July has been a month of major updates, including patches for already exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.
Security vulnerabilities also continue to affect enterprise products, with July patches issued for SAP, Cisco and Oracle software. Here’s what you need to know about the vulnerabilities fixed in July.
Apple iOS 15.6
Apple has released iOS and iPadOS 15.6 to fix 37 security flaws, including an issue with the Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to execute code with kernel privileges, according to Apple’s support page, giving it deep access to your device.
Other patches in iOS 15.6 fix vulnerabilities in the WebKit browser engine and kernel, as well as flaws in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU drivers.
Apple is not aware of any of the patched flaws being used in attacks, but some of the vulnerabilities are quite serious, especially those that affect the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained into attacks, so be sure to update as soon as possible.
iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.
Google Chrome
Google released an emergency patch for its Chrome browser in July, fixing four issues, including a zero-day flaw that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was exploited to achieve shellcode execution in the Chrome renderer process.
The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.
Based on the malware and tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.
Microsoft Patch Tuesday
Microsoft’s July Patch Tuesday is important because it fixes 84 security issues, including a flaw that is already being used in real-world attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) on Windows Server and Windows client platforms, including the latest versions of Windows 11 and Windows Server 2022. An attacker able to successfully exploit the vulnerability could gain SYSTEM privileges, according to Microsoft.
Of the 84 issues fixed in Microsoft’s July Patch Tuesday, 52 were privilege escalation flaws, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.
Microsoft’s security patches sometimes cause other problems, and the July update was no different: after the release, some users found that applications running MS Access failed to open. Fortunately, the company is releasing a solution.
July Android Security Bulletin
Google has released July updates for its Android operating system, including a fix for a critical security vulnerability in the system component that could lead to remote code execution without requiring additional privileges.
Google also fixed serious issues in the kernel, which could lead to information disclosure, and in the framework, which could lead to escalation of local privileges. Meanwhile, vendor-specific patches are available for MediaTek, Qualcomm, and Unisoc if your device uses those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.
SAP
Software maker SAP has released 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure bug in the vendor’s Business Objects platform central management console.
The vulnerability allows an unauthenticated attacker to obtain token information on the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it is still important to patch as soon as possible.
Oracle
Oracle has released 349 patches in its July 2022 Critical Patch Update, including fixes for 230 remotely exploitable flaws.
Oracle’s April patch update included 520 security fixes, some of which addressed CVE-2022-22965, also known as Spring4Shell, a remote code execution flaw in the Spring framework. Oracle’s July update continues to address this issue.