Google has released the December 2022 security update for Android, fixing four critical-severity vulnerabilities, including a remote code execution flaw exploitable via Bluetooth.
This month’s update addresses 45 vulnerabilities in core Android components with patch level 2022-12-01, and another 36 vulnerabilities impacting third-party components addressed in patch level 2022-12-05.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed,” mentions the security bulletin.
The four critical-severity vulnerabilities addressed in this month’s update are:
- CVE-2022-20472 – Remote code execution flaw in Android Framework, impacting Android versions 10 to 13.
- CVE-2022-20473 – Remote code execution flaw in Android Framework, impacting Android versions 10 to 13.
- CVE-2022-20411 – Remote code execution flaw in Android System, impacting Android versions 10 to 13.
- CVE-2022-20498 – Information disclosure flaw in Android System, impacting Android versions 10 to 13.
The rest of the fixed vulnerabilities involve elevation of privileges (EoP), remote code execution, information disclosure, and denial of service problems.
The high-severity EoP flaws are typically exploited by malware sneaking into a device via a low-privilege pathway, such as installing malicious software masquerading as an innocuous app.
That said, applying the available update as soon as it becomes available for your device is crucial, even if none of the flaws are currently reported as actively exploited.
If your device no longer receives monthly Android security updates or uses Android 9 or older, you are officially out of support.
In these cases, you are advised to upgrade to a newer device or install a custom ROM based on a later Android version, like LineageOS.
Owners of Google Pixel devices have also received an important security update this month, which addresses a total of 16 critical-severity flaws in various components.
These critical vulnerabilities enable attackers to elevate privileges or information disclosure on the target devices.
More details on the Pixel December 2022 update can be found on the dedicated security bulletin for Google’s own smartphone range.