Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

/in


Tech giants Apple, Microsoft, and Google each fixed major security flaws in April, many of which were already being used in real-life attacks. Other firms to issue patches include privacy-focused browser Firefox and enterprise software providers SolarWinds and Oracle.

Here’s everything you need to know about the patches released in April.

Apple

Hot on the heels of iOS 16.4, Apple has released the iOS 16.4.1 update to fix two vulnerabilities already being used in attacks. CVE-2023-28206 is an issue in the IOSurfaceAccelerator that could see an app able to execute code with kernel privileges, Apple said on its support page.

CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, that could lead to arbitrary code execution. In both cases, the iPhone maker says, “Apple is aware of a report that this issue may have been actively exploited.”

The bug means visiting a booby-trapped website could give cybercriminals control over your browser—or any app that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at cybersecurity firm Sophos.

The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. Taking this into account, Ducklin thinks the security holes could have been used for implanting spyware.

Apple also released iOS 15.7.5 for users of older iPhones to fix the same already exploited flaws. Meanwhile, the iPhone maker issued macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.

Microsoft

Apple wasn’t the only big tech firm issuing emergency patches in April. Microsoft also released an urgent fix as part of this month’s Patch Tuesday update. CVE-2023-28252 is an elevation-of-privilege bug in the Windows Common Log File System Driver. An attacker who successfully exploited the flaw could gain system privileges, Microsoft said in an advisory.

Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing labeled as having a critical impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could result in…

Source…