Let’s put this straight: not all of us pay attention when security patches or updates are rolled out.
This poor security culture could be blamed on a lack of awareness of the need for security patches, the frequency of updates, or the pain points in deploying them.
Whatever the reason, a security patch (unlike, say, a feature improvement update) should not be taken lightly by anyone.
If we consider that the Pwn2Own Vancouver 2024 hacking contest in March had popular brands like Google, Tesla and Ubuntu hacked, you might be throwing caution to the wind by putting off security patches to later dates or ignoring them completely.
In what has been a season of security updates, popular brands like Apple, Google, and Microsoft have released important security updates to hard-wire their defenses against known and emerging threats.
Apple’s latest security release addresses undisclosed issues regarding customer data security, while Google’s Chrome browser has recently been updated with 12 security fixes, different from the anti-phishing updates it added to its browser recently. Microsoft has followed suit with multiple updates on its Windows 11 Operating System (OS).
This article looks at what was patched up across these three brands and points out the need to check them out if you haven’t.
Security Updates in Detail
Below is a breakdown of what was updated on each platform and how you can patch things up before it’s too late.
Apple Security Updates for iOS and iPadOS
If you use an iOS or iPadOS device, Apple has dished out a number of security updates for you. This time, the updates address several vulnerabilities, some of which were being actively exploited in the wild.
Although the iPhone maker’s security updates affect many of its devices, the iOS 17.4 and iPadOS 17.4 patches caught the eye, as reports of zero-day attacks affecting iPhone and iPad users were already making the rounds.
The Cyber and Fraud Centre Scotland reported in March that these security flaws were being exploited by malicious users and allowed them access to users’ devices.
Apple did not deny these claims, acknowledging that these vulnerabilities may have already been exploited by malicious actors.
“Apple is aware of a report that this issue may have been exploited,” Apple wrote on its support page.
In addition to these zero-day flaws, the updates address other security issues across various components of the iOS and iPadOS ecosystems, including Siri, Spotlight, Synapse, and UIKit. These vulnerabilities could have enabled attackers to access sensitive user data, spoof system notifications, or potentially break out of an app’s sandbox.
Google Chrome Security Updates
After it announced tighter privacy features on Chrome, Google has released another critical update to address several high-severity vulnerabilities in Chrome, including one that had been pounced on by malicious actors.
This Chrome update, which brings the browser to version 123.0.6312.58/.59 on Windows and Mac and 123.0.6312.58 on Linux, includes 12 security fixes.
Among the most critical issues addressed, include flaws identified under different Common Vulnerabilities and Exposures (CVEs) — a list of publicly disclosed computer security flaws that have been assigned unique identifiers.
One of the critical flaws is CVE-2024-2625, an object-lifecycle vulnerability in the V8 JavaScript engine rated as high severity. This flaw, according to NIST, “allowed a remote attacker to potentially exploit object corruption via a crafted HTML page on Chrome.”
The update also patches several medium-severity flaws, including CVE-2024-2626, an out-of-bounds read bug in the Swiftshader component; CVE-2024-2627, a use-after-free vulnerability in the Canvas component; and CVE-2024-2628, an inappropriate implementation issue in the Downloads component.
Towards the end of March, Google pushed an additional seven security fixes for Chrome after some vulnerabilities were exploited at the Pwn2Own 2024 hacking contest held in Canada last month. Some of these vulnerabilities include a critical use-after-free vulnerability in the ANGLE component (CVE-2024-2883) that was reportedly being exploited. Two other high-severity use-after-free bugs, CVE-2024-2885 and CVE-2024-2886, and a Type Confusion in WebAssembly (CVE-2024-2887) were also addressed.
Google has acknowledged the critical nature of these vulnerabilities and has disbursed a total of $10,000 in rewards to the external researchers who reported the vulnerabilities.
To mitigate the risk, Chrome users are strongly encouraged to update their browsers to the latest version as soon as possible. The update can be easily obtained by opening the Chrome settings page and checking for updates or by allowing the browser to auto-update itself.
Microsoft Windows 11 Updates
Like Apple and Google, Microsoft is not sleeping on patching security flaws in its Windows operating system. The Windows 11 updates, rolled out in March, affect versions 22H2 and 23H2 as they run on the same core operating system and identical system files.
Microsoft says this update focuses on implementing security patches on its proprietary networking standard, the Distributed Component Object Model (DCOM). It’s important to note that once this update is installed, the changes cannot be reversed using the registry key.
Additionally, the update resolves an issue related to computer accounts and Active Directory. Previously, when reusing an existing computer account to join an Active Directory domain, the process failed on devices with Windows updates dated October 11, 2022, or later.
Users have several channels available to obtain this update.
If your Windows update is automatically set to download and install, then updates will be automatically downloaded and installed from Windows Update.
For businesses using Windows Update for Business, the update will be fetched and applied according to their configured policies. Alternatively, users can manually download the standalone package from the Microsoft Update Catalog website.
If Windows Server Update Services (WSUS) is configured, it will automatically sync with this update under the settings for the product Windows 11, with the classification of Security Updates.
Although these updates are not mandatory, they are essential. Let’s say you skip them; your system could be vulnerable to security exploits targeting the DCOM networking standard, which means, hackers could also gain unauthorized access to your device or network. If you rely on Active Directory to manage computer and user accounts in your organization, you might face issues adding new devices to the domain.
The Bottom Line
The recent security updates from tech giants Apple, Microsoft, and Google are not to be ignored. These patches address critical vulnerabilities that are actively being exploited by malicious actors, putting user data and system integrity at serious risk.
To protect yourself, it is crucial to check the operating systems listed for these updates and Chrome and ensure they are up to date.
If you don’t leave your systems on auto-update as I do, do well to update your devices and software to the latest versions as soon as possible. Failing to do so could leave you exposed to data breaches or system compromises and, of course, financial losses.