You Really Need to Update Firefox and Android Right Now
The Android security patch is available for Google’s Pixel devices, which have their own specific updates, and for Samsung’s Galaxy range, including the Samsung Galaxy Note 10, Galaxy S21 and Galaxy A73. You can check for the update in your settings.
Microsoft patch day
Microsoft fixed 98 security vulnerabilities in its first Patch Tuesday of the year, a hefty batch that includes one vulnerability already being exploited: CVE-2023-21674, an elevation of privilege flaw in Windows Advanced Local Procedure Call that could lead to a browser sandbox escape.
By exploiting the flaw, an attacker could gain system privileges, Microsoft wrote, confirming that the flaw was discovered in real attacks.
Another elevation of privilege vulnerability in the Windows Credential Manager user interface, CVE-2023-21726, is relatively easy to exploit and requires no user interaction.
On January's Patch Tuesday, Microsoft also fixed nine vulnerabilities in the Windows kernel: eight elevation of privilege issues and one information disclosure vulnerability.
Software company Mozilla has released important updates to its Firefox browser; the most serious of the fixed flaws have prompted a warning from the US Cybersecurity and Infrastructure Security Agency (CISA).
Of the 11 bugs fixed in Firefox 109, four are considered particularly serious, including CVE-2023-23597, a logic error in process allocation that could allow attackers to read arbitrary files. Meanwhile, Mozilla said its security team found memory security flaws in Firefox 108. “Some of these bugs showed evidence of memory corruption, and we believe some could be exploited with enough effort to execute arbitrary code,” it wrote.
An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”
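The two fixed versions named above (Firefox 109 on the release channel and Firefox ESR 102.7) are the numbers a defender actually checks an estate against. The script below is an added example, not code from the article, Mozilla or CISA: it parses Firefox version strings as they might appear in an asset inventory (the inventory lines and the `host,version` format are constructed sample data, and the version-string grammar is an assumption), distinguishes ESR from release builds, and flags hosts still below the fixed version for their channel.

```python
"""Flag Firefox installs that are below the fixed versions named in the
article: 109 for the release channel and 102.7 for ESR.

Added example, not code from the article or from Mozilla. The inventory
lines and the "host,version" layout are constructed; the version-string
grammar (e.g. "109.0", "108.0.2", "102.7.0esr") is an assumption about
how an inventory tool reports Firefox versions.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Fixed versions as stated in the article / CISA advisory.
FIXED_RELEASE = (109, 0)
FIXED_ESR = (102, 7)

# major.minor[.patch][esr]  -- ESR builds carry an "esr" suffix in Mozilla's
# own version strings; an ESR install reported *without* the suffix would be
# judged against the release floor, so treat unexpected flags as a prompt to
# verify the channel, not as a final verdict.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


class Verdict(NamedTuple):
    host: str
    version: str
    channel: Optional[str]        # "release", "esr", or None if unparseable
    needs_update: Optional[bool]  # None when the version could not be parsed


def parse_version(version: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), channel) or None for unparseable input."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), ("esr" if esr else "release")


def assess(host: str, version: str) -> Verdict:
    """Compare one host's Firefox version against the floor for its channel."""
    parsed = parse_version(version)
    if parsed is None:
        return Verdict(host, version, None, None)
    tup, channel = parsed
    floor = FIXED_ESR if channel == "esr" else FIXED_RELEASE
    # Only major.minor matter: any 109.x or 102.7.x build carries the fix.
    return Verdict(host, version, channel, tup[:2] < floor)


# Constructed sample inventory: "<hostname>,<firefox version>" per line.
SAMPLE_INVENTORY = """\
ws-01,109.0
ws-02,108.0.2
ws-03,102.7.0esr
ws-04,102.6.0esr
ws-05,102.7esr
ws-06,unknown
"""


def audit(inventory_text: str) -> list:
    """Assess every non-empty "host,version" line of an inventory dump."""
    results = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, ver = line.partition(",")
        results.append(assess(host.strip(), ver))
    return results


def hosts_needing_update(inventory_text: str) -> list:
    """Hostnames whose Firefox is below the fixed version for its channel."""
    return [v.host for v in audit(inventory_text) if v.needs_update]


def unparseable_hosts(inventory_text: str) -> list:
    """Hostnames whose version string could not be parsed (needs manual check)."""
    return [v.host for v in audit(inventory_text) if v.needs_update is None]


if __name__ == "__main__":
    for v in audit(SAMPLE_INVENTORY):
        print(v)
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
    print("unparseable:", unparseable_hosts(SAMPLE_INVENTORY))
```

Hosts that fail to parse are reported separately rather than silently passed, because a blank or odd version field is exactly where an unpatched machine tends to hide.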
Enterprise software vendor VMware has released a security advisory listing four vulnerabilities affecting its VMware vRealize Log Insight product. The first is tracked as CVE-2022-31706 and is a directory traversal vulnerability with a base CVSSv3 score of 9.8. By exploiting the flaw, an unauthenticated malicious actor could inject files into an affected appliance’s operating system, leading to RCE, VMware says.
Meanwhile, an access control vulnerability that could lead to RCE, tracked as CVE-2022-31704, also has a CVSSv3 base score of 9.8. It goes without saying that those affected by these vulnerabilities should patch as soon as possible.
Software giant Oracle has released patches for a whopping 327 vulnerabilities, 70 of which are classified as critical. Worryingly, 200 of the issues patched in January could be exploited by a remote, unauthenticated attacker.
Oracle recommends that people update their systems as soon as possible, and warns that reports have been received of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”
In some cases, attackers have been reported to have succeeded because target customers failed to apply available Oracle patches.
On SAP’s January Patch Day, 12 new and updated security advisories were released. With a CVSS score of 9.0, CVE-2023-0014 is classified as the worst bug by security firm Onapsis. The bug affects the majority of all SAP customers, and containing it is a challenge, says Onapsis.
The Capture Replay vulnerability poses a risk as it could allow malicious users to gain access to an SAP system. “Fully patching the vulnerability involves applying a kernel patch, an ABAP patch, and manually migrating all trusted RFC and HTTP targets,” explains Onapsis.
https://www.wired.com/story/firefox-android-security-patch-critical-update-january-2023/