The new year has kicked off with some hefty security updates released by the likes of Apple, Google, and Microsoft. January has been a busy time for enterprise patches too, with SAP, VMware, and Oracle among those issuing security fixes during the month. Here’s everything you need to know about the security fixes released in January.
Apple has released iOS 16.3 along with a new feature that allows you to use security keys as an extra layer of protection for your Apple ID. Apple’s latest update also comes with 13 security fixes, including three in WebKit, the engine that powers the Safari browser, two of which could allow code execution.
Another three issues have been patched in the iPhone Kernel at the heart of iOS. One of the vulnerabilities, tracked as CVE-2023-23504, is pretty serious—if exploited, it could result in an app being able to execute code with Kernel privileges.
Apple also released iOS 15.7.3 for users of older iPhones, fixing six security issues including the Kernel code execution bug patched in iOS 16.3. None of the issues fixed in iOS 15.7.3 or iOS 16.3 are believed to have been used in real-life attacks. However, Apple has released iOS 12.5.7 for older devices to patch an already exploited WebKit vulnerability, CVE-2022-42856. The iPhone maker fixed the same bug for smartphones using iOS 15 in December.
Apple’s January updates also include tvOS 16.3, Safari 16.3, macOS Big Sur 11.7.3, macOS Monterey 12.6.3, watchOS 9.3, and macOS Ventura 13.2.
It was a busy start to the year for Google, which has fixed 17 vulnerabilities in its Chrome browser, two of which are rated as having a high impact. The first of the two issues, tracked as CVE-2023-0128, is a use-after-free bug in Overview Mode.
Meanwhile, CVE-2023-0129 is a heap buffer overflow issue in Network Service. Eight of the patched vulnerabilities are marked as having a medium impact, including CVE-2023-0130, an inappropriate implementation bug in Fullscreen, and CVE-2023-0137, a heap buffer overflow issue in Platform Apps.
Later in the month, Google patched six Chrome issues, including two rated as having a high impact. CVE-2023-0471 is a use-after-free bug in WebTransport and CVE-2023-0472 is a use-after-free bug in WebRTC.