Plus: Chrome patches another zero-day flaw, Microsoft closes over 100 vulnerabilities, Android gets a significant patch, and more.
August was a bumper month for security patches, with Apple, Google, and Microsoft among the firms issuing emergency fixes for already exploited vulnerabilities. The month also saw some big fixes arriving from the likes of VMware, Cisco, IBM, and Zimbra.
Here’s everything you need to know about the important security fixes issued in August.
Apple iOS 15.6.1
After a two-month patch hiatus followed by multiple fixes in July, Apple released an emergency security update in August in the form of iOS 15.6.1. The update fixes two flaws, both of which were being exploited in the wild.
The two vulnerabilities, an out-of-bounds write in WebKit (CVE-2022-32893) and an out-of-bounds write in the kernel (CVE-2022-32894), are thought to have been chained together in attacks, with serious consequences: a crafted web page triggers code execution inside the browser engine, and the kernel bug then escalates that foothold to control of the device. A successful attack could allow an adversary to take control of your iPhone and access your sensitive files and banking details.
Combining the two flaws “typically provides all the functionality needed to mount a device jailbreak,” bypassing almost all Apple-imposed security restrictions, Paul Ducklin, a principal research scientist at Sophos, wrote in a blog analyzing the vulnerabilities. This would potentially allow adversaries to “install background spyware and keep you under comprehensive surveillance,” Ducklin explained.
Apple typically withholds details of vulnerabilities until most people have updated, so it’s hard to know who the attack targets were. To ensure you are safe, update your devices to iOS 15.6.1 without delay.
Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.
Google Chrome
Google released a Chrome security update in August to fix the fifth zero-day flaw in the browser this year. The accompanying advisory lists 11 vulnerabilities fixed, including a use-after-free in FedCM (the Federated Credential Management API), tracked as CVE-2022-2852 and rated critical, along with six high-severity issues and three of medium severity. One of the high-severity bugs, CVE-2022-2856, an insufficient-validation flaw in Intents, is already being exploited by attackers.
Google hasn’t provided further detail on the exploited flaw, and usually won’t until most users have updated, but since attackers already have a working exploit, it’s a good idea to update Chrome now.
Earlier in August, Google released Chrome 104, fixing 27 vulnerabilities, seven of which were rated as having a high impact.
Google Android
The August Android security patch was a hefty one, with dozens of fixes for serious vulnerabilities. They include a flaw in the Framework component that could lead to local privilege escalation with no additional execution privileges needed, an issue in the Media Framework that could lead to remote information disclosure, a bug in the System component that could lead to remote code execution over Bluetooth, and a kernel-component vulnerability that could also lead to local escalation of privileges.
The Android patch arrived late in August, but it’s now available for devices including Google’s Pixel range, the Nokia T20, and Samsung Galaxy devices (the Galaxy S, Galaxy Note, Galaxy Fold, and Galaxy Flip series).
Microsoft
Microsoft’s August Patch Tuesday fixed over 100 security flaws, 17 of them rated critical. Among the fixes was a patch for an already exploited flaw tracked as CVE-2022-34713, also known as DogWalk.
The remote code execution (RCE) flaw in the Microsoft Support Diagnostic Tool (MSDT) is rated high severity because exploiting it, typically by tricking a user into opening a malicious diagnostic file, can result in full system compromise. The vulnerability, which affects all supported versions of Windows and Windows Server, was first publicly reported in January 2020, but Microsoft didn’t consider it a security issue at the time.
VMware
VMware fixed a batch of flaws in August, including a critical authentication bypass tracked as CVE-2022-31656 (CVSS 9.8) in Workspace ONE Access, Identity Manager, and vRealize Automation (now Aria Automation). The flaw lets an attacker with network access to the web UI obtain administrative access without authenticating, and on releasing the patch the software firm warned that public exploit code is available.
VMware also fixed a JDBC injection RCE vulnerability in the same three products, tracked as CVE-2022-31658 with a CVSS score of 8.0, and a SQL injection RCE vulnerability in Workspace ONE Access and Identity Manager, CVE-2022-31659, also scored 8.0. Both require an attacker to already have administrator and network access before they can trigger remote code execution.
The same three products also received fixes for two local privilege escalation vulnerabilities.
Later in August, VMware detailed a local privilege escalation vulnerability in VMware Tools, CVE-2022-31676, that could allow a malicious actor with local non-administrative access to the guest OS to escalate privileges to root in the virtual machine.
Cisco
August was a busy month for Cisco security updates, with the networking giant issuing patches for various flaws, including a bug in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, tracked as CVE-2022-20866, that could allow an unauthenticated, remote attacker to retrieve an RSA private key.
The vulnerability is due to a logic error when the RSA key “is stored in memory on a hardware platform that performs hardware-based cryptography,” Cisco said in an advisory. “An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key,” it warned.
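To show what a Lenstra-style fault attack on RSA-CRT looks like in practice, here is an added worked example in Python; it is not Cisco’s code and models no ASA internals. It uses a constructed toy key (tiny primes, chosen only so the arithmetic is readable), injects a fault into one half of a CRT signature, recovers a prime factor of the modulus with a single gcd, and then shows the standard countermeasure: verifying each signature with the public key before releasing it.

```python
"""Worked demonstration of the Lenstra fault attack on RSA-CRT signing.

Added example for this article, not Cisco's or any vendor's code. The key
is a constructed toy key with tiny primes so the arithmetic is readable;
never use such sizes in practice.
"""
from math import gcd
from typing import Optional

# Constructed toy RSA key.
P = 1000003                       # prime
Q = 1000033                       # prime
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)               # private exponent (needs Python 3.8+)

# CRT parameters, the form in which a hardware RSA engine keeps the key.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def crt_sign(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signature of the message representative m (0 <= m < N).

    fault_in_p=True simulates a glitch or logic error that corrupts only the
    mod-p half of the computation while the mod-q half stays correct.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P          # corrupted half-signature
    h = (QINV * (sp - sq)) % P     # Garner recombination
    return (sq + h * Q) % N


def recover_factor(m: int, faulty_sig: int) -> int:
    """Lenstra's attack. If the mod-q half was right and the mod-p half wrong,
    then faulty_sig**E == m (mod q) but != m (mod p); q divides
    faulty_sig**E - m while p does not, so one gcd yields q."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def safe_crt_sign(m: int, fault_in_p: bool = False) -> Optional[int]:
    """Standard countermeasure: verify the signature with the public key
    before releasing it, and release nothing if the check fails."""
    s = crt_sign(m, fault_in_p)
    if pow(s, E, N) != m % N:
        return None                # a faulty value never leaves the device
    return s


if __name__ == "__main__":
    msg = 123456789
    bad = crt_sign(msg, fault_in_p=True)
    q = recover_factor(msg, bad)
    print("recovered factor:", q, "matches Q:", q == Q, "p =", N // q)
    print("safe signer returns:", safe_crt_sign(msg, fault_in_p=True))
```

Because exponentiation by E is a bijection modulo p when gcd(E, p-1) = 1, any corruption of the mod-p half is guaranteed to leave the mod-p congruence broken, so the gcd recovers q deterministically; one faulty signature is enough. The verify-before-release check costs one public-key operation per signature, which is why it is the usual mitigation on hardware crypto engines.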
Earlier in the month, Cisco fixed multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers that could allow an unauthenticated, remote attacker to execute arbitrary code or cause denial of service on an affected device.
Later in August, Cisco patched a flaw in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance (formerly Cisco Web Security Appliance, or WSA) that could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root.
The multiple Cisco patches came shortly after the company confirmed that it had been breached by the Yanluowang ransomware group in May of this year.
IBM
IBM has released patches for two issues in the libcurl library that affect IBM MQ. The first, CVE-2022-27780, could allow a remote attacker to bypass security restrictions because the URL parser wrongly accepts percent-encoded URL separators such as “/” when decoding the host name part of a URL, so the URL ends up pointing at a different host than the one a filter checked. An attacker could exploit the vulnerability by sending a specially crafted host name in a URL, IBM said.
The second issue, an HSTS check bypass tracked as CVE-2022-30115, could allow a remote attacker to obtain sensitive information: a host name written with a trailing dot was not matched against the stored HSTS policy for the same name without the dot (or vice versa), so a connection that should have been forced to HTTPS could proceed over cleartext HTTP.
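Both bugs come down to a host name being compared in one form and used in another. The following added Python example, which is not curl’s or IBM’s code, shows the two checks a URL handler needs: rejecting a decoded URL separator inside a host name, and canonicalising the trailing dot before an HSTS lookup. The sample URLs and HSTS entries are constructed for illustration.

```python
"""Two libcurl-style URL handling checks, written as an added example for this
article (not curl's or IBM's code), one for each bug class named above:

  1. a parser that percent-decodes the host name must reject a decoded URL
     separator such as "/" inside it (the class of CVE-2022-27780);
  2. an HSTS cache lookup must canonicalise the trailing dot of a fully
     qualified host name, otherwise "example.com." slips past a policy stored
     for "example.com" (the class of CVE-2022-30115).

The sample URLs and HSTS entries are constructed for this example.
"""
from typing import Dict
from urllib.parse import unquote, urlsplit, urlunsplit

# Characters that delimit URL components; none may survive inside a host name
# after percent-decoding, or the URL changes meaning when re-parsed.
HOST_SEPARATORS = set("/?#@:[]\\")


def naive_host(url: str) -> str:
    """Vulnerable pattern: decode the host and use it as-is. For
    "http://example.com%2F127.0.0.1/" this yields "example.com/127.0.0.1",
    which a later stage may re-read as host example.com with path
    /127.0.0.1/, defeating any allow-list that was applied to the raw host."""
    return unquote(urlsplit(url).hostname or "")


def safe_host(url: str) -> str:
    """Hardened: refuse any host whose decoded form contains a separator."""
    raw = urlsplit(url).hostname or ""
    decoded = unquote(raw)
    if not decoded or any(c in HOST_SEPARATORS for c in decoded):
        raise ValueError(f"invalid host name in URL: {raw!r}")
    return decoded


def canonical_host(host: str) -> str:
    """Lower-case and drop one trailing dot: "example.com." and "example.com"
    name the same origin for policy purposes."""
    host = host.lower()
    return host[:-1] if len(host) > 1 and host.endswith(".") else host


class HstsCache:
    """Minimal HSTS store mapping host -> includeSubDomains flag."""

    def __init__(self) -> None:
        self._entries: Dict[str, bool] = {}

    def add(self, host: str, include_subdomains: bool = False) -> None:
        self._entries[canonical_host(host)] = include_subdomains

    def _match(self, host: str) -> bool:
        if host in self._entries:
            return True
        labels = host.split(".")
        # includeSubDomains: a policy on any parent domain also applies.
        return any(self._entries.get(".".join(labels[i:]), False)
                   for i in range(1, len(labels)))

    def must_upgrade_naive(self, host: str) -> bool:
        """Vulnerable pattern: match the host string exactly as given, so
        "example.com." never hits the entry stored for "example.com"."""
        return self._match(host)

    def must_upgrade(self, host: str) -> bool:
        """Hardened: canonicalise before lookup."""
        return self._match(canonical_host(host))

    def enforce(self, url: str) -> str:
        """Return the URL to actually fetch: validated host, and scheme
        upgraded to https when a policy applies."""
        parts = urlsplit(url)
        host = safe_host(url)
        if parts.scheme == "http" and self.must_upgrade(host):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    print(naive_host("http://example.com%2F127.0.0.1/"))  # example.com/127.0.0.1
    cache = HstsCache()
    cache.add("example.com", include_subdomains=True)
    print(cache.must_upgrade_naive("example.com."), cache.must_upgrade("example.com."))
    print(cache.enforce("http://www.example.com./login"))
```

The same canonicalisation belongs wherever a host name is used as a policy key (cookie jars, certificate pinning tables, SSRF allow-lists), and the separator check should run on the decoded host, never on the raw one, since the raw form is exactly what the filter in the first CVE was fooled by.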
Zimbra
Already exploited flaws in Zimbra Collaboration Suite (ZCS) have been deemed so serious that a joint advisory was issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC).
Patches for the five vulnerabilities rolled out between May and July of this year. CISA and MS-ISAC told organizations that hadn’t updated their ZCS instances upon release to “assume compromise and hunt for malicious activity.”