Plus: Mozilla patched more than a dozen bugs in Firefox, and enterprise companies Ivanti, Cisco, and SAP rolled out numerous updates to squash some serious bugs.
Microsoft, Google Chrome, and its rival Firefox closed out the summer in August with multiple patches addressing serious issues, some of which were used in attacks.
While Apple had not released an iPhone update at the time of writing, several major enterprise fixes were released this month. These include patches for exploited flaws in Ivanti products, as well as fixes for vulnerabilities in SAP and Cisco software.
Read on for everything you need to know about the patches released in August.
Microsoft
Microsoft fixed dozens of vulnerabilities in August’s Patch Tuesday, two of which have been used in real-world attacks. The first is a defense-in-depth update for CVE-2023-36884, a remote code execution (RCE) flaw in Windows Search that could allow attackers to bypass Microsoft’s Mark of the Web security feature. If this sounds familiar, that’s because Microsoft already patched the vulnerability in July. But Microsoft says installing the latest update can “block the attack chain” that leads to the issue.
The second flaw, CVE-2023-38180, is an issue in .NET and Visual Studio that could allow an attacker to perform a denial of service.
Six issues fixed in August’s Patch Tuesday are rated critical, including CVE-2023-36895, an RCE flaw in the Outlook email client. Meanwhile, CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 are RCE issues in the Microsoft Message Queuing service, according to the security update guidance.
The fifth and sixth critical issues Microsoft fixed in August were CVE-2023-29328 and CVE-2023-29330, both RCE flaws in Teams.
Google Chrome
Chrome 115 kicked off August with a series of updates, nine of which were rated as high-impact. The 17 patches include three type confusion flaws in V8: CVE-2023-4068, CVE-2023-4069, and CVE-2023-4070. CVE-2023-4071 is a heap buffer overflow issue in Visuals, and CVE-2023-4076 is a use-after-free flaw in WebRTC.
A few weeks later, Google released Chrome 116, which fixed 26 vulnerabilities, eight of which were rated as high impact. The most severe issues include CVE-2023-2312 (a use-after-free bug in Offline) and CVE-2023-4349 (a use-after-free flaw in the Device Trust Connector). A third, CVE-2023-4350, is an inappropriate implementation bug in Fullscreen.
Then, on August 23, Google released the first of its more regular weekly security updates, fixing five flaws. The four vulnerabilities rated as high impact include two use-after-free errors and two out-of-bounds memory access issues.
Firefox browser
Google Chrome’s privacy-focused rival Firefox also had a busy August, fixing more than a dozen vulnerabilities in Firefox 116. Issues patched by Firefox owner Mozilla include CVE-2023-4045, a high-rated issue in Offscreen Canvas, and CVE-2023-4047, a bug in pop-up notification delay calculations that could allow attackers to trick users into granting permissions.
This update also fixes memory safety bugs tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058. Mozilla said the flaws fixed in the latest update “show evidence of memory corruption,” adding: “We believe that with enough effort, some of these could potentially be exploited to run arbitrary code.”
Google Android
Google has released 40 updates for its Android operating system, which include patches for serious flaws in the framework, system, and kernel. The most severe bug fixed in August is tracked as CVE-2023-21273, a critical security vulnerability in system components that could lead to RCE without additional execution permissions. Google said in its Android security advisory that no user interaction is required to exploit the flaw.
Meanwhile, CVE-2023-21282, an RCE flaw in the media framework, has also been flagged as having critical impact. Another critical issue in the kernel, numbered CVE-2023-21264, could lead to local privilege escalation, although system execution permissions are required.
None of the issues fixed in this release have been used in attacks, but some are quite serious, so it makes sense to update when possible. The update is available for Google’s Pixel devices as well as Samsung smartphones including the Galaxy S23.
Ivanti
IT software maker Ivanti released several notable patches in August, including fixes for flaws used in real-world attacks. A path traversal vulnerability, tracked as CVE-2023-35081, in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, could allow an attacker to write arbitrary files on a web application server. Attackers could then execute the uploaded file, such as a web shell, according to a warning from the Cybersecurity and Infrastructure Security Agency.
“As soon as we were informed of the vulnerability, we immediately mobilized resources to address the issue and provide a patch immediately,” Ivanti said in an advisory. The advisory added, “It is critical that you take immediate action to ensure you are fully protected.”
The patch comes after Norwegian government agencies were hit by another Ivanti EPMM flaw, tracked as CVE-2023-35078. Ivanti said this vulnerability can be combined with CVE-2023-35081 to bypass administrator authentication.
August was an eventful month for Ivanti, as the company also discovered a vulnerability in Ivanti Sentry and said it had been exploited. The vulnerability, tracked as CVE-2023-38035, allows an unauthenticated attacker to access the sensitive application programming interface (API) used to configure Ivanti Sentry on the administrator portal (port 8443).
While the issue has a CVSS score of 9.8, Ivanti said there is a “low risk of exploitation” for customers who do not expose port 8443 to the internet.
Cisco
Enterprise software company Cisco has released patches for multiple flaws in its products, some of which are of high severity. One of the most serious, tracked as CVE-2023-20197 with a CVSS score of 7.5, is a vulnerability in the file system image parser of ClamAV’s Layered File System Plus that could allow an unauthenticated remote attacker to cause a denial of service on affected devices.
Also, a vulnerability in the Intermediate System-to-Intermediate System (IS-IS) protocol of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated attacker to cause unexpected IS-IS process restarts and device reloads.
SAP
August was a big security patch day for SAP, with the company releasing a new set of fixes to address vulnerabilities in its products. Multiple flaws have been fixed in SAP PowerDesigner, one of which is CVE-2023-37483 with a CVSS score of 9.8. “The only thing preventing this vulnerability from achieving the maximum CVSS score of 10 is that the scope remains unchanged during a successful exploit,” security firm Onapsis said.
Flaws fixed in August also include CVE-2023-39437, a cross-site scripting vulnerability in SAP Business One. Another high-priority fix is a patch for binary hijacking in SAP BusinessObjects Business Intelligence Suite, which is tracked as CVE-2023-37490 and has a CVSS score of 7.6.
Source: thptvinhthang.edu.vn