It's a big deal when attackers discover vulnerabilities in hardware, and it's happened again with both Intel and AMD processors. Known as Downfall (CVE-2022-40982) and Inception (CVE-2023-20569), these flaws have already gained a reputation based on the severe impact they can have, so don’t get caught off guard. Is your processor on the list?

We also have other significant discoveries and fixes for you, including eleven severe vulnerabilities found in Chromium, as well as fixes for multiple DoS and code execution vulnerabilities discovered in Thunderbird. It's essential that you stay up-to-date on these issues to protect your system from any potential harm.

Be sure to check out our Linux security expert analysis with industry leaders to gain critical insights into the past, present, and future of Linux security.

Found this newsletter helpful? Please pay it forward and share it with a fellow security geek! We also welcome feedback on how we could improve our newsletters. If you have any comments or thoughts, please share them with us.

Yours in Open Source,

Brittany Signature 150

Microcode

The Discovery 

Multiple significant microcode security issues have been discovered. An information exposure bug known as Downfall (CVE-2022-40982) has been found in some Intel(R) Processors, as well as a side channel vulnerability in some AMD CPUs known as Inception (CVE-2023-20569) that may allow an attacker to influence the return address prediction, potentially resulting in speculative execution at an attacker-controlled address.

2.Motherboard

The Impact

These flaws could result in the disclosure of sensitive information.

The Fix

Important security updates that mitigate these notorious flaws have been released. We strongly encourage all impacted users to apply these updates as soon as possible to protect the confidentiality and integrity of their sensitive data.

Your Related Advisories:

Register to Customize Your Advisories

Thunderbird

The Discovery 

Multiple security issues were discovered in Thunderbird, including a bug in popup notifications delay calculation that could have enabled an attacker to trick a user into granting permissions (CVE-2023-4047), and an out-of-bounds read that could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations (CVE-2023-4048). These bugs are simple to exploit and threaten impacted systems' confidentiality, integrity, and availability. As a result, they have received a National Vulnerability Database severity rating of “High”. 

Thunderbird

The Impact

These issues could result in denial of service (DoS) attacks or the execution of arbitrary code.

The Fix

A Thunderbird security update has been released that mitigates these severe flaws. We strongly recommend that all impacted users apply these updates now to protect against attacks leading to potential system downtime and compromise.

Your Related Advisories:

Register to Customize Your Advisories

Chromium 

The Discovery 

Eleven severe vulnerabilities have been found in Chromium, including multiple Type Confusion bugs in V8, use-after-frees in Cast, Blink Task Scheduling and WebRTC, a heap buffer overflow in Visuals, out-of-bounds read and write in WebGL, out-of-bounds memory access in ANGLE, and insufficient data validation and inappropriate implementation in Extensions. These bugs have received a National Vulnerability Database severity rating of “High” due to their ease of exploitation and the significant threat they pose to impacted systems' confidentiality, integrity, and availability. 

Chromium

The Impact

These issues have allowed a remote attacker to potentially exploit heap corruption and perform arbitrary read/write via a crafted HTML page. They also enabled an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension.

The Fix

Important updates have been released for Chromium that fix these dangerous flaws. We urge all impacted users to apply these updates immediately to protect against potential security threats.

Your Related Advisories:

Register to Customize Your Advisories