Tech giants Apple, Microsoft and Google fixed major security flaws in April, many of which were already being used in real-life attacks. Other companies set to release patches include privacy-focused browser Firefox and enterprise software providers SolarWinds and Oracle.
Here you will find everything you need to know about the patches released in April.
Apple
Hot on the heels of iOS 16.4Apple has released iOS 16.4.1 update to fix two vulnerabilities that are already used in attacks. CVE-2023-28206 is a problem in IOSurfaceAccelerator that could see an application capable of executing code with kernel privileges, Apple said in its support page.
CVE-2023-28205 is a problem in WebKit, the engine that powers the Safari browser, that could lead to arbitrary code execution. In both cases, the iPhone maker says: “Apple is aware of a report that this issue may have been actively exploited.”
The bug means that visiting a booby-trapped website could give cybercriminals control over your browser, or any application that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at the cybersecurity firm. sophos.
The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. With this in mind, Ducklin believes that the security holes could have been used to implant spyware.
Apple also released iOS 15.7.5 for users of older iPhones to fix the same flaws already exploited. Meanwhile, the iPhone maker released macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.
Microsoft
Apple wasn’t the only big tech company to issue emergency patches in April. Microsoft also released a hotfix as part of this month’s Patch Tuesday update. CVE-2023-28252 is an elevation of privilege error in the Windows common registry file system driver. An attacker who successfully exploited the flaw could gain system privileges, Microsoft said in a statement. advisory.
Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing that is tagged as having critical impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could result in remote code execution on the server side.
The fix was part of a series of patches for 98 vulnerabilities, so it’s worth checking the advisory and updating it as soon as possible.
googleandroid
Google has released multiple patches for its Android operating system, fixing several serious holes. The most serious bug is a critical security vulnerability in the system component that could lead to remote code execution without requiring additional execute privileges, Google said in its Android Security Bulletin. User interaction is not required for exploitation.
The issues patched include 10 in the framework, including eight elevation of privilege flaws, and another nine rated as high severity. Google fixed 16 bugs in the system, including two critical RCE flaws and various SoC and kernel component issues.
The update also includes several pixel specific patches, including a kernel elevation of privilege flaw tracked as CVE-2023-0266. The April Android patch is available for Google devices and models including Samsung’s Galaxy S series along with the Fold and Flip series.
Google Chrome
In early April, Google issued a patch to fix 16 problems in its popular Chrome browser, some of which are serious. The fixed flaws include CVE-2023-1810, a heap buffer overflow issue in Visuals rated as high impact, and CVE-2023-1811, a use-after-free vulnerability in Frames. The remaining 14 security bugs are classified as medium or low impact.
In the middle of the month, Google was forced to release an emergency update, this time to fix two flaws, one of which is already being used in real-life attacks. CVE-2023-2033 is a type of confusion bug in the V8 JavaScript engine. “Google is aware that there is an exploit for CVE-2023-2033,” the software giant said in its Blog.
Just a few days later, Google released another patch, which fixes issues including another zero-day bug tracked as CVE-2023-2136, an integer overflow bug in Skia’s graphics engine.
—————————————————-
Source link