To find the update, you’ll need to check your device’s settings. Devices that have received the April Android update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2 and Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.
Google Chrome Urgent Updates
Google Chrome is the world’s largest browser, with over 3 billion users, so it’s no surprise that attackers target it. Browser-based attacks are particularly worrisome because they can potentially be chained with other vulnerabilities and used to take over your device.
It’s been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, released in mid-April, fixes two issues, including a high-severity zero-day vulnerability, CVE-2022-1364, that is already being exploited by attackers.
Technical details are not currently available, but the timing of the fix – just a day after the issue was reported – suggests it’s quite serious. If you use Chrome, your browser needs to be on version 100.0.4896.127 to include the patch. You’ll need to restart Chrome after the update installs to make sure it takes effect.
The Chrome issue also affects other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you’re using any of them, be sure to apply the patch.
But that’s not all. On April 27, Google announced another Chrome update fixing 30 security vulnerabilities. None of them have been exploited yet, the company says, but seven are rated high-risk. The update brings the browser to version 101.0.4951.41.
Oracle April 2022 Critical Patch Update
In mid-April, Oracle released its quarterly Critical Patch Update containing a whopping 520 security fixes. Some of the issues fixed in the update are serious – 300 of them can be exploited remotely without authentication, and 75 security issues are rated as critical. Some of Oracle’s fixes address CVE-2022-22965, also known as Spring4Shell, a remote code execution (RCE) flaw in the Spring framework.
Microsoft’s busy April Patch Tuesday
Microsoft had a big Patch Tuesday in April, releasing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.
Reported by the NSA and researchers from CrowdStrike, the flaw in the Windows Common Log File System Driver requires no human interaction to be exploited and can be used to gain administrative privileges on a logged-on system. Other notable fixes include CVE-2022-26904 – a publicly known issue – and CVE-2022-26815, a serious DNS server flaw.
Mozilla Thunderbird 91.8.0 Fix
On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. Details are scarce, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be used to execute arbitrary code.
Firefox ESR 91.8 and Firefox 99 also fix numerous security issues.
Elementor WordPress plugin version 3.6.3
The Elementor website builder plugin for WordPress received a major security patch in April for a critically rated vulnerability that could allow attackers to perform remote code execution and effectively take over a website.
Discovered by researchers at Plugin Vulnerabilities, the flaw was introduced into the plugin in version 3.6.0, released on March 22. “We would recommend against using this plugin until it has undergone a thorough security review and all issues have been addressed,” the researchers said.
Although an attacker must be authenticated to exploit the issue, it is still quite serious because anyone logged into an affected website can exploit it. Elementor’s 5 million users should apply the update, version 3.6.3, as soon as possible.