August was a month filled with security patches, with Apple, Google and Microsoft releasing emergency fixes for vulnerabilities that have already been exploited. The month also saw some big fixes coming in from the likes of VMware, Cisco, IBM and Zimbra.
Here’s everything you need to know about the important security fixes released in August.
Apple iOS 15.6.1
After a two-month gap in patches, followed by multiple fixes in July, Apple released an emergency security update in August with iOS 15.6.1. The iOS update fixed two flaws, both of which were used by attackers in the wild.
Vulnerabilities in WebKit (CVE-2022-32893) and the kernel (CVE-2022-32894) are believed to have been chained together in attacks, with severe consequences. A successful attack could allow an adversary to take control of your iPhone and gain access to your sensitive files and bank details.
Paul Ducklin, a principal research scientist at Sophos, wrote in a blog post analyzing the vulnerabilities that the combination of the two flaws “usually provides all the functionality needed to install a device jailbreak,” bypassing nearly all of Apple’s security restrictions. This could potentially allow adversaries to “install spyware in the background and keep you under overall surveillance,” Ducklin explained.
Apple always avoids giving details about vulnerabilities until most people have updated, so it’s hard to know who the targets of the attack were. To ensure your safety, you should update your devices to iOS 15.6.1 without delay.
Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.
Google released a security update for Chrome in August to fix its fifth flaw this year. In an advisory, Google listed 11 vulnerabilities that were fixed in August. The fixes include a FedCM ‘Post-null’ bug, tracked as CVE-2022-2852 and rated critical, as well as six rated high and three rated medium impact. One of the high-rated vulnerabilities, CVE-2022-2856, has been exploited by attackers.
Google hasn’t provided any details about the bug that was exploited, but since attackers already know the details, it’s a good idea to update Chrome now.
Earlier in August, Google released Chrome 104 to fix 27 vulnerabilities, seven of which were rated as high impact.
The August Android security patch was huge, with dozens of fixes for serious vulnerabilities, including a flaw in the framework that could lead to local privilege escalation with no additional privileges required. Meanwhile, a problem with the media framework may lead to remote information disclosure, and a flaw in the system may lead to remote code execution via Bluetooth. A vulnerability in kernel components can also lead to local privilege escalation.
The Android security patch was delayed in August, but is now available on devices like Google’s Pixel range, Nokia T20, and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series, and Galaxy Flip series).
Microsoft’s August Patch Tuesday fixed more than 100 security vulnerabilities, of which 17 were classified as critical. Among the fixes was a patch for an already exploited flaw tracked as CVE-2022-34713, also known as DogWalk.
The remote code execution (RCE) bug in the Windows Support Diagnostic Tool (MSDT) has been classified as high impact because exploiting it can compromise the system. The vulnerability, which affects all Windows and Windows Server users, was first revealed more than two years ago in January 2020, but Microsoft did not consider it a security issue at the time.
VMware fixed a bunch of bugs in August, including a critical authentication bypass bug tracked as CVE-2022-31656. When the patch was released, the software company warned that generic exploit code was available.
VMware also fixed an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, a SQL injection RCE vulnerability in VMware Workspace ONE Access and Identity Manager also earned a CVSS score of eight. Both require an attacker to have administrator and network access before they can achieve remote code execution.