Patch Tuesday Updates in the Apple Operating System, iOS 16.0.3, and Android 16.3.1: Status and Problems from the Microsoft Support Team on September 16, 2016
Microsoft’s Patch Tuesday is one of several patch releases in the month of October, and it’s just one of many that have been released thick and fast. Also included are updates to fix issues in the products.
The release of the updated operating system in September preceded the release of two more versions of the device software in October. First came iOS 16.0.3, which fixed some teething issues, including several bugs as well as a security flaw in Mail that could allow denial of service attacks.
Apple released an update to fix a flaw that has already been used in attacks. The vulnerability in the web application could allow an attacker to execute code, according to Apple. The WebKit flaw was fixed by Apple at the end of November.
Tracked as CVE-2023-23529, the already exploited bug could lead to arbitrary code execution, Apple warned on its support page. “Apple is aware of a report that this issue may have been actively exploited,” the firm added. Another flaw patched in iOS 16.3.1 is in the Kernel at the heart of the iPhone operating system. The bug can allow an attacker to execute code with privileges.
Towards Secure Cloud Computing: The Apple Watch Ultra, Google, Windows, iPadOS, ProxyNotShell, and Other High Impact Bugs
The Apple Watch Ultra is one of the many new products that the company has released.
It was a busy start to the year for Google, which has fixed 17 vulnerabilities in its Chrome browser, two of which are rated as having a high impact. The first of the two issues, tracked as CVE-2023-0128, is a use-after-free bug in Overview Mode.
Google also fixed vulnerabilities in the Kernel, including three remote code execution (RCE) flaws marked as critical. There is also a use-after-free bug that could be used by attackers to crash the server and execute code. The most severe issue in the System that could lead to local escalation of privilege has been fixed.
Google has posted its Android Security Bulletin, including a number of patches for Android devices. The Framework component is vulnerable and could lead to local privilege escalation with no additional privileges needed. There is a high-severity issue that affects versions 10 through 14. Meanwhile, CVE-2022-20490 is another local escalation of privilege bug that does not require user interaction to be exploited.
An emergency patch was released by Apple just days after the release of iPadOS 16.31 to fix a flaw in the browser WebKit engine that was already being used in attacks.
There were fixes for a lengthy list of 84 flaws. Of the 13 that are critical, one is being used in attacks. Tracked as CVE-2022-41033, the elevation of privilege vulnerability in Windows COM+ Event System Service impacts almost every version of Windows. It can be chained with other exploits to take over someone’s machine.
The patches that were released on Patch Tuesday did not include a fix for two actively exploited bugs, known as ProxyNotShell. The flaws were reported to Microsoft. Researchers say that Microsoft shared their mitigations, but they can be bypassed.
The holiday season is almost over but security patches are still arriving fast. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMware.
What Do You Need to Know Before You Get Started Using Windows Security Keys? A Survey of High-Energy Security Issues in the Apple Internet Framework
One of the new features included in the latest iteration of the operating system is the ability to use security keys as an additional layer of protection for your Apple ID. Apple’s latest update also comes with 13 security fixes, including three in WebKit, the engine that powers the Safari browser, two of which could allow code execution.
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.
There are eight issues in the Framework that have high impact. In addition, there were flaws in the system, Unisoc components, and six bugs in the kernel.
There is a flaw in full-screen mode, and there is an out-of-bounds read flaw in WebRTC. A heap buffer overflow flaw in WebUI is one of four medium-severity vulnerabilities. The two flaws that are rated as having low impact are not the only flaws.