Google has recently published a comprehensive manual that focuses on enhancing the security of your Android phone.
This guide addresses a staggering 100 potential issues that could compromise the safety of your device. It offers detailed instructions on how to implement Google’s solutions, ensuring that
your Android phone is shielded from various threats and vulnerabilities. By following these solutions, you can effectively protect your personal information, such as passwords, credit card details
, and sensitive data, from falling into the wrong hands. Google’s solutions encompass a wide range of security concerns,
including protection against malware, managing app permissions, encrypting your device, and ensuring secure browsing,
among others. Through these 100 fixes, Google aims to empower Android users to take charge of their device’s security and enjoy a https://www.youtube.com/ worry-free mobile experience.
December was a hectic month for updates as firms including Apple and Google rushed to get patches out to fix serious flaws in their products before the holiday break.
Enterprise software giants also issued their fair share of patches, with Atlassian and SAP squashing several critical bugs during December.
Here’s what you need to know about the important updates you might have missed during the month.
Google Fixes Nearly 100 Issues
In mid-December, Apple released iOS 17.2, a major point upgrade containing features such as the Journal app, as well as 12 security patches.
Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow https://www.apple.com/in/iphone/ an attacker to execute code.
Another flaw in the iPhone’s Kernel, tracked as CVE-2023-4291, could see an app break out of its secure sandbox, Apple wrote on its support page.
Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.
The iOS 17.2 update also put a mechanism in place to prevent a Bluetooth attack using a penetration testing device called Flipper Zero, according to tests by ZDNET and 9to5Mac. The annoying denial of
service cyber-assault could cause a flurry of pop ups to appear on an iPhone and eventually lock up the device. Google Fixes Nearly 100 Issues
Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.Google Fixes Nearly 100 Issues.
Also read security link
Google Fixes Nearly 100 Issues
Google Android
The Google Android December Security Bulletin was a hefty one, fixing nearly 100 security issues. The update includes patches for
two critical issues in the Framework, the most severe of which could lead to remote escalation of privilege with no additional
privileges needed. User interaction is not needed for exploitation, Google said.Google Fixes Nearly 100 Issues
The December edition of the Google Android Security Bulletin was a substantial release, addressing close to 100 security vulnerabilities.
This update specifically focuses on resolving two critical issues within the Framework, with the most severe vulnerability having the potential to enable remote escalation of privilege without requiring any additional privileges.
Notably, user interaction is not a prerequisite for an attacker to exploit these vulnerabilities, as highlighted by Google.
Google Fixes Nearly 100 Issues
CVE-2023-40088 is a critical flaw in the System that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug rated as having a high impact.Google Fixes Nearly 100 Issues
Google has also issued an update for its smart device WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Security Bulletin has not been posted at the time of writing.
Google Chrome
Google ended a bumper December of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability
impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.Google Fixes Nearly 100 Issues
Google concluded a successful December of updates by swiftly addressing a critical issue in its Chrome browser. This emergency fix was
necessary to address the eighth zero-day vulnerability discovered in Chrome in 2024. The specific vulnerability, known as CVE-2023-7024, is related to a heap buffer overflow problem within the open source WebRTC component.
In an advisory, Google acknowledged the existence of an exploit for CVE-2023-7024 in the wild, highlighting the urgency of the situation.Google Fixes Nearly 100 Issues
This latest update from Google demonstrates the company’s commitment to promptly addressing security concerns and ensuring the safety of its users. By swiftly releasing an emergency fix for the zero-day vulnerability,
Google aims to mitigate any potential risks associated with the issue. The heap buffer overflow problem in the WebRTC component is a serious matter,
as it could potentially allow malicious actors to execute arbitrary code or gain unauthorized access to sensitive information. Google’s proactive approach in addressing this vulnerability is commendable and reinforces
the importance of regular software updates to maintain a secure browsing experience.Google Fixes Nearly 100 Issues
It wasn’t the first fix released by Google in December. The software giant also issued a Chrome patch mid-month to fix nine security issues.
Of the flaws reported by external researchers, five are rated as having a high severity, including CVE-2023-6702, a type confusion flaw in V8, and four use-after-free bugs.Google Fixes Nearly 100 Issues
Earlier in the month Google released Chrome 120, fixing 10 security flaws, including two rated as having a high severity. CVE-2023-6508 is
a use-after-free bug in Media Stream, while CVE-2023-6509 is a use-after-free issue in Side Panel Search.Google Fixes Nearly 100 Issues
Microsoft
Microsoft’s December Patch Tuesday fixes over 30 vulnerabilities including several remote code execution (RCE) flaws. Among the
critical fixes is CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector with a CVSS score of 9.6. The issue could see an attacker manipulate a malicious link, app, or file to trick the victim. However, you https://www.microsoft.com/ en-in would have to click on a specially crafted URL to be compromised.
