A further by now exploited flaw, CVE-2023-21715, is a attribute bypass difficulty in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in Windows frequent log file technique driver.
That’s a good deal of zero-day flaws fixed in one particular launch, so take it as a prompt to update your Microsoft-dependent programs as soon as achievable.
Android’s February protection update is listed here, correcting several vulnerabilities in products managing the tech giant’s smartphone application. The most severe of these difficulties is a safety vulnerability in the Framework element that could lead to community escalation of privilege with no added privileges required, Google pointed out in an advisory.
Amongst the difficulties preset in the Framework, 8 are rated as getting a superior effect. In the meantime, Google has squashed six bugs in the Kernel, as very well as flaws in the Program, MediaTek, and Unisoc factors.
Through the thirty day period, Google patched several privilege escalation flaws, as nicely as data disclosure and denial of assistance vulnerabilities. The business also introduced a patch for a few Pixel-distinct safety difficulties. The Android February patch is presently available for Google’s Pixel equipment, even though Samsung has moved speedily to situation the update to consumers of its Galaxy Take note 20 series.
In the meantime, CVE-2023-0697 is a flaw that enables inappropriate implementation in entire-screen manner, and CVE-2023-0698 is an out-of-bounds read through flaw in WebRTC. 4 medium-severity vulnerabilities involve a use soon after no cost in GPU, a heap buffer overflow flaw in WebUI, and a style confusion vulnerability in Details Transfer. Two additional flaws are rated as owning a small effects.
There are no acknowledged zero times in February’s Chrome patch, but it’s nonetheless a good thought to update your Google computer software as soon as you can.
Mozilla’s privateness-mindful Chrome competitor Firefox obtained a patch in February to resolve 10 flaws it has rated as high severity. CVE-2023-25730 is a display hijack through browser full-display screen mode. “A background script invoking requestFullscreen and then blocking the main thread could power the browser into total-monitor mode indefinitely, ensuing in probable user confusion or spoofing attacks,” Mozilla warned.
Meanwhile, Mozilla builders have fastened a number of memory protection bugs in Firefox 110. “Some of these bugs showed evidence of memory corruption and we presume that with adequate energy some of these could have been exploited to operate arbitrary code,” Mozilla wrote.
Organization software program maker VMWare has issued a patch for an injection vulnerability influencing VMware Carbon Black Application Manage. Tracked as CVE-2023-20858, the flaw has been rated as crucial with a greatest CVSSv3 foundation score of 9.1. “A destructive actor with privileged accessibility to the Application Command administration console may well be equipped to use specifically crafted enter letting accessibility to the fundamental server running technique,” VMWare mentioned.
A different VMware patch has been issued to repair an XML External Entity vulnerability influencing VMware vRealize Orchestrator that could lead to privilege escalation. Tracked as CVE-2023-20855, the flaw is rated as essential, with a highest CVSSv3 base score of 8.8.
February has been a hectic month for Citrix, which has produced patches to fix many severe protection vulnerabilities. The issues patched this thirty day period include CVE-2023-24483, affecting Citrix Digital Apps and Desktops Windows VDA. “A vulnerability has been identified that, if exploited, could final result in a neighborhood user elevating their privilege degree to NT AUTHORITYSYSTEM on a Citrix Virtual Applications and Desktops Windows VDA,” Citrix warned in an advisory.
In the meantime, Citrix recognized two vulnerabilities that alongside one another could make it possible for a common Home windows person to execute functions as Program on a personal computer running Citrix Workspace, tracked as CVE-2023-24484 and CVE-2023-24485.
Another protection flaw in Citrix Workspace application for Linux, CVE-2023-24486, could allow a malicious nearby user to attain entry to the Citrix Virtual Applications and Desktops session of a different person.
It goes without stating that if you are a Citrix consumer, make positive to use the patches to your impacted devices.
SAP has issued 21 new safety notes as element of its February Patch Day, like 5 rated as substantial precedence. Tracked as CVE-2023-24523, the most serious of the newly patched flaws is a privilege escalation vulnerability in SAP Start Support with a CVSS rating of 8.8.
By using benefit of the situation, an authenticated non-admin person with area accessibility to a server port assigned to the SAP Host Agent Services can post a specially crafted web company ask for with an arbitrary running process command, security company Onapsis has warned. This command is executed with administrator privileges and can effect a system’s confidentiality, integrity, and availability, it reported.
The two remaining Higher Precedence Notes have an impact on SAP BusinessObjects clients, so if you use the computer software firm’s programs, get patching as shortly as possible.