The holiday season is here, but software companies are still busy issuing fixes for major security flaws. Microsoft, Google, and enterprise software firm Atlassian have released patches for vulnerabilities already being used in attacks. Cisco also patched a bug deemed so serious, it was given a near-maximum CVSS score of 9.9.
Here’s everything you need to know about the patches released in November.
Google Chrome
Google ended November with a bang after issuing seven security fixes for Chrome, including an emergency patch for an issue already being used in real-life attacks. Tracked as CVE-2023-6345, the already exploited flaw is an integer overflow issue in Skia, an open source 2D graphics library. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the browser maker said in an advisory.
Little is known about the fix at the time of writing; however, it was reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group, indicating the exploit could be spyware-related.
The six other flaws fixed by Google and rated as having a high impact include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.
Earlier in the month, Google released fixes for 15 security issues in its widely used browser. Among the bugs fixed by the software giant are three rated as having a high severity. Tracked as CVE-2023-5480, the first is an inappropriate implementation issue in Payments, while the second, CVE-2023-5482, is an insufficient data validation flaw in USB with a CVSS score of 8.8. The third high-severity bug, CVE-2023-5849, is an integer overflow issue in USB.
Mozilla Firefox
Chrome competitor Firefox has fixed 10 vulnerabilities in the browser, six of which are rated as having a high impact. CVE-2023-6204 is an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 is a use-after-free issue in MessagePort.
Meanwhile, CVE-2023-6206 could allow clickjacking permission prompts using the full-screen transition. “The black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts,” Firefox owner Mozilla said. “It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.”
CVE-2023-6212 and CVE-2023-6212 are memory safety bugs, both with a CVSS score of 8.8, in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.
Google Android
Google’s November Android Security Bulletin details fixes patched this month, including eight in the Framework, six of which are elevation of privilege bugs. The worst flaw could lead to local escalation of privilege with no additional execution privileges needed, Google said in an advisory.
Google also fixed seven issues in the System, six of which are rated as having a high severity and one marked as critical. Tracked as CVE-2023-40113, the critical bug could lead to local information disclosure with no additional execution privileges needed.