Apple, Google and Microsoft released major patches this month to fix multiple security flaws that had already been used in attacks. May is also a pivotal month for enterprise software, with GitLab, SAP and Cisco releasing fixes for multiple bugs in their products.
Here’s everything you need to know about the security updates released in May.
Apple iOS and iPadOS 16.5
Apple has released its long-awaited point update, iOS 16.5, which addresses 39 issues, three of which have been exploited in the wild. The iOS update patches vulnerabilities in the operating system’s core kernel and in WebKit, the engine that powers the Safari browser. The three exploited vulnerabilities are among five fixed in WebKit and are designated CVE-2023-32409, CVE-2023-28204 and CVE-2023-32373.
Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab reported CVE-2023-32409, an issue that could allow a remote attacker to break out of the Web Content sandbox. CVE-2023-28204 is a flaw that could expose users to the disclosure of sensitive information. Finally, CVE-2023-32373 is a use-after-free bug that could enable arbitrary code execution.
Earlier this month, Apple released iOS 16.4.1 (a) and iPadOS 16.4.1 (a), the iPhone maker’s first Rapid Security Response updates, which fix the latter two exploited WebKit vulnerabilities; both were also patched in iOS 16.5.
iOS and iPadOS 16.5 were released alongside iOS 15.7.6 and iPadOS 15.7.6 for older iPhones and iPads, iTunes 12.12.9 for Windows, Safari 16.5, macOS Big Sur 11.7.7, macOS Ventura 13.4 and macOS Monterey 12.6.6.
Apple also released its first security update for Beats and AirPods headphones.
Microsoft’s mid-month Patch Tuesday fixes 40 security issues, two of which are zero-day vulnerabilities that have already been used in attacks. The first, CVE-2023-29336, is an elevation-of-privilege bug in the Win32k driver that could allow an attacker to gain SYSTEM privileges.
The second critical flaw, CVE-2023-24932, is a Secure Boot security feature bypass issue that could allow code execution by a privileged attacker. “An attacker who successfully exploited this vulnerability could bypass Secure Boot,” Microsoft said, adding that the vulnerability is difficult to exploit: “Successful exploitation of this vulnerability would require an attacker to compromise administrator credentials on the device.”
The company warns that installing the security update alone is not a complete fix: the update addresses the vulnerability by changing the Windows Boot Manager, which could cause problems on some systems. Microsoft said additional manual steps are currently required to fully mitigate the vulnerability, and affected users should follow its guidance to apply them.
Google released the latest Android security patch, fixing 40 vulnerabilities, including a kernel vulnerability that has been exploited. These updates also include fixes for issues in the Android framework, system, kernel, MediaTek, Unisoc, and Qualcomm components.
The most serious of these issues is a high-severity security vulnerability in the Framework component that could lead to local privilege escalation, Google said, adding that user interaction is required to exploit it.
CVE-2023-0266, a kernel issue previously associated with commercial spyware vendors, could lead to local privilege escalation. Exploitation requires no user interaction.