Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

Tech giants Apple, Microsoft, and Google each fixed major security flaws in April, many of which were already being used in real-life attacks. Other firms to issue patches include privacy-focused browser Firefox and enterprise software providers SolarWinds and Oracle.

Here’s everything you need to know about the patches released in April.

Apple

Hot on the heels of iOS 16.4, Apple has released the iOS 16.4.1 update to fix two vulnerabilities already being used in attacks. CVE-2023-28206 is an issue in the IOSurfaceAccelerator that could see an app able to execute code with kernel privileges, Apple said on its support page.

CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, that could lead to arbitrary code execution. In both cases, the iPhone maker says, “Apple is aware of a report that this issue may have been actively exploited.”

The bug means visiting a booby-trapped website could give cybercriminals control over your browser—or any app that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at cybersecurity firm Sophos.

The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. Taking this into account, Ducklin thinks the security holes could have been used for implanting spyware.

Apple also released iOS 15.7.5 for users of older iPhones to fix the same already exploited flaws. Meanwhile, the iPhone maker issued macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.

Microsoft

Apple wasn’t the only big tech firm issuing emergency patches in April. Microsoft also released an urgent fix as part of this month’s Patch Tuesday update. CVE-2023-28252 is an elevation-of-privilege bug in the Windows Common Log File System Driver. An attacker who successfully exploited the flaw could gain system privileges, Microsoft said in an advisory.

Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing labeled as having a critical impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could result in remote code execution on the server side.

The fix was part of a slew of patches for 98 vulnerabilities, so it’s worth checking out the advisory and updating as soon as possible.

Google Android

Google has issued multiple patches for its Android operating system, fixing several serious holes. The most severe bug is a critical security vulnerability in the system component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin. User interaction is not needed for exploitation.

The patched issues include 10 in the framework, including eight elevation-of-privilege flaws, and nine others rated as having a high severity. Google fixed 16 bugs in the system including two critical RCE flaws and several issues in the kernel and SoC components.
