Google Fixes Almost 100 Android Safety Points


December was a busy month for updates as companies together with Apple and Google rushed to get patches out to repair critical flaws of their merchandise earlier than the vacation break.

Enterprise software program giants additionally issued their justifiable share of patches, with Atlassian and SAP squashing a number of essential bugs throughout December.

Right here’s what it’s good to know concerning the vital updates you might need missed in the course of the month.

Apple iOS

In mid-December, Apple launched iOS 17.2, a serious level improve containing options such because the Journal app, in addition to 12 safety patches. Among the many flaws mounted in iOS 17.2 is CVE-2023-42890, a problem within the WebKit browser engine that would enable an attacker to execute code.

One other flaw within the iPhone’s Kernel, tracked as CVE-2023-4291, may see an app escape of its safe sandbox, Apple wrote on its assist web page. In the meantime, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, may result in code execution.

The iOS 17.2 replace additionally put a mechanism in place to stop a Bluetooth assault utilizing a penetration testing machine known as Flipper Zero, in accordance with assessments by ZDNET and 9to5Mac. The annoying denial of service cyber-assault may trigger a flurry of pop ups to look on an iPhone and finally lock up the machine.

Apple additionally launched iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.

Only one week after releasing iOS 17.2, Apple issued iOS 17.2.1 and iOS 16.7.4 for older gadgets, alongside macOS Sonoma 14.2.1. The shock iPhone replace accommodates unspecified bug and safety fixes, whereas the macOS patch fixes a single flaw tracked as CVE-2023-42940.

Google Android

The Google Android December Safety Bulletin was a hefty one, fixing almost 100 safety points. The replace contains patches for 2 essential points within the Framework, essentially the most extreme of which may result in distant escalation of privilege with no extra privileges wanted. Consumer interplay is just not wanted for exploitation, Google stated.

CVE-2023-40088 is a essential flaw within the System that would result in distant code execution, whereas CVE-2023-40078 is an elevation of privilege bug rated as having a excessive affect.

Google has additionally issued an replace for its sensible machine WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Safety Bulletin has not been posted on the time of writing.

Google Chrome

Google ended a bumper December of updates in type with an emergency repair for its Chrome browser. The eighth zero-day vulnerability impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow problem within the open supply WebRTC part. Google is “conscious that an exploit for CVE-2023-7024 exists within the wild,” the browser maker stated in an advisory.

It wasn’t the primary repair launched by Google in December. The software program large additionally issued a Chrome patch mid-month to repair 9 safety points. Of the failings reported by exterior researchers, 5 are rated as having a excessive severity, together with CVE-2023-6702, a sort confusion flaw in V8, and 4 use-after-free bugs.


Supply hyperlink