Kate O’Flaherty* says vital security patches have been rolled out for Apple devices, Microsoft Outlook and Android, while Chrome and Firefox have gotten fixes.
Multiple big tech firms issued crucial security patches in March to fix major holes being used in real-life attacks.
Microsoft’s March Patch Tuesday was a big one, while Google Android users should be looking out for the latest update—particularly if they own a Samsung device. Apple has also released a new round of patches to fix issues that include a zero-day flaw in older iPhones.
Here’s what you need to know about all the patches issued in March.
Apple iOS and iPadOS 16.4
Apple iOS updates continue to come thick and fast, with the iPhone maker releasing iOS and iPadOS 16.4 in March.
The update comes with a bunch of new features, along with a rather hefty 33 fixes for iOS security vulnerabilities.
Some of the bugs fixed in iOS 16.4 are pretty serious, although none are known to have been used in attacks.
Among the notable bugs are flaws in WebKit, the engine that powers the Safari browser, and in the Kernel at the heart of the iPhone operating system, according to Apple’s support page.
Tracked as CVE-2023-27969 and CVE-2023-27933, the two Kernel exploits could allow an attacker to execute code.
Meanwhile, Apple fixed a Sandbox issue tracked as CVE-2023-28178 that could allow an app to bypass privacy preferences.
While the iOS 16.4 patches haven’t been used in attacks, Apple also released iOS 15.7.4 for older iPhones to fix 16 issues, including an already exploited flaw.
Tracked as CVE-2023-23529, the WebKit bug could lead to arbitrary code execution—although it requires some user interaction.
The same issue was fixed in iOS 16.3.1 in February.
Apple also released macOS Ventura 13.3, Safari 16.4, watchOS 9.4, tvOS 16.4, macOS Big Sur 11.7.5, macOS Monterey 12.6.4, macOS Monterey, and macOS Ventura 13.3.
March was a big Patch Tuesday for Microsoft, with the software giant releasing fixes for over 80 flaws, one of which is already being used in attacks.
With a CVSS score of 9.8, CVE-2023-23397 is a critical issue in Microsoft’s Outlook that has apparently been used in attacks by Russia-linked cybercriminals.
Microsoft also issued a detection script to help people spot the attack.
Microsoft said in an advisory that an attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash, which could then be used in relay attacks.
“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” the firm said, adding that it could lead to exploitation even before the email is viewed in the Preview Pane.
Google-owned threat intelligence company Mandiant later claimed that the vulnerability has been exploited for nearly a year in attacks targeting companies and critical infrastructure.
The Google Android March security bulletin includes fixes for more than 50 security issues.
The most severe is a critical vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed.
User interaction is not required for exploitation, Google said.
Google also patched eight issues in the Framework marked as having a high severity, which could lead to privilege escalation without any user interaction.
Meanwhile, researchers at Google’s Project Zero have reported 18 zero-day vulnerabilities in Exynos Modems made by Samsung.
The four most severe—CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498—allow internet-to-baseband remote code execution, the researchers wrote in a blog.
“Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” they wrote.
Affected devices include those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, as well as Google’s Pixel 6 and Pixel 7 series.
Patch timelines will vary per manufacturer, but affected Pixel devices have received a fix for all four of the severe internet-to-baseband remote code execution vulnerabilities.
In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.
Google has released Chrome 111 of its popular browser, fixing eight security flaws, seven of which are memory safety bugs with a high severity rating.
Four use-after-free vulnerabilities include a high-severity issue tracked as CVE-2023-1528 in Passwords and CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.
Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.
None of the issues are known by Google to have been used in attacks, but given their impact, it makes sense to update Chrome when you can.
Enterprise software giant Cisco has published the twice-yearly security bundle for its IOS and IOS XE Software, fixing 10 vulnerabilities.
Six of the issues fixed by Cisco are rated as having a high impact, including CVE-2023-20080, a denial of service flaw, and CVE-2023-20065, a privilege escalation bug.
At the start of the month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause denial of service.
With a CVSS score of 9.8, the worst is CVE-2023-20078, a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 series multiplatform phones.
Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities, seven of which are rated as having a high impact.
These include three flaws in Firefox for Android, including CVE-2023-25749, which may have resulted in third-party apps opening without a prompt.
Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111.
“Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.
It’s another month of big updates for software maker SAP, which has released 19 new security notes in its March Security Patch Day guidance.
Issues fixed during the month include four with a CVSS score of over 9.
One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform.
This vulnerability in the Central Management Console allows an attacker to inject arbitrary code with a “strong negative impact” on the integrity, confidentiality, and availability of the system, security firm Onapsis said.
Finally, with a CVSS score of 9.9, CVE-2023-23857 is an improper access control bug in SAP NetWeaver AS for Java.
“The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services,” Onapsis said.
*Kate O’Flaherty is Contributor on WIRED UK.
This article first appeared at wired.co.uk