Another already exploited flaw, CVE-2023-21715, is a feature bypass issue in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in Windows common log file system driver.
That’s a lot of zero-day flaws fixed in one release, so take it as a prompt to update your Microsoft-based systems as soon as possible.
Android’s February security update is here, fixing multiple vulnerabilities in devices running the tech giant’s smartphone software. The most severe of these issues is a security vulnerability in the Framework component that could lead to local escalation of privilege with no additional privileges needed, Google noted in an advisory.
Among the issues fixed in the Framework, eight are rated as having a high impact. Meanwhile, Google has squashed six bugs in the Kernel, as well as flaws in the System, MediaTek, and Unisoc components.
During the month, Google patched multiple privilege escalation flaws, as well as information disclosure and denial of service vulnerabilities. The company also released a patch for three Pixel-specific security issues. The Android February patch is already available for Google’s Pixel devices, while Samsung has moved quickly to issue the update to users of its Galaxy Note 20 series.
Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate implementation in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. Four medium-severity vulnerabilities include a use after free in GPU, a heap buffer overflow flaw in WebUI, and a type confusion vulnerability in Data Transfer. Two further flaws are rated as having a low impact.
There are no known zero days in February’s Chrome patch, but it’s still a good idea to update your Google software as soon as you can.
Mozilla’s privacy-conscious Chrome competitor Firefox received a patch in February to fix 10 flaws it has rated as high severity. CVE-2023-25730 is a screen hijack via browser full-screen mode. “A background script invoking requestFullscreen and then blocking the main thread could force the browser into full-screen mode indefinitely, resulting in potential user confusion or spoofing attacks,” Mozilla warned.
Meanwhile, Mozilla developers have fixed several memory safety bugs in Firefox 110. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla wrote.
Enterprise software maker VMWare has issued a patch for an injection vulnerability affecting VMware Carbon Black App Control. Tracked as CVE-2023-20858, the flaw has been rated as critical with a maximum CVSSv3 base score of 9.1. “A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system,” VMWare said.
Another VMware patch has been issued to fix an XML External Entity vulnerability affecting VMware vRealize Orchestrator that could lead to privilege escalation. Tracked as CVE-2023-20855, the flaw is rated as important, with a maximum CVSSv3 base score of 8.8.
February has been a busy month for Citrix, which has released patches to fix several serious security vulnerabilities. The issues patched this month include CVE-2023-24483, affecting Citrix Virtual Apps and Desktops Windows VDA. “A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA,” Citrix warned in an advisory.
Meanwhile, Citrix identified two vulnerabilities that together could allow a standard Windows user to perform operations as System on a computer running Citrix Workspace, tracked as CVE-2023-24484 and CVE-2023-24485.
Another security flaw in Citrix Workspace app for Linux, CVE-2023-24486, could allow a malicious local user to gain access to the Citrix Virtual Apps and Desktops session of another user.
It goes without saying that if you are a Citrix user, make sure to apply the patches to your affected systems.
SAP has issued 21 new security notes as part of its February Patch Day, including five ranked as high priority. Tracked as CVE-2023-24523, the most serious of the newly patched flaws is a privilege escalation vulnerability in SAP Start Service with a CVSS score of 8.8.
By taking advantage of the issue, an authenticated non-admin user with local access to a server port assigned to the SAP Host Agent Service can submit a specially crafted web service request with an arbitrary operating system command, security firm Onapsis has warned. This command is executed with administrator privileges and can impact a system’s confidentiality, integrity, and availability, it said.
The two remaining High Priority Notes affect SAP BusinessObjects customers, so if you use the software firm’s systems, get patching as soon as possible.