23.2 C
New York
Wednesday, July 24, 2024

Google Fixes Serious Security Flaws in Chrome and Android

August has ended the summer in style with multiple patches issued by Microsoft, Google Chrome, and its competitor Firefox to fix serious issues, some of which are being used in attacks.

While there was no Apple iPhone update at the time of writing, some major enterprise fixes were released during the month. These include patches for exploited flaws in Ivanti products, as well as fixes for vulnerabilities in SAP and Cisco software.

Read on for everything you need to know about the patches issued in August.

Microsoft

Microsoft’s August Patch Tuesday saw the software giant fixing dozens of vulnerabilities, including two already being used in real-world attacks. The first is a Defense in Depth update to CVE-2023-36884, a remote code execution (RCE) flaw in Windows Search that could allow attackers to bypass Microsoft’s Mark of the Web security feature. If it sounds familiar, that’s because Microsoft already fixed the vulnerability in July. But installing the latest update “stops the attack chain” leading to the issue, Microsoft said.

The second flaw, CVE-2023-38180 is an issue in .NET and Visual Studio that could allow an adversary to perform denial of service.

Six of the issues fixed in August’s Patch Tuesday are rated as critical, including CVE-2023-36895—an RCE flaw in the Outlook email client. Meanwhile, CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 are RCE issues in the Microsoft Message Queuing service, according to the Security Update Guide.

The fifth and sixth critical issues fixed by Microsoft in August are CVE-2023-29328 and CVE-2023-29330, both of which are RCE flaws in Teams.

Google Chrome

August kicked off with a slew of updates for Chrome 115 including nine rated as having a high impact. The 17 patches include three type-confusion flaws in V8: CVE-2023-4068, CVE-2023-4069, and CVE-2023-4070. And CVE-2023-4071 is a heap buffer overflow issue in Visuals and CVE-2023-4076 is a use-after-free flaw in WebRTC.

A couple of weeks later, Google issued Chrome 116 to patch 26 vulnerabilities, eight of which are rated as having a high impact. The most serious issues include CVE-2023-2312—a use-after-free bug in Offline—and CVE-2023-4349, a use-after-free flaw in Device Trust Connectors. A third, CVE-2023-4350, is an inappropriate implementation bug in Fullscreen.

Then, on August 23, Google released the first of its more regular weekly security updates, patching five flaws. The four vulnerabilities rated as having a high impact include two use-after-free bugs and two out-of-bounds memory access issues.

Firefox

Google Chrome’s privacy-focused competitor Firefox also had a hectic August, fixing more than a dozen vulnerabilities in Firefox 116. The issues patched by Firefox owner Mozilla include CVE-2023-4045, an issue in Offscreen Canvas rated as high, and CVE-2023-4047, a bug in popup notifications delay calculation that could allow an attacker to trick a user into granting permissions.

The update also patches memory safety bugs tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058. The flaws fixed in the latest update “showed evidence of memory corruption,” Mozilla said. “We presume that with enough effort, some of these could have been exploited to run arbitrary code.”

Google Android

Google has issued 40 updates for its Android operating system including patches for serious flaws in the Framework, System, and Kernel. Tracked as CVE-2023-21273, the most severe bug fixed in August is a critical security vulnerability in the System component that could lead to RCE with no additional execution privileges needed. User interaction is not required for exploitation, Google said in its Android Security Bulletin.

Meanwhile, CVE-2023-21282 is an RCE flaw in the Media Framework also marked as having a critical impact. Another critical issue in the Kernel, tracked as CVE-2023-21264, could lead to local escalation of privilege, although System execution privileges are needed.

Most PopularBusinessThe End of Airbnb in New York

Amanda Hoover

BusinessThis Is the True Scale of New York’s Airbnb Apocalypse

Amanda Hoover

CultureStarfield Will Be the Meme Game for Decades to Come

Will Bedingfield

GearThe 15 Best Electric Bikes for Every Kind of Ride

Adrienne So

None of the issues fixed in the release are being used in attacks, but some are pretty severe, so it makes sense to update when you can. The update is available for Google’s Pixel devices as well as Samsung smartphones including the Galaxy S23.

Ivanti

IT software maker Ivanti has issued several notable patches during August, including fixes for flaws being used in rea-world attacks. Tracked as CVE-2023-35081, a path traversal vulnerability in Ivanti Endpoint Manager Mobile (EPMM)—formerly known as MobileIron Core—allows an attacker to write arbitrary files on the web application server. The adversary could then execute the uploaded file, for example, a web shell, according to a warning by the Cybersecurity and Infrastructure Security Agency.

“Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now,” Ivanti said in an advisory, adding, “It is critical that you immediately take action to ensure you are fully protected.”

The patch came after government ministries in Norway were targeted by another Ivanti EPMM flaw tracked as CVE-2023-35078. Ivanti said this bug can be combined with CVE-2023-35081 to bypass admin authentication.

August was an eventful month for Ivanti, which also discovered a vulnerability in Ivanti Sentry that it said is already being exploited. Tracked as CVE-2023-38035, the flaw enables an unauthenticated actor to access sensitive application programming interfaces (APIs) used to configure the Ivanti Sentry on the administrator portal (port 844).

While the issue has been given a CVSS score of 9.8, Ivanti said there is a “low risk of exploitation” for customers who do not expose port 8443 to the internet.

Cisco

Enterprise software firm Cisco has released patches for multiple flaws in its products, some of which are rated as having a high severity. Tracked as CVE-2023-20197 with a CVSS score of 7.5, one of the worst issues is a vulnerability in the filesystem image parser for Hierarchical File System Plus of ClamAV that could allow an unauthenticated, remote attacker to cause a denial of service on an affected device.

Meanwhile, a vulnerability in the Intermediate System-to-Intermediate System protocol of Cisco NX-OS Software for the Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated attacker to cause the IS-IS process to unexpectedly restart and a device to reload.

SAP

August was an eventful Security Patch Day for SAP, which released a new set of fixes to address vulnerabilities in its products. Multiple flaws have been fixed in SAP PowerDesigner, including one tracked as CVE-2023-37483 and with a CVSS score of 9.8. “The only thing that prevents the vulnerability from being rated with the maximum CVSS score of 10 is that the scope keeps unchanged during a successful exploit,” security firm Onapsis said.

The flaws fixed in August also include CVE-2023-39437, a Cross-Site Scripting vulnerability in SAP Business One. Another high-priority fix is a patch for a Binary hijack in SAP BusinessObjects Business Intelligence Suite, which is tracked as CVE-2023-37490 and has a CVSS score of 7.6.

Related Articles

Latest Articles