Microsoft has released its latest Patch Tuesday updates, addressing more than 30 vulnerabilities, including multiple remote code execution (RCE) flaws. One of the critical fixes is CVE-2023-36019, a spoofing vulnerability
found in Microsoft Power Platform Connector. This vulnerability has a CVSS score of 9.6 and could allow attackers to deceive victims
by manipulating malicious links, apps, or files. However, it is important to note that the victim would need to click on a specifically crafted URL for the compromise to occur.Google Fixes Nearly 100 Issues
Meanwhile, CVE-2023-35628 is a Windows MSHTML Platform RCE bug rated as critical with a CVSS score of 8.1. “The attacker could exploit
this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” Microsoft said, adding that this could lead to exploitation before the email is viewed in the Preview Pane.
It was a fairly light Patch Tuesday, and none of the issues fixed in the month’s update cycle are known to have been exploited, but it still makes sense to apply the fixes as soon as you can.
Mozilla Firefox
Mozilla has fixed 18 security vulnerabilities in its Firefox browser, a third of which are rated as having a high severity. Of these,
CVE-2023-6856 is a heap-buffer-overflow issue affecting WebGL DrawElementsInstanced method with Mesa VM driver that could allow an attacker to perform remote code execution and sandbox escape.
Mozilla has successfully addressed and resolved a total of 18 security vulnerabilities within its widely used Firefox browser.
It is worth noting that approximately one-third of these vulnerabilities have been classified as having a high severity level. Among these, one specific vulnerability, known as CVE-2023-6856, stands out as
a heap-buffer-overflow issue that impacts the WebGL DrawElementsInstanced method when used in conjunction with the Mesa VM driver.
This particular vulnerability possesses the potential to enable an attacker to execute remote code and escape the browser’s sandbox environment.
By promptly fixing these vulnerabilities, Mozilla has taken significant steps to enhance the security and protect the privacy of its users.
Mozilla has recently taken decisive action to address and resolve a total of 18 security vulnerabilities that were identified within its widely utilized Firefox browser. These vulnerabilities, which were discovered through rigorous testing and analysis, have been meticulously fixed to ensure the utmost security for Firefox users.
It is noteworthy that a significant proportion of these vulnerabilities, specifically one-third, have been classified as having a high severity level. This classification underscores the potential risks associated with these vulnerabilities and highlights the importance of promptly addressing them.Google Fixes Nearly 100 Issues
Among the various vulnerabilities that were successfully mitigated, one particular issue has garnered attention due to its potential impact. This vulnerability, identified as CVE-2023-6856, is categorized as a heap-buffer-overflow problem.
It specifically affects the WebGL DrawElementsInstanced method when utilized in conjunction with the Mesa VM driver. The severity of this vulnerability lies in its ability to enable an attacker to execute remote code and escape the browser’s sandbox environment. This means that
an attacker could potentially gain unauthorized access to sensitive information or execute malicious code on a victim’s system. By effectively addressing this vulnerability, Mozilla has demonstrated its commitment to safeguarding user privacy and ensuring a secure browsing experience.
The swift resolution of these security vulnerabilities by Mozilla is a testament to the organization’s dedication to user safety.
By promptly fixing these vulnerabilities, Mozilla has effectively reduced the risk of potential cyber threats and attacks that could exploit these weaknesses. The high severity rating assigned to a significant portion of these vulnerabilities
further emphasizes the importance of taking immediate action to address them. Through these proactive measures, Mozilla has not only enhanced the security of its Firefox browser but has also reassured its users that their online activities are protected from potential threats.
Meanwhile, Mozilla has also fixed memory safety bugs tracked as CVE-2023-6864 and CVE-2023-6873. “Some of these bugs showed
evidence of memory corruption and we presume that with enough effort [they] could have been exploited to run arbitrary code,” Mozilla said.Google Fixes Nearly 100 Issues
Apache
The Apache Software Foundation has issued a patch for a flaw in its Struts 2 open source developer framework. Tracked as
CVE-2023-50164, the issue is rated as critical with a CVSS score of 9.8.Google Fixes Nearly 100 Issues
Using the vulnerability, an attacker could manipulate file upload parameters to enable paths traversal. Under some circumstances, this could lead to uploading a malicious file and be used to perform RCE, according to a security advisory.The vulnerability allows a malicious person to manipulate file upload
parameters, granting them unauthorized access to various file paths. This could lead to the uploading of a harmful file, which can be used to carry out remote code execution (RCE) attacks. A security advisory has been issued to raise awareness about the potential risks linked to this vulnerability.
