Apple just patched 37 iPhone security bugs

July was a month of critical updates, including patches for previously exploited vulnerabilities in Microsoft and Google products. This month also saw Apple’s first iOS update in eight weeks, which fixes dozens of security vulnerabilities in iPhones and iPads.

Enterprise products also continue to be affected by vulnerabilities, with patches for SAP, Cisco and Oracle software being released in July. Here’s what you need to know about the vulnerabilities fixed in July.

Apple iOS 15.6

Apple released iOS and iPadOS 15.6 to fix 37 security vulnerabilities, including an Apple File System (APFS) issue tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to run code with kernel privileges, according to Apple’s support site, giving it sweeping access to your device.

Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as bugs in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU drivers.

Apple is not aware of any of the patched vulnerabilities being used in attacks, but some of the vulnerabilities are quite severe – particularly those affecting the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained together in attacks, so make sure you update as soon as possible.

The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.

Google Chrome

Google released an emergency patch for its Chrome browser in July that fixes four issues, including a zero-day bug that has already been exploited. The WebRTC memory corruption vulnerability tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers was exploited to achieve shellcode execution in Chrome’s renderer process.

The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to distribute spyware called DevilsTongue.

Based on the malware and the tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.

Microsoft’s Patch Tuesday

Microsoft’s July Patch Tuesday is a major one, fixing 84 security issues, including a bug that is already being used in real attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) on server and client Windows platforms, including the latest versions of Windows 11 and Windows Server 2022. According to Microsoft, an attacker who successfully exploits the vulnerability could gain SYSTEM privileges.

Of the 84 issues patched by Microsoft in the July Patch Tuesday, 52 were privilege escalation bugs, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.

Microsoft security patches sometimes cause other problems, and the July update was no different: after it was released, some users noticed that MS Access runtime applications were not opening. Fortunately, the company is rolling out a fix.

July Android Security Bulletin

Google released July updates to its Android operating system, including a fix for a critical system component vulnerability that could lead to remote code execution without requiring additional permissions.

Google has also fixed serious issues in the kernel, which could lead to information disclosure, and in the framework, which could lead to local escalation of privilege. Meanwhile, MediaTek, Qualcomm, and Unisoc vendor-specific patches are available if your device uses these chips. Samsung devices will start receiving the July patch in July, and Google has also released updates to its Pixel lineup.

SAP

As part of its Security Patch Day in July, the software manufacturer SAP published 27 new and updated security advisories that fix several serious vulnerabilities. The most severe issue, tracked as CVE-2022-35228, is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.

The vulnerability allows an unauthenticated attacker to obtain token information over the network, according to security firm Onapsis. “Fortunately, such an attack would require a legitimate user to access the application,” the company adds. However, it is still important to patch as soon as possible.

Oracle

Oracle released 349 patches in its July 2022 Critical Patch Update, including fixes for 230 remotely exploitable vulnerabilities.

Oracle’s April patch update contained 520 security fixes, some of which addressed CVE-2022-22965, also known as Spring4Shell, a remote code execution bug in the Spring framework. Oracle’s July update continues to fix this issue.
