Apple, Google and Microsoft just fixed zero-day security flaws


Threat actors usually target widely used products and services, but it’s not often that all the big tech companies get hit around the same time. Zero-day vulnerabilities are security flaws discovered by blackhats before security researchers and software developers become aware of them. In April, these three giants released patches and updates to close loopholes that threat actors had already exploited or had yet to exploit.

Apple didn't waste time releasing iOS 16.4.1 to fix two vulnerabilities already being used in attacks. Google’s Threat Analysis Group and Amnesty International’s Security Lab drew Apple’s attention to the two loopholes: CVE-2023-28206, an IOSurfaceAccelerator flaw that could let an app execute code with kernel privileges, and CVE-2023-28205, a WebKit flaw that could lead to arbitrary code execution. Apple fixed the issues and also released iOS 15.7.5 so that users of older iPhones get fixes for the same already-exploited flaws.

Microsoft released an urgent fix that same April to address two major vulnerabilities among the 98 vulnerabilities discovered. CVE-2023-21554 is a remote code execution vulnerability in Microsoft Message Queuing labelled as having a critical impact, while CVE-2023-28252 is an elevation-of-privilege bug in the Windows Common Log File System Driver. Microsoft’s Patch Tuesday release included advisories addressing the flaws.

Google released multiple patches for its Android operating system and Chrome browser. The Android April patch fixed many severe bugs, including CVE-2023-0266, an elevation-of-privilege flaw in the kernel, and 10 other flaws in the framework. Google fixed 16 more bugs in the system, including two critical RCE flaws and several issues in the kernel and SoC components.

The Google Chrome browser received its first patch at the start of April, addressing 16 issues: two vulnerabilities rated as high impact and 14 others rated as having a medium or low impact. In mid-April, Chrome got an emergency fix for two flaws, one of which (CVE-2023-2033, a flaw in the V8 JavaScript engine) had already been used in a real-life attack. Before the end of April, Google released another patch, fixing issues including another zero-day flaw tracked as CVE-2023-2136, an integer overflow bug in the Skia graphics engine.

Given the number and seriousness of the issues patched by tech giants in April alone, security experts advise users to prioritise checking for updates and moving their devices to the latest available versions to stay protected against possible zero-day attacks.