Android security patches are available for Google’s Pixel devices, which have their own specific updates, and for Samsung’s Galaxy range, including the Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for updates in your device settings.
Microsoft Patch Tuesday
Microsoft fixed a rather hefty 98 security issues in its first Patch Tuesday of the year, including an already exploited vulnerability: CVE-2023-21674, an elevation of privilege bug in Windows Advanced Local Procedure Call (ALPC) that can lead to a browser sandbox escape.
By exploiting the bug, an adversary could gain SYSTEM privileges, Microsoft wrote, adding that the flaw has been seen exploited in real-world attacks.
Another elevation of privilege vulnerability in the Windows Credential Manager user interface, CVE-2023-21726, is relatively easy to exploit and requires no interaction from the user.
January’s Patch Tuesday also saw Microsoft fix nine Windows kernel vulnerabilities, eight of which are elevation of privilege issues and one an information disclosure vulnerability.
Mozilla Firefox
Software firm Mozilla has released significant updates to its Firefox browser, the most serious of which has been the subject of a warning by the US Cybersecurity and Infrastructure Security Agency (CISA).
Of the 11 bugs fixed in Firefox 109, four are rated as high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we speculate that with enough effort, some could have been exploited to run arbitrary code,” it wrote.
An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA says in an advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and to apply the necessary updates.”
VMware
Enterprise software maker VMware has published a security advisory detailing four vulnerabilities affecting its VMware vRealize Log Insight product. The first, tracked as CVE-2022-31706, is a directory traversal vulnerability with a CVSSv3 base score of 9.8. By exploiting the flaw, an unauthenticated, malicious actor could inject files into the operating system of an affected appliance, resulting in remote code execution (RCE), VMware says.
Meanwhile, a broken access control vulnerability tracked as CVE-2022-31704, which can also result in RCE, likewise has a CVSSv3 base score of 9.8. It goes without saying that anyone running the affected product should patch as soon as possible.
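Directory traversal of the kind described for CVE-2022-31706 is a file-path containment failure: user-controlled input is joined to a base directory without checking that the result still lies inside it. The following is an added, generic Python example of the check a defender expects in any file-handling endpoint; it is not VMware's code and says nothing about how vRealize Log Insight is implemented. The base directory, the request paths and the hypothetical `check_requests` helper are all constructed for illustration.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed base directory for the example; any directory works because
# both the base and the candidate path are canonicalised before comparison.
BASE_DIR = "/tmp/example-upload-root"


def safe_join(base: str, user_path: str):
    """Return the canonical path of user_path under base, or None if the
    request would escape the base directory.

    Decode percent-encoding exactly once, reject NUL bytes (they truncate
    paths in C runtimes), reject absolute paths, then canonicalise and
    require the base directory to be an ancestor of the result.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    if Path(decoded).is_absolute():
        return None

    base_abs = Path(base).resolve()
    candidate = (base_abs / decoded).resolve()  # collapses '..' and symlinks

    if candidate == base_abs or base_abs in candidate.parents:
        return candidate
    return None


def check_requests(base: str, raw_paths):
    """Hypothetical helper: map each raw request path to True (allowed)
    or False (blocked) so the policy can be exercised on sample input."""
    return {raw: safe_join(base, raw) is not None for raw in raw_paths}


# Constructed sample request paths, including the classic traversal forms.
SAMPLE_REQUESTS = [
    "logs/app.log",                         # ordinary file under base
    "logs/../config.yaml",                  # '..' that still stays inside
    "../../etc/passwd",                     # plain traversal
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",       # percent-encoded traversal
    "/etc/passwd",                          # absolute path
    "logs/app.log\x00.txt",                 # NUL-byte truncation attempt
]

if __name__ == "__main__":
    for raw, allowed in check_requests(BASE_DIR, SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {raw!r}")
```

The decisive line is the ancestor test after `resolve()`: string prefix checks on the un-normalised path are the usual mistake, because `..` segments, symlinks and encoded separators all survive them. Decoding exactly once also matters; a server that decodes twice will turn `%252e%252e` into `..` after this check has already run.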
Oracle
Software giant Oracle has issued patches for 327 security vulnerabilities, 70 of which are rated as having a significant impact. Worryingly, 200 of the issues patched in January could be exploited by a remote, unauthenticated attacker.
Oracle is recommending that people update their systems as soon as possible, warning that it has “received reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches.”
In some instances, it has been reported that attackers succeeded because the targeted customers had failed to apply available Oracle patches, the company says.
SAP
SAP’s January Patch Day saw the release of 12 new and updated security notes. CVE-2023-0014, with a CVSS score of 9.0, is rated the most serious bug by security firm Onapsis. The flaw affects the majority of SAP customers and its mitigation is a challenge, says Onapsis.
The capture-replay vulnerability is a security risk because it could allow malicious users to gain access to the SAP system. “Complete patching of vulnerabilities involves applying kernel patches, ABAP patches, and manual migration of all trusted RFC and HTTP destinations,” explains Onapsis.
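A capture-replay weakness means that a message which was legitimately authenticated once can be recorded and presented again later, and the receiver accepts it a second time. The example below is added here to show the standard defence in generic form and is not SAP's, Onapsis's, or the trusted-RFC mechanism's code: every request carries a timestamp and a fresh nonce under a keyed MAC, and the receiver rejects stale timestamps and any nonce it has already seen inside the freshness window. The shared secret, message format, `make_request` and `ReplayGuard` names are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret; a real deployment provisions this out of band.
SHARED_KEY = b"constructed-shared-secret-for-example"


def sign(fields: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the fields."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_request(action: str, key: bytes, now: int, nonce: str = None) -> dict:
    """Client side: bind the action to a timestamp and a single-use nonce."""
    msg = {"action": action, "ts": now, "nonce": nonce or secrets.token_hex(16)}
    msg["mac"] = sign(msg, key)
    return msg


class ReplayGuard:
    """Server side: verify MAC, reject stale messages, reject reused nonces.

    `window` is the acceptable clock skew in seconds; nonces only need to be
    remembered for that long, which keeps the seen-set bounded.
    """

    def __init__(self, key: bytes, window: int = 30):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp at which it was accepted

    def verify(self, msg: dict, now: int) -> str:
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = sign(body, self.key)
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "bad_mac"          # tampered or forged
        if abs(now - int(body["ts"])) > self.window:
            return "stale"            # outside the freshness window
        # Drop nonces that have aged out; they can no longer be replayed
        # because the timestamp check would already reject them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return "replay"           # captured message presented again
        self.seen[body["nonce"]] = now
        return "ok"


def demo():
    """Walk through accept, replay, tamper and stale outcomes on constructed traffic."""
    guard = ReplayGuard(SHARED_KEY, window=30)
    captured = make_request("read_report", SHARED_KEY, now=1000)
    first = guard.verify(captured, now=1000)          # legitimate delivery
    replayed = guard.verify(captured, now=1005)       # same bytes, seconds later
    tampered = dict(captured, action="delete_report")  # MAC no longer matches
    forged = guard.verify(tampered, now=1005)
    late = guard.verify(captured, now=1100)           # beyond the 30 s window
    fresh = guard.verify(make_request("read_report", SHARED_KEY, now=1005), now=1005)
    return {"first": first, "replayed": replayed, "forged": forged,
            "late": late, "fresh": fresh}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>8}: {outcome}")
```

The nonce store here is in-process memory, which is enough for a single receiver; with several receivers behind a load balancer the seen-set must live in shared storage, otherwise a captured message replayed against a different node is accepted. Checking the MAC before anything else also keeps an attacker from probing the nonce store with unauthenticated input.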