This could potentially result in the uploading of a harmful file, which can then be used to execute remote code execution (RCE) attacks.
This information has been provided in a security advisory, highlighting the potential risks associated with this vulnerability.Google Fixes Nearly 100 Issues
To fix the flaw, it’s important to upgrade to Struts 2.5.33 or Struts 6.3.0.2 as soon as possible.
Atlassian
Enterprise software giant Atlassian has issued a patch to fix critical RCE vulnerabilities in its Confluence Data Center and Server. Tracked as CVE-2023-22522, the template injection vulnerability allows an authenticated
attacker to inject unsafe user input into a Confluence page. “Using this approach, an attacker is able to achieve RCE on an affected instance,” Atlassian said in an advisory.Google Fixes Nearly 100 Issues
Atlassian, a leading enterprise software company, has released a patch to address critical remote code execution (RCE) vulnerabilities in its Confluence Data Center and Server. Identified as CVE-2023-22522, this
vulnerability enables an authenticated attacker to inject unsafe user input into a Confluence page through template injection.
By exploiting this vulnerability, an attacker can gain remote code execution capabilities on the affected instance. Atlassian has provided detailed information about this issue in their advisory.Google Fixes Nearly 100 Issues
We understand that Atlassian, a leading enterprise software company, has taken swift action to address critical vulnerabilities in its
Confluence Data Center and Server. These vulnerabilities, known as CVE-2023-22522, involve a template injection flaw that could potentially allow an authenticated attacker to inject unsafe user input into a Confluence page. Atlassian has released a patch to mitigate this risk and prevent remote code execution (RCE) on affected instances.Google Fixes Nearly 100 Issues
Atlassian has prioritized the security of its customers by promptly addressing the template injection vulnerability in Confluence. By releasing a patch, they have effectively closed the door on potential RCE attacks that
could exploit this flaw. This proactive approach demonstrates Atlassian’s commitment to ensuring the safety and integrity of their software, protecting users from potential harm.Google Fixes Nearly 100 Issues
The recent advisory from Atlassian highlights the importance of promptly addressing vulnerabilities in enterprise software.
By acknowledging and swiftly resolving the template injection flaw, Atlassian has taken a responsible and proactive stance towards protecting their customers. This action reinforces their dedication to maintaining
a secure software environment and safeguarding users’ data and systems.Google Fixes Nearly 100 Issues
Marked as critical with a CVSS score of 9, the bug affects all versions including and after 4.0.0 of Confluence Data Center and Server. Atlassian “recommends patching to the latest version or a fixed LTS version” to address the issue.Google Fixes Nearly 100 Issues
Other patches released by Atlassian during the month include a fix for an RCE vulnerability in the Atlassian macOS app, an RCE bug in Assets Discovery, and a SnakeYAML library RCE issue impacting multiple products.Google Fixes Nearly 100 Issues
SAP
Business software maker SAP has released its December Security Patch Day, fixing several serious security flaws. The most critical, with a CVSS score of 9.1, are four escalation-of-privilege bugs in SAP Business
Technology Platform tracked as CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424.SAP, a leading provider of business software, has recently announced the release of its
December Security Patch Day. This update aims to address a number of significant security vulnerabilities that have been identified. Among the most critical issues are four escalation-of-privilege bugs in SAP Business
Technology Platform, which have been assigned the CVE identifiers CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424. These vulnerabilities have been given a CVSS score of 9.1, indicating their severity and potential impact on affected systems.Google Fixes Nearly 100 Issues
The escalation-of-privilege bugs addressed in this security patch are of utmost concern due to their potential to allow unauthorized
users to gain elevated privileges within the SAP Business Technology Platform. This could potentially lead to unauthorized access to sensitive data or the ability to perform malicious actions within the system. SAP has taken these vulnerabilities seriously and has promptly released this security patch to ensure the protection of its customers’ systems and data.Google Fixes Nearly 100 Issues
By releasing this December Security Patch Day, SAP demonstrates its commitment to addressing security vulnerabilities promptly and effectively.
It is crucial for organizations utilizing SAP Business Technology Platform to apply this patch as soon as possible to mitigate the risk posed by these critical vulnerabilities. Regularly updating software and promptly applying security patches is an essential practice to maintain the integrity and security of business systems.
“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” security firm Onapsis said.Google Fixes Nearly 100 Issues
Meanwhile, CVE-2023-42481 is an improper access control vulnerability in SAP Commerce Cloud with a CVSS score of 8.1.
“This allows a user who is actually blocked to regain access to the application, leading to considerable impact on confidentiality and integrity,” according to Onapsis.Google Fixes Nearly 100 Issues