August was a bumper month for security patches, with Apple, Google and Microsoft among the companies releasing fixes for already exploited vulnerabilities. The month also saw a number of major fixes arriving from the likes of VMware, Cisco, IBM and Zimbra.
Here’s everything you need to know about the major security patches released in August.
Apple iOS 15.6.1
After a two-month patch hiatus, followed by multiple fixes in July, Apple released an emergency security update in August with iOS 15.6.1. The iOS update fixed two bugs, both of which were used by attackers in the wild.
Presumably, the vulnerabilities in WebKit (CVE-2022-32893) and Kernel (CVE-2022-32894) were chained together in attacks, with dire consequences. In a successful attack, a malicious person could take control of your iPhone and gain access to your sensitive files and banking information.
The combination of the two flaws “generally provides all the functionality needed to trigger a jailbreak on a device,” bypassing nearly all Apple-imposed security restrictions, Paul Ducklin, a lead researcher at Sophos, wrote in a blog post analyzing the vulnerabilities. This would potentially allow malicious parties to “install spyware in the background and keep you under extensive surveillance,” Ducklin explains.
Apple does not give details about vulnerabilities until most people have updated, so it’s hard to know who the attack targets were. To ensure you are safe, update your devices to iOS 15.6.1 without delay.
Apple has also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.
Google released a security update in August to fix this year’s fifth zero-day bug. In an advisory, Google listed 11 vulnerabilities that were fixed in August. The patches include a use-after-free bug in FedCM, tracked as CVE-2022-2852 and rated critical, as well as six issues rated high and three classified as having medium impact. One of the high-rated vulnerabilities, CVE-2022-2856, has been exploited by attackers.
Google hasn’t given any details about the exploited flaw, but since attackers managed to get their hands on the details, it’s a good idea to update Chrome now.
Earlier in August, Google released Chrome 104, which fixed 27 vulnerabilities, seven of which were assessed as having high impact.
The August Android security patch was a hefty one, with dozens of fixes for serious vulnerabilities, including a flaw in the framework that could lead to local privilege escalation without the need for additional privileges. Meanwhile, a flaw in the media framework can lead to remote information disclosure, and a flaw in the system can lead to remote code execution via Bluetooth. A vulnerability in kernel components can also lead to local privilege escalation.
The Android security patch was released at the end of August, but is now available on devices such as Google’s Pixel series, the Nokia T20 and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series and Galaxy Flip series).
Microsoft’s August Patch Tuesday fixed more than 100 security vulnerabilities, 17 of which are rated critical. One of the fixes was a patch for an already exploited bug tracked as CVE-2022-34713, also known as DogWalk.
The remote code execution (RCE) flaw in the Windows Support Diagnostic Tool (MSDT) is rated as high impact because exploiting it could lead to system compromise. The vulnerability, which affects all Windows and Windows Server users, was first exposed in January 2020, more than two years ago, but Microsoft did not consider it a security issue at the time.
VMware fixed a number of bugs in August, including a critical authentication bypass bug tracked as CVE-2022-31656. When releasing the patch, the software company warned that public exploit code is available.
VMware also resolved an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, an SQL injection RCE vulnerability found in VMware Workspace ONE Access and Identity Manager also got a CVSS score of eight. Both require an attacker to have administrative and network access before they can trigger remote code execution.