An Android security patch is available for Google Pixel devices, which receive their own device-specific updates, and for Samsung’s Galaxy lineup, including the Galaxy Note 10, Galaxy S21 and Galaxy A73. You can check for the update under Settings.
Microsoft Patch Tuesday
Microsoft fixed a hefty 98 security issues on its first Patch Tuesday of the year, including one vulnerability that is already being exploited: CVE-2023-21674, a privilege escalation flaw in the Windows Advanced Local Procedure Call (ALPC) facility that can be used to escape the browser sandbox.
Microsoft wrote that an attacker who successfully exploited the bug could gain SYSTEM privileges, and confirmed that the vulnerability had been seen in real-world attacks.
Another privilege escalation vulnerability, CVE-2023-21726 in the Windows Credential Manager user interface, is rated relatively easy to exploit and requires no user interaction.
In its January Patch Tuesday, Microsoft also fixed nine Windows kernel vulnerabilities: eight privilege escalation flaws and one information disclosure flaw.
Mozilla has released important security updates for its Firefox browser, the most serious of which prompted a warning from the US Cybersecurity and Infrastructure Security Agency (CISA).
Among the 11 flaws fixed in Firefox 109, four are rated high impact, including CVE-2023-23597, a logic error in process allocation that allows an attacker to read arbitrary files. Mozilla also said its security team found memory safety bugs in Firefox 108. “Some of these bugs were indicative of memory corruption, and we suspect that with enough effort, some of them could have been exploited to run arbitrary code,” the advisory reads.
According to a CISA advisory, an attacker could exploit some of these vulnerabilities to take control of an affected system. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and to apply the necessary updates.”
Enterprise software maker VMware has published a security bulletin detailing four weaknesses in its vRealize Log Insight product. The first, tracked as CVE-2022-31706, is a directory traversal vulnerability with a CVSSv3 base score of 9.8. VMware says an unauthenticated attacker could exploit it to inject files into the operating system of a vulnerable appliance, resulting in remote code execution (RCE).
A broken access control vulnerability tracked as CVE-2022-31704, which also leads to RCE, likewise carries a CVSSv3 base score of 9.8. It goes without saying that anyone running an affected version should patch as soon as possible.
Software giant Oracle released fixes for a whopping 327 security vulnerabilities, 70 of which are rated critical. Worse, some 200 of the issues fixed in January could be exploited remotely by an unauthenticated attacker.
Oracle urges customers to update their systems as soon as possible, warning that it has received reports of “attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”
In some cases, attackers were successful because the targeted customers had not applied available Oracle patches, the advisory said.
SAP’s January patch day brought 12 new and updated security notes. The most serious, according to security firm Onapsis, is CVE-2023-0014, with a CVSS score of 9.0. This vulnerability affects the vast majority of SAP customers, and fixing it is a difficult task, Onapsis says.
The capture-replay vulnerability is a risk because it could allow attackers to gain access to the SAP system. “A full fix for the vulnerability includes applying a kernel patch, ABAP patches, and manually migrating all trusted RFC and HTTP addresses,” Onapsis explains.