Apple Users Need to Update iOS Now to Patch Serious Flaws

Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.
Illustration of update and gear symbols
Illustration: WIRED Staff

February has been a big month for security updates, with the likes of Apple, Microsoft, and Google releasing patches to fix serious vulnerabilities. Meanwhile, a number of enterprise bugs have been squashed by firms that include VMware, SAP, and Citrix. 

The flaws fixed during the month include several that were being used in real-life attacks, so it’s worth checking that your software is up to date.

Here’s everything you need to know about the security updates released this month. 

Apple iOS and iPadOS 16.3.1

Just weeks after the release of iOS 16.3, Apple issued iOS and iPadOS 16.3.1—an emergency patch to fix vulnerabilities that included a flaw in the browser engine WebKit that was already being used in attacks.

Tracked as CVE-2023-23529, the already exploited bug could lead to arbitrary code execution, Apple warned on its support page. “Apple is aware of a report that this issue may have been actively exploited,” the firm added. Another flaw patched in iOS 16.3.1 is in the Kernel at the heart of the iPhone operating system. The bug, which is tracked as CVE-2023-23514, could allow an attacker to execute arbitrary code with Kernel privileges.

Later in the month, Apple documented another vulnerability fixed in iOS 16.3.1, CVE-2023-23524. Reported by David Benjamin, a software engineer at Google, the flaw could enable a denial of service attack via a maliciously crafted certificate.

Apple also released macOS Ventura 13.2.1, tvOS 16.3.2, and watchOS 9.3.1 during the month.

Microsoft 

In mid-February, Microsoft warned that its Patch Tuesday has fixed 76 security vulnerabilities, three of which are already being used in attacks. Seven of the flaws are marked as critical, according to Microsoft’s update guide.

Tracked as CVE-2023-21823, one of the most serious of the already exploited bugs in the Windows graphics component could allow an attacker to gain System privileges.

Another already exploited flaw, CVE-2023-21715, is a feature bypass issue in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in Windows common log file system driver.

That’s a lot of zero-day flaws fixed in one release, so take it as a prompt to update your Microsoft-based systems as soon as possible.

Google Android 

Android’s February security update is here, fixing multiple vulnerabilities in devices running the tech giant’s smartphone software. The most severe of these issues is a security vulnerability in the Framework component that could lead to local escalation of privilege with no additional privileges needed, Google noted in an advisory

Among the issues fixed in the Framework, eight are rated as having a high impact. Meanwhile, Google has squashed six bugs in the Kernel, as well as flaws in the System, MediaTek, and Unisoc components.

During the month, Google patched multiple privilege escalation flaws, as well as information disclosure and denial of service vulnerabilities. The company also released a patch for three Pixel-specific security issues. The Android February patch is already available for Google’s Pixel devices, while Samsung has moved quickly to issue the update to users of its Galaxy Note 20 series.

Google Chrome 

Google has released Chrome 110 for its browser, fixing 15 security vulnerabilities, three of which are rated as having a high impact. Tracked as CVE-2023-0696, the first of these is a type confusion bug in the V8 JavaScript engine, Google wrote in a security advisory

Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate implementation in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. Four medium-severity vulnerabilities include a use after free in GPU, a heap buffer overflow flaw in WebUI, and a type confusion vulnerability in Data Transfer. Two further flaws are rated as having a low impact.

There are no known zero days in February’s Chrome patch, but it’s still a good idea to update your Google software as soon as you can.

Firefox

Mozilla’s privacy-conscious Chrome competitor Firefox received a patch in February to fix 10 flaws it has rated as high severity. CVE-2023-25730 is a screen hijack via browser full-screen mode. “A background script invoking requestFullscreen and then blocking the main thread could force the browser into full-screen mode indefinitely, resulting in potential user confusion or spoofing attacks,” Mozilla warned

Meanwhile, Mozilla developers have fixed several memory safety bugs in Firefox 110. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla wrote.

VMware

Enterprise software maker VMWare has issued a patch for an injection vulnerability affecting VMware Carbon Black App Control. Tracked as CVE-2023-20858, the flaw has been rated as critical with a maximum CVSSv3 base score of 9.1. “A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system,” VMWare said.

Another VMware patch has been issued to fix an XML External Entity vulnerability affecting VMware vRealize Orchestrator that could lead to privilege escalation. Tracked as CVE-2023-20855, the flaw is rated as important, with a maximum CVSSv3 base score of 8.8.

Citrix

February has been a busy month for Citrix, which has released patches to fix several serious security vulnerabilities. The issues patched this month include CVE-2023-24483, affecting Citrix Virtual Apps and Desktops Windows VDA. “A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA,” Citrix warned in an advisory

Meanwhile, Citrix identified two vulnerabilities that together could allow a standard Windows user to perform operations as System on a computer running Citrix Workspace, tracked as CVE-2023-24484 and CVE-2023-24485. 

Another security flaw in Citrix Workspace app for Linux, CVE-2023-24486, could allow a malicious local user to gain access to the Citrix Virtual Apps and Desktops session of another user.

It goes without saying that if you are a Citrix user, make sure to apply the patches to your affected systems. 

SAP

SAP has issued 21 new security notes as part of its February Patch Day, including five ranked as high priority. Tracked as CVE-2023-24523, the most serious of the newly patched flaws is a privilege escalation vulnerability in SAP Start Service with a CVSS score of 8.8.

By taking advantage of the issue, an authenticated non-admin user with local access to a server port assigned to the SAP Host Agent Service can submit a specially crafted web service request with an arbitrary operating system command, security firm Onapsis has warned. This command is executed with administrator privileges and can impact a system’s confidentiality, integrity, and availability, it said.

The two remaining High Priority Notes affect SAP BusinessObjects customers, so if you use the software firm’s systems, get patching as soon as possible.