Fix a Scary Remote-Execution Flaw with an Update of Android


Implications of a Security Vulnerability in Apple’s OS X Operating System for Denial-of-Service Attacks

The new year has kicked off with some hefty security updates released by the likes of Apple, Google, and Microsoft. There were a lot of enterprise patches issued in the month of January.

September is iPhone launch time, which also means the release of Apple’s updated operating system (OS) iOS 16. As expected, Apple released two new operating systems in September, one for the Mac and another for the iPhone.

If you decide not to go with iOS 16, it’s important you apply iOS 15.7 because both updates fix the same 11 flaws, one of which is already being used in real-life attacks.

In the month of June, Apple documented a vulnerability in its OS X operating system. Reported by David Benjamin, a software engineer at Google, the flaw could enable a denial-of-service attack via a maliciously crafted certificate.

Apple’s latest releases include iPadOS 15.7, macOS Big Sur 11.7, macOS Monterey, tvOS 16, and watchOS 9, as well as watchOS 9.0.1 for the Apple Watch Ultra.

Security Updates for the Android Operating System with a CVE-2022-3723 Type Confusion Flaw, and Other Critical Vulnerabilities

October offered another emergency update for the browser maker, this time fixing a type confusion flaw in the V8 JavaScript engine. The flaw was fixed within days of being reported by the researchers, which indicates how serious it is. Google said it is “aware of reports that an exploit for CVE-2022-3723 exists in the wild.”

To keep attackers from getting hold of the details of the vulnerability, a lot of users need to have updated and received the fix.

There is an additional update released for the devices addressing two critical vulnerabilities, which could lead to privilege escalation by an attacker.

The release of iOS 16.1 and iPadOS 16 was pushed back due to the upcoming launch of the latest iPad models. The recent versions of the mobile operating system come with a long list of security fixes and an already exploited flaw.

Patch Tuesday has once again arrived along with fixes for a rather hefty list of 84 flaws. 13 are rated as critical, and one is being used in attacks. A privilege vulnerability in the Windows COM+ Event System Service affects every version of Windows. The flaw could be used with other exploits to take over someone’s machine.

Fixes for two actively exploited bugs were not included in the Patch Tuesday updates. Security vendor GTSC reported the flaws to Microsoft. Researchers warn that the mitigations Microsoft shared can be bypassed.

In December there are security patches coming thick and fast despite the end of the holiday season. The month has seen updates from Apple, Microsoft, and a host of other companies.

How Secure is Your Web? An Apple Perspective on Fixes in the Framework, Browser, Mediatek, Unisoc, and WebRTC

Apple has released iOS 16.3 along with a new feature that allows you to use security keys as an extra layer of protection for your Apple ID. Two of the security fixes available in the latest Apple update can allow code execution and three are in WebKit, the engine that powers the Safari browser.

A malicious file that evades Mark of the Web’s defenses can result in a loss of integrity and availability of security features such as Protected View in Microsoft Office, according to Microsoft.

Among the issues fixed in the Framework, eight are rated as having a high impact. Meanwhile, Google has squashed six bugs in the Kernel, as well as flaws in the System, MediaTek, and Unisoc components.

Meanwhile, CVE-2023-0697 is an inappropriate implementation flaw in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. There are four medium-severity vulnerabilities, one of which is a use-after-free vulnerability. Two further flaws are rated as having a low impact.