November noticed the launch of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Home windows to repair a number of safety vulnerabilities. A few of these points are fairly extreme, and a number of other have already been exploited by attackers.
Right here’s what you have to learn about all of the vital updates launched prior to now month.
Apple iOS and iPadOS 16.1.1
Apple has launched iOS and iPadOS 16.1.1, which the iPhone maker recommends all customers apply. The patch fixes two safety vulnerabilities—and given the velocity of the discharge, you may assume they’re fairly severe.
Tracked as CVE-2022-40303 and CVE-2022-40304, the 2 flaws within the libxml2 software program library may permit an attacker to execute code remotely, in response to Apple’s assist web page. The problems have been each reported by safety researchers working for Google’s Undertaking Zero.
For Mac customers, the failings have been addressed by macOS Ventura 13.0.1.
The excellent news is, it’s believed neither vulnerability has been exploited by attackers, nevertheless it’s nonetheless a good suggestion to use the replace as quickly as attainable.
Microsoft Home windows
Microsoft’s November Patch Tuesday was one other huge launch, seeing the Home windows maker repair 68 vulnerabilities, 4 of which have been zero days.
Tracked as CVE-2022-41073, the primary is a Home windows print spooler elevation of privilege vulnerability that might permit a cybercriminal to realize system privileges. In the meantime, CVE-2022-41125 is a Home windows Cryptographic Subsequent Era key isolation difficulty that might permit an adversary to escalate privileges and achieve management of the system. CVE-2022-41128 is a Home windows scripting language vulnerability that might lead to distant code execution. Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Net safety characteristic.
Extra huge updates for customers of Google’s Android units have arrived in November, with Google issuing patches for a number of vulnerabilities, a few of that are severe. On the high of the listing is a high-severity vulnerability within the Framework part that might result in native escalation of privilege, Google stated in a safety advisory.
The patches in November embody two Google Play system updates for points impacting the Media Framework elements (CVE-2022-2209) and WiFi (CVE-2022-20463). Google additionally fastened 5 points affecting its Pixel units.
The Android updates have began to roll out to Samsung units, together with third- and fourth-generation Galaxy foldables. You may examine for the replace in your Settings.
The world’s hottest browser continues to be a main goal for attackers, with Google this month fixing its eighth zero-day vulnerability this yr.
The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google’s personal menace evaluation group. Google stated it “is conscious that an exploit for CVE-2022-4135 exists within the wild.”
Earlier within the month, Google issued an replace to repair 10 Chrome vulnerabilities, six of that are rated as high-severity. These embody 4 use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. In the meantime, CVE-2022-3889 is a “sort confusion” difficulty in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad.
November was additionally an enormous month for Google Chrome competitor Firefox. Mozilla has issued Firefox 107, fixing 19 safety vulnerabilities, eight of that are marked as having a excessive impression.
One of the vital patches is for CVE-2022-45404, a full-screen notification bypass that might permit an attacker to trigger a window to go full-screen with out the consumer seeing the notification immediate. This might lead to spoofing assaults. In the meantime, a number of use-after-free bugs may result in an exploitable crash, and one flaw might be exploited to run arbitrary code.
Software program maker VMWare has launched safety fixes for a number of safety vulnerabilities in its VMware Workspace ONE Help, three of which have a CVSSv3 base rating of 9.8. The primary, CVE-2022-31685, is an authentication bypass vulnerability. “A malicious actor with community entry to Workspace ONE Help could possibly acquire administrative entry with out the necessity to authenticate to the applying,” VMWare warned in an advisory.
A damaged authentication methodology vulnerability tracked as CVE-2022-31686 may allow a malicious actor with community entry to acquire admin entry with out the necessity to authenticate.