Apple, Microsoft, and Google Just Fixed Multiple Zero-Day Flaws

Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.
[Illustration: browsers, a warning symbol, an iPhone, and UI switches. Illustration: WIRED Staff]

Fall is here, but hot zero-day summer shows no signs of cooling down, with the likes of Apple, Microsoft, and Google fixing flaws being used in real-life attacks.

Some major enterprise fixes were released during the month, including a Cisco patch for a vulnerability with a maximum CVSS score of 10.

Spyware has been a prominent trend over the past couple of months, and it’s a threat everyone should take seriously. Attacks can reach devices without any interaction from the user, so it’s important to keep your operating system up to date.

Here’s everything you need to know about the patches issued in September.

Apple iOS and iPadOS

Apple didn’t release any security updates in August, but the iPhone maker sure made up for it in September. First came iOS 16.6.1, an emergency security update released on September 9 to fix two flaws already being used in so-called “zero-click” attacks.

Reported by researchers at the University of Toronto’s Citizen Lab, the vulnerabilities were used to plant spyware via attachments containing malicious images in an iMessage, in an attack the researchers called BLASTPASS.

In mid-September, Apple released its major software upgrade, iOS 17, followed by iOS 17.0.1 a few days later. The surprise iOS 17.0.1 upgrade was important because it fixed another three iPhone flaws being used in spyware attacks.

Tracked as CVE-2023-41992 and reported by security researchers at Citizen Lab and Google, the first issue is a flaw in the kernel that could allow an attacker to escalate privileges. The other two vulnerabilities in WebKit and Security could potentially be chained together to take over a user’s device.

The flaws patched in iOS 17.0.1 were also fixed in the iOS 16.7 release for users of older iPhones or people who don’t want to upgrade to the latest software.

At the end of September, Apple released iOS 17.0.2 to fix some early iOS 17 bugs, and this is the latest version of the software, as of publication.

Apple has also released macOS Sonoma 14 to fix over 60 vulnerabilities.

Google Android

September was a big security month for Google’s Android users, with the monthly patch fixing 33 flaws, including one already being used in attacks. Tracked as CVE-2023-35674, the vulnerability in the framework could allow an adversary to elevate privileges without any interaction from the user. “There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” Google said in its Android Security Bulletin.

Another severe issue is a critical security vulnerability in the system component that could lead to remote code execution with no additional execution privileges needed.

The Android security update has already reached Google’s own Pixel devices as well as Samsung devices, including the Galaxy S23 and S22 series.

Google Chrome

At the end of September, Google updated its Chrome browser after fixing 10 vulnerabilities, one of which was already being exploited by adversaries. Tracked as CVE-2023-5217 and rated as having a high impact, the already-exploited bug is a heap buffer overflow flaw in VP8 encoding in libvpx. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the software giant said in an advisory.

The flaw was used in targeted spyware attacks, Google security researcher Maddie Stone later confirmed on Twitter.

Earlier in the month, Google fixed another zero-day flaw, a heap buffer overflow issue initially tracked as CVE-2023-4863, which it thought impacted only the Chrome browser. But two weeks after fixing the issue, researchers discovered it was worse than they thought, affecting the widely used libwebp image library for rendering images in the WebP format.

Now tracked as CVE-2023-5129, it is thought the bug impacts every application that uses the libwebp library to process WebP images. “The scope of this vulnerability is much wider than initially assumed, affecting millions of different applications worldwide,” security firm Rezilion wrote in a blog.

The security outfit also thinks it is “highly likely” that the underlying issue in the libwebp library is the same issue resulting in CVE-2023-41064—one of the Apple flaws used as part of the BLASTPASS exploit chain to deploy the NSO Group’s Pegasus spyware.

Microsoft

Microsoft’s September Patch Tuesday is one to remember, as it fixed around 65 flaws, two of which are already being exploited by attackers. Tracked as CVE-2023-36761, the first is a Microsoft Word information disclosure vulnerability that could allow NTLM hashes to be exposed.

The second and most severe flaw is a privilege-escalation vulnerability in Microsoft Streaming Service Proxy tracked as CVE-2023-36802. An attacker who successfully exploited this vulnerability could gain system privileges, Microsoft said, adding that exploitation of the flaw has been detected.

Both flaws are marked as important, so it’s a good idea to update your devices as soon as you can.

Mozilla Firefox

Firefox has had a hectic month after Mozilla fixed 10 flaws in its privacy-conscious browser. CVE-2023-5168 is an out-of-bounds write bug in FilterNodeD2D1 affecting Firefox on Windows, rated as having a high impact.

CVE-2023-5170 is a flaw that could result in a memory leak from a privileged process. This could be used to effect a sandbox escape if the correct data was leaked, Firefox owner Mozilla said in an advisory.

Meanwhile, CVE-2023-5176 covers memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

Cisco

At the start of the month, Cisco issued a patch for a vulnerability in the single sign-on implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform that could allow an unauthenticated, remote attacker to forge credentials to access an affected system. Tracked as CVE-2023-20238, the flaw has been given a maximum CVSS score of 10.

Also this month, Cisco patched a zero-day in Adaptive Security Appliance and Firepower Threat Defense software already exploited in Akira ransomware attacks. Tracked as CVE-2023-20269 and with a medium-severity CVSS score of 5, the vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute-force attack to identify valid username and password combinations.

SAP

Enterprise software firm SAP has issued several important fixes as part of its September Security Patch Day. This includes a patch for CVE-2023-40622, an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 9.9. “A successful exploit provides information that can be used in subsequent attacks, leading to a complete compromise of the application,” security firm Onapsis said.

CVE-2023-40309 is a missing authorization check issue in SAP CommonCryptoLib with a CVSS score of 9.8. The flaw can result in an escalation of privileges and in the worst case, attackers can compromise the affected application completely, Onapsis said.

Meanwhile, CVE-2023-42472 is an insufficient file type validation flaw in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 8.7.