Apple’s iOS 16.4: Security Updates Are Better Than a Goose Emoji

Meanwhile, Google’s Project Zero researchers have reported 18 zero-day vulnerabilities in Samsung’s Exynos modems. The four most severe — CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498 — allow Internet-to-baseband remote code execution, the researchers wrote in a blog post. “Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a baseband-level phone without user interaction and only require the attacker to know the victim’s phone number,” they wrote.

Devices from the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series as well as the Pixel 6 and Pixel 7 series from Google are affected.

Patch schedules vary by manufacturer, but affected Pixel devices have received a fix for all four critical Internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by disabling Wi-Fi calling and Voice over LTE (VoLTE) in their device settings, Google said.

Google Chrome

Google released Chrome 111 of its popular browser, fixing eight vulnerabilities, seven of which are memory safety bugs with a high severity rating. The four use-after-free vulnerabilities include CVE-2023-1528, a high-severity issue in Passwords. CVE-2023-1529 is an out-of-bounds memory access vulnerability in WebHID.

Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.

None of the issues are known to Google to have been used in attacks, but given their impact, it makes sense to update Chrome if you can.

Cisco

Enterprise software giant Cisco has released the twice-yearly security package for its IOS and IOS XE software that fixes 10 vulnerabilities. Six of the issues Cisco fixed are classified as major, including CVE-2023-20080, a denial of service bug, and CVE-2023-20065, a privilege escalation bug.

Earlier this month, Cisco fixed several vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated remote attacker to execute arbitrary code or cause denial of service. The worst of these, with a CVSS score of 9.8, is CVE-2023-20078, a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones.

An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said, adding: “A successful exploit could allow the attacker to run arbitrary commands on an affected device’s underlying operating system.”

Firefox

Privacy-conscious developer Mozilla has released Firefox 111, closing 13 vulnerabilities, seven of which are classified as particularly serious. These include three bugs in Firefox for Android, including CVE-2023-25749, which could have caused third-party apps to open without prompting.

Meanwhile, Firefox 111 fixed two memory safety flaws, CVE-2023-28176 and CVE-2023-28177, that could have been exploited to execute arbitrary code, Mozilla said.

SAP

It’s another month of major updates for software maker SAP, which released 19 new security advisories in its March Security Patch Day guide. Issues fixed during the month include four with a CVSS score greater than 9.

One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform. This vulnerability in the Central Management Console allows an attacker to inject arbitrary code with “strong negative impacts” on the integrity, confidentiality and availability of the system, according to security firm Onapsis.

Finally, CVE-2023-23857 with a CVSS score of 9.9 is an improper access control bug in SAP NetWeaver AS for Java. “The vulnerability allows an unauthenticated attacker to connect to an open interface and use an open naming and directory API to access services,” Onapsis said.

https://www.wired.com/story/ios-16-4-outlook-android-critical-update-march-2023/

Zack Zwiezen
