Google Addresses Seventh Zero-Day Vulnerability in Chrome

Despite the festive season, tech companies remain vigilant, rolling out fixes for critical security vulnerabilities. Microsoft, Google, and enterprise software firm Atlassian have all released patches to address vulnerabilities exploited in ongoing attacks. Cisco has also addressed a significant bug, receiving a near-maximum CVSS score of 9.9.

Here's a comprehensive overview of the November patches:

**Google Chrome:**

Google concluded November with a noteworthy announcement, releasing seven security fixes for Chrome. Among these, an emergency patch was issued to address an actively exploited vulnerability tracked as CVE-2023-6345. This flaw involves an integer overflow issue in Skia, an open-source 2D graphics library. Google acknowledged the existence of an exploit in the wild for CVE-2023-6345. The patch details remain somewhat undisclosed, but it was reported by Benoît Sevens and Clément Lecigne from Google's Threat Analysis Group, suggesting potential ties to spyware activities.

The six other high-impact flaws fixed by Google include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.

Earlier in the month, Google addressed 15 security issues in Chrome, with three rated as highly severe. Notably, CVE-2023-5480 highlighted an inappropriate implementation issue in Payments, CVE-2023-5482 addressed insufficient data validation in USB with a CVSS score of 8.8, and CVE-2023-5849 tackled an integer overflow issue in USB.

**Mozilla Firefox:**

Firefox, a competitor to Chrome, addressed 10 vulnerabilities in November, six of which were deemed highly impactful. CVE-2023-6204 identified an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 addressed a use-after-free issue in MessagePort.

CVE-2023-6206 raised concerns about clickjacking permission prompts during full-screen transitions. Mozilla noted the potential for surprising users by exploiting the timing of the black fade animation and the anti-clickjacking delay on permission prompts.

Memory safety bugs were also fixed, with CVE-2023-6212 and CVE-2023-6212 both receiving a CVSS score of 8.8. These bugs impacted Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

**Google Android:**

Google's November Android Security Bulletin outlined fixes, including eight in the Framework, six of which were elevation of privilege bugs. One particularly severe flaw could lead to local escalation of privilege without requiring additional execution privileges. Additionally, seven issues in the System were addressed, with CVE-2023-40113 being a critical bug potentially leading to local information disclosure without additional execution privileges.

November updates have already been rolled out to Google's Pixel devices, with some additional fixes. Samsung's Galaxy line is also starting to receive the November Android Security Bulletin.

**Microsoft:**

Microsoft's Patch Tuesday for November addressed 59 vulnerabilities, two of which were actively exploited. CVE-2023-36033, an elevation of privilege vulnerability in Windows DWM Core Library, and CVE-2023-36036, an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver, were both marked as important with a CVSS score of 7.8.

The update also resolved the previously exploited libWep flaw, impacting Chrome and other browsers, as tracked by CVE-2023-4863. Another critical flaw, CVE-2023-36397, involved a remote code execution vulnerability in Windows Pragmatic General Multicast, with a CVSS score of 9.8.

**Cisco:**

Cisco addressed 27 security flaws, with one rated as critical and receiving a near-maximum CVSS score of 9.9. CVE-2023-20048, a vulnerability in the web services interface of Cisco Firepower Management Center Software, could allow an authenticated, remote attacker to execute unauthorized configuration commands. Successful exploitation would require valid credentials on the FMC Software.

Seven other flaws were rated as highly impactful, including CVE-2023-20086, a denial-of-service flaw, and CVE-2023-20063, a code-injection vulnerability.

**Atlassian:**

Atlassian released a patch for a critical flaw, CVE-2023-22518, in Confluence Data Center and Server. This vulnerability, already exploited in real-life attacks, is being utilized in ransomware attacks. Trend Micro reported the Cerber ransomware group's involvement, noting its focus on exploiting remote code execution vulnerabilities in Atlassian's GitLab servers in 2021. The Confluence flaw allows an unauthenticated attacker to reset Confluence and create an administrator account, leading to a complete compromise of confidentiality, integrity, and availability.

**SAP:**

Enterprise software giant SAP addressed three new flaws in its November Security Patch Day. The most severe issue, CVE-2023-31403, with a CVSS score of 9.6, was an improper access control vulnerability in SAP Business One. Exploitation could enable a malicious user to read and write to the SMB shared folder.

Stay proactive in maintaining the security of your systems by promptly applying these updates.