July has been a month of important updates, including patches for already-exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.
Security vulnerabilities continue to hit enterprise products, too, with July patches issued for SAP, Cisco, and Oracle software. Here’s what you need to know about the vulnerabilities fixed in July.
Apple has released iOS and iPadOS 15.6 to fix 39 security flaws, including an issue in Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to execute code with kernel privileges, according to Apple’s support page, giving it deep access to your device.
Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as flaws in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU Drivers.
Apple isn’t aware of any of the patched flaws being used in attacks, but some of the vulnerabilities are pretty serious—especially those affecting the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained together in attacks, so make sure you update as soon as possible.
The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.
Google released an emergency patch for its Chrome browser in July, fixing four issues, including a zero-day flaw that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was abused to achieve shellcode execution in Chrome’s renderer process.
The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.
Based on the malware and tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.
Microsoft’s July Patch Tuesday is a big one, fixing 84 security issues including a flaw already being used in real-world attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. An attacker able to successfully exploit the vulnerability could gain System privileges, according to Microsoft.
Of the 84 issues patched in Microsoft’s July Patch Tuesday, 52 were privilege escalation flaws, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.
Microsoft security patches do sometimes cause other issues, and the July update was no different: Following the release, some users found MS Access runtime applications did not open. Thankfully, the firm is rolling out a fix.
Google has released July updates for its Android operating system, including a fix for a critical security vulnerability in the System component that could lead to remote code execution with no additional privileges needed.
Google also fixed serious issues in the kernel–which could result in information disclosure—and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.
Software maker SAP has issued 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.
The vulnerability allows an unauthenticated attacker to gain token information over the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it’s still important to patch as soon as possible.
Oracle has issued 349 patches in its July 2022 Critical Patch Update, including fixes for 230 flaws that can be exploited remotely.
Oracle’s April Patch Update included 520 security fixes, some of which addressed CVE-2022-22965, aka Spring4Shell, a remote code execution flaw in the spring framework. Oracle’s July update continues to address this issue.
In July, Oracle’s Financial Services Applications product family requires the highest number of patches at 59, 17 percent of the total, followed by Oracle Communications with 56 patches—16 percent of the total, according to security firm Tenable.
Due to the threat posed by a successful attack, Oracle “strongly recommends” you apply the July security patches as soon as you can.
Software vendor Cisco has fixed multiple vulnerabilities in Cisco Nexus Dashboard that could allow an attacker to execute arbitrary commands, read or upload container image files, or perform cross-site request forgery attacks.
Tracked as CVE-2022-20857 and rated “critical” with a severity score of 9.8 out of 10, one of the worst vulnerabilities could allow an unauthenticated, remote attacker to conduct a cross-site request forgery attack on an affected device.
SonicWall is urging users to update straightaway after issuing a patch to fix a critical SQL injection bug. The flaw, tracked as CVE-2022-22280 with a CVSS score of 9.4, is not believed to have been used in any real-life attacks yet, but it’s serious. It’s with this in mind that the firm is advising users upgrade to GMS 9.3.1-SP2-Hotfix-2 and Analytics 2.5.0.3-Hotfix-1.
Hot on the heels of June’s security patch, Atlassian has released another important fix for July, patching critical vulnerabilities that impact Confluence, Jira, Bamboo, Fisheye, Crucible, and Bitbucket users.
CVE-2022-26136 is a vulnerability in multiple Atlassian products that allows a remote unauthenticated attacker to bypass Servlet Filters used by first- and third-party apps. This vulnerability can result in authentication bypass and cross-site scripting.
The second, tracked as CVE-2022-26137, is a cross-origin resource sharing bypass vulnerability in multiple Atlassian products that allows a remote unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests.
Meanwhile, CVE-2022-26138 is a scary flaw that could allow a remote unauthenticated attacker who knows the hardcoded password to log in to Confluence and access all content accessible to users in the user group.
If you use the affected products, update as soon as possible.
Updated 8-1-22, 11 am ET: This story was updated to count the total number of CVEs Apple patched in its iOS 15.6 update rather than the parts of the system impacted, raising the number from 37 to 39.