Pro IQRA News Updates.
During the month, Google fixed multiple privilege escalation flaws, as well as information disclosure and denial vulnerabilities. The company also released a patch for three Pixel security issues. The February Android patch is already available for Google’s Pixel devices, while Samsung moved quickly to release the update to users of the Galaxy Note 20 series.
Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate full-screen execution, and CVE-2023-0698 is an out-of-bounds read error in WebRTC. Four medium-severity vulnerabilities include free GPU usage, a buffer overflow bug in WebUI, and a type confusion vulnerability in data transfer. Two other defects were rated as having a low impact.
There are no known zero days in the February Chrome patch, but it’s still a good idea to update your Google software as soon as possible.
Mozilla’s privacy-conscious Chrome rival Firefox received a patch in February to fix 10 flaws it classified as high severity. CVE-2023-25730 is a full-screen browser hack. Mozilla warned that “a background script that calls requestFullscreen and then blocks the main thread may force the browser into full-screen mode indefinitely, leading to potential user confusion or impersonation attacks.”
Meanwhile, Mozilla developers have fixed several memory security bugs in Firefox 110. “Some of these bugs showed evidence of memory corruption and we assume that with sufficient effort some of these bugs could be exploited to run arbitrary code,” Mozilla wrote.
Enterprise software maker VMWare has released a patch for a security vulnerability affecting the VMware Carbon Black application. Tracked as CVE-2023-20858, the flaw is rated Critical with a maximum CVSSv3 base score of 9.1. “A malicious actor with privileged access to the App Control administrative console may be able to use inputs specifically designed to allow access to the underlying server operating system,” VMWare said.
Another VMware patch has been released to fix an external XML vulnerability affecting VMware vRealize Orchestrator that could lead to privilege escalation. Tracked as CVE-2023-20855, the flaw is rated Important, with a maximum CVSSv3 core score of 8.8.
February was a busy month for Citrix, which released patches to fix several critical security vulnerabilities. The issues fixed this month include CVE-2023-24483, which affects Citrix Virtual Apps and Desktops Windows VDA. “A security vulnerability has been identified that, if exploited, could cause a local user to elevate their privilege level to NT AUTHORITY\SYSTEM on the Citrix Virtual Apps and Desktops Windows VDA,” Citrix warned in an advisory.
Meanwhile, Citrix has identified two vulnerabilities that together could allow a standard Windows user to perform system-like operations on a computer running Citrix Workspace, tracked as CVE-2023-24484 and CVE-2023-24485.
Another security flaw in the Citrix Workspace application for Linux, CVE-2023-24486, could allow a malicious local user to access another user’s Citrix Virtual Apps and Desktops session.
It goes without saying that if you are a Citrix user, make sure to apply the patches to the affected systems.
SAP issued 21 new security notes as part of its February Patch Day, including five that were rated as high priority. Tracked as CVE-2023-24523, the most severe newly patched flaw is a privilege escalation vulnerability in the SAP Start service with a CVSS score of 8.8.
By taking advantage of the issue, an authenticated non-administrative user with local access to a server port dedicated to the SAP host proxy service can send a specially prepared Web service request using an arbitrary operating system command, security firm Onapsis warned. This command is executed with administrator privileges and can affect the confidentiality, integrity, and availability of the system.
The remaining two high-priority issues affect SAP BusinessObjects clients, so if you’re on software company systems, get the patch ASAP.