July has been an important month of updates, including patches for vulnerabilities that have been exploited in Microsoft and Google products. This month also saw Apple’s first iOS update in eight weeksFix dozens of security bugs in iPhone and iPad.
The vulnerabilities also continue to hit enterprise products, with patches released in July for SAP, Cisco, and Oracle software. Here’s what you need to know about the security holes that were fixed in July.
Apple iOS 15.6″
Apple has released iOS and iPadOS 15.6 to fix 37 security flaws, including a problem in the Apple File System (APFS) is tracked as CVE-2022-32832. If exploited, the vulnerability could allow an application to execute code with kernel privileges, according to Apple support pagegive it deep access to your device.
Other iOS 15.6 patches address vulnerabilities in the WebKit browser engine and kernel, as well as vulnerabilities in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU Drivers.
Apple is not aware of any patched vulnerabilities used in the attacks, but some are quite serious – especially those affecting the kernel at the heart of the operating system. It’s also possible that vulnerabilities are chained together in attacks, so make sure you update as soon as possible.
Google release an emergency patch for the Chrome browser in July, fixing four issues, including an exploited zero-day vulnerability. Follow is CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the internal memory security vulnerability WebRTC was abused to execute shellcode in Chrome’s rendering process.
This vulnerability was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilTongue.
Microsoft’s third patch
Microsoft’s July Tuesday patch is a big one, fixing 84 security issues consists of a vulnerability was used in the real world attacks. Gap, CVE-2022-22047, is a local privilege reporting vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. According to Microsoft, an attacker who can successfully exploit the vulnerability can obtain System privileges.
Of the 84 issues patched in Microsoft’s Tuesday July Patch, 52 are privilege escalation bugs, four are security bypass flaws, and 12 are remote code execution bugs.
Microsoft security patches sometimes cause other problems, and the July update was no different: After the release, some users noticed MS Access runtime applications not opening. Thankfully, the company is rolling out a repair.
Android’s July Security Bulletin
Google released July update for its Android operating system, including a fix for a critical security vulnerability in the System component that could lead to remote code execution without additional privileges.
Google has also fixed critical issues in the kernel — which could lead to information disclosure — and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting take July patch and Google also release updates to its Pixel range.
Software maker SAP has released 27 new and updated security notes as part of its July security patch date, fixing many high-severity vulnerabilities. Follow is CVE-2022-35228The most serious issue is a disclosure error in the central management console of the vendor’s Business Objects platform.
The vulnerability allows an unauthenticated attacker to obtain token information over the network, according to the security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the company added. However, it is still important to patch the bug as soon as possible.
Oracle has grant 349 patches in the July 2022 Critical Patch Update, including fixes for 230 bugs that can be exploited remotely.
Oracle April patch update includes 520 security fixsome of them have the address CVE-2022-22965, aka Spring4Shell, a remote code execution vulnerability in the spring framework. Oracle’s July Update continues to address this issue.