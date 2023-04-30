



Tech giants Apple, Microsoft, and Google each patched major security flaws in April, many of which were already being used in real-world attacks. Other companies issuing patches include privacy-focused browser Firefox and enterprise software providers SolarWinds and Oracle.

Here's everything you need to know about the patches released in April.

Apple

Following iOS 16.4, Apple released the iOS 16.4.1 update to fix two vulnerabilities already used in attacks. CVE-2023-28206 is an issue in IOSurfaceAccelerator that could allow apps to execute code with kernel privileges, Apple says on its support page.

CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, that could lead to the execution of arbitrary code. In both cases, the iPhone maker says it is aware of reports that the issue may have been actively exploited.

This bug means that visiting a booby-trapped website could give cybercriminals control over apps that use WebKit to render and display HTML content.

The two flaws fixed in iOS 16.4.1 were reported by Google's Threat Analysis Group and Amnesty International's Security Lab. With this in mind, Ducklin believes the security holes may have been used to implant spyware.

Apple also released iOS 15.7.5 for users of older iPhones, fixing the same already-exploited flaws. Meanwhile, the iPhone maker has issued macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.

Microsoft

Apple wasn't the only major tech company to issue emergency patches in April. Microsoft also released an emergency fix as part of this month's Patch Tuesday. CVE-2023-28252 is a privilege escalation bug in the Windows Common Log File System driver. Microsoft states in an advisory that an attacker who exploits this vulnerability could gain SYSTEM privileges.

Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing labeled as Critical. To exploit the vulnerability, an attacker would have to send a malicious MSMQ packet to an MSMQ server, Microsoft said. This could lead to remote code execution on the server side.

The fix was one of a batch of patches covering 98 vulnerabilities, so it's worth reviewing the advisory and updating as soon as possible.

Google Android

Google has issued multiple patches for the Android operating system to fix some critical issues. The most serious bug is a critical security vulnerability in a system component that could allow remote code execution without requiring additional execution privileges, Google said in its Android Security Bulletin. No user interaction is required for exploitation.

The patched issues include 10 in the framework, 8 of which are privilege escalation flaws, and 9 others rated high severity. Google fixed 16 bugs in the system, including two critical RCE flaws, as well as several kernel and SoC component issues.

This update also includes several Pixel-specific patches, including a kernel privilege escalation flaw tracked as CVE-2023-0266. The April patch for Android is available not only for Google devices, but also for models including Samsung's Galaxy S series and Fold and Flip series.

Google Chrome

At the beginning of April, Google issued a patch fixing 16 issues in its popular Chrome browser, some of them serious. The patched flaws include CVE-2023-1810, a heap buffer overflow issue in Visuals rated as high impact, and CVE-2023-1811, a use-after-free vulnerability in Frames. The remaining 14 security bugs are rated medium or low impact.

Mid-month, Google was forced to issue an emergency update. This time it fixed two flaws, one of which had already been used in real-world attacks. CVE-2023-2033 is a type confusion flaw in the V8 JavaScript engine. Google is aware that an exploit for CVE-2023-2033 exists in the wild, the software giant said in a blog post.

A few days later, Google released another patch fixing issues including another zero-day flaw tracked as CVE-2023-2136, an integer overflow bug in the Skia graphics engine.

