Several critical vulnerabilities in the Android system and Qualcomm chips have been patched
Almost like clockwork, Google releases security patches for Android and its Pixel phones shortly after 10 a.m. Pacific on the first Monday of each month. Pixel owners have been eagerly awaiting this month’s update as it includes the QPR2 Pixel Feature Drop, where Google is seeding fun new features for its devices. The problem is that the Pacific came and went hours ago at 10 a.m. and there’s no update in sight – but at least there’s some movement now.
Google published its March Android security bulletin at 10:27 a.m. PDT, which lists all the patches it submits to the Android Open Source Project to fix security vulnerabilities. This brings Android’s latest security patch level on March 5, 2023, though Google has said it could take up to 48 hours for all code changes to be uploaded to the AOSP repository.
There are two sets of security patches included in this bulletin: March 1, 2023 and March 5, 2023. 18 system vulnerabilities and 8 framework vulnerabilities have been fixed in the March 1 update, and an additional 5 vulnerabilities will be patched via Google Play System Updates. The March 5 update mainly contains fixes for vendor-specific vulnerabilities: 21 for Qualcomm, 4 for Unisoc, and 3 for MediaTek, although there is also a patch for a CVE in the Android kernel.
The frustrating message Pixel users see today
Google notes that the worst issue being patched is a critical vulnerability in the Android system that could lead to remote code execution. Most of the vulnerabilities were marked as very serious, but a total of four were considered critical: CVE-2023-20951 and CVE-2023-20954 in the Android system, as well as CVE-2022-33213 and CVE-2022-33256 in Qualcomm Closed – sourced components.
While it’s nice that the security patches have been submitted to AOSP, the delayed Pixel update is particularly disappointing with all the changes Google made to the beta versions of QPR2. Beta 1 included a redesigned quick settings panel with a new animation on the media player and a larger clock. Beta 2 had an option to theme all your home screen icons, and Beta 3 brought customizable lock screen shortcuts, so there’s a lot to look forward to.
A reliable place to find out about Pixel updates as they are released is the Google Pixel community. If you look back at the post history for Pixel updates on that forum, you’ll see that almost every recent monthly update was announced no later than 10:08 a.m. Pacific. An exception was the update that came on January 3, which was not announced until Tuesday at 1:19 PM PDT, but this was somewhat expected given that it was the first post-holiday update.
We hope we see QPR2 tomorrow, but right now Pixel fans are definitely getting a little tired of checking for updates.