Main topic: High-severity vulnerabilities in CODESYS V3 software development kit used in industrial facilities.
Key points:
1. Microsoft disclosed 15 high-severity vulnerabilities in CODESYS V3, used to program operational devices in industrial facilities.
2. Exploiting the vulnerabilities is difficult but can lead to code execution, denial-of-service attacks, and potential damage to targets.
3. Patches have been released, but organizations should prioritize installing updates to mitigate the risk.
August has seen a flurry of patches released by technology giants like Microsoft, Google Chrome, and Firefox to fix serious vulnerabilities. These patches are crucial as some of the flaws are already being exploited in attacks. While there was no iPhone update from Apple, major fixes were released for enterprise software, including Ivanti, SAP, and Cisco. Microsoft's Patch Tuesday fixed numerous vulnerabilities, including ones being actively targeted. Google Chrome also issued updates, addressing high-impact flaws in V8 and WebRTC. Firefox patched various vulnerabilities, some of which could lead to arbitrary code execution. Lastly, Google patched several critical vulnerabilities in its Android operating system, including RCE issues in System and Media Framework.
Apple has released emergency security updates to fix two new zero-day vulnerabilities that were exploited in attacks targeting iPhone and Mac users, bringing the total number of exploited zero-days patched this year to 13.
Google has released emergency security updates for Chrome to address a zero-day vulnerability (CVE-2023-4863) that has been exploited in attacks, urging users to update their browsers to prevent further exploitation.
Samsung has released a new security patch for its Galaxy devices in September 2023, addressing critical and high-security vulnerabilities.
Microsoft will be releasing a major Windows update with over 150 new features, including the introduction of the ChatGPT-powered AI assistant Copilot and updates to apps like Paint and Backup.
Apple has released emergency security updates to fix three new zero-day vulnerabilities that were exploited to target iPhone and Mac users, bringing the total number of zero-days fixed this year to 16. The vulnerabilities allowed attackers to bypass signature validation, execute arbitrary code, and escalate privileges. The impacted devices include iPhone 8 and later, iPad mini 5th generation and later, Macs running macOS Monterey and newer, and Apple Watch Series 4 and later. The zero-days were discovered and reported by security researchers at Citizen Lab and Google's Threat Analysis Group.
Apple has released urgent security updates to patch actively exploited vulnerabilities, including flaws in WebKit, certificate validation, and kernel access, which were part of an exploit chain used to plant the Pegasus and Predator spyware.
Google has released the October 2023 security updates for Android, addressing 54 vulnerabilities, including two actively exploited flaws, with one impacting various software products and the other affecting multiple versions of Arm Mali GPU drivers on Android devices.
Microsoft has released patches to address zero-day vulnerabilities in open source libraries that affect its products, such as Skype and Edge browser, but the company has not confirmed whether these vulnerabilities were exploited or whether it was aware of any exploitation.
Apple has released an emergency patch to address a serious security flaw that may have already been exploited by attackers, marking the 16th documented zero-day exploit against Apple's iOS, iPadOS, and macOS-powered devices.
Samsung is rolling out its October security patch to address vulnerabilities in One UI, with a focus on backend fixes, critical vulnerabilities, and Android weaknesses. The update is being released for various Galaxy devices, including the Galaxy S series, Galaxy Z Fold/Flip series, and Galaxy A/M/F series.
Microsoft has released the KB5031356 cumulative update for Windows 10 21H2 and 22H2, which includes 25 fixes for various issues and security updates, as well as mitigations for a new distributed denial of service attack technique.