NEWS: The Ongoing Effort to Counter Zero-Day Threats This Summer

October 17, 2023

The summer season has not slowed down the release of software updates, with tech behemoths Apple, Google, and Microsoft launching numerous patches to address vulnerabilities that are being exploited in actual attacks. In July, significant bugs were also addressed by enterprise software companies SAP, Citrix, and Oracle. Here is a comprehensive rundown of the major patches rolled out during the month.

Apple’s iOS and iPadOS 16.6

In July, Apple was quite busy, releasing two separate security updates. The first update from the iPhone manufacturer was a security-only Rapid Security Response patch. This marked only the second instance of Apple issuing a Rapid Security Response, and the process was not as seamless as the first one. On July 10, Apple rolled out iOS 16.5.1 (a) to address a single WebKit vulnerability that was already being exploited, but the patch was quickly withdrawn after it was found to disrupt several websites for users. A few days later, Apple re-released the update as iOS 16.5.1 (c), finally resolving the WebKit issue without causing any other problems.

Later in July, Apple’s major point upgrade, iOS 16.6, was released with 25 security fixes, including the previously exploited WebKit bug that was addressed in iOS 16.5.1 (c), identified as CVE-2023-37450. Among the other bugs addressed in iOS 16.6 were 11 in the Kernel, the heart of the iOS operating system, one of which Apple said is already being exploited. The Kernel flaw is the third iOS issue identified by security firm Kaspersky as part of the zero-click “Triangulation spyware” attacks.

Apple also rolled out iOS 15.7.8 for users of older devices, along with iPadOS 16.6, Safari 16.6, macOS Ventura 13.5, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, tvOS 16.6, and watchOS 9.6.

Microsoft

Microsoft’s July Patch Tuesday is a crucial update to watch for, as it addresses 132 vulnerabilities, including several zero-day flaws. To begin with, one of the bugs outlined in the patch update, identified as CVE-2023-36884, has yet to be addressed. In the meantime, the technology giant has provided steps to mitigate the already exploited flaw, which is reportedly being used in attacks by a Russian cybercrime group.

Other zero-day flaws included in Microsoft’s Patch Tuesday are CVE-2023-32046, a platform elevation of privilege bug in the MSHTML core Windows component, and CVE-2023-36874, a vulnerability in the Windows Error Reporting service that could let an attacker gain admin rights. Meanwhile, CVE-2023-32049 is an already exploited vulnerability in the Windows SmartScreen feature.

Needless to say, you should update as soon as possible while keeping an eye out for the fix for CVE-2023-36884.

Google Android

Google has rolled out an update for its Android operating system, addressing numerous security vulnerabilities, including three that it says “may be under limited, targeted exploitation.”

The first of the already exploited vulnerabilities is CVE-2023-2136, a remote code execution (RCE) bug in the System component with a CVSS score of 9.6. The critical security vulnerability could lead to RCE with no additional privileges needed, according to the tech firm. “User interaction is not needed for exploitation,” Google warned.

CVE-2023-26083 is an issue in the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips, rated as having a moderate impact. The vulnerability was used to deliver spyware to Samsung devices in December 2022.

CVE-2021-29256 is a high-severity flaw that also impacts Bifrost and Midgard Arm Mali GPU kernel drivers.

The Android updates have already reached Google’s Pixel devices and some of Samsung’s Galaxy range. Given the severity of this month’s bugs, it’s a good idea to check whether the update is available and install it now.

Google Chrome 115

Google has released the Chrome 115 update for its popular browser, addressing 20 security vulnerabilities, four of which are rated as having a high impact. CVE-2023-3727 and CVE-2023-3728 are use-after-free bugs in WebRTC. The third flaw rated as high severity is CVE-2023-3730, a use-after-free in Tab Groups. The fourth, CVE-2023-3732, is an out-of-bounds memory access issue in Mojo. None of the vulnerabilities is known to have been exploited in real-world attacks; a further six are classified as medium severity. Given that Chrome is a commonly targeted platform, it’s advisable to keep your system updated.

Mozilla Firefox 115

Mozilla’s Firefox 115 was released shortly after Chrome 115, addressing several high-severity flaws. Notable among these are two use-after-free bugs, identified as CVE-2023-37201 and CVE-2023-37202. Mozilla also rectified two memory safety bugs, CVE-2023-37212 and CVE-2023-37211, which were found in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Mozilla’s advisory noted that these bugs demonstrated evidence of memory corruption, which could potentially be exploited to run arbitrary code with sufficient effort.
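The practical question behind the Apple, Chrome, and Firefox sections above is whether a given device has actually reached the fixed version. The script below is an added example, not code from the article or from any of the vendors named: it takes the minimum fixed versions the article states (iOS 16.6 and 15.7.8, macOS Ventura 13.5, Monterey 12.6.8, Big Sur 11.7.9, Chrome 115, Firefox 115, and so on), compares them against a small constructed inventory, and reports which hosts are still exposed. The version parser tolerates Apple's lettered Rapid Security Response suffixes such as "16.5.1 (c)", which a naive string comparison would mishandle.

```python
"""Patch-compliance check against the fixed versions named in this roundup.

Added example, not part of the article. FIXED_VERSIONS comes from the
versions the article lists; SAMPLE_INVENTORY is constructed test data.
"""
import re

# Minimum version that carries the July fixes, as stated in the article.
FIXED_VERSIONS = {
    "iOS": "16.6",
    "iOS (older devices)": "15.7.8",
    "iPadOS": "16.6",
    "Safari": "16.6",
    "macOS Ventura": "13.5",
    "macOS Monterey": "12.6.8",
    "macOS Big Sur": "11.7.9",
    "tvOS": "16.6",
    "watchOS": "9.6",
    "Chrome": "115",
    "Firefox": "115",
}

# Constructed inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("host-01", "iOS", "16.5.1 (c)"),          # has the WebKit RSR fix, not the 16.6 kernel fix
    ("host-02", "iOS", "16.6"),
    ("host-03", "macOS Ventura", "13.4.1"),
    ("host-04", "Chrome", "115.0.5790.102"),   # constructed full build string
    ("host-05", "Firefox", "114.0.2"),
    ("host-06", "macOS Monterey", "12.6.8"),
]


def parse_version(text):
    """Turn '16.5.1 (c)' into (16, 5, 1).

    Only the leading dotted-numeric part is compared; the lettered
    Rapid Security Response suffix does not change the base version.
    """
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 like cmp(); pads so that 16.6 == 16.6.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_patched(product, installed):
    """True if the installed version is at or above the fixed version."""
    required = parse_version(FIXED_VERSIONS[product])
    return compare_versions(parse_version(installed), required) >= 0


def outdated(inventory):
    """Return (host, product, installed, required) for each exposed host.

    Products not listed in FIXED_VERSIONS are skipped rather than guessed.
    """
    findings = []
    for host, product, installed in inventory:
        if product not in FIXED_VERSIONS:
            continue
        if not is_patched(product, installed):
            findings.append((host, product, installed, FIXED_VERSIONS[product]))
    return findings


if __name__ == "__main__":
    for host, product, installed, required in outdated(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} is below fixed version {required}")
```

Running it against the constructed inventory flags host-01, host-03, and host-05. Note that host-01 on iOS 16.5.1 (c) is correctly reported as still exposed: that build carries only the WebKit fix, while the exploited Kernel flaw the article describes was fixed in 16.6.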

Citrix

Enterprise software corporation Citrix has also issued an update warning, following the rectification of multiple flaws in its NetScaler ADC (now known as Citrix ADC) and NetScaler Gateway (now Citrix Gateway) tools. One of these flaws, CVE-2023-3519, is an unauthenticated remote code execution vulnerability that has been exploited and has a CVSS score of 9.8. Citrix has observed exploits of CVE-2023-3519 on unmitigated appliances and strongly urges affected customers to install the updated versions as soon as possible. The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory about this bug, noting its use in attacks on a critical infrastructure organization in June.

SAP

Enterprise software company SAP has released its July Security Patch Day, which includes 16 security fixes. The most severe of these is CVE-2023-36922, an OS command injection vulnerability with a CVSS score of 9.1. Onapsis, a security firm, stated that an authenticated attacker could “inject an arbitrary operating system command into a vulnerable transaction and program.” Therefore, patching is highly recommended due to the high impact on the confidentiality, integrity, and availability of the affected SAP system.

In addition, CVE-2023-33989 is a directory traversal vulnerability in SAP NetWeaver with a CVSS score of 8.7, and CVE-2023-33987 is a request smuggling and request concatenation vulnerability in SAP Web Dispatcher with a CVSS score of 8.6.

Oracle

Software firm Oracle has also released its July Critical Patch Update Advisory, which addresses 508 vulnerabilities across its products. This includes 77 new security patches for Oracle Communications, with 57 of these vulnerabilities being exploitable remotely over a network without user credentials. One of the most severe flaws is CVE-2023-20862, which has a CVSS score of 9.8. Oracle has also released 147 patches for Financial Services and 60 fixes for Fusion Middleware. The company stressed the importance of customers applying Critical Patch Update security patches promptly and remaining on actively supported versions, as it continues to receive reports of attempts to exploit vulnerabilities it has already patched. In some instances, attackers were successful because targeted customers had not applied available Oracle patches.