Major Tech Companies Address Zero-Day Vulnerabilities: A September Roundup

As the autumn leaves start to fall, the heat of a zero-day summer continues to burn. Major tech giants like Apple, Microsoft, Google, Cisco, and SAP have been busy patching flaws actively exploited in real-world attacks. Spyware is becoming increasingly prevalent, and everyone should be vigilant. Attacks can infect devices without user interaction, underscoring the importance of updating your operating systems. Let's delve into the patches issued in September by these tech giants.

Apple iOS and iPad OS

Apple had a busy September, launching multiple security updates following a quiet August. One significant update was iOS 16.6.1, an emergency security patch released to fix two vulnerabilities actively exploited in zero-click attacks. These flaws, reported by researchers at the University of Toronto's Citizen Lab, allowed the deployment of spyware through malicious image attachments in iMessages. This attack strategy was dubbed BLASTPASS by the researchers.

The iPhone maker also released its major software upgrade, iOS 17, in mid-September, followed by iOS 17.0.1 a few days later. The latter patch was critical, fixing three iPhone flaws exploited by spyware attacks. Furthermore, Apple released iOS 17.0.2 to correct some early iOS 17 bugs by the end of the month. They also released macOS Sonoma 14, which addressed over 60 vulnerabilities.

Google Android and Google Chrome

Google's Android users also saw significant security updates in September. The monthly patch fixed 33 vulnerabilities, including one already being exploited. Another critical security flaw, which could lead to remote code execution without any additional execution privileges needed, was also addressed. Google's Pixel and Samsung devices, such as the Galaxy S23 and S22 series, have already received the update.

Google also patched ten vulnerabilities in its Chrome browser in September. According to Google, one of these, a heap buffer overflow flaw in vp8 encoding in libvpx, was already being exploited by adversaries. This flaw was used in targeted spyware attacks, confirmed Google security researcher Maddie Stone.

Microsoft

Microsoft's September Patch Tuesday was significant, with around 65 flaws being addressed, two already being exploited by attackers. Users are advised to update their devices promptly to safeguard against these vulnerabilities.

Mozilla Firefox

Firefox had a busy month after Mozilla fixed ten flaws in its privacy-conscious browser. One of these bugs showed evidence of memory corruption and could have been exploited to run arbitrary code.

Cisco

Cisco issued a patch for a vulnerability in the single sign-on implementation of the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. This flaw could allow an unauthenticated, remote attacker to forge credentials to access an affected system.

SAP

SAP issued several vital fixes as part of its September Security Patch Day. This includes a patch for an information disclosure vulnerability in the SAP BusinessObjects Business Intelligence Platform. A successful exploit provides information that can be used in subsequent attacks, leading to a complete application compromise.