The Android security patch is available for Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy range, which includes the Samsung Galaxy Note 10, Galaxy S21 and Galaxy A73. You can check the update in your settings.
Microsoft Patch Tuesday
Microsoft fixed a fairly hefty 98 vulnerabilities in its first Patch Tuesday of the year, including one already exploited vulnerability: CVE-2023-21674, an elevation of privilege flaw in the Windows Advanced Local Procedure Call (ALPC) that can lead to a browser sandbox escape.
Exploiting the bug could allow a malicious attacker to gain system privileges, Microsoft wrote, confirming that the flaw has been detected in real attacks.
Another elevation of privilege vulnerability in the Windows Credential Manager user interface, CVE-2023-21726, is relatively easy to exploit and requires no user interaction.
In January's Patch Tuesday release, Microsoft also patched nine Windows Kernel vulnerabilities: eight elevation of privilege flaws and one information disclosure bug.
Mozilla Firefox
Software company Mozilla has released major updates to its Firefox browser, the most serious of which have been the subject of a warning from the US Cybersecurity and Infrastructure Security Agency (CISA).
Of the 11 bugs fixed in Firefox 109, four were rated as having a high impact, including CVE-2023-23597, a logic bug in process mapping that allows malicious parties to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we believe with enough effort, some could be exploited to execute arbitrary code,” it wrote.
An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories Firefox ESR 102.7 and Firefox 109 for more information and apply any necessary updates.”
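The fixed versions named above (Firefox 109 on the release channel, Firefox ESR 102.7 on the ESR line) are easy to get wrong in a fleet check because the two channels have different version numbers. The following is an added example, not code from the article, Mozilla or CISA; the hostnames and version strings in the inventory are constructed, and the branch rule (102.x is ESR, anything newer is the release channel) is an assumption drawn from the two versions the advisory names.

```python
# Added example: flag Firefox installs that predate the January 2023 fixes.
# Fixed versions come from the article: Firefox 109 (release), ESR 102.7.
import re
from typing import Optional, Tuple

FIXED_RELEASE = (109, 0)   # Firefox 109, release channel
FIXED_ESR = (102, 7)       # Firefox ESR 102.7

# Constructed sample inventory (host,product string); not real hosts.
SAMPLE_INVENTORY = """\
ws-01,Mozilla Firefox 109.0
ws-02,Mozilla Firefox 108.0.2
ws-03,Mozilla Firefox 102.7.0esr
ws-04,Mozilla Firefox 102.6.0esr
"""

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version such as '108.0.2' or '102.6.0esr' as ints."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(0).split("."))
    if len(nums) < 2:          # pad '109' to (109, 0) so comparisons work
        nums = nums + (0,)
    return nums

def is_patched(version: str) -> bool:
    """True if the build carries the fixes for Firefox 109 / ESR 102.7.

    Assumed branch rule: major 102 is the ESR line and needs 102.7 or later;
    any newer major is the release channel and needs 109 or later, so
    release builds 103 through 108 are reported as unpatched.
    """
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    if v[0] == FIXED_ESR[0]:
        return v[:2] >= FIXED_ESR
    return v[:2] >= FIXED_RELEASE

def unpatched_hosts(inventory: str) -> list:
    """Return hostnames whose Firefox build is older than the fixed version."""
    out = []
    for line in inventory.splitlines():
        host, _, product = line.partition(",")
        if product and not is_patched(product):
            out.append(host)
    return out
```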
VMware
Enterprise software maker VMware has published a security advisory detailing four flaws that affect its VMware vRealize Log Insight product. The first, tracked as CVE-2022-31706, is a directory traversal vulnerability with a CVSSv3 base score of 9.8. Exploiting the flaw allows an unauthenticated malicious actor to inject files into an affected device’s operating system, resulting in RCE, VMware says.
Meanwhile, a broken access control vulnerability that leads to RCE, tracked as CVE-2022-31704, also has a CVSSv3 base score of 9.8. It goes without saying that those affected by these vulnerabilities should patch as soon as possible.
Oracle
Software giant Oracle has released patches for as many as 327 security vulnerabilities, 70 of which are rated as critical impact. It is concerning that 200 of the issues patched in January could be exploited by an unauthenticated remote attacker.
Oracle recommends that people update their systems as soon as possible and warns that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”
In some cases, it has been reported that attackers were successful because targeted customers failed to apply available Oracle patches, it says.
SAP
SAP’s January Patch Day saw the release of 12 new and updated security notes. With a CVSS score of 9.0, CVE-2023-0014 is rated by security company Onapsis as the most serious bug. The flaw affects the majority of SAP customers and mitigating it is challenging, says Onapsis.
The capture-replay vulnerability is a risk because it could allow malicious users to gain access to an SAP system. “Full patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” explained Onapsis.