Google Fixes Serious Security Flaws in Chrome and Android

August has ended the summer in style with multiple patches issued by Microsoft, Google Chrome, and its competitor Firefox to fix serious issues, some of which are being used in attacks.

While there was no Apple iPhone update at the time of writing, some major enterprise fixes were released during the month. These include patches for exploited flaws in Ivanti products, as well as fixes for vulnerabilities in SAP and Cisco software.

Read on for everything you need to know about the patches issued in August.

Microsoft

Microsoft’s August Patch Tuesday saw the software giant fixing dozens of vulnerabilities, including two already being used in real-world attacks. The first is a Defense in Depth update to CVE-2023-36884, a remote code execution (RCE) flaw in Windows Search that could allow attackers to bypass Microsoft’s Mark of the Web security feature. If it sounds familiar, that’s because Microsoft already fixed the vulnerability in July. But installing the latest update “stops the attack chain” leading to the issue, Microsoft said.

The second flaw, CVE-2023-38180, is an issue in .NET and Visual Studio that could allow an adversary to cause a denial of service.

Six of the issues fixed in August’s Patch Tuesday are rated as critical, including CVE-2023-36895—an RCE flaw in the Outlook email client. Meanwhile, CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 are RCE issues in the Microsoft Message Queuing service, according to the Security Update Guide.

The fifth and sixth critical issues fixed by Microsoft in August are CVE-2023-29328 and CVE-2023-29330, both of which are RCE flaws in Teams.

Google Chrome

August kicked off with a slew of updates for Chrome 115, including nine rated as having a high impact. The 17 patches include three type-confusion flaws in V8: CVE-2023-4068, CVE-2023-4069, and CVE-2023-4070. CVE-2023-4071 is a heap buffer overflow issue in Visuals, and CVE-2023-4076 is a use-after-free flaw in WebRTC.

A couple of weeks later, Google issued Chrome 116 to patch 26 vulnerabilities, eight of which are rated as having a high impact. The most serious issues include CVE-2023-2312—a use-after-free bug in Offline—and CVE-2023-4349, a use-after-free flaw in Device Trust Connectors. A third, CVE-2023-4350, is an inappropriate implementation bug in Fullscreen.

Then, on August 23, Google released the first of its more regular weekly security updates, patching five flaws. The four vulnerabilities rated as having a high impact include two use-after-free bugs and two out-of-bounds memory access issues.

Firefox

Google Chrome’s privacy-focused competitor Firefox also had a hectic August, fixing more than a dozen vulnerabilities in Firefox 116. The issues patched by Firefox owner Mozilla include CVE-2023-4045, an issue in Offscreen Canvas rated as high, and CVE-2023-4047, a bug in popup notifications delay calculation that could allow an attacker to trick a user into granting permissions.

The update also patches memory safety bugs tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058. The flaws fixed in the latest update “showed evidence of memory corruption,” Mozilla said. “We presume that with enough effort, some of these could have been exploited to run arbitrary code.”

Google Android

Google has issued 40 updates for its Android operating system including patches for serious flaws in the Framework, System, and Kernel. Tracked as CVE-2023-21273, the most severe bug fixed in August is a critical security vulnerability in the System component that could lead to RCE with no additional execution privileges needed. User interaction is not required for exploitation, Google said in its Android Security Bulletin.

Meanwhile, CVE-2023-21282 is an RCE flaw in the Media Framework also marked as having a critical impact. Another critical issue in the Kernel, tracked as CVE-2023-21264, could lead to local escalation of privilege, although System execution privileges are needed.

None of the issues fixed in the release are being used in attacks, but some are pretty severe, so it makes sense to update when you can. The update is available for Google’s Pixel devices as well as Samsung smartphones including the Galaxy S23.

Ivanti

IT software maker Ivanti has issued several notable patches during August, including fixes for flaws being used in real-world attacks. Tracked as CVE-2023-35081, a path traversal vulnerability in Ivanti Endpoint Manager Mobile (EPMM)—formerly known as MobileIron Core—allows an attacker to write arbitrary files on the web application server. The adversary could then execute the uploaded file, for example, a web shell, according to a warning by the Cybersecurity and Infrastructure Security Agency.

“Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now,” Ivanti said in an advisory, adding, “It is critical that you immediately take action to ensure you are fully protected.”

The patch came after government ministries in Norway were targeted by another Ivanti EPMM flaw tracked as CVE-2023-35078. Ivanti said this bug can be combined with CVE-2023-35081 to bypass admin authentication.

August was an eventful month for Ivanti, which also discovered a vulnerability in Ivanti Sentry that it said is already being exploited. Tracked as CVE-2023-38035, the flaw enables an unauthenticated actor to access sensitive application programming interfaces (APIs) used to configure the Ivanti Sentry on the administrator portal (port 8443).

While the issue has been given a CVSS score of 9.8, Ivanti said there is a “low risk of exploitation” for customers who do not expose port 8443 to the internet.

Cisco

Enterprise software firm Cisco has released patches for multiple flaws in its products, some of which are rated as having a high severity. Tracked as CVE-2023-20197 with a CVSS score of 7.5, one of the worst issues is a vulnerability in the filesystem image parser for Hierarchical File System Plus of ClamAV that could allow an unauthenticated, remote attacker to cause a denial of service on an affected device.

Meanwhile, a vulnerability in the Intermediate System-to-Intermediate System protocol of Cisco NX-OS Software for the Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated attacker to cause the IS-IS process to unexpectedly restart and a device to reload.

SAP

August was an eventful Security Patch Day for SAP, which released a new set of fixes to address vulnerabilities in its products. Multiple flaws have been fixed in SAP PowerDesigner, including one tracked as CVE-2023-37483 and with a CVSS score of 9.8. “The only thing that prevents the vulnerability from being rated with the maximum CVSS score of 10 is that the scope keeps unchanged during a successful exploit,” security firm Onapsis said.

The flaws fixed in August also include CVE-2023-39437, a Cross-Site Scripting vulnerability in SAP Business One. Another high-priority fix is a patch for a Binary hijack in SAP BusinessObjects Business Intelligence Suite, which is tracked as CVE-2023-37490 and has a CVSS score of 7.6.
