
Patch Tuesday April 2023 – Microsoft Publishes Fixes for 17 Known Vulnerabilities


Heimdal® returns with the Easter edition of our Patch Tuesday series and more news from the vulnerability management front. Throughout April, Microsoft has released 17 security fixes for its Chromium-based Edge browser, alongside other miscellaneous improvements. Without further ado, here’s what Patch Tuesday April has in store for us. Enjoy, and happy holidays, everyone!

Patch Tuesday April 2023 – Highlights

Let’s start this list with CVE-2023-28284, aka the Microsoft Edge (Chromium-based) Security Feature Bypass vulnerability. With a CVSS 3.1.4.3 score of 3.8, this vulnerability could potentially allow a threat actor to bypass the warning prompt that appears when the user attempts to download an allegedly unsafe file from an unverified website. Microsoft notes that this defect can only be leveraged if the user connects to a threat actor-owned website or interacts with a malicious resource that is hosted on a verified website. Upon that exchange, a specially crafted file will be uploaded to the user’s machine, allowing the malicious actor to bypass the warning prompt.

Next stop is CVE-2023-24935, a Microsoft Edge (Chromium-based) spoofing vulnerability that could potentially allow a threat actor to run malicious scripts in the user’s browser once the user interacts with a tainted web server. Once the in-browser script is executed, the user is redirected to the threat actor-held website.

Check out the full list of April releases.

Release Date | CVE Number     | CVE Title
-------------|----------------|------------------------------------------------------------------------------
Apr 6, 2023  | CVE-2023-28301 | Microsoft Edge (Chromium-based) Tampering Vulnerability
Apr 6, 2023  | CVE-2023-24935 | Microsoft Edge (Chromium-based) Spoofing Vulnerability
Apr 6, 2023  | CVE-2023-28284 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Apr 6, 2023  | CVE-2023-1823  | Chromium: CVE-2023-1823 Inappropriate implementation in FedCM
Apr 6, 2023  | CVE-2023-1822  | Chromium: CVE-2023-1822 Incorrect security UI in Navigation
Apr 6, 2023  | CVE-2023-1821  | Chromium: CVE-2023-1821 Inappropriate implementation in WebShare
Apr 6, 2023  | CVE-2023-1820  | Chromium: CVE-2023-1820 Heap buffer overflow in Browser History
Apr 6, 2023  | CVE-2023-1819  | Chromium: CVE-2023-1819 Out of bounds read in Accessibility
Apr 6, 2023  | CVE-2023-1818  | Chromium: CVE-2023-1818 Use after free in Vulkan
Apr 6, 2023  | CVE-2023-1817  | Chromium: CVE-2023-1817 Insufficient policy enforcement in Intents
Apr 6, 2023  | CVE-2023-1816  | Chromium: CVE-2023-1816 Incorrect security UI in Picture In Picture
Apr 6, 2023  | CVE-2023-1815  | Chromium: CVE-2023-1815 Use after free in Networking APIs
Apr 6, 2023  | CVE-2023-1814  | Chromium: CVE-2023-1814 Insufficient validation of untrusted input in Safe Browsing
Apr 6, 2023  | CVE-2023-1813  | Chromium: CVE-2023-1813 Inappropriate implementation in Extensions
Apr 6, 2023  | CVE-2023-1812  | Chromium: CVE-2023-1812 Out of bounds memory access in DOM Bindings
Apr 6, 2023  | CVE-2023-1811  | Chromium: CVE-2023-1811 Use after free in Frames
Apr 6, 2023  | CVE-2023-1810  | Chromium: CVE-2023-1810 Heap buffer overflow in Visuals

Additional Cybersecurity Advice

This wraps up the spring edition of Heimdal®’s Patch Tuesday updates. As you would expect, here are a couple of things you can try out to bolster your threat defenses and step up your vulnerability and patch management game.

  • Consider reverting to previous builds/versions. There’s no recipe for flawless patching, which means something’s bound to go wrong at some point (e.g., unexpected patch failure, connection errors, no mobile control, insufficient privileges, failure to meet regulatory compliance requirements, etc.). Ensure that your backups are current and restorable in case you need to revert the app(s) to a previous version.
  • Vulnerability scanning. Don’t forget about your vulnerability scanning schedule. Best practice dictates that scanning should occur at least once per month. Don’t forget to document your findings.
  • Automatic patching. Smaller organizations tend to rely on manual patching to deploy all relevant improvement-carrying packages. However, things change a bit when you’re in the shoes of an IT admin catering to the needs of hundreds of users. The best way around this issue is, of course, automatic patching. If configured correctly, an automatic patching solution can ensure timely (and correct) deployment and a low risk of incompatibility. Heimdal®’s Patch & Asset Management can aid you in quickly distributing your patches, regardless of whether they are OS-specific, 3rd party, proprietary, or UX/UI-oriented.
  • Pen-and-paper planning. If you’re managing a team, consider drafting a list of patching protocols. Include dates, times, operating systems, tests, and everything else you can think of. Don’t forget to write down any modifications made to the software.

Conclusion

This wraps up the April edition of Heimdal®’s Patch Tuesday series. Hope you’ve enjoyed it. As always, stay safe, patch your heart out, and keep away from suspicious websites. Happy Easter everyone!

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.
