August was one an excellent month for security patches, with Apple, Google and Microsoft among the companies issuing emergency fixes for already exploited vulnerabilities. Some great solutions from the likes of VMWare, Cisco, IBM and Zimbra also arrived during the month.
Here’s everything you need to know about the important security fixes released in August.
Apple iOS 15.6.1
After a two-month hiatus, followed by several fixes in July, Apple released an emergency security update in August with iOS 15.6.1. The iOS update fixed two flaws, both of which were being exploited by attackers in the wild.
Vulnerabilities in WebKit (CVE-2022-32893) and Kernel (CVE-2022-32894) are believed to be being chained together in attacks, with serious consequences. A successful attack could allow an adversary to take control of your iPhone and access your sensitive files and banking data.
The combination of the two flaws “typically provides all the functionality needed to jailbreak the device,” bypassing nearly all Apple-imposed security restrictions, Paul Ducklin, a senior researcher at Sophos, wrote in a blog analyzing the vulnerabilities. This could allow adversaries to “install spyware in the background and keep you under complete surveillance,” Ducklin explained.
Apple always avoids giving details about vulnerabilities until most people have updated, so it’s hard to know who the targets of the attack were. To make sure you’re safe, you should update your devices to iOS 15.6.1 without delay.
Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at your next opportunity.
Google Chrome
Google released a security update in August to fix its fifth zero-day flaw this year. In an advisory, Google listed 11 vulnerabilities fixed in August. The patches include a use-after-free flaw in FedCM (tracked as CVE-2022-2852 and rated critical), as well as six issues rated high and three rated medium impact. One of the highest rated vulnerabilities has been exploited by attackers, CVE-2022-2856.
Google hasn’t provided any details about the exploited flaw, but since the attackers got the details, it’s a good idea to update Chrome now.
In early August, Google released Chrome 104, fixing 27 vulnerabilities, seven of which had a high impact.
Google Android
August’s Android security patch was strong, with dozens of fixes for serious vulnerabilities, including a flaw in the framework that could cause local privilege escalation without requiring additional privileges. Meanwhile, a problem in the media framework could lead to remote information disclosure, and a system failure could lead to remote code execution via Bluetooth. A vulnerability in kernel components could also lead to local privilege escalation.
The Android security patch came out at the end of August, but is now available on devices such as Google’s Pixel range, the Nokia T20 and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note, Galaxy Fold and Galaxy Flip).
Microsoft
Microsoft’s August Patch Tuesday fixed more than 100 security bugs, of which 17 were classified as critical. Among the fixes was a patch for an already exploited flaw tracked as CVE-2022-34713, also known as DogWalk.
The Remote Code Execution (RCE) flaw in the Windows Support Diagnostic Tool (MDST) has a high impact because exploiting it can lead to system compromise. The vulnerability, which affects all Windows and Windows Server users, was first exposed more than two years ago in January 2020, but Microsoft did not consider it a security issue at the time.
VMWare
VMWare fixed a bunch of flaws in August, including a critical authentication bypass bug tracked as CVE-2022-31656. When releasing the patch, the software company warned that public exploit code is available.
VMWare also fixed an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, an RCE SQL injection vulnerability found in VMware Workspace ONE Access and Identity Manager also earned a CVSS score of eight. Both require an attacker to have administrator and network access before they can enable remote code execution.