Google’s Pixel units have already acquired the November replace, together with some extra fixes. The November Android Security Bulletin has additionally began to roll out to a few of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday each month, however November’s is price discover. The replace fixes 59 vulnerabilities, two of that are already being exploited in real-life assaults. Tracked as CVE-2023-36033, the primary is an elevation of privilege vulnerability in Windows DWM Core Library marked as vital, with a CVSS rating of seven.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft stated.

Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS rating of seven.8. Also fastened in November’s replace cycle is the already exploited libWep flaw beforehand fixed in Chrome and different browsers, which additionally impacts Microsoft’s Edge, tracked as CVE-2023-4863.

Another notable flaw is CVE-2023-36397, a distant code execution vulnerability in Windows Pragmatic General Multicast marked as essential with a CVSS rating of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft stated.

Cisco

Enterprise software program agency Cisco has issued fixes for 27 safety flaws, together with one rated as essential with a close to most CVSS rating of 9.9. Tracked as CVE-2023-20048, the vulnerability within the internet companies interface of Cisco Firepower Management Center Software may enable an authenticated, distant attacker to execute unauthorized configuration instructions on a Firepower Threat Defense gadget managed by the FMC Software.

However, to efficiently exploit the vulnerability, an attacker would wish legitimate credentials on the FMC Software, Cisco said.

An additional seven of the failings fastened by Cisco are rated as having a excessive influence, together with CVE-2023-20086—a denial-of-service flaw with a CVSS rating of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS rating of 8.2.

Atlassian

Atlassian has released a patch to repair a critical flaw already being utilized in real-life assaults. Tracked as CVE-2023-22518, the improper-authorization vulnerability situation in Confluence Data Center and Server is being utilized in ransomware assaults. “As part of Atlassian’s ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” it stated.

Security outfit Trend Micro reported the Cerber ransomware group is utilizing the flaw in assaults. “This is not the first time that Cerber has targeted Atlassian—in 2021, the malware re-emerged after a period of inactivity and focused on exploiting remote code execution vulnerabilities in Atlassian’s GitLab servers,” Trend Micro stated.

All variations of Confluence Data Center and Server are affected by the flaw, which permits an unauthenticated attacker to reset Confluence and create an administrator account. “Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability,” Atlassian stated.

SAP

Enterprise software program large SAP has launched its November Security Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS rating of 9.6, essentially the most critical situation is an improper entry management vulnerability flaw in SAP Business One. As a results of exploiting the problem, a malicious person may learn and write to the SMB shared folder, the software program large stated.