Google’s Pixel units have already obtained the November replace, together with some further fixes. The November Android Safety Bulletin has additionally began to roll out to a few of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday each month, however November’s is value discover. The replace fixes 59 vulnerabilities, two of that are already being exploited in real-life assaults. Tracked as CVE-2023-36033, the primary is an elevation of privilege vulnerability in Home windows DWM Core Library marked as necessary, with a CVSS rating of seven.8. “An attacker who efficiently exploited this vulnerability might achieve SYSTEM privileges,” Microsoft mentioned.

In the meantime, CVE-2023-36036 is an elevation of privilege vulnerability in Home windows Cloud Recordsdata Mini Filter Driver with a CVSS rating of seven.8. Additionally mounted in November’s replace cycle is the already exploited libWep flaw beforehand mounted in Chrome and different browsers, which additionally impacts Microsoft’s Edge, tracked as CVE-2023-4863.

One other notable flaw is CVE-2023-36397, a distant code execution vulnerability in Home windows Pragmatic Common Multicast marked as crucial with a CVSS rating of 9.8. “When Home windows message queuing service is working in a PGM Server surroundings, an attacker might ship a specifically crafted file over the community to realize distant code execution and try and set off malicious code,” Microsoft mentioned.

Cisco

Enterprise software program agency Cisco has issued fixes for 27 safety flaws, together with one rated as crucial with a close to most CVSS rating of 9.9. Tracked as CVE-2023-20048, the vulnerability within the internet providers interface of Cisco Firepower Administration Heart Software program might enable an authenticated, distant attacker to execute unauthorized configuration instructions on a Firepower Menace Protection machine managed by the FMC Software program.

Nonetheless, to efficiently exploit the vulnerability, an attacker would want legitimate credentials on the FMC Software program, Cisco mentioned.

An extra seven of the failings mounted by Cisco are rated as having a excessive influence, together with CVE-2023-20086—a denial-of-service flaw with a CVSS rating of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS rating of 8.2.

Atlassian

Atlassian has launched a patch to repair a critical flaw already being utilized in real-life assaults. Tracked as CVE-2023-22518, the improper-authorization vulnerability problem in Confluence Information Heart and Server is being utilized in ransomware assaults. “As a part of Atlassian’s ongoing monitoring and investigation of this CVE, we noticed a number of energetic exploits and studies of menace actors utilizing ransomware,” it mentioned.

Safety outfit Development Micro reported the Cerber ransomware group is utilizing the flaw in assaults. “This isn’t the primary time that Cerber has focused Atlassian—in 2021, the malware re-emerged after a interval of inactivity and centered on exploiting distant code execution vulnerabilities in Atlassian’s GitLab servers,” Development Micro mentioned.

All variations of Confluence Information Heart and Server are affected by the flaw, which permits an unauthenticated attacker to reset Confluence and create an administrator account. “Utilizing this account, an attacker can carry out all administrative actions accessible to a Confluence occasion administrator, resulting in a full lack of confidentiality, integrity and availability,” Atlassian mentioned.

SAP

Enterprise software program big SAP has launched its November Safety Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS rating of 9.6, essentially the most critical problem is an improper entry management vulnerability flaw in SAP Enterprise One. On account of exploiting the problem, a malicious consumer might learn and write to the SMB shared folder, the software program big mentioned.