



Summer software updates are rolling in, with Apple, Google and Microsoft issuing multiple patches for critical security flaws in June. Enterprise software companies have also been busy releasing fixes for the horrific holes in his MOVEit product from VMWare, Cisco, Fortinet and Progress Software.

A good number of security bugs squashed this month have been used in real-world attacks, so read on, take notes, and patch affected systems as soon as possible.

apple

Shortly after iOS 16.5, iOS 16.5.1, an emergency upgrade for the iPhone, was released in June. The latest iPhone update fixes security vulnerabilities in WebKit, the engine that powers Safari, and the core kernel of the iOS system.

Apple said on its support page that they are tracked as CVE-2023-32439 and CVE-2023-32434, both of which are code execution bugs that are being used in real-world attacks.

While details about the flaws that have already been exploited are limited, security firm Kaspersky has revealed how a kernel issue was used to carry out an iOS Triangulation attack against its own staff. This high-impact, zero-click attack requires no user interaction and delivers spyware using invisible iMessages with malicious attachments.

Apple also issued iOS 15.7.7 for older iPhones that fixed kernel and WebKit issues. His second WebKit flaw, tracked as CVE-2023-32435, was also reported by Kaspersky as part of the iOS Triangulation attack.

Meanwhile, Apple released Safari 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, watchOS 9.5.2 and watchOS 8.8.1.

microsoft

Microsoft’s mid-June Patch Tuesday includes security updates for 78 vulnerabilities, including 28 remote code execution (RCE) bugs. Some of the issues are serious, but it’s the first patch Tuesday since his March that doesn’t contain an already exploited flaw.

Critical issues patched in the June update include the Microsoft SharePoint Server privilege escalation vulnerability CVE-2023-29357 with a CVSS score of 9.8. According to Microsoft, an attacker with access to a spoofed JWT authentication token could use it to bypass authentication and perform network attacks that could gain access to the authenticated user’s privileges.

He added that the attacker does not need privileges and the user does not need to take any action.

CVE-2023-32031 and CVE-2023-28310, on the other hand, are remote code execution vulnerabilities in Microsoft Exchange Server that require an authenticated attacker to exploit.

google android

Now that the tech giant has released its June security bulletin, it’s time to update your Google Android devices. The most serious issue Google has fixed is a critical security vulnerability in a system component tracked as CVE-2023-21108 that could allow his RCE over Bluetooth without requiring additional execution permissions. . Another flaw in the system tracked as CVE-2023-21130 is an RCE bug also marked as critical.

One of the flaws patched in the June update is CVE-2022-22706. This is a vulnerability in Arm components that the chipmaker fixed in his 2022 after it was already used in attacks.

Sources 1/ https://Google.com/ 2/ https://www.wired.com/story/apple-google-moveit-security-patches-june-2023-critical-update/

