Apple, Google, and Microsoft released major patches this month to fix several vulnerabilities already used in attacks. May was also a critical month for enterprise software, as GitLab, SAP, and Cisco released fixes for multiple bugs in their products.
Here’s everything you need to know about the security updates released in May.
Apple iOS and iPadOS 16.5
Apple has released its long-awaited iOS 16.5 update, which addresses 39 issues, three of which are already being exploited in real-life attacks. The iOS upgrade patches vulnerabilities in the Kernel at the heart of the operating system and in WebKit, the engine that powers the Safari browser. The three already exploited flaws, tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, are among five WebKit flaws fixed.
CVE-2023-32409 is an issue that could allow an attacker to remotely break out of a web content sandbox, according to Clément Lecigne of Google’s Threat Analysis Group and Donncha Cearbhaill of the AI Security Lab. CVE-2023-28204 is a flaw that could lead to the disclosure of sensitive user information. Finally, CVE-2023-32373 is a null bug that could enable arbitrary code execution.
Earlier in the month, Apple released iOS 16.4.1(a) and iPadOS 16.4.1(a) — iPhone’s first-ever Rapid Security Response update — fixing the latter two WebKit flaws, which were also patched in iOS 16.5.
Apple iOS and iPadOS 16.5 were released alongside iOS 15.7.6 and iPadOS 15.7.6 for older iPhones, as well as iTunes 12.12.9 for Windows, Safari 16.5, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.
Apple also released its first security update for Beats headphones and AirPods.
Microsoft’s mid-month Patch Tuesday release fixed 40 security issues, two of which were flaws that had already been used in attacks. The first zero-day vulnerability, CVE-2023-29336, is an elevation-of-privilege flaw in the Win32k driver that could allow an attacker to gain SYSTEM privileges.
The second critical flaw, CVE-2023-24932, is a Secure Boot security feature bypass issue that could allow a privileged attacker to execute code. “An attacker who successfully exploits this vulnerability can bypass Secure Boot,” Microsoft said, adding that it is difficult to exploit the vulnerability: “Successful exploitation of this vulnerability requires an attacker to compromise administrator credentials on the device.”
The company warned that the security update isn’t a complete fix: it addresses the vulnerability by updating the Windows Boot Manager, which could cause problems. Microsoft said additional steps are required at this time to mitigate the vulnerability and outlined the steps affected users can take.
Google has released the latest Android security patches, fixing 40 flaws, including an already exploited Kernel vulnerability. The updates also include fixes for issues in the Android Framework, System, Kernel, MediaTek, Unisoc, and Qualcomm components.
The most severe of these issues is a highly critical vulnerability in the Framework component that could lead to local privilege escalation, Google said, adding that user interaction is necessary for exploitation.
Previously associated with commercial spyware vendors, CVE-2023-0266 is a Kernel issue that could lead to local privilege escalation. User interaction is not necessary for exploitation.