tech giants apple, Microsoft and Google both patched major security flaws in April, many of which had already been used in real-world attacks. Other companies that will release patches include the privacy-focused Firefox browser, enterprise software providers SolarWinds, and Oracle.
Here’s everything you need to know about the patches released in April.
apple
In the wake of the release of iOS 16.4, Apple released the iOS 16.4.1 update to fix two vulnerabilities that were already used in the attacks. Apple said on its support page that CVE-2023-28206 is an issue with IOSurfaceAccelerator that can see an application able to execute code with kernel privileges.
CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, that may lead to arbitrary code execution. In either case, the iPhone maker says, “Apple is aware of a report that this issue may have been actively exploited.”
The bug means that visiting a booby-trapped website could give cybercriminals control over your browser — or any application that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at cybersecurity firm Sophos.
The two fixed flaws in iOS 16.4.1 were reported by Google’s Threat Analysis Group and AI Security Lab. With that in mind, Duquelin believes the vulnerabilities could have been used to plant spyware.
Apple also released iOS 15.7.5 to users of older iPhones to fix the same flaws that were already exploited. Meanwhile, the iPhone manufacturer has released macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.
Microsoft
Apple wasn’t the only big tech company to release emergency patches in April. Microsoft also released a hotfix as part of this month’s Patch Tuesday update. CVE-2023-28252 is an elevation-of-privilege error in the Windows Generic Log File System driver. Microsoft said in an advisory that an attacker who successfully exploited the flaw could gain system privileges.
Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing that has been rated as having a severe impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could lead to remote code execution on the server side.
The fix was part of a large number of patches for 98 vulnerabilities, so it’s worth checking out the instructions and updating as soon as possible.
Google Android
Google has released multiple patches for its Android operating system, fixing many serious vulnerabilities. Google said in its Android Security Bulletin that the most serious bug is a critical vulnerability in a system component that can lead to remote code execution without the need for additional execution privileges. User interaction is not necessary for the exploit.
The patched issues include 10 in the framework, including eight franchise elevation flaws, and nine other issues rated as severe. Google fixed 16 system bugs including two critical RCE flaws and several issues with kernel and SoC components.
The update also includes several pixel-specific fixes, including a privilege elevation flaw in the kernel tracked as CVE-2023-0266. The April Android patch is available for Google devices as well as models including Samsung’s Galaxy S series along with the Fold and Flip series.
Google Chrome
At the beginning of April, Google released a patch to fix 16 problems in the popular Chrome browser, some of them serious. Corrected flaws include CVE-2023-1810, a buffer overrun issue in visuals that is classified as having a high impact, and CVE-2023-1811, a dimension-not-usable vulnerability in windows. The remaining 14 security bugs are rated medium or low impact.
In the middle of the month, Google was forced to release an emergency update, this time to fix two flaws, one of which was already used in real-life attacks. CVE-2023-2033 is a type of confusing flaw in the V8 JavaScript engine. “Google is aware that the CVE-2023-2033 exploit is out in the wild,” the software giant said in its blog post.
Just days later, Google released another patch fixing issues including another zero-day bug traced as CVE-2023-2136, an integer overflow bug in the Skia graphics engine.