The holiday season is nearly over, but security patches are still arriving thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as by enterprise software companies including the likes of SAP, Citrix, and VMware.
Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here's the lowdown on all the patches released in December.
Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2
Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption for more iCloud data (Advanced Data Protection), but it also fixes 35 security vulnerabilities.
None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are fairly serious. The flaws include six in the Kernel and nine in WebKit, the engine that powers Apple's Safari browser, several of which could allow an attacker to execute code.
Apple also released iOS 15.7.2 for users of older iPhones that can't run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute arbitrary code when a device processes maliciously crafted web content, according to Apple's support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.
Since the release of iOS 16 in September, Apple has been offering security updates to those who don't want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you have an iPhone 8 or later, you now need to upgrade to iOS 16 to stay secure.
The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.
Google Android
December was a hefty patch month for Google's Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin.
Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December.
The December patch is available for Google's own Pixel devices as well as Samsung smartphones, including the hardware maker's flagship Galaxy range.
Google Chrome 108
Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome's V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.
The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174, a type confusion flaw in V8, and several use-after-free bugs. None of these vulnerabilities has been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it's a good idea to update Chrome as soon as possible, and to relaunch the browser, since a downloaded update is only applied on restart.
Microsoft Patch Tuesday
Microsoft's December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to a loss of integrity and availability.
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.