Update Android Devices ASAP
This notice is intended for U-M IT staff who are responsible for university devices using Android OS, or individuals using Android devices. It is especially important for personal devices used for university business.
Summary
Google has released an important update for Android to remediate a zero-day vulnerability (CVE-2023-4863 and CVE-2023-4211) that is being actively exploited in the wild. We expect additional software vendors will also be releasing updates to fix other applications affected by this vulnerability.
Update Android devices as soon as possible.
Problem
Although there is no confirmation as of yet, an exploit could potentially enable a zero-click attack when visiting a website containing a malicious image.
Threats
The vulnerability is being actively exploited in the wild.
Affected Versions
Google Android versions prior to the 2023-10-06 security patch update.
Action Items
Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Update Google Android devices to the latest version as soon as possible. Update any other software impacted by the (CVE-2023-4863 and CVE-2023-4211) vulnerability.
Technical Details
- CVE-2023-4863 is a heap buffer overflow issue in vp8 encoding in libvpx. According to Google, The vulnerability affects a number of popular applications.
- CVE-2023-4211 impacts multiple versions of Arm Mali GPU drivers which are used in many Android devices.
How We Protect U-M
ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation and provides vulnerability management guidance to the university.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.