By WIRED
December was a hectic month for updates as firms including Apple and Google rushed to get patches out to fix serious flaws in their products before the holiday break.
Enterprise software giants also issued their fair share of patches, with Atlassian and SAP squashing several critical bugs during December.
Here’s what you need to know about the important updates you might have missed during the month.
Apple iOS
In mid-December, Apple released iOS 17.2, a major point upgrade containing features such as the Journal app, as well as 12 security patches. Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow an attacker to execute code.
Another flaw in the iPhone’s Kernel, tracked as CVE-2023-4291, could see an app break out of its secure sandbox, Apple wrote on its support page. Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.
The iOS 17.2 update also put a mechanism in place to prevent a Bluetooth attack using a penetration testing device called Flipper Zero, according to tests by ZDNET and 9to5Mac. The annoying denial of service cyber-assault could cause a flurry of pop ups to appear on an iPhone and eventually lock up the device.
Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.
Just one week after releasing iOS 17.2, Apple issued iOS 17.2.1 and iOS 16.7.4 for older devices, alongside macOS Sonoma 14.2.1. The surprise iPhone update contains unspecified bug and security fixes, while the macOS patch fixes a single flaw tracked as CVE-2023-42940.
Google Android
The Google Android December Security Bulletin was a hefty one, fixing nearly 100 security issues. The update includes patches for two critical issues in the Framework, the most severe of which could lead to remote escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation, Google said.
CVE-2023-40088 is a critical flaw in the System that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug rated as having a high impact.
Google has also issued an update for its smart device WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Security Bulletin has not been posted at the time of writing.
Google Chrome
Google ended a bumper December of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.
It wasn’t the first fix released by Google in December. The software giant also issued a Chrome patch mid-month to fix nine security issues. Of the flaws reported by external researchers, five are rated as having a high severity, including CVE-2023-6702, a type confusion flaw in V8, and four use-after-free bugs.
Discussion about this post