It's the last Patch Tuesday of 2023, which calls for celebration - just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course.
Let's start with Apple, since two of the bugs Cupertino disclosed yesterday may have already been used for evil purposes.
While the fruit cart's December release fixes all the iThings, there are two especially concerning vulnerabilities in the WebKit web browser engine that affect Apple TVs and Apple Watches, plus some older iPhones and iPads.
CVE-2023-42916 is an out-of-bounds read flaw that could allow miscreants to access sensitive information, and CVE-2023-42917 is a memory corruption vulnerability that can lead to arbitrary code execution.
While Cupertino issued emergency fixes at the end of November to close these security holes in some iPhones, iPads, and Macs, the newly issued patches address the same CVEs in older iPhones and iPads, as well as Apple TV HD, Apple TV 4K, and Apple Watch Series 4 and later.
Microsoft closed out a very buggy year with just over 30 Windows patches - none of which are listed as being under attack or publicly known before today.
Of these, four are rated critical - including three remote code execution vulnerabilities and one spoofing bug - and 29 important.
CVE-2023-36019, the spoofing vulnerability, affects the web server component of Microsoft Power Platform and Azure Logic Apps.
The only vulnerability listed as publicly disclosed in Microsoft's December patch party is a speculative-execution leak flaw in some AMD processors, tracked as CVE-2023-20588 and first disclosed in August.
The bulk of Adobe's bugs - a whopping 185 CVEs - are in Experience Manager and are all important- or moderate-rated cross-site scripting bugs that could allow arbitrary code execution and security feature bypass.
Patches for Illustrator, Substance 3D Sampler, Substance 3D Designer and After Effects all fix critical vulnerabilities that could lead to arbitrary code execution and memory leak.
The rest of Adobe's fixes address important and moderate vulnerabilities in InDesign, Dimension, Substance 3D Stager and Prelude.
Back in October, Qualcomm warned that all three of these flaws were under targeted attacks - citing threat intel from Google TAG and Project Zero - but said it wouldn't share any additional info until December.
SAP released 17 new and updated security patches, including four HotNews Notes and four High Priority Notes.
The new HotNews note, #3411067, received a 9.1 CVSS score and fixes a critical escalation of privilege vulnerability in SAP's Business Technology Platform.
It's critical enough that the vendor published a separate blog about the importance of updating - but doesn't provide much detail about the vulnerability itself.
Cisco published a security advisory about a vulnerability in Apache Struts that may affect a long list of its products containing the software - but noted that it's still under investigation.
Rounding out the end-of-year petapalooza, VMware fixed a moderate-rated privilege escalation vulnerability in its VMware Workspace ONE Launcher product.
The bug, tracked as CVE-2023-34064, could allow someone with physical access to Workspace ONE Launcher to abuse the Edge Panel feature, bypass setup, and then gain access to sensitive information.
FortiGuard also fixed a double-free vulnerability, CVE-2023-41678, in the FortiOS and FortiPAM HTTPSd daemon.
This Cyber News was published on go.theregister.com. Publication date: Wed, 13 Dec 2023 01:13:05 +0000