Apple’s iOS 16.5 Fixes 3 Security Bugs Already Used in Attacks

Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.
ILLUSTRATION: WIRED STAFF

Apple, Google, and Microsoft have released major patches this month to fix multiple security flaws already being used in attacks. May was also a critical month for enterprise software, with GitLab, SAP, and Cisco releasing fixes for multiple bugs in their products.

Here’s everything you need to know about the security updates released in May.

Apple iOS and iPadOS 16.5

Apple has released its long-awaited point update iOS 16.5, addressing 39 issues, three of which are already being exploited in real-life attacks. The iOS upgrade patches vulnerabilities in the Kernel at the heart of the operating system and in WebKit, the engine that powers the Safari browser. The three already exploited flaws are among five fixed in WebKit—tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.

CVE-2023-32409, reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab, is an issue that could allow a remote attacker to break out of the Web Content sandbox. CVE-2023-28204 is a flaw that could lead to the disclosure of sensitive information. Finally, CVE-2023-32373 is a use-after-free bug that could enable arbitrary code execution.

Earlier in the month, Apple released iOS 16.4.1 (a) and iPadOS 16.4.1 (a)—the iPhone maker’s first-ever Rapid Security Response update—fixing the latter two exploited WebKit vulnerabilities also patched in iOS 16.5.

Apple iOS and iPadOS 16.5 were issued alongside iOS 15.7.6 and iPadOS 15.7.6 for older iPhones, as well as iTunes 12.12.9 for Windows, Safari 16.5, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.

Apple also released its first security update for Beats and AirPods headphones.

Microsoft

Microsoft’s mid-month Patch Tuesday fixed 40 security issues, two of which were zero-day flaws already being used in attacks. The first zero-day vulnerability, CVE-2023-29336, is an elevation-of-privilege bug in the Win32k driver that could allow an attacker to gain SYSTEM privileges.

The second serious flaw, CVE-2023-24932, is a Secure Boot security feature bypass issue that could allow a privileged attacker to execute code. “An attacker who successfully exploited this vulnerability could bypass Secure Boot,” Microsoft said, adding that the flaw is difficult to exploit: “Successful exploitation of this vulnerability requires an attacker to compromise admin credentials on the device.”

The security update is not a full fix: It addresses the vulnerability by updating the Windows Boot Manager, which could cause issues, the company warned. Additional manual steps are required to fully mitigate the vulnerability, Microsoft said, pointing affected users to the steps they need to take.

Google Android

Google has released its latest Android security patches, fixing 40 flaws, including an already exploited Kernel vulnerability. The updates also include fixes for issues in the Android Framework, System, Kernel, MediaTek, Unisoc, and Qualcomm components.

The most severe of these issues is a high-severity security vulnerability in the Framework component that could lead to local escalation of privilege, Google said, adding that user interaction is needed for exploitation.

Previously linked to commercial spyware vendors, CVE-2023-0266 is a Kernel issue that could lead to local escalation of privilege. User interaction is not needed for exploitation.

The May Android Security Bulletin is available for devices including Google’s own Pixel smartphones and tablets, as well as a number of devices in Samsung’s Galaxy series.

Google Chrome 113

Google has issued Chrome 113, which includes 15 patches for its popular browser. One of these fixed flaws is CVE-2023-2459, an inappropriate implementation bug in Prompts rated as having a medium severity.

CVE-2023-2461 is a medium severity use-after-free issue in OS Inputs, and CVE-2023-2462, CVE-2023-2463, CVE-2023-2464, and CVE-2023-2465 are medium severity inappropriate implementation flaws.

Google also fixed several inappropriate implementation Chrome vulnerabilities it rated as having low severity.

Meanwhile, Google announced it is implementing a new quality rating system for security vulnerability reports. The system will rate reports as High, Medium, or Low quality based on the level of detail provided. “We believe that this new system will encourage researchers to provide more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards,” Google said, adding that the highest quality and most critical vulnerabilities are now eligible for rewards of up to $15,000.

GitLab

Open source DevOps platform GitLab has issued a security update to fix a major flaw. Tracked as CVE-2023-2825, the path traversal vulnerability could enable an unauthenticated malicious user to read arbitrary files on the server. Needless to say, the issue is serious—it has been given a CVSS score of 10.

The update, 16.0.1 for GitLab Community Edition (CE) and Enterprise Edition (EE), is only required for installations running 16.0.0; earlier versions are not affected. This is a critical severity issue, GitLab said in an advisory. “We strongly recommend that all installations running a version affected by the issues described are upgraded to the latest version as soon as possible.”

Cisco

Enterprise software giant Cisco has fixed multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches that could allow an unauthenticated remote attacker to cause denial of service (DoS) or execute arbitrary code with root privileges.

With a CVSS base score of 9.8, CVE-2023-20159 is a stack buffer overflow vulnerability that could be exploited by sending a crafted request through the web-based user interface, Cisco said.

Also with a CVSS base score of 9.8, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 are unauthenticated stack buffer overflow vulnerabilities. Meanwhile, CVE-2023-20024, CVE-2023-20156, and CVE-2023-20157 are unauthenticated heap buffer overflow issues in the web-based user interface of Cisco Small Business Series Switches that could allow an unauthenticated remote attacker to cause a denial of service (DoS).

SAP

Software maker SAP has issued 25 new and updated security notes in its May 2023 Security Patch Day, including a fix for a flaw with a CVSS score of 9.8. CVE-2021-44152 is an issue in Reprise RLM 14.2 that could allow an unauthenticated attacker to change the password of any existing user.

Meanwhile, CVE-2023-28762 covers information disclosure vulnerabilities in the SAP BusinessObjects Intelligence Platform. The newest and most critical one “allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user or server over the network without any user interaction,” security firm Onapsis said.