Major software makers like Microsoft, Google, and Apple regularly release updates to address a wide range of critical security flaws. This month’s patches address a number of vulnerabilities that have already been exploited, so it’s crucial that you check your devices and apply the necessary updates as soon as possible.
Learn the ins and outs of the September updates right here!
As was widely anticipated, Apple released iOS 16 in early September alongside the new iPhones. It also released iOS 15.7 for iPhones that are not moving to iOS 16 yet.
Even if you choose not to update to iOS 16, you should still install iOS 15.7, because it fixes the same 11 vulnerabilities that iOS 16 does.
According to Apple’s support page, the already exploited vulnerability is a kernel flaw, CVE-2022-32917, that could allow an application to execute arbitrary code with kernel privileges.
Apple followed the debut of the iPhone 14 with iOS 16.0.1 and iOS 16.0.2, both of which addressed various problems with the new operating system. Although Apple says iOS 16.0.2 includes “critical security improvements,” no CVE entries had been published as of this writing.
Apple has also released watchOS 9 and, for the Apple Watch Ultra, watchOS 9.0.1, as well as iPadOS 15.7, macOS Big Sur 11.7, macOS Monterey 12.6, and tvOS 16.
Google Chrome has had a busy month of updates, starting with an emergency patch for a zero-day vulnerability that was already being exploited. CVE-2022-3075 was reported to Google at the end of August, and the company released a patch within days.
Since Google wants as many people as possible to update before more attackers learn the details, it has said little about the vulnerability beyond describing it as insufficient data validation in Mojo, Chrome’s inter-process communication runtime.
About midway through September, Google issued another patch, this time addressing eleven security holes, seven of which were rated high severity.
Google then released Chrome 106 at the end of the month, patching twenty security holes, five of which were rated high severity. The most serious are use-after-free vulnerabilities in CSS (CVE-2022-3304) and Media (CVE-2022-3307).
The Android Security Bulletin for September includes fixes for a number of vulnerabilities rated high to critical severity, in the Android Framework, the System, and the Kernel.
Google’s Pixel update also patches two critical vulnerabilities, CVE-2022-20231 and CVE-2022-20364, that could allow an attacker to escalate privileges.
Samsung has already rolled out the September security patch to most of its Galaxy line.
While none of the vulnerabilities Google fixed appear to have been used in attacks, you should still update as soon as the new version becomes available for your device.
This month’s Microsoft Patch Tuesday is significant because it addresses a vulnerability that has been exploited in recent attacks. CVE-2022-37969 is a privilege escalation vulnerability in the Windows Common Log File System (CLFS) Driver that could give an attacker SYSTEM privileges on an affected machine.
That zero-day was among 63 vulnerabilities patched by Microsoft, five of which were rated critical. They include two remote code execution (RCE) vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions, CVE-2022-34721 and CVE-2022-34722, each with a CVSS score of 9.8.
Towards the end of September, Microsoft released an out-of-band security update to address a spoofing vulnerability in Endpoint Configuration Manager (CVE-2022-37972).
WhatsApp, the encrypted messaging service, has patched two vulnerabilities that could lead to remote code execution.
CVE-2022-36934 is an integer overflow in WhatsApp for Android, WhatsApp Business for Android, WhatsApp for iOS, and WhatsApp Business for iOS prior to v2.22.16.12 that could allow remote code execution during an established video call.
Similarly, CVE-2022-27492, an integer underflow in WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9, could allow remote code execution when a specially crafted video file is received.
If you’re running the latest version of WhatsApp, you are no longer exposed to these issues.
HP has fixed a critical flaw in the support software bundled with its laptops. HP Support Assistant contains a vulnerability, CVE-2022-38395, that allows an attacker to gain elevated privileges.
HP’s support page gives little detail about the flaw, but users of affected machines should apply the available update right away.
SAP released 16 new and updated security notes on its September Patch Day, including three critical updates for SAP Business One, SAP BusinessObjects, and SAP GRC.
Of the three, the SAP Business One fix for an Unquoted Service Path vulnerability is the most important. An attacker may use this hole “to execute an arbitrary binary file when the vulnerable service starts, which could allow it to elevate access to SYSTEM,” according to security firm Onapsis.
The SAP BusinessObjects update addresses a vulnerability that could allow sensitive data to be leaked. The flaw in the SAP BusinessObjects Business Intelligence Platform, as Onapsis describes it on its blog, “allows an attacker to obtain access to unencrypted sensitive information in the Central Management Console under certain scenarios.”
The third note, a High Priority Note for SAP GRC, addresses a flaw that could allow an authenticated attacker to reopen a previously closed Firefighter session in the Firefighter Logon Pad.
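The unquoted service path class that the SAP Business One note covers is easy to check for across a Windows host, because the weakness is entirely in how Windows resolves an unquoted ImagePath that contains spaces: it tries each space-delimited prefix with ".exe" appended before it reaches the real binary. The script below is an added example, not code from this page, SAP or Onapsis; it derives those candidate hijack paths and flags services whose ImagePath would be resolved that way. The service names and paths in it are constructed for illustration (the real Business One service path is not given on the page); on a live host the input would come from the Services registry key or `Get-CimInstance Win32_Service`, and whether the candidate directories are writable by a low-privileged user still has to be checked separately.

```python
"""Unquoted service path check (added example, not the page's or SAP's code).

Windows resolves an unquoted ImagePath such as
    C:\\Program Files\\Foo Bar\\svc.exe -arg
by trying C:\\Program.exe, then C:\\Program Files\\Foo.exe, and only then the
real binary. A file planted at an earlier candidate runs as the service
account (usually SYSTEM) when the service starts.
"""
from __future__ import annotations

import re

# Constructed sample of (service name -> ImagePath) pairs; not from a real host.
SAMPLE_SERVICES: dict[str, str] = {
    "FooBarSvc": r"C:\Program Files\Foo Bar\svc.exe -arg",            # vulnerable
    "VendorApp": r"C:\Program Files (x86)\Vendor App\app.exe /service",  # vulnerable
    "QuotedSvc": r'"C:\Program Files\Quoted Vendor\svc.exe" -k run',   # quoted, safe
    "svchostish": r"C:\Windows\system32\svchost.exe -k netsvcs",        # no spaces, safe
}


def hijack_candidates(image_path: str) -> list[str]:
    """Return the paths Windows would try before the real executable.

    An empty list means the path is quoted or has no spaces in the executable
    portion, so there is nothing for an attacker to plant.
    """
    cmd = image_path.strip()
    if not cmd or cmd.startswith('"'):
        return []  # quoted: CreateProcess takes the quoted token as the exe
    # Keep the path up to and including ".exe"; anything after it is arguments.
    m = re.search(r"\.exe", cmd, flags=re.IGNORECASE)
    exe = cmd[: m.end()] if m else cmd
    parts = exe.split(" ")
    # Every prefix that ends at a space is attempted, with ".exe" appended,
    # before the full path is tried.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def scan(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service with an unquoted, space-containing path to its hijack candidates."""
    findings: dict[str, list[str]] = {}
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in scan(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; an attacker could plant any of:")
        for c in cands:
            print(f"    {c}")
```

Each flagged candidate is a location to check with `icacls` for write access by ordinary users; the fix on the service side is simply to wrap the ImagePath in quotes, which is what the SAP note does.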