You really need to update Firefox and Android right now

By Microsoft

Here’s everything you need to know about the security fixes released in January.

Apple iOS

Apple has released iOS 16.3 along with a new feature that lets you use security keys as an extra layer of protection for your Apple ID. Apple’s latest update also includes 13 security fixes, including three in WebKit, the engine that powers the Safari browser, two of which could allow code execution.

Three other issues have been fixed in the iPhone kernel at the heart of iOS. One of the vulnerabilities, tracked as CVE-2023-23504, is quite serious: if exploited, it could allow an app to execute code with kernel privileges.

Apple also released iOS 15.7.3 for users of older iPhones, fixing six security issues, including the kernel code execution bug that is also fixed in iOS 16.3. None of the issues fixed in iOS 15.7.3 or iOS 16.3 are believed to have been used in actual attacks. However, Apple released iOS 12.5.7 for older devices to fix an already exploited WebKit vulnerability, CVE-2022-42856. Apple fixed the same bug for iPhones running iOS 15 in December.

Apple’s January updates also include tvOS 16.3, Safari 16.3, macOS Big Sur 11.7.3, macOS Monterey 12.6.3, watchOS 9.3, and macOS Ventura 13.2.

Google Chrome

It’s been a busy start to the year for Google, which has fixed 17 vulnerabilities in its Chrome browser, two of which are classified as high impact. The first of the two issues, tracked as CVE-2023-0128, is a use-after-free bug in Overview mode.

Meanwhile, CVE-2023-0129 is a heap buffer overflow in Network Service. Eight of the patched vulnerabilities are marked as medium impact, including CVE-2023-0130, an inappropriate implementation bug in the Fullscreen API, and CVE-2023-0137, a heap buffer overflow in Platform Apps.

Later in the month, Google patched six more Chrome issues, including two classified as high impact: CVE-2023-0471 is a use-after-free bug in WebTransport, and CVE-2023-0472 is a use-after-free bug in WebRTC.

Chrome’s first patches of 2023 don’t include already exploited issues, so while the update is important, it’s not as urgent as some of Google’s recent releases. Last year the browser maker fixed nine zero-day vulnerabilities.

Google Android

Google has published its Android Security Bulletin, which includes a number of patches for Android devices. The most serious flaw is a vulnerability in the Framework component that could lead to local privilege escalation without the need for additional privileges. CVE-2022-20456 is classified as high severity and affects Android versions 10 to 14. Meanwhile, CVE-2022-20490 is another local privilege escalation bug that does not require user interaction to be exploited.

Google also fixed vulnerabilities in the kernel, including three remote code execution (RCE) flaws marked critical. CVE-2022-42719 is a use-after-free bug that attackers could use to crash the kernel and run code. Google has also fixed several issues in the System component, the most serious of which could lead to local privilege escalation.

The Android security patch is available for Google’s Pixel devices, which have their own specific updates, and for Samsung’s Galaxy range, including the Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for the update in your device settings.

Microsoft Patch Tuesday

Microsoft fixed a whopping 98 security issues in its first Patch Tuesday of the year, including one previously exploited vulnerability: CVE-2023-21674, an elevation-of-privilege flaw in Windows Advanced Local Procedure Call (ALPC) that could lead to a browser sandbox escape.

By exploiting the bug, an adversary could gain system privileges, Microsoft wrote, confirming that the flaw has been found in real attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager user interface, CVE-2023-21726, is relatively easy to exploit and requires no user interaction.

January’s Patch Tuesday also saw Microsoft patch nine Windows kernel vulnerabilities, eight of which are elevation-of-privilege issues and one an information disclosure vulnerability.

Mozilla Firefox

Software company Mozilla has released major updates to its Firefox browser, the most serious of which have been the subject of an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA).

Among the 11 flaws fixed in Firefox 109 are four classified as high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”

VMware

Enterprise software maker VMware has released a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706, the first is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated malicious actor could inject files into the operating system of an affected appliance, resulting in RCE, VMware says.

Meanwhile, a broken access control RCE vulnerability tracked as CVE-2022-31704 also has a CVSSv3 base score of 9.8. It goes without saying that those affected by these vulnerabilities should patch as soon as possible.

Oracle

Software giant Oracle has issued patches for 327 security vulnerabilities, 70 of which are classified as having a critical impact. Worryingly, 200 of the issues fixed in January could be exploited by an unauthenticated remote attacker.

Oracle recommends that people update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”

In some cases, attackers were reported to have succeeded because targeted customers had failed to apply available Oracle patches, the company says.

SAP

SAP’s January Patch Day saw the release of 12 new and updated Security Notes. With a CVSS score of 9.0, CVE-2023-0014 is classified as the most serious bug by the security company Onapsis. The flaw affects the vast majority of SAP customers, and mitigating it is a challenge, says Onapsis.

The capture-replay vulnerability is a risk because it could allow attackers to gain access to an SAP system. “The full vulnerability fix includes the application of a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” explains Onapsis.
