Apple Has Fixed a Necessary iOS Security Flaw—Have You Updated Yet?
Apple, Google, and Microsoft were among the companies issuing emergency fixes in August for vulnerabilities that were already being exploited, while VMware, Cisco, IBM, and Zimbra all released significant updates this month.
Here is all you need to know about the important security updates released in August.
Apple iOS 15.6.1
After a two-month patch hiatus and then multiple fixes in July, Apple released an emergency security update, iOS 15.6.1, in August. The update patched two flaws that were being exploited by attackers in the wild.
It is believed that the WebKit (CVE-2022-32893) and Kernel (CVE-2022-32894) vulnerabilities were being chained together in attacks, with serious consequences. An adversary could gain control of your iPhone and access your sensitive files and banking information if the attack is successful.
Combining the two flaws “typically provides all the functionality needed to mount a device jailbreak,” bypassing almost all Apple-imposed restrictions, Sophos’ Paul Ducklin wrote in a blog evaluating the threats and risks. This could allow malicious hackers to “install background spyware and keep you under comprehensive surveillance,” according to Ducklin.
Apple always avoids disclosing details about vulnerabilities until the majority of users have updated, making it difficult to determine who the attack targets were. To be safe, you should immediately update your devices to iOS 15.6.1.
Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, which you should all update as soon as possible.
Google issued a security update in August to address its fifth zero-day vulnerability this year. Google listed 11 vulnerabilities fixed in August in an advisory. The patches address a critical use-after-free flaw in FedCM, as well as six high-severity issues and three classified as having a medium impact. CVE-2022-2856, one of the high-severity vulnerabilities, has been exploited by attackers.
Google hasn’t provided any information about the exploited flaw, but since attackers have access to it, it’s a good idea to update Chrome right away. Google Chrome 104 was released earlier this month, patching 27 vulnerabilities, seven of which were rated as having a high impact.
The August Android security patch was substantial, containing dozens of fixes for critical vulnerabilities, including a flaw in the framework that could result in local privilege escalation with no additional privileges required. Meanwhile, a flaw in the media framework may result in remote information disclosure, and a flaw in the system may result in remote code execution via Bluetooth. A vulnerability in kernel components could also result in local privilege escalation.
The Android security patch was released in late August, but it is now available on devices such as Google’s Pixel lineup, Nokia’s T20, and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series, and Galaxy Flip series).
Microsoft’s August Patch Tuesday patched over 100 security flaws, 17 of which are critical. Among the fixes was one for a previously exploited flaw known as CVE-2022-34713, also known as DogWalk.
Because exploiting the remote code execution (RCE) flaw in the Microsoft Support Diagnostic Tool (MSDT) can result in a system compromise, it is rated as having a high impact. The vulnerability, which affects all Windows and Windows Server users, was first disclosed in January 2020, but Microsoft did not consider it a security issue at the time.
In August, VMware patched a number of flaws, including a critical authentication bypass bug identified as CVE-2022-31656. When the patch was released, the software company warned that public exploit code was available.
VMware also patched an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), which was identified as CVE-2022-31658 and had a CVSS score of eight. A SQL injection RCE vulnerability discovered in VMware Workspace ONE Access and Identity Manager received a CVSS score of eight as well. Before triggering remote code execution, an attacker must have administrator and network access.
Two privilege escalation vulnerabilities exist in VMware Workspace ONE Access, Identity Manager, and Aria Automation.
Later in August, VMware disclosed CVE-2022-31676, a local privilege escalation vulnerability in VMware Tools that could allow a malicious actor with local non-administrative access to the guest OS to escalate privileges to root inside the virtual machine.
Cisco issued patches for a variety of flaws in August, including a bug in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could allow an unauthenticated, remote attacker to retrieve an RSA private key.
The flaw is caused by a logic error when the RSA key “is stored in memory on a hardware platform that performs hardware-based cryptography,” according to Cisco’s advisory, which warned that “an attacker could use a Lenstra side-channel attack against the targeted device to exploit this vulnerability” and that, “if the exploit is successful, the attacker may be able to obtain the RSA private key.”
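The attack Cisco's advisory names is Lenstra's fault attack on RSA-CRT: if one half of a CRT signature is computed wrongly and the faulty result is still handed out, the modulus can be factored from that single bad signature. The standard defence is for the signing routine to verify its own output with the public key before releasing it. The following is an added example of that check, not code from the article or from Cisco, and it illustrates the general attack class rather than the specific logic error in ASA/FTD; the key primes, the message and the simulated fault are all constructed, and the function names (`crt_sign_unchecked`, `crt_sign_checked`, `try_release`, `factor_from_faulty_signature`) are assumptions.

```python
from math import gcd

# Constructed toy key for illustration only (two small well-known primes,
# nothing like a real 2048-bit modulus); values assumed, not from the article.
P, Q = 104723, 104729
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                 # q^-1 mod p, used by Garner's recombination


def crt_sign_unchecked(m, fault_p=False):
    """Textbook RSA-CRT signature of an integer m < N.

    fault_p=True simulates a computation error confined to the mod-p half,
    which is exactly the condition Lenstra's method needs to recover a factor.
    """
    s_p = pow(m, DP, P)
    if fault_p:
        s_p = (s_p + 1) % P      # constructed fault: wrong answer mod p only
    s_q = pow(m, DQ, Q)
    h = (QINV * (s_p - s_q)) % P
    return s_q + h * Q           # Garner: result is s_p mod p and s_q mod q


def crt_sign_checked(m, fault_p=False):
    """Countermeasure: re-verify with the public exponent before the
    signature leaves the signing routine; a faulted value is never released."""
    s = crt_sign_unchecked(m, fault_p)
    if pow(s, E, N) != m:
        raise ValueError("RSA-CRT self-check failed; signature withheld")
    return s


def try_release(m, fault_p=False):
    """Return the signature if it passes the self-check, otherwise None."""
    try:
        return crt_sign_checked(m, fault_p)
    except ValueError:
        return None


def factor_from_faulty_signature(m, s_bad):
    """Why the self-check matters: a signature that is right mod q but wrong
    mod p satisfies s_bad^e == m only modulo q, so gcd(s_bad^e - m, N) is q.
    Returns the recovered factor, or None if the signature was correct."""
    f = gcd((pow(s_bad, E, N) - m) % N, N)
    return f if 1 < f < N else None


if __name__ == "__main__":
    m = 123456789                                   # constructed message
    good = try_release(m)
    print("good signature verifies:", pow(good, E, N) == m)
    print("faulted signature released:", try_release(m, fault_p=True))
    leaked = factor_from_faulty_signature(m, crt_sign_unchecked(m, fault_p=True))
    print("unchecked faulty signature leaks q:", leaked == Q)
```

The self-check costs one public-exponent modular exponentiation per signature, which is cheap next to the private CRT halves, and it is the reason production RSA implementations refuse to emit a signature they cannot verify.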
Cisco patched multiple vulnerabilities in the Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers earlier this month, which could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service on an affected device.
Later in August, Cisco patched a vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance (formerly Cisco Web Security Appliance, or WSA), which could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root.
The multiple Cisco patches came after it was revealed in May that the software maker had been hacked by the Yanluowang ransomware group.
IBM has released patches to address issues in the libcurl library that affect IBM MQ. The first, CVE-2022-27780, could allow a remote attacker to circumvent security restrictions because of a flaw in the URL parser that incorrectly accepts percent-encoded URL separators such as “/” in the hostname. According to IBM, an attacker could exploit the vulnerability by sending a URL with a specially crafted hostname.
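The rule the curl fix restores is that a hostname never legitimately contains a percent-encoded component separator, so a URL whose host decodes to something containing “/” (or “\”, “?”, “#”, “@”) should be rejected rather than quietly reinterpreted. As an added example that is not code from the article, IBM, or the curl project, the following applies that rule before a URL is handed to any client library; `split_authority` and `host_is_clean` are assumed names, and the URLs in the `__main__` block are constructed.

```python
from urllib.parse import urlsplit, unquote

# Characters that delimit URL components; none may appear in a hostname,
# literally or hidden behind percent-encoding (':' is handled separately
# because it is legitimate inside a bracketed IPv6 literal).
SEPARATORS = set("/\\?#@")


def split_authority(url):
    """Split the authority into (userinfo, host, port) as RFC 3986 does:
    userinfo ends at the last '@', the port follows the last ':' outside
    square brackets. Returns plain strings; any may be empty."""
    netloc = urlsplit(url).netloc
    userinfo, _, hostport = netloc.rpartition("@")
    if hostport.startswith("["):                     # IPv6 literal
        host, _, port = hostport.partition("]")
        host += "]"
        port = port.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    return userinfo, host, port


def host_is_clean(url):
    """True only if the host is non-empty, contains no '%' at all (hostnames
    never need percent-encoding, so any occurrence is suspect), and contains
    no separator character. The decode step catches raw separators such as a
    backslash, which urlsplit leaves inside the authority."""
    _, host, _ = split_authority(url)
    if not host or "%" in host:
        return False
    forbidden = SEPARATORS if host.startswith("[") else SEPARATORS | {":"}
    return not (forbidden & set(unquote(host)))


if __name__ == "__main__":
    # Constructed sample URLs: the first three should pass, the rest be rejected.
    samples = [
        "https://example.com/path",
        "https://user:pw@example.com:8443/x",
        "http://[::1]:8080/",
        "http://example.com%2Fpath/",       # percent-encoded '/' in the host
        "http://example.com%2F127.0.0.1/",  # host that decodes to two names
        "http://example.com\\evil/",        # literal backslash in the host
        "http:///nohost",
    ]
    for url in samples:
        print(f"{'ok     ' if host_is_clean(url) else 'reject '} {url}")
```

Rejecting any “%” in the host is deliberately stricter than decoding and then checking: a conservative gate in front of the URL library means a later parser change, like the one this CVE describes, cannot turn an accepted string into a request for a different host.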
The second issue, CVE-2022-30115, an HSTS check bypass, could allow a remote attacker to obtain sensitive information.
Already exploited flaws in Zimbra’s Collaboration Suite (ZCS) were deemed so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) issued a joint warning.
Patches for the five vulnerabilities were released between May and July of this year. CISA and the MS-ISAC advised organizations that had not yet updated their ZCS instances to “assume compromise and hunt for malicious activity.”