Patchday: Starting points for attackers in Android 10, 11 and 12 closed


Attackers could obtain far-reaching user rights on Android devices. Critical gaps have been patched in Google’s Pixel series.

 

Google has released versions of Android 10, 11, 12 and 12L that are protected against possible attacks. The security patches are also available for other manufacturers. Android device owners should check for updates and, if one is available, install it.

 

The current patch levels are 2022-09-01 and 2022-09-05. The latter entry means that older patches are installed in addition to the current updates. You can check the entries in the system settings.
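The patch level can also be checked from a shell instead of the settings menu. The following sketch is an added example, not part of the original article: it classifies a patch level string against the two levels named above. The function names and result labels are assumptions chosen for illustration; `ro.build.version.security_patch` is the Android system property that holds the patch level.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the two
# September 2022 levels named in the article.

LEVEL_BASE="2022-09-01"   # first patch level from the article
LEVEL_FULL="2022-09-05"   # second patch level, includes the older patches

# classify_patch_level YYYY-MM-DD
# Prints one of: invalid | outdated | partial | complete  (labels are assumptions)
classify_patch_level() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;   # empty, truncated or non-date value
    esac
    # ISO dates compare chronologically once the dashes are removed.
    n=$(printf '%s' "$level" | sed 's/-//g')
    base=$(printf '%s' "$LEVEL_BASE" | sed 's/-//g')
    full=$(printf '%s' "$LEVEL_FULL" | sed 's/-//g')
    if [ "$n" -ge "$full" ]; then
        echo complete    # at or beyond 2022-09-05
    elif [ "$n" -ge "$base" ]; then
        echo partial     # 2022-09-01 fixes only
    else
        echo outdated    # older than this patch day
    fi
}

# device_patch_level: read the value from a device attached via adb.
# Hypothetical helper; needs adb and an authorised device, so it is not
# called by the sample run below.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r'
}

# Constructed sample values, not real device output.
for sample in 2022-08-05 2022-09-01 2022-09-05 2022-10-01 unknown; do
    printf '%s\t%s\n' "$sample" "$(classify_patch_level "$sample")"
done
```

With a device attached, `classify_patch_level "$(device_patch_level)"` gives the result for that device.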

The successful exploitation of many of the vulnerabilities can give attackers more rights in the system (elevation of privilege, EoP). Equipped with these, they could completely compromise devices in the worst case. In a warning message, the developers rate a vulnerability (CVE-2022-20218 or CVE-2022-20392, both “high”) in the framework as particularly dangerous. Attackers could exploit it without additional execution rights and increase their user rights.

For most of the remaining vulnerabilities, the threat level is “high”. In addition to EoP attacks, attackers could also access information that should be inaccessible. Several third-party components are affected as well. A “critical” vulnerability (CVE-2022-25708) affects Qualcomm’s WLAN firmware. Malicious code could get onto systems at this point, the developers explain in a warning message.

As a post shows, Google’s Pixel series gets several extra security patches on this patch day. These include, among other things, two “critical” EoP gaps (CVE-2022-20231, CVE-2022-20364).

In the box on the right, owners of Android devices from manufacturers such as LG and Samsung will find references to the manufacturer’s security area and the availability of current Android updates.

In addition to Google, other manufacturers regularly release security patches – but mostly only for a few product series. Devices from other manufacturers receive the updates much later or, in the worst case, not at all.

  • BlackBerry
  • Fairphone 3
  • Huawei
  • LG
  • Motorola
  • Nokia
  • Samsung
  • Sony
  • Support for Nexus and Pixel devices
  • Oppo