August was a bumper month for security patches, with Apple, Google, and Microsoft among the companies releasing urgent fixes for already exploited vulnerabilities. The month also saw some major bug fixes coming from VMware, Cisco, IBM, and Zimbra.
Here’s everything you need to know about the critical security fixes released in August.
Apple iOS 15.6.1
After a two-month patch hiatus, followed by more fixes in July, Apple released an emergency security update in August with iOS 15.6. The iOS update fixed two bugs, both of which are being used in the wild by attackers.
It is thought that the vulnerabilities in WebKit (CVE-2022-32893) and the Kernel (CVE-2022-32894) are being chained together in attacks, with dire consequences. A successful attack could allow an adversary to take control of your iPhone and gain access to your sensitive files and banking details.
Combining the two vulnerabilities “generally provides all the functionality needed to install a device jailbreak,” bypassing most security restrictions imposed by Apple, Paul Ducklin, a research scientist at Sophos, wrote in a blog analysis of the vulnerabilities. This could potentially allow an adversary to “install background spyware and keep you under complete surveillance,” explains Ducklin.
Apple always avoids releasing details about vulnerabilities until most people have updated, so it is difficult to know who the attacks are targeting. To make sure you stay safe, you should update your device to iOS 15.6.1 immediately.
Apple has also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.
Google released a security update in August to fix a zero-day bug. In one advisory, Google listed 11 vulnerabilities fixed in August. The patch includes a use-after-free vulnerability in FedCM, tracked as CVE-2022-2852 and rated as important, as well as six rated as high and three rated as medium impact. One of the high-rated vulnerabilities, CVE-2022-2856, was exploited by attackers.
Google hasn’t provided any details on the exploited vulnerability, but since the attackers already know the details, you should update Chrome now.
In early August, Google released Chrome 104, fixing 27 vulnerabilities, seven of which are rated as high-impact.
The Android August security patch is a large one, with dozens of fixes for critical vulnerabilities, including one in the framework that could lead to local privilege escalation with no additional privileges required. Meanwhile, an issue in the media framework could lead to remote information disclosure, and a vulnerability in the system could lead to remote code execution over Bluetooth. A vulnerability in kernel components can also lead to a local escalation of privileges.
The Android security patch arrived late in August, but it is now available on devices including Google’s Pixel range, the Nokia T20, and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series, and Galaxy Flip series).
The Remote Code Execution (RCE) vulnerability in the Windows Support Diagnostic Tool (MSDT) is considered to be highly impactful because its exploitation can lead to system compromise. The vulnerability affects all Windows and Windows Server users and was first exposed over two years ago, in January 2020, but Microsoft didn’t consider it a security issue at the time.
VMware fixed a series of bugs in August, including an important validation bypass bug tracked as CVE-2022-31656. When the patch was released, the software company warned that exploit code was publicly available.
VMware also fixed an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, an SQL injection RCE vulnerability found in VMware Workspace ONE Access and Identity Manager also has a CVSS score of eight. Both require an attacker to have administrator privileges and network access before they can trigger remote code execution.