As December ends, major tech companies engaged in a race against time to fortify their products against critical vulnerabilities. Apple, Google, Microsoft, Mozilla, Apache, Atlassian, and SAP all stepped up to the plate, releasing crucial updates to bolster security. Here’s a detailed look at the significant updates from each of these companies during the bustling month.
Apple iOS: Fortifying iOS 17.2 Against Threats
In the middle of December, Apple unleashed iOS 17.2, a substantial update introducing features like the Journal app. However, the spotlight was on the security front, with the release addressing pivotal vulnerabilities. A notable fix was CVE-2023-42890, targeting a flaw in the WebKit browser engine that could potentially allow unauthorized code execution. The update also tackled issues in the iPhone’s Kernel (CVE-2023-4291) and ImageIO (CVE-2023-42898 and CVE-2023-42899), averting potential security risks.
Additionally, iOS 17.2 implemented measures to thwart Bluetooth attacks using devices like Flipper Zero, a vulnerability highlighted by tests conducted by ZDNET and 9to5Mac. Subsequently, iOS 17.2.1, iOS 16.7.4, macOS Sonoma 14.2.1 were swiftly rolled out, addressing unspecified bug fixes and security concerns.
Google Android: Strengthening Security with a Robust Bulletin
Google’s December Security Bulletin for Android was a robust response, addressing nearly 100 security issues. The focus was on critical vulnerabilities in the Framework, with one posing a potential risk of remote escalation of privilege without requiring user interaction. Standout flaws included CVE-2023-40088, a critical flaw in the System leading to remote code execution, and CVE-2023-40078, an elevation of privilege bug.
WearOS, Google’s smart device platform, also received attention, with an update targeting CVE-2023-40094, an elevation of privilege flaw. Meanwhile, the Pixel Security Bulletin was anticipated at the time of reporting.
Google Chrome: Swift Action to Counter Zero-Day Vulnerability
December concluded with Google swiftly addressing an emergency in its Chrome browser – the eighth zero-day vulnerability of 2024. CVE-2023-7024, a heap buffer overflow issue in the WebRTC component, raised alarms as known exploits were reported in the wild. Earlier in the month, mid-month updates had already tackled nine security issues, including high-severity vulnerabilities such as CVE-2023-6702 and CVE-2023-6509.
Microsoft: A Vigorous December Patch Tuesday
Microsoft’s December Patch Tuesday was a proactive response to over 30 vulnerabilities, including several remote code execution (RCE) flaws. Critical fixes encompassed CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector, and CVE-2023-35628, a critical Windows MSHTML Platform RCE bug. While no known exploits were reported, the urgency of promptly applying updates remained paramount.
Mozilla Firefox: A Focus on Security with 18 Fixes
Mozilla dedicated December to addressing 18 security vulnerabilities in its Firefox browser. Approximately one-third of these were categorized as high severity. Key issues included CVE-2023-6856, a heap-buffer-overflow affecting WebGL DrawElementsInstanced, and fixes for memory safety bugs like CVE-2023-6864 and CVE-2023-6873, holding the potential for arbitrary code execution.
Apache: Critical Patch for Struts 2 Framework
The Apache Software Foundation responded to a critical flaw in its Struts 2 open source developer framework (CVE-2023-50164). This vulnerability, carrying a CVSS score of 9.8, allowed attackers to manipulate file upload parameters, potentially leading to remote code execution. Swift action was advised, urging users to upgrade to Struts 2.5.33 or Struts 6.3.0.2 promptly.
Atlassian: Bolstering Security Against RCE Vulnerabilities
Atlassian, a stalwart in enterprise software, released patches targeting critical Remote Code Execution (RCE) vulnerabilities. CVE-2023-22522, a template injection vulnerability in Confluence Data Center and Server, stood out as critical with a CVSS score of 9. Users were strongly encouraged to update to the latest version to address this vulnerability. Other patches covered RCE vulnerabilities in the Atlassian macOS app, Assets Discovery, and a SnakeYAML library RCE issue impacting multiple products.
SAP: Fortifying Against Escalation-of-Privilege Bugs
SAP’s December Security Patch Day was dedicated to shoring up defenses against serious security flaws. The most critical were four escalation-of-privilege bugs in SAP Business Technology Platform. These bugs could empower an unauthenticated attacker to obtain arbitrary permissions, posing a high impact on confidentiality and integrity. Another concern, CVE-2023-42481, highlighted an improper access control vulnerability in SAP Commerce Cloud, emphasizing the need for users to promptly apply security updates.
In conclusion, December showcased the tech industry’s unwavering commitment to addressing security vulnerabilities. Users are strongly advised to remain vigilant and apply necessary patches promptly, ensuring the security of their systems and data in the evolving digital landscape.