Bug-squashing summer: A month’s worth of 0-day fixes among tech giants – Ars Technica


Bug-squashing summer: A month’s worth of 0-day fixes among tech giants

The summer patch cycle shows no signs of slowing down, with tech giants Apple, Google, and Microsoft releasing multiple updates to fix flaws being used in real-life attacks. July also saw serious bugs squashed by enterprise software firms SAP, Citrix, and Oracle.

Here’s everything you need to know about the major patches released during the month.

Apple iOS and iPadOS 16.6

Apple had a busy July after issuing two separate security updates during the month. The iPhone maker’s first update came in the form of a security-only Rapid Security Response patch.

It was only the second time Apple had issued a Rapid Security Response, and the process was not as smooth as the first. On July 10, Apple released iOS 16.5.1 (a) to fix a single WebKit flaw already being used in attacks, but the iPhone maker quickly retracted it after discovering that the patch broke several websites for users. Apple reissued the update as iOS 16.5.1 (c) a few days later, at last fixing the WebKit issue without breaking anything else.

Later in the month, Apple’s major point upgrade iOS 16.6 appeared with 25 security fixes, including the already exploited WebKit bug patched in iOS 16.5.1 (c), tracked as CVE-2023-37450.

Among the other bugs squashed in iOS 16.6 are 11 in the Kernel at the core of the iOS operating system, one of which Apple said is already being used in attacks. The Kernel flaw is the third iOS issue discovered by security outfit Kaspersky as part of the zero-click “Triangulation spyware” attacks.

Apple also released iOS 15.7.8 for users of older devices, as well as iPadOS 16.6, Safari 16.6, macOS Ventura 13.5, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, tvOS 16.6, and watchOS 9.6.

Microsoft

Microsoft’s July Patch Tuesday is an update to look out for because it fixes 132 vulnerabilities, including multiple zero-day flaws. First things first: One of the bugs detailed in the patch update, tracked as CVE-2023-36884, has not yet been fixed. In the meantime, the tech giant has offered steps to mitigate the already exploited flaw, which has apparently been used in attacks by a Russian cybercrime gang.

Other zero-day flaws included in Microsoft’s Patch Tuesday are CVE-2023-32046, a platform elevation of privilege bug in the MSHTML core Windows component, and CVE-2023-36874, a vulnerability in the Windows Error Reporting service that could allow an attacker to gain admin rights. Meanwhile, CVE-2023-32049 is an already exploited vulnerability in the Windows SmartScreen feature.

It goes without saying that you should update as soon as possible while keeping an eye out for the fix for CVE-2023-36884.

Google Android

Google has updated its Android operating system, fixing dozens of security vulnerabilities, including three it says “may be under limited, targeted exploitation.”

The first of the already exploited vulnerabilities is CVE-2023-2136, a remote code execution (RCE) bug in the System with a CVSS score of 9.6. The critical security vulnerability could lead to RCE with no additional privileges needed, according to the tech firm. “User interaction is not needed for exploitation,” Google warned.

CVE-2023-26083 is an issue in the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips, rated as having a moderate impact. The vulnerability was used to deliver spyware to Samsung devices in December 2022.

CVE-2021-29256 is a high-severity flaw that also impacts Bifrost and Midgard Arm Mali GPU kernel drivers.

The Android updates have already reached Google’s Pixel devices and some of Samsung’s Galaxy range. Given the severity of this month’s bugs, it’s a good idea to check whether the update is available and install it now.

Google Chrome 115

Google has issued the Chrome 115 update for its popular browser, fixing 20 security vulnerabilities, four of which are rated as having a high impact. CVE-2023-3727 and CVE-2023-3728 are use-after-free bugs in WebRTC. The third flaw rated as having a high severity is CVE-2023-3730, a use-after-free vulnerability in Tab Groups, while CVE-2023-3732 is an out-of-bounds memory access bug in Mojo.

Six of the flaws are listed as having a medium severity, and none of the vulnerabilities are known to have been used in real-life attacks. Even so, Chrome is a highly targeted platform, so check your system for updates.

Firefox 115

Hot on the heels of Chrome 115, rival browser maker Mozilla has released Firefox 115, fixing several flaws it rates as having high severity. Among these are two use-after-free bugs tracked as CVE-2023-37201 and CVE-2023-37202.

The privacy-conscious browser maker also fixed two memory safety bugs tracked as CVE-2023-37212 and CVE-2023-37211. The memory safety flaws are present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12, Mozilla said in an advisory, adding: “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

Citrix

Enterprise software giant Citrix has issued an update warning after fixing multiple flaws in its NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) tools, one of which has already been used in attacks.

Tracked as CVE-2023-3519, the already exploited flaw is an unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway that’s so severe it’s been given a CVSS score of 9.8. “Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix said. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

The flaw was also the subject of an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which warned that the bug was used in attacks on a critical infrastructure organization in June.

SAP

SAP, another enterprise software firm, has issued its July Security Patch Day, including 16 security fixes. The most severe flaw is CVE-2023-36922, an OS command injection vulnerability with a CVSS score of 9.1.

The bug allows an authenticated attacker to “inject an arbitrary operating system command into a vulnerable transaction and program,” security firm Onapsis said. “Patching is strongly recommended, since a successful exploit of this vulnerability has a high impact on confidentiality, integrity, and availability of the affected SAP system,” it warned.

Meanwhile, CVE-2023-33989 is a directory traversal vulnerability in SAP NetWeaver with a CVSS score of 8.7, and CVE-2023-33987 is a request smuggling and request concatenation vulnerability in SAP Web Dispatcher with a CVSS score of 8.6.

Oracle

Software company Oracle has released its July Critical Patch Update Advisory, fixing 508 vulnerabilities in its products. Among the fixes are 77 new security patches for Oracle Communications. Oracle warned that 57 of these vulnerabilities could be remotely exploited over a network without user credentials. One of the worst flaws is CVE-2023-20862, which has been given a CVSS score of 9.8.

Meanwhile, 147 of the Oracle patches were for Financial Services, and Fusion Middleware received 60 fixes.

Oracle said it continues to receive reports of attempts to exploit vulnerabilities it has already patched. In some cases, attackers were successful because targeted customers had failed to apply available Oracle patches, it said. “Oracle, therefore, strongly recommends that customers remain on actively supported versions and apply Critical Patch Update security patches without delay.”

This story originally appeared on wired.com