Google has released the September 2024 Android security update to address critical security issues, including a zero-day vulnerability in the Android Framework component [1].

Description

The September 2024 Android security update from Google addresses a total of 36 security issues, with a focus on CVE-2024-32896, a critical zero-day vulnerability in the Android Framework component. The flaw allows local escalation of privilege with no additional execution privileges needed; exploitation requires physical access to the device and interrupts the factory reset process [3]. Google has confirmed that the vulnerability is being actively exploited, noting that it may be under limited, targeted exploitation [2] [5]. User interaction is required for exploitation [5], and additional exploits are needed to fully compromise the device [3].

The vulnerability was partially mitigated in a previous fix, CVE-2024-29748 [1] [2] [3] [4] [5] [6] [7], and is now fully addressed in Android 14 QPR3 [5]. In addition to CVE-2024-32896 [4], Google has patched ten high-severity vulnerabilities in the September security update for Android 14.

The update for the Pixel 9 Pro is 16.06 MB [2]; factory and OTA images are live, and on-device updates are rolling out [2]. Google is collaborating with OEMs to deploy fixes for the vulnerability across the entire Android ecosystem [3], not only on the Google-owned Pixel lineup. Users are strongly advised to update their devices promptly to protect against this and the other high-severity vulnerabilities.

Conclusion

It is crucial for users to promptly update their devices to protect against the critical security issues addressed in the September 2024 Android security update. Google’s collaboration with OEMs to deploy fixes across the Android ecosystem demonstrates a proactive approach to enhancing device security and mitigating potential risks. By staying informed and taking necessary precautions, users can help safeguard their devices and data from potential threats.

References

[1] https://gbhackers.com/google-patchesandroid-0-day-vulnerability/
[2] https://9to5google.com/2024/09/03/android-14-september-security-patch/
[3] https://thehackernews.com/2024/09/google-confirms-cve-2024-32896.html
[4] https://www.inkl.com/news/google-warns-of-critical-cve-2024-32896-zero-day-threat-on-android
[5] https://securityaffairs.com/168047/mobile-2/google-fixed-actively-exploited-android-flaw-cve-2024-32896.html
[6] https://www.forbes.com/sites/daveywinder/2024/09/04/google-issues-android-under-attack-warning-as-0-day-threat-hits-users/
[7] https://thecyberwire.com/podcasts/daily-podcast/2143/transcript