Update Android Right Now to Fix a Scary Remote-Execution Flaw

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare.

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2
Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code.

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure.

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android
December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin.

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December.

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range.

Google Chrome 108
Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday
Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Another serious flaw is an elevation of privileges vulnerability in the DirectX graphics kernel tracked as CVE-2022-44710. A successful attack could allow an adversary to gain system privileges.

MOST POPULAR

The Work-From-Anywhere War Is Beginning
BY BRUCE DAISLEY

KODI SMIT-McPHEE as PETER, BENEDICT CUMBERBATCH as PHIL BURBANK riding horses in THE POWER OF THE DOG
37 of the Best Films on Netflix This Week
BY WIRED

Riz Ahmed as Ruben Stone in the Sound of Metal
10 of the Best Films on Amazon Prime Right Now
BY WIRED

Fleabag holding a guinea pig in production still from Fleabag
25 of the Best Amazon Prime Series Right Now
BY WIRED

ADVERTISEMENT

Six of the issues patched in December are remote code execution (RCE) flaws marked as critical, so it’s worth updating straight away.

However, it’s also worth noting that the latest Patch Tuesday update is causing issues for some Windows 10 users. Although there is a workaround, Microsoft has promised an additional update to resolve this.

Citrix
Software maker Citrix has issued an emergency patch for a flaw it says is being used in attacks. Tracked as CVE-2022-27518, the issue in Citrix Gateway and Citrix ADC could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance, Citrix said in a bulletin. “Exploits of this issue on unmitigated appliances in the wild have been reported,” Citrix said.

The firm “strongly urges” affected Citrix ADC and Citrix Gateway customers to install the relevant updated versions as soon as possible.

The National Security Agency (NSA) has connected the attacks to APT5, a China-linked hacking group also known as Keyhole Panda or Manganese that targets telecommunications, high-tech manufacturing, and military application technology. The agency has published Threat Hunting Guidance to help organizations spot signs of attack.

Fortinet
Security provider Fortinet has patched a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Tracked as CVE-2022-42475, the flaw has a CVSSv3 score of 9.3 and has already been used in attacks.

“Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems,” the firm said. It has listed some indicators of compromise for organizations to look out for.

VMWare
Software giant VMWare has squashed a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI) in VMware ESXi, Workstation, and Fusion. Tracked as CVE-2022-31705 and with a CVSSv3 base score of 9.3, the vulnerability was exploited by security researchers at the GeekPwn 2022 hacking event.

The firm has also fixed a command injection and a directory traversal flaw in its VMware vRealize Network Insight product, tracked as CVE-2022-31702 and CVE-2022-31703. By successfully exploiting the first vulnerability, an adversary with network access to the vRNI REST API could execute commands without authentication.

VMware said the issue is in the critical severity range with a maximum CVSSv3 base score of 9.8. The second flaw has a CVSSv3 score of 7.5 and could allow malicious actors with network access to the vRNI REST API to read arbitrary files from the server.

SAP
SAP’s December Security Patch Day includes 20 new and updated fixes. One of the most serious flaws, with a CVSSv3 score of 9.9, is a critical server-side request forgery vulnerability in SAP BusinessObjects.

“Attackers with normal BI user privileges are able to upload and replace any file on the Business Objects server at the operating system level,” security firm Onapsis said. “This enables the attacker to take full control of the system and has a significant impact on confidentiality, integrity, and availability of the application.

https://www.wired.co.uk/