Atualizações de segurança importantes para Janeiro
Later in January, Google released Chrome 121 to the stable channel, fixing 17 security issues, three of which are rated as having a high impact. These include CVE-2024-0807, a use-after-free flaw in WebAudio, and CVE-2024-0812, an inappropriate implementation vulnerability in accessibility. The final high-impact vulnerability is CVE-2024-0808, an integer underflow in WebUI.
Obviamente, essas atualizações são importantes, então verifique e aplique-as assim que possível.
Patch Tuesday de Janeiro da Microsoft
Microsoft’s January Patch Tuesday squashes nearly 50 bugs in its popular software, including 12 remote code execution (RCE) flaws.
No security holes included in this month’s set of updates are known to have been used in attacks, but notable flaws include CVE-2024-20677, a bug in Microsoft Office that could allow attackers to create malicious documents with embedded FBX 3D model files to execute code.
Para mitigar essa vulnerabilidade, a capacidade de inserir arquivos FBX foi desativada no Word, Excel, PowerPoint e Outlook para Windows e Mac. As versões do Office que tinham esse recurso ativado não terão mais acesso a ele, disse a Microsoft.
Atualização de Segurança no Mozilla Firefox
Hot on the heels of its market-dominant competitor Chrome, Mozilla’s Firefox has patched 15 security flaws in its latest update. Five of the bugs are rated as having a high severity, including CVE-2024-0741, an out-of-bounds write issue in Angle that could allow an attacker to corrupt memory, leading to an exploitable crash.
CVE-2024-0755 covers memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.
Vulnerabilidade Crítica Corrigida pela Cisco
Enterprise software giant Cisco has patched a vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. Tracked as CVE-2024-20253 and with a whopping CVSS score of 9.9, an attacker could exploit the vulnerability by sending a crafted message to a listening port of an affected device.
“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said. “With access to the underlying operating system, the attacker could also establish root access on the affected device,” it warned.
Atualizações de Segurança da SAP em Janeiro
SAP has issued 10 new security fixes as part of its January Security Patch Day, which includes several issues with a CVSS score of 9.1. CVE-2023-49583 is an escalation-of-privilege issue in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA.
Outra falha notável é CVE-2024-21737, uma vulnerabilidade de injeção de código no SAP Application Interface Framework, que tem um escore CVSS de 8.4. “Um módulo de função vulnerável da aplicação permite que um atacante atravesse várias camadas e execute comandos do sistema operacional diretamente” disse a empresa de segurança Onapsis. “Exploits bem-sucedidos podem causar impacto considerável na confidencialidade, integridade e disponibilidade da aplicação.”
