December was a hectic month for updates, as companies like Apple and Google rushed to release patches to fix serious flaws in their products before the holidays.
Enterprise software giants also released quite a few patches, with Atlassian and SAP fixing a number of critical bugs in December.
Here’s what you need to know about the important updates you may have missed during the month.
Apple iOS
In mid-December, Apple released iOS 17.2, a major upgrade with features like the Journal app and twelve security patches. Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow an attacker to execute code.
Another flaw in the iPhone’s kernel, tracked as CVE-2023-4291, could allow an app to break out of its secure sandbox, Apple wrote on its support page. Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.
The iOS 17.2 update also introduced a mechanism to block a Bluetooth attack carried out with the Flipper Zero, a so-called penetration testing device, according to tests by ZDNET and 9to5Mac. The denial-of-service attack can cause a series of pop-ups to appear on an iPhone and eventually lock the device.
Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2, and watchOS 10.2.
Just a week after releasing iOS 17.2, Apple released iOS 17.2.1, and iOS 16.7.4 for older devices, along with macOS Sonoma 14.2.1. The surprise iPhone update includes unspecified bug and security fixes, while the macOS patch fixes a single flaw tracked as CVE-2023-42940.
Google Android
The Google Android December Security Bulletin was a big one, fixing almost 100 security issues. The update includes patches for two critical issues in the Framework, the most serious of which could allow remote escalation of privilege without the need for additional privileges. User interaction is not necessary for exploitation, Google said.
CVE-2023-40088 is a critical flaw in the System component that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug that is rated as high impact.
Google also issued an update for its WearOS smart device platform, fixing CVE-2023-40094, a privilege escalation flaw. The Pixel Security Bulletin had not yet been posted at the time of writing.
Google Chrome
Google ended a December full of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability to hit Chrome in 2024, CVE-2023-7024, is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.
It wasn’t the first fix Google released in December. The software giant also issued a Chrome patch mid-month to fix nine security issues. Of the flaws reported by third-party researchers, five are rated as high severity, including CVE-2023-6702, a type confusion bug in V8, and four use-after-free bugs.