During the month, Google patched multiple privilege escalation flaws, as well as information disclosure and denial of service vulnerabilities. The company also released a patch for three Pixel-specific security issues. The Android February patch is already available for Google’s Pixel devices, while Samsung has moved quickly
Google Chrome
Google has released Chrome 110 for its browser, fixing 15 security vulnerabilities, three of which are rated as having a high impact. Tracked as CVE-2023-0696, the first of these is a type confusion bug in the V8 JavaScript engine, Google wrote in a security advisory.
Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate implementation in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. Four medium-severity vulnerabilities include a use after free in GPU, a heap buffer overflow flaw in WebUI, and a type confusion vulnerability in Data Transfer. Two further flaws are rated as having a low impact.
There are no known zero days in February’s Chrome patch, but it’s still a good idea to update your Google software as soon as you can.
Firefox
Mozilla’s privacy-conscious Chrome competitor Firefox received a patch in February to fix 10 flaws it has rated as high severity. CVE-2023-25730
Meanwhile, Mozilla developers have fixed several memory safety bugs in Firefox 110. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla wrote.
VMware
Enterprise software maker VMWare has issued a patch for an injection vulnerability affecting VMware Carbon Black App Control. Tracked as CVE-2023-20858, the flaw has been rated as critical with a maximum CVSSv3 base score of 9.1. “A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system,” VMWare said.
Another VMware patch has been issued to fix an XML External Entity vulnerability affecting VMware vRealize Orchestrator that could lead to privilege escalation. Tracked as CVE-2023-20855, the flaw is rated as important, with a maximum CVSSv3 base score of 8.8.
Citrix
February has been a busy month for Citrix, which has released patches to fix several serious security vulnerabilities. The issues patched this month include CVE-2023-24483, affecting Citrix Virtual Apps and Desktops Windows VDA. “A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA,” Citrix warned in an advisory.
Meanwhile, Citrix identified two vulnerabilities that together could allow a standard Windows user to perform operations as System on a computer running Citrix Workspace, tracked as CVE-2023-24484 and CVE-2023-24485.
Another security flaw in Citrix Workspace app for Linux, CVE-2023-24486, could allow a malicious local user to gain access to the Citrix Virtual Apps and Desktops session of another user.
It goes without saying that if you are a Citrix user, make sure to apply the patches to your affected systems.
SAP
SAP has issued 21 new security notes as part of its February Patch Day, including five ranked as high priority. Tracked as CVE-2023-24523, the most serious of the newly patched flaws is a privilege escalation vulnerability in SAP Start Service with a CVSS score of 8.8.
By taking advantage of the issue, an authenticated non-admin user with local access to a server port assigned to the SAP Host Agent Service can submit a specially crafted web service request with an arbitrary operating system command, security firm Onapsis has warned. This command is executed with administrator privileges and can impact a system’s confidentiality, integrity, and availability, it said.
The two remaining High Priority Notes affect SAP BusinessObjects customers, so if you use the software firm’s systems, get patching as soon as possible.