Illustration showing open windows a lock password and a security icon with several patches over it.
ILLUSTRATION: WIRED STAFF

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

Firefox gets a needed tune-up, SolarWinds squashes two high-severity bugs, Oracle patches 433 vulnerabilities, and more updates you should make now.

Tech giants Apple, Microsoft, and Google each fixed major security flaws in April, many of which were already being used in real-life attacks. Other firms to issue patches include privacy-focused browser Firefox and enterprise software providers SolarWinds and Oracle.

Here’s everything you need to know about the patches released in April.

Apple

Hot on the heels of iOS 16.4, Apple has released the iOS 16.4.1 update to fix two vulnerabilities already being used in attacks. CVE-2023-28206 is an issue in the IOSurfaceAccelerator that could see an app able to execute code with kernel privileges, Apple said on its support page.

CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, that could lead to arbitrary code execution. In both cases, the iPhone maker says, “Apple is aware of a report that this issue may have been actively exploited.”

The bug means visiting a booby-trapped website could give cybercriminals control over your browser—or any app that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at cybersecurity firm Sophos.

The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. Taking this into account, Ducklin thinks the security holes could have been used for implanting spyware.

Apple also released iOS 15.7.5 for users of older iPhones to fix the same already exploited flaws. Meanwhile, the iPhone maker issued macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.

Microsoft

Apple wasn’t the only big tech firm issuing emergency patches in April. Microsoft also released an urgent fix as part of this month’s Patch Tuesday update. CVE-2023-28252 is an elevation-of-privilege bug in the Windows Common Log File System Driver. An attacker who successfully exploited the flaw could gain system privileges, Microsoft said in an advisory.

Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing labeled as having a critical impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could result in remote code execution on the server side.

The fix was part of a slew of patches for 98 vulnerabilities, so it’s worth checking out the advisory and updating as soon as possible.

Google Android

Google has issued multiple patches for its Android operating system, fixing several serious holes. The most severe bug is a critical security vulnerability in the system component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin. User interaction is not needed for exploitation.

The patched issues include 10 in the framework, including eight elevation-of-privilege flaws, and nine others rated as having a high severity. Google fixed 16 bugs in the system including two critical RCE flaws and several issues in the kernel and SoC components.

The update also includes several Pixel-specific patches, including an elevation-of-privilege flaw in the kernel tracked as CVE-2023-0266. The Android April patch is available for Google’s devices as well as models including Samsung’s Galaxy S-series alongside the Fold and Flip-series.

Google Chrome

At the start of April, Google issued a patch to fix 16 issues in its popular Chrome browser, some of which are serious. The patched flaws include CVE-2023-1810, a heap buffer overflow issue in Visuals rated as having a high impact, and CVE-2023-1811, a use-after-free vulnerability in Frames. The remaining 14 security bugs are rated as having a medium or low impact.

Mid-month, Google was forced to issue an emergency update, this time to fix two flaws, one of which is already being used in real-life attacks. CVE-2023-2033 is a type of confusion flaw in the V8 JavaScript engine. “Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the software giant said on its blog.

Just days later, Google released another patch, fixing issues including another zero-day flaw tracked as CVE-2023-2136, an integer overflow bug in the Skia graphics engine.

Given the number and seriousness of the issues, Chrome users should prioritize checking that their current version is up to date.

Mozilla Firefox

Chrome rival Firefox has fixed issues in Firefox 112, Firefox for Android 112, and Focus for Android 112. Among the flaws is CVE-2023-29531, an out-of-bound memory access in WebGL on macOS rated as having a high impact. Meanwhile, CVE-2023-29532 is a bypass flaw affecting Windows, which requires local system access.

CVE-2023-1999 is a double-free in libwebp that could result in memory corruption and a potentially exploitable crash, Firefox owner Mozilla wrote in an advisory.

Mozilla also fixed two memory safety bugs, CVE-2023-29550 and CVE-2023-29551. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code,” the browser maker said.

SolarWinds

IT giant SolarWinds has patched two high-severity issues in its platform that could lead to command execution and privilege escalation. Tracked as CVE-2022-36963, the first issue is a command-injection flaw in SolarWinds’ infrastructure monitoring and management product, the firm wrote in a security advisory. If exploited, the bug could allow a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

Another high-severity issue is CVE-2022-47505, a local privilege escalation vulnerability that a local adversary with a valid system user account could use to escalate privileges.

The latest SolarWinds patch fixes several more issues rated as having a medium impact. None have been used in attacks, but if you are impacted by the flaws, it makes sense to update as soon as possible.

Oracle

April has been a big month for enterprise software maker Oracle, which has issued fixes for 433 vulnerabilities, 70 of which are rated as having a critical severity. These include issues in the Oracle GoldenGate Risk Matrix, including CVE-2022-23457, which has a CVSS base score of 9.8. The issue may be remotely exploitable without authentication, Oracle said in its advisory.

The April fixes also contain six new patches for Oracle Commerce. “All of these vulnerabilities may be remotely exploitable without authentication,” Oracle warned.

Due to the threat posed by a successful attack, Oracle “strongly recommends” that customers apply Critical Patch Update security fixes as soon as possible.

Cisco

Software firm Cisco has released fixes for vulnerabilities that could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system.

CVE-2023-20121, which affects Cisco EPNM, Cisco ISE, and Cisco Prime Infrastructure, is a  command-injection vulnerability. An attacker could exploit the flaw by logging in to the device and issuing a crafted CLI command. “A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of the affected device,” Cisco said, adding that the attacker must be an authenticated shell user to exploit the flaw.

Meanwhile, CVE-2023-20122 is a command-injection vulnerability in the restricted shell of Cisco ISE that could allow an authenticated, local attacker to escape the restricted shell and gain root privileges on the underlying operating system.

SAP

It’s been another busy Patch Day for SAP, which saw the release of 19 new Security Notes. Among the fixes are CVE-2023-27497, comprising multiple vulnerabilities in SAP Diagnostics Agent. Another notable patch is CVE-2023-28765, an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform. A missing password protection enforcement allows an attacker to access the lcmbiar file, according to security firm Onapsis. “After successful decryption of its content, the attacker could gain access to a user’s passwords,” the firm explained. “Depending on the authorizations of the impersonated user, an attacker could completely compromise the system’s confidentiality, integrity, and availability.”