Even though the holidays are approaching, software companies are still hard at work fixing serious security vulnerabilities. Enterprise software company Atlassian, Google, and Microsoft have all released patches for vulnerabilities that have already been used in attacks. Additionally, Cisco fixed a bug rated so serious that it has a near-maximum CVSS score of 9.9.
Everything you need to know about the November patch releases is provided here.
Google Chrome
With the release of seven security updates for Chrome, including an urgent patch for a flaw already being exploited in real-world attacks, Google closed out November strongly. The already exploited vulnerability, identified as CVE-2023-6345, is an integer overflow problem in the open-source 2D graphics library Skia. "Google is aware that there is a public exploit for CVE-2023-6345," the browser maker said in an advisory.
Little is known about the fix as of this writing, but it was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, which suggests the exploit may have something to do with spyware.
The remaining six flaws, which Google fixed and assessed as having a high impact, include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.
Google fixed fifteen security flaws in its popular browser earlier this month. Three of the bugs that the software behemoth fixed were classified as high severity. The first, tracked as CVE-2023-5480, is an improper implementation issue in Payments, and the second, tracked as CVE-2023-5482, is an inadequate data validation flaw in USB that has an 8.8 CVSS score. CVE-2023-5849, the third high-severity bug, is a USB integer overflow problem.
Mozilla Firefox
Firefox, a browser competitor to Chrome, has patched ten vulnerabilities, six of which are considered to have a high impact. WebGL2 blitFramebuffer has an out-of-bounds memory access vulnerability (CVE-2023-6204), and MessagePort has a use-after-free problem (CVE-2023-6205).
Meanwhile, CVE-2023-6206 could allow clickjacking of permission prompts using the full-screen transition. According to Firefox's parent company Mozilla, "the black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts." "Users could have been tricked into clicking where the permission grant button was going to appear by using this fact."
Memory safety issues CVE-2023-6212 and CVE-2023-6212, each with a CVSS score of 8.8, are present in Thunderbird 115.5, Firefox 120, and Firefox ESR 115.5.
Android by Google
The November Android Security Bulletin from Google lists the issues patched this month, eight of which are in the Framework and six of which are elevation of privilege bugs. According to a Google advisory, the worst vulnerability might result in local escalation of privilege without the need for additional execution privileges.
Additionally, Google resolved seven System bugs, six of which were classified as extremely serious and one as critical. The critical bug, tracked as CVE-2023-40113, may cause local information to be disclosed without the need for additional execution privileges.
Google's Pixel devices have already received the November update, along with some additional fixes. The November Android Security Bulletin has also started to roll out to some of Samsung’s Galaxy line.
Microsoft
Microsoft has a Patch Tuesday every month, but November's is worth noting. The update fixes 59 vulnerabilities, two of which are already being exploited in real-life attacks. Tracked as CVE-2023-36033, the first is an elevation of privilege vulnerability in Windows DWM Core Library marked as important, with a CVSS score of 7.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.
Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS score of 7.8. Also fixed in November’s update cycle is the already exploited libwebp flaw previously fixed in Chrome and other browsers, which also impacts Microsoft’s Edge, tracked as CVE-2023-4863.
Another notable flaw is CVE-2023-36397, a remote code execution vulnerability in Windows Pragmatic General Multicast marked as critical with a CVSS score of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft said.
Cisco
Enterprise software firm Cisco has issued fixes for 27 security flaws, including one rated as critical with a near maximum CVSS score of 9.9. Tracked as CVE-2023-20048, the vulnerability in the web services interface of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to execute unauthorized configuration commands on a Firepower Threat Defense device managed by the FMC Software.
However, to successfully exploit the vulnerability, an attacker would need valid credentials on the FMC Software, Cisco said.
A further seven of the flaws fixed by Cisco are rated as having a high impact, including CVE-2023-20086—a denial-of-service flaw with a CVSS score of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS score of 8.2.
Atlassian
Atlassian has patched a critical vulnerability that has already been used in real-world attacks. Tracked as CVE-2023-22518, the improper-authorization flaw in Confluence Data Center and Server is being used in ransomware attacks. As part of its continuous monitoring and investigation of the CVE, Atlassian reported that it had come across multiple active exploits and reports of threat actors utilizing ransomware.
According to security firm Trend Micro, the Cerber ransomware group is exploiting the vulnerability in its attacks. Cerber has previously attacked Atlassian; in 2021, the malware reappeared following a hiatus and was primarily focused on taking advantage of remote code execution flaws in Atlassian's GitLab servers, according to Trend Micro.
The vulnerability affects all versions of Confluence Data Center and Server and lets an unauthorized attacker reset Confluence and create an administrator account. As per Atlassian, "an attacker can execute all administrative tasks accessible to a Confluence instance administrator using this account, resulting in a complete loss of confidentiality, integrity, and availability."