You really need to update Firefox and Android right now


The Android security patch is available for Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy line, including Samsung Galaxy Note 10, Galaxy S21 and Galaxy A73. You can check for the update in your settings.

Microsoft Patch Tuesday

Microsoft fixed a hefty 98 security issues in its first Patch Tuesday of the year, including one vulnerability that has already been exploited: CVE-2023-21674 is an elevation of privilege flaw affecting Windows Advanced Local Procedure Call (ALPC) that could lead to a browser sandbox escape.

By exploiting the bug, an adversary could gain SYSTEM privileges, Microsoft wrote, confirming that the flaw has been detected in real attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager UI, CVE-2023-21726, is relatively easy to exploit and requires no user interaction.

January’s Patch Tuesday also saw Microsoft fix nine Windows kernel vulnerabilities, eight of which are elevation of privilege issues and one of which is an information disclosure vulnerability.

Mozilla Firefox

Software company Mozilla has released major updates for its Firefox browser, the most serious of which are the subject of a warning from the US Cybersecurity and Infrastructure Security Agency (CISA).

Of the 11 flaws patched in Firefox 109, four are rated as high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we suspect that with enough effort, some could have been exploited to execute arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and to apply any necessary updates.”

VMware

Enterprise software maker VMware has released a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706, the first is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated malicious actor could inject files into the operating system of an impacted appliance, resulting in remote code execution (RCE), VMware explains.

Meanwhile, a broken access control RCE vulnerability tracked as CVE-2022-31704 also has a CVSSv3 base score of 9.8. It goes without saying that those affected by these vulnerabilities should patch as soon as possible.

Oracle

Software giant Oracle has released patches for 327 security vulnerabilities, 70 of which are considered to have critical impact. Worryingly, 200 of the issues fixed in January can be exploited by an unauthenticated remote attacker.

Oracle recommends users update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”

In some cases, attackers were reported to have succeeded because the targeted customers had not applied available Oracle patches, it said.

SAP

SAP’s January Patch Day saw the release of 12 new and updated security notes. With a CVSS score of 9.0, CVE-2023-0014 is rated as the most serious bug by security firm Onapsis. The flaw affects the majority of all SAP customers and mitigating it is a challenge, Onapsis said.

The capture-replay vulnerability is a risk because it could allow malicious users to gain access to an SAP system. “Full vulnerability patching includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations,” says Onapsis.
