Earlier within the month, Google fixed one other zero-day flaw, a heap buffer overflow challenge initially tracked as CVE-2023-4863, which it thought impacted solely the Chrome browser. But two weeks after fixing the difficulty, researchers found it was worse than they thought, affecting the widely-used libwebp picture library for rendering photos within the WebP format.

Now tracked as CVE-2023-5129, it’s thought the bug impacts each software that makes use of the libwebp library to course of WebP photos. “The scope of this vulnerability is much wider than initially assumed, affecting millions of different applications worldwide,” safety agency Rezilion wrote in a blog.

The safety outfit additionally thinks it’s “highly likely” that the underlying challenge within the libwebp library is similar challenge leading to CVE-2023-41064—one of many Apple flaws used as a part of the BLASTPASS exploit chain to deploy the NSO Group’s Pegasus spy ware.

Microsoft

Microsoft’s September Patch Tuesday is one to recollect, because it fastened round 65 flaws, two of that are already being exploited by attackers. Tracked as CVE-2023-36761, the primary is a Microsoft Word info disclosure vulnerability that would permit NTLM hashes to be uncovered.

The second and most extreme flaw is a privilege-escalation vulnerability in Microsoft Streaming Service Proxy tracked as CVE-2023-36802. An attacker who efficiently exploited this vulnerability might achieve system privileges, Microsoft stated, including that exploitation of the flaw has been detected.

Both flaws are marked as vital, so it’s a good suggestion to replace your gadgets as quickly as you may.

Mozilla Firefox

Firefox has had a busy month after Mozilla fastened 10 flaws in its privacy-conscious browser. CVE-2023-5168 is an out-of-bounds write bug in FilterNodeD2D1 affecting Firefox on Windows, rated as having a excessive affect.

CVE-2023-5170 is a flaw that would end in reminiscence leak from a privileged course of. This might be used to impact a sandbox escape if the proper information was leaked, Firefox proprietor Mozilla stated in an advisory.

Meanwhile, CVE-2023-5176 covers reminiscence security bugs fastened in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla stated.

Cisco

At the beginning of the month, Cisco issued a patch for a vulnerability within the single sign-on implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform that would permit an unauthenticated, distant attacker to forge credentials to entry an affected system. Tracked as CVE-2023-20238, the flaw has been given a most CVSS rating of 10.

Also this month, Cisco patched a zero-day in Adaptive Security Appliance and Firepower Threat Defense software program already exploited in Akira ransomware assaults. Tracked as CVE-2023-20269 and with a medium severity CVSS rating of 5, the vulnerability within the distant entry VPN function of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software might permit an unauthenticated, distant attacker to conduct a brute-force assault to establish legitimate username and password combos.

SAP

Enterprise software program agency SAP has issued a number of vital fixes as a part of its September Security Patch Day. This features a patch for CVE-2023-40622, an info disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform with a CVSS rating of 9.9. “A successful exploit provides information that can be used in subsequent attacks, leading to a complete compromise of the application,” safety agency Onapsis said.

CVE-2023-40309 is a lacking authorization examine challenge in SAP CommonCryptoLib with a CVSS rating of 9.8. The flaw may end up in an escalation of privileges and within the worst case, attackers can compromise the affected software fully, Onapsis stated.

Meanwhile, CVE-2023-42472 is an inadequate file sort validation flaw in SAP BusinessObjects Business Intelligence Platform with a CVSS rating of 8.7.