ICYMI – April’s Third-Party Patch Round-Up

April was a busy month, especially with RSA Conference taking up a whole week. We didn’t want to miss out on highlighting some critical information on third-party patches, though, so here’s our April 2023 round-up.   

Based on Syxsense data, developer insights, and open-source intelligence, we’re highlighting a number of third-party patches that are critical for organizations to fix. The high-level numbers and software we think you should focus on:  

  • Google Chrome has had 4 releases since April 1, with 2 of those updates resolving a total of 24 flaws, 2 of which are being actively exploited in the wild
  • Microsoft has had 5 releases since April 1, addressing all Chromium-based flaws and zero-days, as well as 3 Edge-specific vulnerabilities 
  • Firefox has had 2 releases since the month started, addressing a total of 22 disclosed security flaws. 
  • In April, Adobe released information on 56 vulnerabilities. 
  • Oracle released 414 total security patches this month for all its products, with 9 fixes for Java deployments. 

For Syxsense customers, all of these remediations are available for deployment now in their Syxsense console.  

Finally, the most important third-party patches this month are those for Google Chrome. Information on the first Chrome zero-day (CVE-2023-2033) was publicly released on April 11, and a second zero-day (CVE-2023-2136) was reported on April 12, after the first one was publicly identified. CVE-2023-2033 is a type confusion issue in the V8 JavaScript engine. CVE-2023-2136 is an integer overflow in Skia, an open-source 2D graphics library.

Chrome is, by far, the most popular web browser, and that makes it an easy and preferred target for malicious hackers. More importantly, both vulnerabilities have exploits in the wild. That’s why Google said access to bug details and links may be kept restricted until a majority of users are updated with a fix. These vulnerabilities, along with multiple high-severity flaws, were reported earlier in April, and Syxsense strongly recommends that all Chrome users make sure Chrome is updated as soon as possible. We recommend that consumers keep Chrome on an auto-update setting, but administrators should double-check and update accordingly, especially if any end users don’t have administrative rights to their devices.

If you want more details on third-party patches ahead of our write-up for next month, register for May’s 3rd Party Round-up webinar hosted by Jon Cassell on Tuesday, May 30 at 12:00 PM EST.

If you’re looking for the typical Microsoft Patch Tuesday information, don’t miss our Patch Tuesday webinar.