Zero-Day Patching Updates From Apple & Goolge
It’s only a month into 2024, but Apple and Google have already patched their first zero-day flaws of the year. Enterprise firms are also gearing up for another year of bug squashing, with important fixes available from the likes of Cisco and SAP.
So what are you waiting for? Read on and take note of all the big patches issued in January so you can apply them to your systems as soon as possible.
Apple
Apple has released iOS 17.3 with its long-awaited Stolen Device Protection feature, as well as 16 security fixes, including one patch for an already exploited flaw. Tracked as CVE-2024-23222, the issue in browser engine WebKit could allow an attacker to execute code. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.
The iOS 17.3 update also fixes a further three issues in WebKit, including two that could lead to code execution. Meanwhile, CVE-2024-23208 is an issue in the kernel at the heart of the iOS operating system that could enable an app to execute code with kernel privileges.
Apple has also issued iOS 16.7.5 for users of older Apple devices, including the iPhone X and before. The update fixes the same already exploited bug alongside flaws in ImageIO, Apple Neural Engine, and Safari. Meanwhile, iOS 15.8.1 patches two WebKit code execution flaws already being used in attacks, tracked as CVE-2023-42916 and CVE-2023-42917. In both cases, Apple said it “is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.”
Apple also released Safari 17.3, macOS Sonoma 14.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3, watchOS 10.3, and tvOS 17.3.
Google Android
Google has released its January Android Security Bulletin, fixing several dozen issues in its mobile operating system, some of which are serious. The issues include four elevation-of-privilege vulnerabilities in the framework, tracked as CVE-2023-21245, CVE-2024-0015, CVE-2024-0018, and CVE-2024-0023.
Google also fixed five high-severity issues in the system, including CVE-2024-0021, an elevation-of-privilege bug. “The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed,” Google said in an advisory.
The patches come alongside Google’s Pixel Security Bulletin, which details fixes for its own devices.
The January security updates are available for Google’s Pixel as well as Samsung devices, including its Galaxy range.
Google Chrome
Google has kicked off 2024 with a fix for a serious vulnerability in Chrome that it says is already being exploited by attackers. Tracked as CVE-2024-0519 and with a CVSS score of 8.8, the out-of-bounds memory access bug in V8 could allow a remote attacker to exploit heap corruption via a crafted HTML page.
“Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild,” the browser maker said.
Two other flaws in V8, tracked as CVE-2024-0518 and CVE-2024-0517, were also fixed in the mid-January update.
Later in January, Google released Chrome 121 to the stable channel, fixing 17 security issues, three of which are rated as having a high impact. These include CVE-2024-0807, a use-after-free flaw in WebAudio, and CVE-2024-0812, an inappropriate implementation vulnerability in accessibility. The final high-impact vulnerability is CVE-2024-0808, an integer underflow in WebUI.
Obviously, these updates are important, so check and apply them as soon as you can.
Microsoft
Microsoft’s January Patch Tuesday squashes nearly 50 bugs in its popular software, including 12 remote code execution (RCE) flaws.
No security holes included in this month’s set of updates are known to have been used in attacks, but notable flaws include CVE-2024-20677, a bug in Microsoft Office that could allow attackers to create malicious documents with embedded FBX 3D model files to execute code.
To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint, and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it, Microsoft said.
Meanwhile, CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability rated as critical with a CVSS score of 8.8. In one scenario for this vulnerability, the attacker could convince a victim to connect to an attacker-controlled malicious application, Microsoft said. “Upon connecting, the malicious server could compromise the protocol,” the software giant added.
Mozilla Firefox
Hot on the heels of its market-dominant competitor Chrome, Mozilla’s Firefox has patched 15 security flaws in its latest update. Five of the bugs are rated as having a high severity, including CVE-2024-0741, an out-of-bounds write issue in Angle that could allow an attacker to corrupt memory, leading to an exploitable crash.
An unchecked return value in TLS handshake code tracked as CVE-2024-0743 could also cause an exploitable crash.
CVE-2024-0755 covers memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.
Cisco
Enterprise software giant Cisco has patched a vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
Tracked as CVE-2024-20253 and with a whopping CVSS score of 9.9, Cisco said an attacker could exploit the vulnerability by sending a crafted message to a listening port of an affected device.
“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said. “With access to the underlying operating system, the attacker could also establish root access on the affected device,” it warned.
SAP
SAP has issued 10 new security fixes as part of its January Security Patch Day, which includes several issues with a CVSS score of 9.1. CVE-2023-49583 is an escalation-of-privilege issue in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA.
Meanwhile, CVE-2023-50422 and CVE-2023-49583 are escalation-of-privilege issues in SAP Edge Integration Cell.
Another notable flaw is CVE-2024-21737, a code injection vulnerability in SAP Application Interface Framework, which has a CVSS score of 8.4. “A vulnerable function module of the application allows an attacker to traverse through various layers and execute OS commands directly,” security firm Onapsis said. “Successful exploits can cause considerable impact on confidentiality, integrity, and availability of the application.”
Credit: Wired.com