Final Patch Tuesday of 2023 goes out with a bang

It's the last Patch Tuesday of 2023, which calls for celebration – just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course.

Let's start with Apple, since two of the bugs Cupertino disclosed yesterday may have already been used for evil purposes.

While the fruit cart's December release fixes all the iThings, there are two particularly concerning vulnerabilities in the WebKit (again) web browser engine that affect AppleTVs and Apple Watches, plus some older iPhones and iPads. Both bugs have already been fixed in a ton of other Apple products.

CVE-2023-42916 is an out-of-bounds read flaw that could allow miscreants to access sensitive information, and CVE-2023-42917 is a memory corruption vulnerability that can lead to arbitrary code execution. Both were spotted by Clément Lecigne of Google's Threat Analysis Group – which indicates spyware may be involved, given TAG's proclivities.

"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the vendor commented about both bugs.

And while Cupertino issued emergency fixes at the end of November to fix these security problems in some iPhones, iPads, and Macs, the patches issued address the same CVEs in older iPhones and iPads, as well as AppleTV HD and AppleTV 4K (all models) and Apple Watch Series 4 and later.

Microsoft closes out a very-buggy year

Microsoft, meanwhile, closed out a very buggy year with just over 30 Windows patches – none of which are listed as being under attack or publicly known before today.

Of these, four are rated critical – including three remote code execution (RCE) vulnerabilities and one spoofing bug – and 29 important.

CVE-2023-36019, the spoofing vulnerability, affects the web server component of Microsoft Power Platform and Azure Logic Apps. It earned the highest CVSS rating this month, coming in at 9.6 out of 10, and could allow a miscreant to execute code on the victim's machine after tricking them into clicking on a specially crafted link.

Redmond says it started notifying affected customers last month with notifications in the Microsoft 365 Admin Center or Service Health in the Azure Portal. "You will need to validate your custom connectors and follow the guidance to make the move to the per-connector URI," according to the security update.

The other three critical-severity bugs could be abused for RCE. Both CVE-2023-35641 and CVE-2023-35630 affect the Internet Connection Sharing service, and received an 8.8 CVSS rating. Attacks against both would be limited to systems on the same network.

Exploiting CVE-2023-35641 would require sending a specially crafted DHCP message to a server running Internet Connection Sharing, while exploiting CVE-2023-35630 "requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message," according to the security update.

The last critical Micro-nasty, CVE-2023-35628, is an RCE in the Windows MSHTML platform that could be exploited by sending a malicious link over email and tricking the victim into clicking the link.

Redmond notes the Preview Pane is not an attack vector itself: "The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane."

And, as the Zero Day Initiative's Dustin Childs adds: "No doubt ransomware gangs will attempt to create a reliable exploit for this vulnerability." The silver lining is that it's a fairly complex attack to pull off. "They may run into some problems as exploitation does require memory-shaping technique," Childs wrote.

The only vulnerability listed as publicly disclosed in Microsoft's December patch release is a speculative leaks flaw in some AMD processors tracked as CVE-2023-20588 and first disclosed in August. According to Redmond, the latest Windows builds enable AMD's mitigation.

Adobe addresses 212 holes

Adobe addressed 212 vulnerabilities in nine patches plugging security holes in Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects and Substance3D Designer. None of these have been exploited in the wild.

The bulk of the bugs – a whopping 185 CVEs – are in Experience Manager and are all important- or moderate-rated cross-site scripting (XSS) bugs that could allow arbitrary code execution and security feature bypass.

Patches for Illustrator, Substance 3D Sampler, Substance 3D Designer and After Effects all fix critical vulnerabilities (plus some lesser-rated flaws) that could lead to arbitrary code execution and memory leak.

The rest of Adobe's fixes address important and moderate vulnerabilities in InDesign, Dimension, Substance 3D Stager and Prelude.

Google and Qualcomm flaws under attack

Google's December security updates for Android fix 85 vulnerabilities, including three that "may be under limited, targeted exploitation." All three affect Qualcomm components: CVE-2023-33063 is in the kernel while CVE-2023-33107 and CVE-2023-33106 are in the display.

Back in October, Qualcomm warned that all three of these flaws were under targeted attacks – citing threat intel from Google TAG and Project Zero – but said it wouldn't share any further info until December.

We now have more details and patches. Merry Christmas, indeed.

SAP security flaw gets its own blog

SAP released 17 new and updated security patches, including four HotNews Notes and four High Priority Notes.

The new HotNews note, #3411067, received a 9.1 CVSS score and fixes a critical escalation of privilege vulnerability in SAP's Business Technology Platform (SAP BTP). It's critical enough that the vendor published a separate blog about the importance of updating – but doesn't provide much detail about the vulnerability itself.

Atlassian, Cisco and Apache Struts

Atlassian today pushed updates to fix five high-severity 7.5-rated CVEs. All of these are denial-of-service flaws and they affect Bamboo, Bitbucket, Jira and Confluence Data Center and Server.

Meanwhile, Cisco published a security advisory about a vulnerability in Apache Struts that may affect a long list of its products containing the software – but noted that it's still under investigation.

Apache Struts is an open source framework for developing Java EE web applications, and the Apache Software Foundation initially disclosed the flaw, tracked as CVE-2023-50164, earlier this month.

"An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution," the foundation explained at the time. Updating to Struts 2.5.33 or Struts 6.3.0.2 or greater is recommended.
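An added triage sketch (not from the article, Cisco or the Apache project): it classifies `struts2-core` jar versions against the two fixed releases named above, comparing per branch so that a 6.x build below 6.3.0.2 is not treated as fixed merely because it is numerically above 2.5.33. The jar file-name pattern and the sample paths are assumptions constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by major branch.
FIXED = {2: (2, 5, 33), 6: (6, 3, 0, 2)}

# Assumed file-name convention: struts2-core-<dotted version>.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'6.3.0.2' -> (6, 3, 0, 2)"""
    return tuple(int(part) for part in text.split("."))


def classify(version):
    """Return 'fixed', 'needs-update' or 'unknown-branch' for a version tuple."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown-branch"  # the article names no fixed release for this branch
    # Pad both tuples so 6.3.0 compares as 6.3.0.0 against 6.3.0.2.
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "fixed" if pad(version) >= pad(fixed) else "needs-update"


def triage(paths):
    """Return (path, version string, status) for every Struts core jar found."""
    findings = []
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            status = classify(parse_version(match.group(1)))
            findings.append((path, match.group(1), status))
    return findings


# Constructed inventory, e.g. the output of a file search across app servers.
SAMPLE_PATHS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.5.30.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.33.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-6.1.2.jar",
    "/opt/app4/WEB-INF/lib/struts2-core-6.3.0.jar",
    "/opt/app5/WEB-INF/lib/struts2-core-6.3.0.2.jar",
    "/opt/app5/WEB-INF/lib/commons-io-2.11.0.jar",
]

if __name__ == "__main__":
    for path, version, status in triage(SAMPLE_PATHS):
        print(f"{status:13} {version:9} {path}")
```

Jars with version qualifiers (for example a `-SNAPSHOT` suffix) do not match the pattern and need manual review.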

VMware and FortiGuard join in

And rounding out the end-of-year patchapalooza, VMware fixed a moderate-rated privilege escalation vulnerability in its VMware Workspace ONE Launcher product. The bug, tracked as CVE-2023-34064, could allow someone with physical access to Workspace ONE Launcher to abuse the Edge Panel feature, bypass setup, and then gain access to sensitive information.

Plus FortiGuard fixed a double free vulnerability, CVE-2023-41678, in FortiOS and FortiPAM HTTPSd daemon. This high-severity bug could allow an authenticated attacker to achieve arbitrary code execution via specifically crafted commands. ®