Tech giants Apple, Microsoft, and Google each fixed major security flaws in April, many of which were already being used in real-life attacks. Other April patches include fixes for the privacy-focused Firefox browser and for enterprise software from SolarWinds and Oracle.
Here’s everything you need to know about the patches released in April.
Apple has released iOS 16.4.1 to fix two vulnerabilities already being used in attacks. The first is an issue in IOSurfaceAccelerator that could allow an app to execute code with kernel privileges, Apple said.
The second is an issue in WebKit, the engine that powers the Safari browser, that could lead to arbitrary code execution. In both cases, the iPhone maker says, “Apple is aware of a report that this issue may have been actively exploited.”
The WebKit bug means visiting a booby-trapped website could give cybercriminals control over your browser—or over any app that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at a cybersecurity firm.
The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. Taking this into account, Ducklin thinks the security holes could have been used for implanting spyware.
Apple also released an update for users of older iPhones to fix the same already exploited flaws. Meanwhile, the iPhone maker issued macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.
Apple wasn’t the only big tech firm issuing emergency patches in April. Microsoft also released an urgent fix as part of this month’s Patch Tuesday update for an elevation-of-privilege bug in the Windows Common Log File System Driver. An attacker who successfully exploited the flaw could gain system privileges, Microsoft said in an advisory.
Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing labeled as having a critical impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could result in remote code execution on the server side.
The fix was part of a slew of patches for 98 vulnerabilities, so it’s worth checking out the advisory and updating as soon as possible.
Google has issued multiple patches for its Android operating system, fixing several serious holes. The most severe bug is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said. User interaction is not needed for exploitation.
The patched issues include 10 in the Framework, eight of them elevation-of-privilege flaws, and nine others rated as having a high severity. Google fixed 16 bugs in System, including two critical RCE flaws, and several issues in the kernel and SoC components.
The update also includes several further patches, including an elevation-of-privilege flaw in the kernel tracked as CVE-2023-0266. The Android April patch is available for Google’s devices as well as Samsung’s Galaxy S-series models alongside the Fold and Flip series.
At the start of April, Google issued an update to fix 16 issues in its popular Chrome browser, some of which are serious. The patched flaws include CVE-2023-1810, a heap buffer overflow issue in Visuals rated as having a high impact, and CVE-2023-1811, a use-after-free vulnerability in Frames. The remaining 14 security bugs are rated as having a medium or low impact.
Just days later, Google issued another patch, fixing issues including another zero-day flaw tracked as CVE-2023-2136, an integer overflow bug in the Skia graphics engine.