Apple, Microsoft and Google: three of the biggest names in tech. And in October 2023 they appeared together in the same Wired article – because they’d all been busy patching some serious vulnerabilities.
So what did they fix? And how can organisations of all sizes improve their patch management systems?
Apple iOS and iPadOS
At the end of October, Apple issued 12 new security fixes for its iOS 17.1. They included:
- Patches for vulnerabilities in the Kernel framework (CVE-2023-42849). According to Apple’s support page, the issue fixed here could enable an attacker to bypass kernel memory mitigations.
- Patches for WebKit, the browser engine used by Safari (CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852), to fix flaws that could allow arbitrary code execution.
- Patches earlier in the month for vulnerabilities that were already being used in real attacks – including a Kernel bug, tracked by NIST as CVE-2023-42824, which could enable an attacker to escalate their privileges once they’d gained access to a user’s device.
- A fix for CVE-2023-5217 – a buffer overflow vulnerability found in Google Chrome and affecting a number of platforms, which a remote attacker could use to trigger heap corruption and potentially execute code.
Microsoft
With more than 100 issues patched, Microsoft’s October fixes included several zero-day vulnerabilities, among them:
- An information disclosure bug in WordPad (a word processing program), CVE-2023-36563, which could expose information including NTLM hashes and enable NTLM relay attacks. According to Microsoft, exploiting this bug also requires social engineering: a user has to open a malicious file.
- An issue (tracked as CVE-2023-35349) in Message Queuing that could allow remote code execution.
- A severe privilege escalation vulnerability (CVE-2023-41763) in Skype for Business, which an attacker could exploit by making a specially crafted network call, potentially disclosing IP addresses, port numbers, or both.
Google Chrome
The Chrome browser had 20 vulnerabilities patched, including one (the first on our list) that was rated as critical:
- CVE-2023-5218, a use-after-free flaw in Site Isolation that a remote attacker could use to trigger heap corruption via a crafted HTML page.
- A use-after-free issue in Blink History (CVE-2023-5476).
- CVE-2023-5474 – a heap buffer overflow in PDF, through which an attacker could trigger heap corruption using a crafted PDF file, after first using social engineering to get the user to open it.
Users should update as soon as possible
Some of the vulnerabilities here have already been exploited by attackers, while some haven’t yet been used in real-life attacks. They have varying degrees of severity, but all of them could be exploited – so users should update their devices and software as soon as possible to benefit from the security patching.
As well as Chrome, Google has patched a further 53 vulnerabilities on Android, some of them rated as critical – including a heap buffer overflow issue (CVE-2023-4863) that Malwarebytes noted could be used to install spyware.
How can your organisation improve patch management?
Big tech companies are patching all the time – as highlighted by Microsoft’s well known monthly Patch Tuesday updates.
Patching is a core part of maintaining security. And there are some best practices for patch management that companies of all sizes can follow:
- Know who’s responsible for patching what. Different vulnerabilities or network areas might fall under the responsibility of internal security teams, while third party contractors might work on others.
- Use a critical-first approach. Build a framework to categorise your systems so that critical systems are at the top of the patching priority list.
- Apply automated patch management wherever it’s effective and efficient, to simplify and streamline regular security updates.
- Test patches in a controlled environment before they’re rolled out.
- Identify all devices that need to be patched – including devices in different departments, and those used on remote networks.
- Keep an open and ongoing communication with any third party patch management contractors – never just assume they’ve got everything covered.
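The critical-first, ownership-aware approach in the list above can be turned into something a team can actually run. The script below is an added example, not code from the original post or from Black Hat MEA: it takes a constructed asset inventory (hostnames, criticality tiers, who is responsible for each device) and a constructed advisory table (product, first fixed version, CVEs, whether the flaw is known to be exploited), finds every device still below the fixed version, and orders the resulting work list so that known-exploited flaws on critical systems come first, with a shorter SLA. Only the iOS 17.1 release and the CVE ids come from the post; the Chrome fixed version, the device names, versions, tiers, owners and SLA durations are all assumptions made for illustration.

```python
"""Critical-first patch work list over a constructed asset inventory.

Added example, not code from the original post or from Black Hat MEA.
Every device, version, tier, owner and SLA below is constructed; the iOS 17.1
release and the CVE ids are the ones named in the post, the Chrome fixed
version is a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


def parse_version(v: str) -> tuple[int, ...]:
    """'17.0.3' -> (17, 0, 3); trailing zeros dropped so '17.1' == '17.1.0'."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str          # first version that carries the fix
    cves: tuple[str, ...]
    severity: str               # "critical" / "high" / "medium" / "low"
    exploited_in_wild: bool     # known to be used in real attacks


@dataclass(frozen=True)
class Asset:
    hostname: str
    tier: int                   # 0 = business critical ... 2 = low impact
    owner: str                  # internal team or third-party contractor responsible
    product: str
    version: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Constructed SLA: days allowed to patch, by asset tier (halved if exploited in the wild)
SLA_DAYS = {0: 7, 1: 14, 2: 30}


@dataclass(frozen=True)
class WorkItem:
    asset: Asset
    advisory: Advisory
    due: date

    def sort_key(self) -> tuple:
        # Known-exploited first, then most critical asset, then worst severity, then due date
        return (0 if self.advisory.exploited_in_wild else 1,
                self.asset.tier,
                SEVERITY_RANK[self.advisory.severity],
                self.due)


def is_unpatched(asset: Asset, advisory: Advisory) -> bool:
    return (asset.product == advisory.product
            and parse_version(asset.version) < parse_version(advisory.fixed_version))


def build_worklist(assets: list[Asset], advisories: list[Advisory], today: date) -> list[WorkItem]:
    items = []
    for asset in assets:
        for adv in advisories:
            if is_unpatched(asset, adv):
                days = SLA_DAYS[asset.tier]
                if adv.exploited_in_wild:
                    days = max(1, days // 2)
                items.append(WorkItem(asset, adv, today + timedelta(days=days)))
    return sorted(items, key=WorkItem.sort_key)


def group_by_owner(items: list[WorkItem]) -> dict[str, list[WorkItem]]:
    """Who is responsible for patching what: one list per owner, order preserved."""
    by_owner: dict[str, list[WorkItem]] = {}
    for item in items:
        by_owner.setdefault(item.asset.owner, []).append(item)
    return by_owner


# Constructed advisory table. Both iOS entries are treated as fixed in 17.1 for simplicity;
# the Chrome fixed version "118.0" is a placeholder, not taken from the post.
ADVISORIES = [
    Advisory("ios", "17.1", ("CVE-2023-42849", "CVE-2023-42852"), "high", False),
    Advisory("ios", "17.1", ("CVE-2023-42824",), "high", True),
    Advisory("chrome", "118.0", ("CVE-2023-5218",), "critical", False),
]

# Constructed inventory: one tier-0 phone, one contractor-run kiosk, three Chrome hosts.
ASSETS = [
    Asset("exec-iphone-01", 0, "internal-secops", "ios", "17.0.3"),
    Asset("kiosk-tablet-07", 2, "contractor-acme", "ios", "16.7"),
    Asset("finance-ws-12", 0, "internal-secops", "chrome", "117.0"),
    Asset("dev-laptop-03", 1, "internal-secops", "chrome", "118.0"),   # already patched
    Asset("lobby-pc-02", 2, "contractor-acme", "chrome", "116.5"),
]

TODAY = date(2023, 10, 31)   # constructed reference date


def demo_worklist() -> list[WorkItem]:
    return build_worklist(ASSETS, ADVISORIES, TODAY)


if __name__ == "__main__":
    for owner, items in group_by_owner(demo_worklist()).items():
        print(f"== {owner} ==")
        for it in items:
            flag = "EXPLOITED" if it.advisory.exploited_in_wild else it.advisory.severity
            print(f"  {it.asset.hostname:16} {it.asset.product}<{it.advisory.fixed_version}"
                  f" {', '.join(it.advisory.cves)} [{flag}] due {it.due}")
```

Run as-is, it prints one block per owner, which is the hand-off a team would give an internal security group or a third-party contractor, rather than assuming the contractor already has it covered. The sort key is the policy: change the tuple order if your organisation ranks severity above asset tier, and feed the real inventory and vendor advisories in place of the constructed tables.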
And come to Black Hat MEA to gain access to the latest insights and research in patch management, and connect with vendors and partners who can help you secure your organisation. We can’t wait to see you there.
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!