination Technologies.
Until your device has received the November 5 patch, it remains vulnerable. Users are advised to regularly check for system updates and apply patches as soon as they become available to mitigate these critical issues.
To verify your device's patch level and update status, navigate to Settings > System > Software updates and check the patch level. If outdated, select System Update and then Check for Update and apply any available updates immediately.
If you receive only the November 1 patch level, continue checking daily for the November 5 update and apply it promptly upon release. Leaving these vulnerabilities unpatched increases the security risks to your Android devices.
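For anyone checking more than one device, the same patch-level check can be scripted. The following is an added example, not code from Google or the Android security bulletin: it grades a patch level string against the two November levels described above. The function names and sample serials are assumptions made for illustration; `ro.build.version.security_patch` is the standard Android property that holds the patch level.

```shell
#!/bin/sh
# Added example (not from the bulletin): grade Android patch levels against
# the two November 2024 levels described above.

# Print the status for a patch level string in YYYY-MM-DD form.
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;   # empty, truncated or non-date value
    esac
    n=$(printf '%s' "$1" | tr -d '-')  # 2024-11-05 -> 20241105
    if [ "$n" -lt 20241101 ]; then
        echo MISSING_BOTH              # neither November level applied
    elif [ "$n" -lt 20241105 ]; then
        echo PARTIAL                   # core fixes only, chipset fixes missing
    else
        echo PATCHED                   # November 5 level or newer
    fi
}

# Read "serial patch_level" lines on stdin and append the status to each.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s %s\n' "$serial" "$level" "$(classify_patch_level "$level")"
    done
}

# Live collection over USB debugging; requires adb, so it is not called below.
live_inventory() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s %s\n' "$serial" "$level"
    done
}

# Constructed sample inventory (serials and levels are made up).
SAMPLE_INVENTORY='EXAMPLE0001 2024-10-05
EXAMPLE0002 2024-11-01
EXAMPLE0003 2024-11-05
EXAMPLE0004 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

On a workstation with adb and authorized devices attached, `live_inventory | audit_inventory` produces the same report from real devices.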
In recent news, CISA issued an urgent alert regarding two critical vulnerabilities in PTZOptics PT30X-SDI/NDI cameras that could allow attackers to take control of the cameras, including authentication bypass, data exfiltration, and even remote alteration of device configuration.