Apple, Google, and MOVEit Just Patched Serious Security Flaws

Plus: Microsoft fixes 78 vulnerabilities, VMware plugs a flaw already used in attacks, and more critical updates from June.
[Illustration: windows with bugs and patches and a cogwheel icon. Credit: WIRED Staff]

Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software vendors have also been busy, releasing fixes for scary holes in VMware, Cisco, Fortinet, and Progress Software’s MOVEit products.

A significant number of the bugs squashed during the month were already being exploited in real-world attacks, so read on, take note, and patch your affected systems as soon as you can.

Apple

Hot on the heels of iOS 16.5, June saw the release of an emergency iPhone update, iOS 16.5.1. It fixes security vulnerabilities in WebKit, the browser engine that underpins Safari, and in the kernel at the heart of iOS.

The WebKit flaw is tracked as CVE-2023-32439 and the kernel flaw as CVE-2023-32434. Both are code-execution bugs, and Apple said on its support page that both may have been actively exploited.

While details about the exploited flaws are limited, security firm Kaspersky revealed how the kernel issue was used to carry out the “Operation Triangulation” attacks against its own staff. Dangerous because they require no interaction from the victim, these zero-click attacks use an invisible iMessage carrying a malicious attachment to deliver spyware.

Apple has also issued iOS 15.7.7 for older iPhones, fixing the kernel and WebKit issues as well as a second WebKit flaw tracked as CVE-2023-32435, which Kaspersky also reported as part of the Operation Triangulation attacks.

Meanwhile, Apple released Safari 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, watchOS 9.5.2, and watchOS 8.8.1.

Microsoft

Microsoft’s mid-June Patch Tuesday includes security updates for 78 vulnerabilities, 28 of them remote code execution (RCE) bugs. While some of the issues are serious, it is the first Patch Tuesday since March that doesn’t include any already exploited flaws.

The critical issues patched in the June update include CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8. “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.

“The attacker needs no privileges, nor does the user need to perform any action,” it added.
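Microsoft does not say how the SharePoint tokens were spoofed, and nothing below is SharePoint code or a CVE-2023-29357 exploit. As an added example written for this page, it shows the general failure class a spoofed-token bug belongs to and the check that closes it: a verifier that lets the token’s own header choose the algorithm (so an unsigned `alg: none` token is accepted) beside one that pins the algorithm server-side, compares the HMAC in constant time, and enforces expiry. The secret, the claims, and every function name are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: the server's signing secret and the only
# algorithm it is willing to accept. Neither comes from the page.
SECRET = b"constructed-demo-secret-do-not-reuse"
ALLOWED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 token the way the legitimate issuer would."""
    signing_input = _segment({"alg": ALLOWED_ALG, "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_unsigned_token(claims: dict) -> str:
    """What an attacker with no secret can mint: alg 'none' and an empty signature."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def _split(token: str):
    """Decode the three segments, or return None for anything malformed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    return header_b64, payload_b64, header, claims, sig


def verify_token_naive(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """VULNERABLE: honours the algorithm named in the attacker-controlled header.
    'none' means 'nothing to check', so any claims the attacker writes pass."""
    parts = _split(token)
    if parts is None:
        return None
    header_b64, payload_b64, header, claims, sig = parts
    if header.get("alg") == "none":
        return claims  # signature check skipped: the bug
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return claims if hmac.compare_digest(sig, expected) else None


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """HARDENED: the algorithm is pinned by the server, the HMAC is compared in
    constant time, and a missing or past 'exp' rejects the token."""
    parts = _split(token)
    if parts is None:
        return None
    header_b64, payload_b64, header, claims, sig = parts
    if header.get("alg") != ALLOWED_ALG:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    forged = forge_unsigned_token({"sub": "admin", "exp": 2_000_000_000})
    print("naive verifier accepts forged token:", verify_token_naive(forged) is not None)
    print("pinned verifier accepts forged token:", verify_token(forged) is not None)
```

The point of the hardened form is that nothing in the token decides how the token is verified: the algorithm, the key, and the clock all come from the server, and the header is only checked for agreement with them.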

Meanwhile, CVE-2023-32031 and CVE-2023-28310 are Microsoft Exchange Server remote code execution vulnerabilities; both require the attacker to be authenticated.

Google Android

It’s time to update your Android device, as Google has released its June Security Bulletin. The most serious issue fixed is CVE-2023-21108, a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed. Another System flaw, CVE-2023-21130, is an RCE bug also rated critical.

One of the flaws patched in June’s update is CVE-2022-22706, a vulnerability in Arm’s Mali GPU driver that Arm fixed in 2022 after it had already been used in attacks.

The June Android patch also includes CVE-2023-21127, a critical RCE flaw in the Framework component, and CVE-2022-33257 and CVE-2022-40529, two serious bugs in Qualcomm closed-source components.

The Android security update is available for Google’s Pixel phones and is starting to roll out to Samsung’s Galaxy range.

Google Chrome 114

Google has released a Chrome 114 update fixing several serious flaws. The patched bugs include CVE-2023-3214, a critical use-after-free vulnerability in Autofill payments.

CVE-2023-3215 is another use-after-free, this time in WebRTC, rated high severity, while CVE-2023-3216 is a high-severity type confusion bug in the V8 JavaScript engine. A final use-after-free, in WebXR, is also rated high.

Earlier in the month, Google released a fix for an already exploited type confusion bug in V8, CVE-2023-3079. “Google is aware that an exploit for CVE-2023-3079 exists in the wild,” the browser maker said.

MOVEit

At the very end of May, software maker Progress disclosed a SQL injection vulnerability in its MOVEit Transfer product that could lead to escalated privileges and unauthorized access. Tracked as CVE-2023-34362, the flaw was used in real-world attacks in May and June 2023.

“Depending on the database engine being used, an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements,” Progress warned in an advisory.
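Progress’s warning describes the generic consequences of SQL injection rather than the MOVEit bug itself. What follows is an added example written for this page, not MOVEit code or a CVE-2023-34362 exploit: an in-memory SQLite database with a constructed schema shows each effect the advisory names (inferring structure, reading contents, inferring a fact through a true/false probe, and attempting to delete data) against a lookup that splices user input into its SQL, and shows the same inputs doing nothing against the parameterized form. Table names, rows, and probe strings are all constructed for the example.

```python
import sqlite3

# Constructed demo schema for this example; it stands in for any application
# table and is not MOVEit's database layout.
SCHEMA = """
CREATE TABLE users (username TEXT, role TEXT);
CREATE TABLE api_keys (owner TEXT, secret TEXT);
INSERT INTO users VALUES ('alice', 'user'), ('bob', 'admin');
INSERT INTO api_keys VALUES ('bob', 'constructed-secret-key');
"""


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug class: attacker-controlled text becomes part of the SQL grammar."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a bound parameter is only ever a value, never SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Probes an attacker would send as the 'username'. The leading quote closes the
# string literal; the trailing -- comments out the quote the application appends.
PROBE_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master --"     # structure
PROBE_DUMP = "x' UNION SELECT owner, secret FROM api_keys --"        # contents
PROBE_TRUE = "alice' AND (SELECT count(*) FROM api_keys) > 0 --"    # blind: true
PROBE_FALSE = "alice' AND (SELECT count(*) FROM api_keys) > 5 --"   # blind: false
PROBE_DELETE = "x'; DELETE FROM users; --"                           # alter/delete


def run_probes(lookup) -> dict:
    """Run every probe through one lookup function on a fresh database and
    report what came back, plus whether the users table survived."""
    conn = make_demo_db()
    results = {
        "schema": lookup(conn, PROBE_SCHEMA),
        "dump": lookup(conn, PROBE_DUMP),
        "blind_true": lookup(conn, PROBE_TRUE),
        "blind_false": lookup(conn, PROBE_FALSE),
    }
    try:
        results["delete"] = lookup(conn, PROBE_DELETE)
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # Python's sqlite3 driver refuses stacked statements at the API level.
        # That is a property of this driver, not a defence: many other
        # drivers and engines happily run the second statement.
        results["delete"] = f"blocked by driver: {exc}"
    results["users_remaining"] = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    return results


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_user_vulnerable), ("safe", lookup_user_safe)):
        print(name)
        for key, value in run_probes(fn).items():
            print(f"  {key}: {value}")
```

Run it and the vulnerable lookup returns the table definitions, the contents of `api_keys`, and a row only when the blind condition is true, which is exactly the “infer structure and contents” behaviour the advisory describes; the parameterized lookup returns an empty list for every probe because the whole string is compared as a username. On engines whose drivers allow stacked statements the last probe would also delete the table’s rows.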

It soon emerged that the attacks were carried out by the Clop ransomware group, which threatened to leak data if victim organizations, which include several US government agencies, didn’t respond by mid-June. While researchers at security company Huntress were monitoring exploitation of the flaw, they found additional vulnerabilities, resulting in another patch release. The second round of patched bugs consists of SQL injection vulnerabilities tracked as CVE-2023-35036.

Then on June 15 a third flaw, CVE-2023-35708, another SQL injection vulnerability, emerged, prompting yet another patch release.

Needless to say, if you haven’t patched already, it’s urgent to do so as soon as you can.

VMware

Software giant VMware has issued patches for flaws in its Aria Operations for Networks, at least one of which is already being used in attacks. The first, tracked as CVE-2023-20887, is rated critical with a CVSS score of 9.8. “A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” VMware warned in an advisory.

CVE-2023-20888 is an authenticated deserialization vulnerability with a CVSS score of 9.1, while CVE-2023-20889 is an information disclosure vulnerability in the important severity range with a CVSS score of 8.8.

Later in June, VMware patched multiple issues in its vCenter Server. The first, CVE-2023-20892, is a heap overflow vulnerability that could allow an attacker to execute code.

CVE-2023-20893 is a use-after-free vulnerability in the implementation of the DCERPC protocol that could enable an attacker to execute arbitrary code on the underlying operating system.

CVE-2023-20894 is an out-of-bounds write vulnerability with a CVSS score of 8.1, and CVE-2023-20895 is a memory corruption issue that could allow an attacker to bypass authentication.

Cisco

Cisco has patched a vulnerability in the client update process of its AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. Tracked as CVE-2023-20178, the flaw could allow a low-privileged, authenticated, local attacker to execute code with System privileges. The fix is especially urgent because security researcher Filip Dragović has published a proof-of-concept exploit for the flaw.

Another notable patch includes CVE-2023-20105, which has a CVSS score of 9.6 and is rated as having a critical impact. The flaw in Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an attacker to alter the passwords of any user on the system, including an administrative read-write user, and then impersonate them.

Fortinet

Security firm Fortinet patched a vulnerability in June that it warns may already be exploited in attacks. Tracked as CVE-2023-27997, the heap-based buffer overflow could allow a remote attacker to execute arbitrary code or commands via specially crafted requests. The severity of the flaw is reflected in its CVSS score of 9.8, so make sure you patch it as soon as possible.

SAP

SAP’s June Patch Day includes fixes for a number of flaws, two of them rated high severity. Among the patches is CVE-2021-42063, a cross-site scripting vulnerability in SAP Knowledge Warehouse versions 7.30, 7.31, 7.40, and 7.50.

The flaw could enable unauthorized adversaries to conduct XSS attacks, which could lead to sensitive data disclosure. “This vulnerability allows an attacker to gain user-level access and compromise the confidentiality, integrity, and availability of the UI5 Variant Management application,” security company Onapsis said.