As security teams gear up for the challenges of 2024, the past week has brought a series of security updates addressing critical vulnerabilities, with a notable focus on newly reported issues in Chrome.
The most recent stable channel release for Chrome Desktop brings six security fixes, with four earning special mention in the release notes from Google. Among the addressed issues are two in ANGLE, along with use-after-free problems in WebAudio and WebGPU. Swift action is recommended – patch as soon as possible!
https://chromereleases.googleblog.com/2024/
In other developments:
CVSS 9.8 – Multiple CVEs: Rockwell Automation’s FactoryTalk Activation Manager software v4.00 harbours out-of-bounds write bugs, potentially granting attackers complete system control.
https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-01
CVSS 9.8 – CVE-2023-6448: Unitronics Vision Series PLCs and HMIs ship with default administrative passwords, which should be changed immediately, as CISA warns of active exploitation.
https://nvd.nist.gov/vuln/detail/CVE-2023-6448
CVSS 9.6 – CVE-2023-39336: Ivanti Endpoint Manager 2022 SU4 and all earlier versions are susceptible to SQL injection, exploitable by anyone with network access to a vulnerable machine.
https://nvd.nist.gov/vuln/detail/CVE-2023-39336
Additionally, a couple of new exploits have emerged in the wild this week:
CVSS 8.8 – CVE-2023-7024: a heap buffer overflow in Chrome, disclosed at the close of last year.
https://nvd.nist.gov/vuln/detail/CVE-2023-7024
CVE-2023-7101: No CVSS score is available yet for this recently discovered vulnerability in Spreadsheet::ParseExcel, a Perl module used for parsing Excel files. Insufficient input validation opens a potential path to remote code execution.
https://nvd.nist.gov/vuln/detail/CVE-2023-7101