It’s time to check your software updates. March has seen the release of important patches for Apple’s iOS, Google’s Chrome, and its privacy-conscious competitor Firefox. Bugs have also been squashed by enterprise software giants including Cisco, VMware, and SAP.
Here’s what you need to know about the security updates issued in March.
Apple iOS
Apple made up for a quiet February by issuing two separate patches in March. At the start of the month, the iPhone maker released iOS 17.4, fixing over 40 flaws including two issues already being used in real-life attacks.
Tracked as CVE-2024-23225, the first bug in the iPhone Kernel could allow an attacker to bypass memory protections. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.
Tracked as CVE-2024-23296, the second flaw, in RTKit, the real-time operating system used in devices including AirPods, could also allow an adversary to bypass Kernel memory protections.
Later in March, Apple released a second software update, iOS 17.4.1, this time fixing two flaws in its iPhone software, both tracked as CVE-2024-1580. Using the issues patched in iOS 17.4.1, an attacker could execute code if they convinced someone to interact with an image.
Soon after issuing iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1 and macOS Ventura 13.6.6.
Google Chrome
March was another hectic month for Google, which patched multiple flaws in its Chrome browser. Mid-way through the month, Google released 12 patches, including a fix for CVE-2024-2625, an object-lifecycle issue in V8 with a high severity rating.
Medium-severity issues include CVE-2024-2626, an out-of-bounds read bug in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an inappropriate implementation issue in Downloads.
At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE tracked as CVE-2024-2883. Two further use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, were given a high-severity rating. Meanwhile, CVE-2024-2887 is a type-confusion flaw in WebAssembly.
The last two issues were exploited at the Pwn2Own 2024 hacking contest, so you should update your Chrome browser ASAP.
Mozilla Firefox
Mozilla’s Firefox had a busy March, after patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript Execution flaw in Event Handlers that could lead to sandbox escape. Both issues are rated as having a critical impact.
Earlier in the month, Mozilla released Firefox 124 to address 12 security issues, including CVE-2024-2605, a sandbox-escape flaw affecting Windows operating systems. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system, escaping the sandbox, Mozilla said.
CVE-2024-2615 sees critical-rated memory safety bugs fixed in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort [they] could have been exploited to run arbitrary code,” Mozilla said.
Google Android
Google has released its March Android Security Bulletin, fixing nearly 40 issues in its mobile operating system, including two critical bugs in its system component. CVE-2024-0039 is a remote code-execution flaw, while CVE-2024-23717 is an elevation-of-privilege vulnerability.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google said in its advisory.
The update also fixes six privilege-elevation flaws in the Framework as well as a denial-of-service issue tracked as CVE-2024-0047.
The March update is now available for Google’s Pixel devices and some of Samsung’s Galaxy range.
Microsoft
Microsoft’s March Patch Tuesday has fixed over 60 security vulnerabilities, including multiple issues that could allow an attacker to execute code remotely. These include CVE-2024-21334, a remote code-execution vulnerability in the Open Management Infrastructure (OMI). The issue is rated as important, but has a CVSS score of 9.8. Using the flaw, a remote unauthenticated attacker could access the OMI instance from the internet and send specially crafted requests to trigger a use after free vulnerability, Microsoft said.
Among the other notable flaws patched during the month are two Hyper-V vulnerabilities, CVE-2024-21407 and CVE-2024-21408. The first is a remote code-execution flaw with a CVSS score of 8.1. The second issue is a denial-of-service issue rated as critical with a CVSS score of 5.5.
While none of the vulnerabilities have been used in attacks, they are still pretty serious, making it important you update soon.
Cisco
At the start of the month, Cisco released fixes for two issues in its Secure Client. Tracked as CVE-2024-20337 and with a CVSS score of 8.2, the first vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage-return-line-feed injection attack against a user.
Meanwhile, CVE-2024-20338 is an issue in the ISE Posture System Scan module of Cisco Secure Client for Linux that could allow an authenticated, local attacker to elevate privileges on an affected device.
Midway through March, Cisco released its semiannual Cisco IOS XR Software Security Advisory Bundled Publication. This fixed nine bugs, three of which are rated as having a high impact.
VMware
Enterprise software firm VMware issued an important update in March to fix four vulnerabilities, one of which has a CVSS score of 9.3. The use-after-free bug in XHCI USB controller is tracked as CVE-2024-22252 and rated as critical. “A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host,” VMware said in an advisory.
CVE-2024-22253 is a use-after-free vulnerability in UHCI USB controller that could allow an attacker to execute code. Meanwhile, CVE-2024-22254 is an out-of-bounds write flaw with a CVSS score of 7.9.
SAP
SAP’s March Security Patch Day came with 10 updates, including fixes for two serious vulnerabilities. CVE-2019-10744 is a code-injection issue in applications built with SAP Build Apps with a CVSS score of 9.4.
Meanwhile, CVE-2024-22127 is a code-injection vulnerability in SAP NetWeaver AS Java with a CVSS score of 9.1. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity, and availability of the application, security firm Onapsis said.
