Table of Contents
It’s time to check your software updates. Major patches were released in March for Apple’s iOS, Google’s Chrome and its privacy-conscious competitor Firefox. Bugs have also been fixed by major software giants such as Cisco, VMware and SAP.
Here’s what you need to know about the security updates released in March.
Apple iOS
Apple compensated for a quiet February by releasing two separate patches in March. At the beginning of the month, the iPhone maker released iOS 17.4, which fixed more than 40 bugs, including two that are already used in real-world attacks.
Tracked as CVE-2024-23225, the first bug in the iPhone kernel could allow an attacker to bypass memory protection. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its website support page.
The second flaw in RTKit, the real-time operating system used in devices such as AirPods, is tracked as CVE-2024-23296 and could also allow an adversary to bypass kernel memory protections.
Later in March, Apple released a second software update, iOS 17.4.1, this time to confirm two errors in the iPhone software, both tracked as CVE-2024-1580. Using the issues fixed in iOS 17.4.1, an attacker can execute code if they persuade someone to interact with an image.
Shortly after the release of iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1, and macOS Ventura 13.6.6.
Google Chrome
March was another hectic month for Google, which fixed several bugs in its Chrome browser. Mid-month, Google issued 12 patches, including a fix for CVE-2024-2625, a high severity object lifecycle issue in V8.
The moderate issues include CVE-2024-2626, an out-of-bounds read in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an improper implementation issue in Downloads.
At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE, followed as CVE-2024-2883. Two other use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, received a high severity rating. In the meantime, CVE-2024-2887 is a type confusion error in WebAssembly.
The last two issues were exploited during the Pwn2Own 2024 hacking competition, so you should update your Chrome browser as soon as possible.
Mozilla Firefox
Mozilla’s Firefox had a busy March after that patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript execution flaw in event handlers that could lead to sandbox escape. Both issues are assessed as having a critical impact.
Earlier this month, Mozilla issued Firefox 124 will address twelve security issues, including CVE-2024-2605, a sandbox escape flaw that affects Windows operating systems. An attacker could have used the Windows Error Reporter to execute arbitrary code on the system and escape the sandbox, Mozilla said.
CVE-2024-2615 addresses critical memory safety bugs in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we believe that with sufficient effort they could have been exploited to execute arbitrary code,” Mozilla said. .
GoogleAndroid
Google has released its March Android security bulletinwhich fixed nearly 40 issues in the mobile operating system, including two critical bugs in the system component. CVE-2024-0039 is a remote code execution flaw, while CVE-2024-23717 is an elevation of privilege vulnerability.
“The most serious of these issues is a critical security vulnerability in the system component that could allow remote code execution without the need for additional execution privileges,” Google said in its advisory.