November witnessed releases patches from Apple’s iOS, Google Chrome, Firefox and Microsoft Windows to fix many security vulnerabilities. Some of these problems are quite serious and some have been exploited by attackers.
Here’s what you need to know about all the important updates released in the past month.
Apple iOS and iPadOS 16.1.1
Apple has released iOS and iPadOS 16.1.1, the iPhone maker recommends all users to adopt. The patch fixes two security holes—and given the speed of release, you can tell they’re pretty serious.
Tracked as CVE-2022-40303 and CVE-2022-40304Two vulnerabilities in the libxml2 software library could allow attackers to execute code remotely, according to Apple support page. Both issues were reported by security researchers working for Google’s Project Zero.
For Mac users, the vulnerabilities have been resolved with macOS Ventura 13.0.1.
The good news is, it is believed that none of the vulnerabilities have been exploited by an attacker, but you should still apply the update as soon as possible.
Microsoft Windows
by Microsoft November patch was another major release that saw the manufacturer of Windows fix 68 vulnerabilities, four of them is zero days.
Tracked as CVE-2022-41073, the first is a Windows printer spooler privilege elevation vulnerability that could allow cybercriminals to gain system privileges. Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system. CVE-2022-41128 is a Windows scripting language vulnerability that can lead to remote code execution. Final, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Web security feature.
GoogleAndroid
Many major updates for users of Google’s Android devices arrived in November, with Google release patches for many vulnerabilities, some serious. Topping the list is a high-severity vulnerability in a Framework component that could lead to local privilege escalation, Google said in a security advisory.
The November patches include two Google Play system updates for issues affecting the Media Framework (CVE-2022-2209) and WiFi (CVE-2022-20463) components. Google also fixed five issues affecting its Pixel devices.
Android updates have started rolling out to Samsung devices, including the third and fourth generation Galaxy Fold. You can check for updates in your Settings.
Google Chrome
The world’s most popular browser continues to be a main target for attackers, with Google this month fixing the bug eighth zero-day vulnerability this year.
Vulnerability, tracked as CVE-2022-4135, is a GPU heap buffer overflow reported by Clement Lecigne, a researcher on Google’s own threat analysis team. Google speak it “knows that an exploit for CVE-2022-4135 exists in the wild.”
At the beginning of the month, Google grant an update to fix 10 Chrome vulnerabilities, six of which are rated critical. These include the following four usage errors after free: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887 and CVE-2022-3888. Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8 and CVE-2022-3890 is a heap buffer overflow in Crashpad.
Mozilla Firefox
November is also an important month for Google Chrome’s competitor Firefox. Mozilla has grant Firefox 107, fixes 19 security holes, eight of which are marked as high impact.
One of the most important patches is for CVE-2022-45404, ignoring the full screen message could allow an attacker to cause the window to go full screen without the user seeing the notification prompt. This can lead to spoofing attacks. Meanwhile, some after-free use bugs can lead to an exploitable crash and a vulnerability that can be exploited to run arbitrary code.
VMware
Software maker VMWare has released security fixes for multiple security vulnerabilities in their VMware Workspace ONE Assist, three of which have a CVSSv3 base score of 9.8. firstly, CVE-2022-31685, is an authentication bypass vulnerability. VMWare warned: “A malicious actor with network access to Workspace ONE Assist could gain administrative access without application authentication.” advisory.
The broken authentication method vulnerability tracked as CVE-2022-31686 could allow a malicious actor with network access to obtain administrator access without authentication.
