Earlier within the month, Google mounted one other zero-day flaw, a heap buffer overflow difficulty initially tracked as CVE-2023-4863, which it thought impacted solely the Chrome browser. However two weeks after fixing the problem, researchers found it was worse than they thought, affecting the widely-used libwebp picture library for rendering photographs within the WebP format.
Now tracked as CVE-2023-5129, it’s thought the bug impacts each utility that makes use of the libwebp library to course of WebP photographs. “The scope of this vulnerability is way wider than initially assumed, affecting thousands and thousands of various functions worldwide,” safety agency Rezilion wrote in a weblog.
The safety outfit additionally thinks it’s “extremely doubtless” that the underlying difficulty within the libwebp library is identical difficulty leading to CVE-2023-41064—one of many Apple flaws used as a part of the BLASTPASS exploit chain to deploy the NSO Group’s Pegasus spy ware.
Microsoft’s September Patch Tuesday is one to recollect, because it mounted round 65 flaws, two of that are already being exploited by attackers. Tracked as CVE-2023-36761, the primary is a Microsoft Phrase data disclosure vulnerability that would enable NTLM hashes to be uncovered.
The second and most extreme flaw is a privilege-escalation vulnerability in Microsoft Streaming Service Proxy tracked as CVE-2023-36802. An attacker who efficiently exploited this vulnerability may acquire system privileges, Microsoft mentioned, including that exploitation of the flaw has been detected.
Each flaws are marked as essential, so it’s a good suggestion to replace your gadgets as quickly as you may.
Firefox has had a busy month after Mozilla mounted 10 flaws in its privacy-conscious browser. CVE-2023-5168 is an out-of-bounds write bug in FilterNodeD2D1 affecting Firefox on Home windows, rated as having a excessive influence.
CVE-2023-5170 is a flaw that would lead to reminiscence leak from a privileged course of. This might be used to impact a sandbox escape if the right information was leaked, Firefox proprietor Mozilla mentioned in an advisory.
In the meantime, CVE-2023-5176 covers reminiscence security bugs mounted in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. “A few of these bugs confirmed proof of reminiscence corruption and we presume that with sufficient effort a few of these may have been exploited to run arbitrary code,” Mozilla mentioned.
Initially of the month, Cisco issued a patch for a vulnerability within the single sign-on implementation of Cisco BroadWorks Software Supply Platform and Cisco BroadWorks Xtended Companies Platform that would enable an unauthenticated, distant attacker to forge credentials to entry an affected system. Tracked as CVE-2023-20238, the flaw has been given a most CVSS rating of 10.
Additionally this month, Cisco patched a zero-day in Adaptive Safety Equipment and Firepower Menace Protection software program already exploited in Akira ransomware assaults. Tracked as CVE-2023-20269 and with a medium severity CVSS rating of 5, the vulnerability within the distant entry VPN characteristic of Cisco Adaptive Safety Equipment (ASA) Software program and Cisco Firepower Menace Protection (FTD) Software program may enable an unauthenticated, distant attacker to conduct a brute-force assault to determine legitimate username and password combos.
Enterprise software program agency SAP has issued a number of essential fixes as a part of its September Safety Patch Day. This features a patch for CVE-2023-40622, an data disclosure vulnerability in SAP BusinessObjects Enterprise Intelligence Platform with a CVSS rating of 9.9. “A profitable exploit offers data that can be utilized in subsequent assaults, main to an entire compromise of the appliance,” safety agency Onapsis mentioned.
CVE-2023-40309 is a lacking authorization test difficulty in SAP CommonCryptoLib with a CVSS rating of 9.8. The flaw may end up in an escalation of privileges and within the worst case, attackers can compromise the affected utility utterly, Onapsis mentioned.
In the meantime, CVE-2023-42472 is an inadequate file sort validation flaw in SAP BusinessObjects Enterprise Intelligence Platform with a CVSS rating of 8.7.