Apple and Google Just Patched Their First Zero-Day Flaws of the Year

Later in January, Google launched Chrome 121 to the secure channel, fixing 17 safety points, three of that are rated as having a excessive affect. These embody CVE-2024-0807, a use-after-free flaw in WebAudio, and CVE-2024-0812, an inappropriate implementation vulnerability in accessibility. The ultimate high-impact vulnerability is CVE-2024-0808, an integer underflow in WebUI.

Clearly, these updates are essential, so test and apply them as quickly as you possibly can.

Microsoft

Microsoft’s January Patch Tuesday squashes almost 50 bugs in its common software program, together with 12 distant code execution (RCE) flaws.

No safety holes included on this month’s set of updates are recognized to have been utilized in assaults, however notable flaws embody CVE-2024-20677, a bug in Microsoft Workplace that might permit attackers to create malicious paperwork with embedded FBX 3D mannequin information to execute code.

To mitigate this vulnerability, the power to insert FBX information has been disabled in Phrase, Excel, PowerPoint, and Outlook for Home windows and Mac. Variations of Workplace that had this characteristic enabled will now not have entry to it, Microsoft mentioned.

In the meantime, CVE-2024-20674 is a Home windows Kerberos safety characteristic bypass vulnerability rated as crucial with a CVSS rating of 8.8. In a single situation for this vulnerability, the attacker may persuade a sufferer to hook up with an attacker-controlled malicious utility, Microsoft mentioned. “Upon connecting, the malicious server may compromise the protocol,” the software program big added.

Mozilla Firefox

Sizzling on the heels of its market-dominant competitor Chrome, Mozilla’s Firefox has patched 15 safety flaws in its newest replace. 5 of the bugs are rated as having a excessive severity, together with CVE-2024-0741, an out-of-bounds write subject in Angle that might permit an attacker to deprave reminiscence, resulting in an exploitable crash.

An unchecked return worth in TLS handshake code tracked as CVE-2024-0743 may additionally trigger an exploitable crash.

CVE-2024-0755 covers reminiscence security bugs fastened in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. “A few of these bugs confirmed proof of reminiscence corruption and we presume that with sufficient effort a few of these may have been exploited to run arbitrary code,” Mozilla said.

Cisco

Enterprise software program big Cisco has patched a vulnerability in a number of Cisco Unified Communications and Contact Middle Options merchandise that might permit an unauthenticated, distant attacker to execute arbitrary code on an affected system.

Tracked as CVE-2024-20253 and with a whopping CVSS rating of 9.9, Cisco mentioned an attacker may exploit the vulnerability by sending a crafted message to a listening port of an affected system.

“A profitable exploit may permit the attacker to execute arbitrary instructions on the underlying working system with the privileges of the online providers consumer,” Cisco mentioned. “With entry to the underlying working system, the attacker may additionally set up root entry on the affected system,” it warned.

SAP

SAP has issued 10 new safety fixes as a part of its January Security Patch Day, which incorporates a number of points with a CVSS rating of 9.1. CVE-2023-49583 is an escalation-of-privilege subject in functions developed by way of SAP Enterprise Software Studio, SAP Net IDE Full-Stack, and SAP Net IDE for SAP HANA.

In the meantime, CVE-2023-50422 and CVE-2023-49583 are escalation-of-privilege points in SAP Edge Integration Cell.

One other notable flaw is CVE-2024-21737, a code injection vulnerability in SAP Software Interface Framework, which has a CVSS rating of 8.4. “A weak operate module of the appliance permits an attacker to traverse by way of numerous layers and execute OS instructions instantly,” safety agency Onapsis said. “Profitable exploits may cause appreciable affect on confidentiality, integrity, and availability of the appliance.”