Another already exploited flaw, CVE-2023-21715, is a feature override issue in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in a common Windows registry file system driver.
That’s a lot of zero today’s bugs fixed in one release, so consider it a claim to update Microsoft-based systems as soon as possible.
The February Android update is available, fixing several vulnerabilities in devices running the tech giant’s smartphone software. The most serious of these issues is a vulnerability in the framework component that can lead to local privilege escalation without the need for additional privileges, as Google pointed out in an advisory.
Of the issues identified in the framework, eight were rated as having a high impact. Meanwhile, Google has squashed six Kernel bugs, as well as flaws in System, MediaTek, and Unisoc components.
During the month, Google fixed multiple privilege escalation flaws, as well as information disclosure and denial vulnerabilities. The company also released a patch for three Pixel security issues. The February Android patch is already available for Google’s Pixel devices, while Samsung moved quickly to release the update to users of the Galaxy Note 20 series.
Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate full-screen execution, and CVE-2023-0698 is an out-of-bounds read error in WebRTC. Four medium-severity vulnerabilities include free GPU usage, a buffer overflow bug in WebUI, and a type confusion vulnerability in data transfer. Two other defects were rated as having a low impact.
There are no known zero days in the February Chrome patch, but it’s still a good idea to update your Google software as soon as possible.
Mozilla’s privacy-conscious Chrome rival Firefox received a patch in February to fix 10 flaws it classified as high severity. CVE-2023-25730 is a full-screen browser hack. Mozilla warned that “a background script that calls requestFullscreen and then blocks the main thread may force the browser into full-screen mode indefinitely, resulting in potential user confusion or impersonation attacks.”
Meanwhile, Mozilla developers have fixed several memory security bugs in Firefox 110. “Some of these bugs showed evidence of memory corruption and we assume that with sufficient effort some of these bugs could be exploited to run arbitrary code,” Mozilla wrote.
Enterprise software maker VMWare has released a patch for a security vulnerability affecting the VMware Carbon Black application. Tracked as CVE-2023-20858, the flaw is rated Critical with a maximum CVSSv3 base score of 9.1. “A malicious actor with privileged access to the App Control administrative console may be able to use inputs specifically designed to allow access to the underlying server operating system,” VMWare said.
Another VMware patch has been released to fix an external XML vulnerability affecting VMware vRealize Orchestrator that could lead to privilege escalation. Tracked as CVE-2023-20855, the flaw is rated Important, with a maximum CVSSv3 core score of 8.8.
February was a busy month for Citrix, which released patches to fix several critical security vulnerabilities. The issues fixed this month include CVE-2023-24483, which affects Citrix Virtual Apps and Desktops Windows VDA. “A security vulnerability has been identified that, if exploited, could cause a local user to elevate their privilege level to NT AUTHORITYSYSTEM on the Citrix Virtual Apps and Desktops Windows VDA,” Citrix warned in an advisory.
Meanwhile, Citrix has identified two vulnerabilities that together could allow a standard Windows user to perform system-like operations on a computer running Citrix Workspace, tracked as CVE-2023-24484 and CVE-2023-24485.
Another security flaw in the Citrix Workspace application for Linux, CVE-2023-24486, could allow a malicious local user to access another user’s Citrix Virtual Apps and Desktops session.
It goes without saying that if you are a Citrix user, make sure to apply the patches to the affected systems.
SAP issued 21 new security notes as part of its February Patch Day, including five that were rated as high priority. Tracked as CVE-2023-24523, the most severe newly patched flaw is a privilege escalation vulnerability in the SAP Start service with a CVSS score of 8.8.
Taking advantage of the issue, an authenticated non-administrative user with local access to a server port dedicated to the SAP host proxy service can send a specially prepared Web service request using an arbitrary operating system command, security firm Onapsis warned. This command is executed with administrator privileges and can affect system confidentiality, integrity, and availability.
The remaining two high-priority issues affect SAP BusinessObjects clients, so if you’re on software company systems, get the patch ASAP.