Tech giants Apple, Microsoft, and Google each fixed major security flaws in April, many of which were already being used in real-life attacks. Other firms to issue patches include privacy-focused browser Firefox and enterprise software providers SolarWinds and Oracle.
Here’s everything you need to know about the patches released in April.
Hot on the heels of iOS 16.4, Apple has released the iOS 16.4.1 update to fix two vulnerabilities already being used in attacks. CVE-2023-28206 is an issue in the IOSurfaceAccelerator that could see an app able to execute code with kernel privileges, Apple said on its support page.
CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, that could lead to arbitrary code execution. In both cases, the iPhone maker says, “Apple is aware of a report that this issue may have been actively exploited.”
The bug means visiting a booby-trapped website could give cybercriminals control over your browser—or any app that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at cybersecurity firm Sophos.
The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. Taking this into account, Ducklin thinks the security holes could have been used for implanting spyware.
Apple also released iOS 15.7.5 for users of older iPhones to fix the same already exploited flaws. Meanwhile, the iPhone maker issued macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.
Apple wasn’t the only big tech firm issuing emergency patches in April. Microsoft also released an urgent fix as part of this month’s Patch Tuesday update. CVE-2023-28252 is an elevation-of-privilege bug in the Windows Common Log File System Driver. An attacker who successfully exploited the flaw could gain system privileges, Microsoft said in an advisory.
Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing labeled as having a critical impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could result in remote code execution on the server side.
The fix was part of a slew of patches for 98 vulnerabilities, so it’s worth checking out the advisory and updating as soon as possible.
Google has issued multiple patches for its Android operating system, fixing several serious holes. The most severe bug is a critical security vulnerability in the system component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin. User interaction is not needed for exploitation.
The patched issues include 10 in the framework, including eight elevation-of-privilege flaws, and nine others rated as having a high severity. Google fixed 16 bugs in the system including two critical RCE flaws and several issues in the kernel and SoC components.
The update also includes several Pixel-specific patches, including an elevation-of-privilege flaw in the kernel tracked as CVE-2023-0266. The Android April patch is available for Google’s devices as well as models including Samsung’s Galaxy S-series alongside the Fold and Flip-series.
At the start of April, Google issued a patch to fix 16 issues in its popular Chrome browser, some of which are serious. The patched flaws include CVE-2023-1810, a heap buffer overflow issue in Visuals rated as having a high impact, and CVE-2023-1811, a use-after-free vulnerability in Frames. The remaining 14 security bugs are rated as having a medium or low impact.
Just days later, Google released another patch, fixing issues including another zero-day flaw tracked as CVE-2023-2136, an integer overflow bug in the Skia graphics engine.