July has been a month of important updates, including patches for already-exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.
Security vulnerabilities continue to hit enterprise products, too, with July patches issued for SAP, Cisco, and Oracle software. Here’s what you need to know about the vulnerabilities fixed in July.
Apple iOS 15.6
Apple has released iOS and iPadOS 15.6 to fix 37 security flaws, including an issue in Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to execute code with kernel privileges, according to Apple’s support page, giving it deep access to your device.
Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as flaws in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU Drivers.
Apple isn’t aware of any of the patched flaws being used in attacks, but some of the vulnerabilities are pretty serious—especially those affecting the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained together in attacks, so make sure you update as soon as possible.
The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.
Google released an emergency patch for its Chrome browser in July, fixing four issues, including a zero-day flaw that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was abused to achieve shellcode execution in Chrome’s renderer process.
The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.
Based on the malware and tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.
Microsoft’s Patch Tuesday
Microsoft’s July Patch Tuesday is a big one, fixing 84 security issues including a flaw already being used in real-world attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. An attacker able to successfully exploit the vulnerability could gain System privileges, according to Microsoft.
Of the 84 issues patched in Microsoft’s July Patch Tuesday, 52 were privilege escalation flaws, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.
Microsoft security patches do sometimes cause other issues, and the July update was no different: Following the release, some users found MS Access runtime applications did not open. Thankfully, the firm is rolling out a fix.
Android July Security Bulletin
Google has released July updates for its Android operating system, including a fix for a critical security vulnerability in the System component that could lead to remote code execution with no additional privileges needed.
Google also fixed serious issues in the kernel–which could result in information disclosure—and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.
Software maker SAP has issued 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.
The vulnerability allows an unauthenticated attacker to gain token information over the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it’s still important to patch as soon as possible.
Oracle has issued 349 patches in its July 2022 Critical Patch Update, including fixes for 230 flaws that can be exploited remotely.
Oracle’s April Patch Update included 520 security fixes, some of which addressed CVE-2022-22965, aka Spring4Shell, a remote code execution flaw in the spring framework. Oracle’s July update continues to address this issue.