Here are the most relevant headlines of the week, download our full report and take note:
GitHub announced last Friday that they had replaced their RSA SSH host key used to protect Git operations.
Apple has released security updates fixing an actively exploited 0-day vulnerability in older iPhone, macOS, and iPad devices.
Flaw identified as CVE-2023-23529 is a WebKit-type confusion bug, which has a CVSS of 8.8
Google’s Threat Analysis Group has shared details about two campaigns that used 0-day exploits against Android, iOS, and Chrome.
First campaign: 0-day exploit strings targeting Android and iOS were detected and distributed via shortened links sent via SMS: Vulnerability, already fixed in 2022, which affected iOS in versions prior to 15.1, is identified as CVE-2022-42856 and CVSS 8.8 (type confusion bug in the JIT compiler).
More about this campaign: Vulnerability CVE-2021-30900, with CVSS 7.8, also fixed.
As for the bugs, all fixed:
CVE-2022-3723 (CVSS 8.8), type confusion in Chrome;
CVE-2022-4135 (CVSS 9.6), buffer overflow in Chrome’s GPU;
CVE-2022-38181 (CVSS 8.8), privilege escalation.
Second campaign: targeting devices in the United Arab Emirates via SMS, consisting of several 0-days and n-days targeting Samsung’s web browser.
Link exploits vulnerabilities CVE-2022-4262, CVE-2022-3038, CVE-2022-22706 and CVE-2023-0266.