You Really Need to Update Firefox and Android Right Now
The new year has kicked off with some hefty security updates released by the likes of Apple, Google, and Microsoft. January has been a busy time for enterprise patches too, with SAP, VMware, and Oracle among those issuing security fixes during the month.
Here’s everything you need to know about the security fixes released in January.
Apple has released iOS 16.3 along with a new feature that allows you to use security keys as an extra layer of protection for your Apple ID. Apple’s latest update also comes with 13 security fixes, including three in WebKit, the engine that powers the Safari browser, two of which could allow code execution.
Another three issues have been patched in the iPhone Kernel at the heart of iOS. One of the vulnerabilities, tracked as CVE-2023-23504, is pretty serious—if exploited, it could result in an app being able to execute code with Kernel privileges.
Apple also released iOS 15.7.3 for users of older iPhones, fixing six security issues including the Kernel code execution bug patched in iOS 16.3. None of the issues fixed in iOS 15.7.3 or iOS 16.3 are believed to have been used in real-life attacks. However, Apple has released iOS 12.5.7 for older devices to patch an already exploited WebKit vulnerability, CVE-2022-42856. The iPhone maker fixed the same bug for smartphones using iOS 15 in December.
Apple’s January updates also include tvOS 16.3, Safari 16.3, macOS Big Sur 11.7.3, macOS Monterey 12.6.3, watchOS 9.3, and macOS Ventura 13.2.
It was a busy start to the year for Google, which has fixed 17 vulnerabilities in its Chrome browser, two of which are rated as having a high impact. The first of the two issues, tracked as CVE-2023-0128, is a use-after-free bug in Overview Mode.
Meanwhile, CVE-2023-0129 is a heap buffer overflow issue in Network Service. Eight of the patched vulnerabilities are marked as having a medium impact, including CVE-2023-0130, an inappropriate implementation bug in Fullscreen, and CVE-2023-0137, a heap buffer overflow issue in Platform Apps.
Later in the month, Google patched six Chrome issues, including two rated as having a high impact. CVE-2023-0471 is a use-after-free bug in WebTransport and CVE-2023-0472 is a use-after-free bug in WebRTC.
The first Chrome patches of 2023 do not include any already exploited issues, so although the update is important, it’s not as urgent as some of Google’s recent version releases. Last year, the browser maker patched nine zero-day vulnerabilities.
Google has posted its Android Security Bulletin including a number of patches for Android devices. The most severe flaw is a security vulnerability in the Framework component that could lead to local escalation of privilege with no additional privileges needed. CVE-2022-20456 is rated as having a high severity and affects Android versions 10 through 14. Meanwhile, CVE-2022-20490 is another local escalation of privilege bug that does not require user interaction to be exploited.
Google also fixed vulnerabilities in the Kernel, including three remote code execution (RCE) flaws marked as critical. CVE-2022-42719 is a use-after-free bug that could be used by attackers to crash the Kernel and execute code. Google has fixed several issues in the System, the most severe of which could lead to local escalation of privilege.