In the midst of the festive season, major software companies, including Google, Microsoft, and Atlassian, are working tirelessly to address critical security vulnerabilities. Google Chrome took the spotlight in November's security patches: Google issued seven security fixes, concluding the month with an emergency patch for an actively exploited flaw, CVE-2023-6345. This vulnerability, an integer overflow issue in Skia, an open-source 2D graphics library, was already being exploited in real-world attacks.
The severity of the situation prompted Google to acknowledge the existence of an exploit “in the wild.” Specific details about the fix were limited, but the flaw was reported by Google’s Threat Analysis Group, hinting at potential spyware-related implications. Alongside this, six other high-impact flaws were addressed, including a type-confusion bug in Spellcheck (CVE-2023-6348) and a use-after-free issue in libavif (CVE-2023-6351).
Earlier in the month, Google had released fixes for 15 security issues, including three high-severity bugs. Notable among these were an inappropriate implementation issue in Payments (CVE-2023-5480), an insufficient data validation flaw in USB (CVE-2023-5482), and an integer overflow issue in USB (CVE-2023-5849).
Mozilla Firefox November Security Patch Highlights
Mozilla Firefox, a competitor to Google Chrome, addressed ten vulnerabilities in November, with six rated as having a high impact. Among these were an out-of-bounds memory access in WebGL2 blitFramebuffer (CVE-2023-6204), a use-after-free issue in MessagePort (CVE-2023-6205), and potential clickjacking of permission prompts during full-screen transitions (CVE-2023-6206). Two memory safety bugs (CVE-2023-6211 and CVE-2023-6212) with a CVSS score of 8.8 were also addressed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.
Google Android and Microsoft Security Updates
The November Android Security Bulletin from Google outlined fixes including eight in the Framework, six of which were elevation of privilege bugs. Additionally, Google addressed seven issues in the System, including a critical bug (CVE-2023-40113) that could lead to local information disclosure. Pixel devices have already received the November update, and it has started rolling out to some Samsung Galaxy devices.
Microsoft’s November Patch Tuesday was noteworthy, addressing 59 vulnerabilities, two of which were actively exploited. An elevation of privilege vulnerability in Windows DWM Core Library (CVE-2023-36033) and a similar flaw in Windows Cloud Files Mini Filter Driver (CVE-2023-36036) were both marked as important. A critical remote code execution vulnerability in Windows Pragmatic General Multicast (CVE-2023-36397) with a CVSS score of 9.8 was also fixed. Microsoft emphasized that exploiting this flaw could allow an attacker to achieve remote code execution by sending a specially crafted file over the network.
As the holiday season unfolds, these critical security updates underscore the ongoing efforts of tech giants to fortify their systems against potential cyber threats. Users are strongly urged to install these November security patches promptly to ensure the security and stability of their devices.