july has been a month’s worth of major updates, including patches for already exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.
Security vulnerabilities also continue to affect enterprise products, with July patches released for SAP, Cisco and Oracle software. Here’s what you need to know about the vulnerabilities that were fixed in July.
Apple iOS 15.6
Apple has released iOS and iPadOS 15.6 to fix 37 security vulnerabilities, including an issue in Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to run code with kernel privileges, according to Apple’s support page, giving it deep access to your device.
Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as bugs in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU drivers.
Apple is not aware of the patched flaws used in attacks, but some vulnerabilities are quite serious, especially those that affect the kernel at the heart of the operating system. It is also possible for vulnerabilities to be chained together in attacks, so be sure to update as soon as possible.
The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.
Google Chrome
Google released an emergency patch for its Chrome browser in July, which fixes four issues, including a zero-day bug that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was exploited to effect shellcode execution in Chrome’s rendering process.
The flaw was used in targeted attacks on Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.
Based on the malware and tactics used to carry out the attack, Avast credits Chrome’s zero-day use to Candiru, an Israel-based company that sells spyware to governments.
Microsoft’s Patch Tuesday
Microsoft’s patch Tuesday in July is a big one and fixes 84 security vulnerabilities, including a flaw already used in real-world attacks. The vulnerability, CVE-2022-22047, is a local escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest releases of Windows 11 and Windows Server 2022. An attacker who managed to can be misused, according to Microsoft, can get system privileges.
Of the 84 issues fixed in Microsoft’s July Patch Tuesday, there were 52 issues with privilege escalation, four issues with bypassing security features, and 12 issues with remote code execution.
Microsoft security patches sometimes cause other problems, and the July update was no different: after its release, some users discovered that MS Access runtime applications could not be opened. Fortunately, the company has come up with a solution.
Android July Security Bulletin
Google released July updates to its Android operating system, including a fix for a critical vulnerability in the system component that could allow remote code execution without the need for additional privileges.
Google also fixed serious issues in the kernel – which could lead to information disclosure – and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device uses those chips. Samsung devices are starting to receive the July patch and Google has also released updates to its Pixel lineup.
JUICE
Software maker SAP has released 27 new and updated security notes as part of its July Security Patch Day, fixing several very serious vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure error in the vendor’s Business Objects platform’s central management console.
The vulnerability allows an unauthenticated attacker to obtain token information over the network, security firm Onapsis said. Fortunately, an attack like this requires a legitimate user to access the application. However, it is still important to patch as soon as possible.
Oracle
Oracle released 349 patches in the July 2022 Critical Patch Update, including fixes for 230 vulnerabilities that can be exploited remotely.
Oracle’s April Patch update contained 520 security fixes, some of which CVE-2022-22965, also known as Spring4Shell, addressed a remote code execution flaw in the Spring framework. Oracle’s July update continues to resolve this issue.
.