ICYMI: Third-Party Patching for January 2024

Bugs and vulnerabilities are simply part of the IT infrastructure these days, as much as we wish they weren’t. The challenge of patching third-party systems and applications remains one of the most formidable hurdles for IT and security teams. On a monthly basis, we witness a barrage of new vulnerabilities emerging, prompting a critical question: How prepared is your organization to respond and mitigate these risks swiftly and efficiently?

Since the start of 2024, the realm of cybersecurity has been put to the test by an assortment of severe vulnerabilities. For instance, Mozilla’s Firefox Version 122.0 patched an alarming fifteen security issues, five of which were categorized as high risk. Among these, an out-of-bounds write in ANGLE and a stack buffer overflow in WebAudio were notable for their potential to compromise user data. Similarly, Oracle’s Java update shed light on thirteen new security risks, eleven of which could be exploited remotely without user credentials – a stark reminder of the pervasiveness of cyber threats.

Even major players like Apple are not immune to vulnerabilities and bugs. Apple’s latest advisory, released on January 22, addressed ninety vulnerabilities across an array of products, including the WebKit zero-day CVE-2024-23222, raising the stakes surrounding third-party patches further.

Continuing our overview of critical third-party patch updates since the start of 2024, Google’s Chrome browser, a mainstay of web activity for countless users and businesses, continues to see significant patch activity. Since the start of 2024, one zero-day vulnerability in particular has been catapulted into the limelight: CVE-2024-0519, an out-of-bounds memory access in the V8 JavaScript engine, reported by Anonymous. There has not yet been a bug bounty payout; however, Google reported this vulnerability as being exploited in the wild.

Overall, there have been 4 Chrome releases since the start of 2024. As additional vulnerabilities have been identified, their severity levels have been particularly concerning: many are rated ‘high’ severity, with CVSS scores approaching 8.8. These flaws could allow an attacker to execute arbitrary code or cause a denial of service (DoS) through a mere web page visit — a sobering reminder of the ever-present need for vigilance in digital security. Google swiftly deployed patches for these zero-days in Chrome’s subsequent releases, reinforcing the need for IT and security teams to stay abreast of alerts and apply updates without delay.

The surge in severe vulnerabilities is not limited to Chrome and Firefox; no browser is exempt, including Microsoft’s Edge. In the latest round of updates, Edge patched several critical flaws, including CVE-2024-0241, a remote code execution vulnerability with a CVSS score of 9.0, indicative of its potential to compromise systems on a substantial scale.

This raises the question: Is your patch management process agile enough to adapt to these critical updates in real time? Given these findings, it’s clear that third-party patching is not just a line item on a checklist — it is an imperative part of maintaining the security posture of your enterprise. Neglecting this key operation can leave your business vulnerable to data breaches and cyber-attacks that can tarnish your reputation and bottom line.

To stay ahead of potential threats and secure your environment, it’s crucial to remain informed and proactive. Register for our next 3rd Party Roundup webinar, on February 27, to get insights into the latest and most critical third-party vulnerabilities.

If you’re not sure how your third-party patch strategy measures up to current best practices, contact Syxsense today. We’re happy to discuss your current third-party patching strategy and implementation to see if you’re leveraging the latest technology to ensure third-party patches are deployed quickly across your organization.