The summer patch cycle shows no signs of slowing down, with tech giants Apple, Google, and Microsoft releasing multiple updates to fix flaws being used in real-life attacks. July also saw serious bugs squashed by enterprise software firms SAP, Citrix, and Oracle.
Here’s everything you need to know about the major patches released during the month.
Apple iOS and iPadOS 16.6
Apple had a busy July after issuing two separate security updates during the month. The iPhone maker’s first update came in the form of a security-only Rapid Security Response patch.
It was only the second time Apple had issued a Rapid Security Response, and the process was not as smooth as the first. On July 10, Apple released iOS 16.5.1 9 (a) to fix a single WebKit flaw already being used in attacks, but the iPhone maker quickly retracted it after discovering that the patch broke several websites for users. Apple reissued the update as iOS 16.5.1 (c) a few days later, at last fixing the WebKit issue without breaking anything else.
Later in the month, Apple’s major point upgrade iOS 16.6 appeared with 25 security fixes, including the already exploited WebKit bug patched in iOS 16.5.1 (c), tracked as CVE-2023-37450.
Among the other bugs squashed in iOS 16.6 are 11 in the Kernel at the core of the iOS operating system, one of which Apple said is already being used in attacks. The Kernel flaw is the third iOS issue discovered by security outfit Kaspersky as part of the zero-click “Triangulation spyware” attacks.
Apple also released iOS 15.7.8 for users of older devices, as well as iPadOS 16.6, Safari 16.6, macOS Ventura 13.5, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, tvOS 16.6, and watchOS 9.6.
Microsoft
Microsoft’s July Patch Tuesday is an update to look out for because it fixes 132 vulnerabilities, including multiple zero-day flaws. First things first: One of the bugs detailed in the patch update, tracked as CVE-2023-36884, has not yet been fixed. In the meantime, the tech giant has offered steps to mitigate the already exploited flaw, which has apparently been used in attacks by a Russian cybercrime gang.
Other zero-day flaws included in Microsoft’s Patch Tuesday are CVE-2023-32046, a platform elevation of privilege bug in the MSHTML core Windows component, and CVE-2023-36874, a vulnerability in the Windows Error Reporting service that could allow an attacker to gain admin rights. Meanwhile, CVE-2023-32049 is an already exploited vulnerability in the Windows SmartScreen feature.
It goes without saying that you should update as soon as possible while keeping an eye out for the fix for CVE-2023-36884.
Google Android
Google has updated its Android operating system, fixing dozens of security vulnerabilities, including three it says “may be under limited, targeted exploitation.”
The first of the already exploited vulnerabilities is CVE-2023-2136, a remote code execution (RCE) bug in the System with a CVSS score of 9.6. The critical security vulnerability could lead to RCE with no additional privileges needed, according to the tech firm. “User interaction is not needed for exploitation,” Google warned.
CVE-2023-26083 is an issue in Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips, rated as having a moderate impact. The vulnerability was used to deliver spyware to Samsung devices in December 2022.
CVE-2021-29256 is a high-severity flaw that also impacts Bifrost and Midgard Arm Mali GPU kernel drivers.
The Android updates have already reached Google’s Pixel devices and some of Samsung’s Galaxy range. Given the severity of this month’s bugs, it’s a good idea to check whether the update is available and install it now.
Google Chrome 115
Google has issued the Chrome 115 update for its popular browser, fixing 20 security vulnerabilities, four of which are rated as having a high impact. CVE-2023-3727 and CVE-2023-3728 are use-after-free bugs in WebRTC. The third flaw rated as having a high severity is CVE-2023-3730, a use-after-free vulnerability in Tab Groups, while CVE-2023-3732 is an out-of-bounds memory access bug in Mojo.
Six of the flaws are listed as having a medium severity, and none of the vulnerabilities are known to have been used in real-life attacks. Even so, Chrome is a highly targeted platform, so check your system for updates.
https://arstechnica.com/?p=1958098