Tech giants Apple, Microsoft and Google each patched major security flaws in April, many of which were exploited in real-world attacks. Other firms releasing patches included the privacy-focused browser Firefox and the enterprise software vendors SolarWinds and Oracle.
Here’s everything you need to know about the patches released in April.
Hot on the heels of iOS 16.4, Apple issued the iOS 16.4.1 update to fix two vulnerabilities already used in attacks. CVE-2023-28206 is an issue in IOSurfaceAccelerator that could allow an application to execute code with kernel privileges, Apple said on its support page.
CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, which could lead to arbitrary code execution. In both cases, the iPhone maker says, “Apple is aware of reports that this issue has been actively exploited.”
The WebKit flaw means that visiting a booby-trapped website could put cybercriminals in control of your browser, or of any application that uses WebKit to render and display HTML content, said Paul Ducklin, a security researcher at cybersecurity firm Sophos.
The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. Given who reported them, Ducklin thinks the security holes were used to install spyware.
Apple has also released iOS 15.7.5 for older iPhones to fix the same exploited flaws. Meanwhile, the iPhone maker released macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5 and macOS Big Sur 11.7.6.
Apple wasn’t the only major tech company to issue emergency patches in April. Microsoft released a fix for an exploited flaw as part of this month’s Patch Tuesday update. CVE-2023-28252 is a high-severity bug in the Windows Common Log File System (CLFS) driver. An attacker who successfully exploited the flaw could gain SYSTEM privileges, Microsoft said in its advisory.
Another significant flaw, CVE-2023-21554, is a critical remote code execution vulnerability in Microsoft Message Queuing (MSMQ). To exploit it, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could lead to remote code execution on the server side.
The fix was part of a Patch Tuesday release covering 98 vulnerabilities, so it’s worth checking the advisory and updating as soon as possible.
Google has released several patches for the Android operating system, fixing a number of serious bugs. The most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android security bulletin. No user interaction is required for exploitation.
Fixed issues included 10 in the Framework component, eight of them high-priority defects, and nine others rated as high-severity. In the System component, Google fixed 16 bugs, including two critical RCE flaws and several issues in the kernel and SoC components.
The update also includes a number of Pixel-specific patches, including a high-severity flaw in the kernel tracked as CVE-2023-0266. The Android April patch is available for Google devices as well as models including the Samsung Galaxy S series alongside the Fold and Flip series.
In early April, Google released a patch fixing 16 issues in the popular Chrome browser, some of them serious. Defects fixed include CVE-2023-1810, a stack buffer overflow in the Visuals component that is rated high-impact, and CVE-2023-1811, a vulnerability in the Frames component. The remaining 14 security flaws were rated as medium or low impact.
Just days later, Google released another Chrome update, fixing problems including a zero-day flaw tracked as CVE-2023-2136, an integer overflow in the Skia graphics engine.