Go Update iOS, Chrome, and HP Computers to Fix Serious Flaws

Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.

September has seen tech giants including Microsoft, Google, and Apple issue updates to fix multiple serious security vulnerabilities. Many of the flaws patched during the month have already been exploited by attackers, making it important to check your devices and update now.

Here’s what you need to know about the patches released in September.

Apple iOS

September is iPhone launch time, which also means the release of Apple’s updated operating system (OS) iOS 16. As expected, Apple released iOS 16 in early September, but it did so along with iOS 15.7 for iPhone users who want to wait before updating to the all-new OS.

If you decide not to go with iOS 16, it’s important you apply iOS 15.7 because both updates fix the same 11 flaws, one of which is already being used in real-life attacks.

The already exploited vulnerability—tracked as CVE-2022-32917—is an issue in the Kernel that could allow an adversary to execute code, according to Apple’s support page.

Later in the month, Apple released iOS 16.0.1 to fix several bugs in the newly released iPhone 14, and iOS 16.0.2, which fixes several iOS 16 issues. While Apple says iOS 16.0.2 contains “important security updates,” no CVE entries had been published at the time of writing.

Apple has also released iPadOS 15.7, macOS Big Sur 11.7, macOS Monterey 12.6, tvOS 16, and watchOS 9, as well as watchOS 9.0.1 for the Apple Watch Ultra.

Google Chrome

It’s been a busy month for Google Chrome updates, starting with an emergency fix to address a zero-day vulnerability already being used in attacks. Tracked as CVE-2022-3075, the flaw was deemed so serious that Google rushed out an update immediately after it was reported at the end of August.

Google didn’t give much detail about the vulnerability, which is related to an insufficient data validation issue within the runtime libraries known as Mojo, because it wants as many people as possible to update before more attackers get hold of the details.

In mid-September, Google released another fix, this time for 11 security vulnerabilities, including seven rated as high severity. Then, at the end of the month, Google issued Chrome 106, fixing 20 security flaws, five of which were rated as having a high severity. The most severe vulnerabilities include CVE-2022-3304, a use-after-free issue in CSS, and CVE-2022-3307, a use-after-free flaw in Media.

Google Android

September’s Android Security Bulletin has detailed fixes for multiple issues ranging from high severity to critical. Issues patched in September include flaws in the Kernel as well as the Android Framework and System components.

An additional update has also been released for Google’s Pixel devices addressing two critical vulnerabilities, CVE-2022-20231 and CVE-2022-20364, that could lead to privilege escalation by an attacker.

The September patch has already reached most of the Samsung Galaxy range, and Samsung’s release also includes specific updates for its own devices.

None of the issues patched by Google are known to have been exploited in attacks, but if the update is available to you, it’s a good idea to apply it as soon as possible.

Microsoft

Microsoft’s September Patch Tuesday is an important one because it comes with a fix for a flaw already being used in attacks. The zero-day vulnerability, tracked as CVE-2022-37969, is a privilege escalation issue in the Windows Common Log File System Driver that could allow an adversary to take control of the machine.

The zero-day is among 63 vulnerabilities patched by Microsoft, including five rated as critical. These include CVE-2022-34722 and CVE-2022-34721, remote code execution (RCE) flaws in the Windows Internet Key Exchange Protocol (IKE) which both have a CVSS score of 9.8.

Later in September, Microsoft issued an out-of-band security update for a spoofing vulnerability in its Endpoint Configuration Manager, tracked as CVE-2022-37972.

WhatsApp

Encrypted messaging service WhatsApp has released an update to fix two vulnerabilities that could result in remote code execution. CVE-2022-36934 is an integer overflow issue in WhatsApp for Android, WhatsApp Business for Android, WhatsApp for iOS, and WhatsApp Business for iOS, all in versions prior to v2.22.16.12, which could result in remote code execution in a video call.

Meanwhile, CVE-2022-27492 is an integer underflow flaw in WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9 that could have caused remote code execution for someone receiving a crafted video file, according to the WhatsApp security advisory.

WhatsApp patched these flaws about a month ago, so if you are running the current version, you should be safe.

HP

HP has fixed a serious issue in the support assistant tool that comes preinstalled on all of its laptops. The privilege escalation bug in HP Support Assistant is ranked as a high-severity issue and is tracked as CVE-2022-38395.

HP has released only limited details about the vulnerability on its support page, but it goes without saying that those with affected equipment should ensure they update now.

SAP

SAP’s September Patch Day saw the release of 16 new and updated patches, including three high-priority fixes for SAP Business One, SAP BusinessObjects, and SAP GRC.

The SAP Business One fix, which patches an Unquoted Service Path vulnerability, is the most critical of the three. Attackers could exploit the flaw “to execute an arbitrary binary file when the vulnerable service starts, which could allow it to escalate privileges to SYSTEM,” security firm Onapsis says.
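The unquoted service path class of bug comes down to how the Windows Service Control Manager resolves a path that contains spaces but no quotes. The following audit helper (an added example, not SAP’s or Onapsis’s code) takes a service’s ImagePath string, reports the wrong executables Windows would try before the intended one, and returns the corrected, quoted form. The sample path is constructed and hypothetical, not SAP Business One’s real install location.

```python
import re

# Constructed sample ImagePath (hypothetical location, not SAP's real one).
SAMPLE_IMAGE_PATH = r'C:\Program Files\SAP\Business One\Service.exe -run'


def split_path_and_args(image_path: str) -> tuple[str, str]:
    """Separate the executable from trailing arguments on an unquoted path.

    The text up to and including the first '.exe' is treated as the
    executable; anything after it is arguments."""
    m = re.search(r'\.exe', image_path, re.IGNORECASE)
    if not m:
        return image_path, ''
    return image_path[:m.end()], image_path[m.end():]


def unquoted_path_candidates(image_path: str) -> list[str]:
    """Return the executables Windows would try, in order, before the real
    one. An empty list means the path is unambiguous (quoted or no spaces)."""
    p = image_path.strip()
    if p.startswith('"'):
        return []  # quoted path: no ambiguity
    exe, _ = split_path_and_args(p)
    if ' ' not in exe:
        return []  # no spaces: no ambiguity
    tokens = exe.split(' ')
    # Each space is a point where the parser may stop and append .exe
    return [' '.join(tokens[:i]) + '.exe' for i in range(1, len(tokens))]


def is_unquoted_service_path(image_path: str) -> bool:
    """True when the ImagePath should be flagged during a service audit."""
    return bool(unquoted_path_candidates(image_path))


def quoted_fix(image_path: str) -> str:
    """Return the ImagePath as it should be written: executable in quotes,
    arguments left untouched."""
    p = image_path.strip()
    if p.startswith('"'):
        return p
    exe, args = split_path_and_args(p)
    return f'"{exe}"{args}'


if __name__ == '__main__':
    for bad in unquoted_path_candidates(SAMPLE_IMAGE_PATH):
        print('would be tried first:', bad)
    print('fixed ImagePath:', quoted_fix(SAMPLE_IMAGE_PATH))
```

On a real host, feed it the ImagePath values read from each service’s registry key and fix any that are flagged by quoting the executable.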

A second fix for SAP BusinessObjects patches an information disclosure vulnerability. “Under certain conditions, the vulnerability allows an attacker to gain access to unencrypted sensitive information in the Central Management Console of SAP BusinessObjects Business Intelligence Platform,” says Onapsis in its blog.

The third High Priority Note affecting SAP GRC customers could allow an authenticated attacker to access a Firefighter session even after it is closed in Firefighter Logon Pad.

Cisco

Software giant Cisco has issued a patch to fix a high-severity security issue in the binding configuration of SD-WAN vManage software containers. Tracked as CVE-2022-20696, the flaw could allow an unauthenticated attacker who has access to the VPN0 logical network to access the messaging service ports on an affected system.

“A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload,” Cisco warned in an advisory.

Sophos

Security company Sophos has just fixed an RCE flaw in its firewall product that it says is already being used in attacks. Tracked as CVE-2022-3236, the code injection vulnerability was discovered in the User Portal and Webadmin of Sophos Firewall.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the firm said in a security advisory.

WP Gateway WordPress Plugin

A vulnerability in a WordPress plugin called WP Gateway is already being used in attacks. Tracked as CVE-2022-3180, the privilege escalation bug could allow attackers to add a malicious user with admin privileges to take over sites running the plugin.

“As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement to all of our users,” said Ram Gall, a Wordfence senior threat analyst, adding that certain details have been withheld intentionally to prevent further exploitation.