Headline
You Should Update Apple iOS and Google Chrome ASAP
Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.
It’s time to check your software updates. March has seen the release of important patches for Apple’s iOS, Google’s Chrome, and its privacy-conscious competitor Firefox. Bugs have also been squashed by enterprise software giants including Cisco, VMware, and SAP.
Here’s what you need to know about the security updates issued in March.
Apple iOS
Apple made up for a quiet February by issuing two separate patches in March. At the start of the month, the iPhone maker released iOS 17.4, fixing over 40 flaws including two issues already being used in real-life attacks.
Tracked as CVE-2024-23225, the first bug in the iPhone Kernel could allow an attacker to bypass memory protections. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.
Tracked as CVE-2024-23296, the second flaw, in RTKit, the real-time operating system used in devices including AirPods, could also allow an adversary to bypass Kernel memory protections.
Later in March, Apple released a second software update, iOS 17.4.1, this time fixing two flaws in its iPhone software, both tracked as CVE-2024-1580. Using the issues patched in iOS 17.4.1, an attacker could execute code if they convinced someone to interact with an image.
Soon after issuing iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1 and macOS Ventura 13.6.6.
Google Chrome
March was another hectic month for Google, which patched multiple flaws in its Chrome browser. Mid-way through the month, Google released 12 patches, including a fix for CVE-2024-2625, an object-lifecycle issue in V8 with a high severity rating.
Medium-severity issues include CVE-2024-2626, an out-of-bounds read bug in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an inappropriate implementation issue in Downloads.
At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE tracked as CVE-2024-2883. Two further use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, were given a high-severity rating. Meanwhile, CVE-2024-2887 is a type-confusion flaw in WebAssembly.
The last two issues were exploited at the Pwn2Own 2024 hacking contest, so you should update your Chrome browser ASAP.
Mozilla Firefox
Mozilla’s Firefox had a busy March, after patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript Execution flaw in Event Handlers that could lead to sandbox escape. Both issues are rated as having a critical impact.
Earlier in the month, Mozilla released Firefox 124 to address 12 security issues, including CVE-2024-2605, a sandbox-escape flaw affecting Windows operating systems. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system, escaping the sandbox, Mozilla said.
CVE-2024-2615 sees critical-rated memory safety bugs fixed in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort [they] could have been exploited to run arbitrary code,” Mozilla said.
Google Android
Google has released its March Android Security Bulletin, fixing nearly 40 issues in its mobile operating system, including two critical bugs in its system component. CVE-2024-0039 is a remote code-execution flaw, while CVE-2024-23717 is an elevation-of-privilege vulnerability.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google said in its advisory.
Related news
Google has revealed that a security flaw that was patched as part of a security update rolled out last week to its Chrome browser has come under active exploitation in the wild. Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine. "Inappropriate implementation in V8 in Google Chrome prior to
Google has rolled out security fixes to address a high-severity security flaw in its Chrome browser that it said has come under active exploitation in the wild. Tracked as CVE-2024-7971, the vulnerability has been described as a type confusion bug in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap
Gentoo Linux Security Advisory 202407-22 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could arbitrary code execution. Versions greater than or equal to 115.9.1:esr are affected.
Apple Security Advisory 05-13-2024-5 - macOS Ventura 13.6.7 addresses bypass vulnerabilities.
Apple Security Advisory 05-13-2024-3 - iOS 16.7.8 and iPadOS 16.7.8 addresses bypass vulnerabilities.
Debian Linux Security Advisory 5686-1 - Nick Galloway discovered an integer overflow in dav1d, a fast and small AV1 video stream decoder which could result in memory corruption.
Ubuntu Security Notice 6710-2 - USN-6710-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Manfred Paul discovered that Firefox did not properly perform bounds checking during range analysis, leading to an out-of-bounds write vulnerability. A attacker could use this to cause a denial of service, or execute arbitrary code. Manfred Paul discovered that Firefox incorrectly handled MessageManager listeners under certain circumstances. An attacker who was able to inject an event handler into a privileged object may have been able to execute arbitrary code.
Red Hat Security Advisory 2024-1485-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1484-03 - An update for firefox is now available for Red Hat Enterprise Linux 8. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.
Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Apple Security Advisory 03-25-2024-1 - Safari 17.4.1 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 03-25-2024-2 - macOS Sonoma 14.4.1 addresses code execution and out of bounds write vulnerabilities.
Google has released an update for Chrome to fix seven security vulnerabilities.
Red Hat Security Advisory 2024-1491-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1490-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1489-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1488-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1487-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include integer overflow, out of bounds write, and use-after-free vulnerabilities.
Mozilla released an update of Firefox to fix two critical security vulnerabilities that together allowed an attacker to escape the sandbox.
Mozilla released an update of Firefox to fix two critical security vulnerabilities that together allowed an attacker to escape the sandbox.
Apple Security Advisory 03-07-2024-7 - visionOS 1.1 addresses buffer overflow, bypass, code execution, and out of bounds read vulnerabilities.
Apple Security Advisory 03-07-2024-7 - visionOS 1.1 addresses buffer overflow, bypass, code execution, and out of bounds read vulnerabilities.
Apple Security Advisory 03-07-2024-6 - tvOS 17.4 addresses buffer overflow, bypass, and code execution vulnerabilities.
Apple Security Advisory 03-07-2024-6 - tvOS 17.4 addresses buffer overflow, bypass, and code execution vulnerabilities.
Apple Security Advisory 03-07-2024-5 - watchOS 10.4 addresses buffer overflow, bypass, and code execution vulnerabilities.
Apple Security Advisory 03-07-2024-5 - watchOS 10.4 addresses buffer overflow, bypass, and code execution vulnerabilities.
Apple Security Advisory 03-07-2024-4 - macOS Monterey 12.7.4 addresses buffer overflow, bypass, code execution, and out of bounds write vulnerabilities.
Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple's new macOS Sonoma addresses at least 68 security weaknesses, and its latest updates for iOS fixes two zero-day flaws.
Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple's new macOS Sonoma addresses at least 68 security weaknesses, and its latest updates for iOS fixes two zero-day flaws.
Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited.
Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited.