Kate O’Flaherty* says major security patches has been dropped for iOS, Android, Windows, Chrome, Firefox, VMware, Cisco, Citrix, and SAP.
November saw the release of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Windows to fix multiple security vulnerabilities.
Some of these issues are pretty severe, and several have already been exploited by attackers.
Here’s what you need to know about all the important updates released in the past month.
Apple iOS and iPadOS 16.1.1
Apple has released iOS and iPadOS 16.1.1, which the iPhone maker recommends all users apply.
The patch fixes two security vulnerabilities—and given the speed of the release, you can assume they are pretty serious.
Tracked as CVE-2022-40303 and CVE-2022-40304, the two flaws in the libxml2 software library could allow an attacker to execute code remotely, according to Apple’s support page.
The issues were both reported by security researchers working for Google’s Project Zero.
For Mac users, the flaws were addressed by macOS Ventura 13.0.1.
The good news is, it’s believed neither vulnerability has been exploited by attackers, but it’s still a good idea to apply the update as soon as possible.
Microsoft Windows
Microsoft’s November Patch Tuesday was another big release, seeing the Windows maker fix 68 vulnerabilities, four of which were zero days.
Tracked as CVE-2022-41073, the first is a Windows print spooler elevation of privilege vulnerability that could allow a cybercriminal to gain system privileges.
Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system.
CVE-2022-41128 is a Windows scripting language vulnerability that could result in remote code execution.
Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Web security feature.
Google Android
More big updates for users of Google’s Android devices have arrived in November, with Google issuing patches for multiple vulnerabilities, some of which are serious.
At the top of the list is a high-severity vulnerability in the Framework component that could lead to local escalation of privilege, Google said in a security advisory.
The patches in November include two Google Play system updates for issues impacting the Media Framework components (CVE-2022-2209) and WiFi (CVE-2022-20463).
Google also fixed five issues affecting its Pixel devices.
The Android updates have started to roll out to Samsung devices, including third- and fourth-generation Galaxy foldables.
You can check for the update in your Settings.
Google Chrome
The world’s most popular browser continues to be a major target for attackers, with Google this month fixing its eighth zero-day vulnerability this year.
The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google’s own threat analysis group.
Google said it “is aware that an exploit for CVE-2022-4135 exists in the wild.”
Earlier in the month, Google issued an update to fix 10 Chrome vulnerabilities, six of which are rated as high-severity.
These include four use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888.
Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad.
Mozilla Firefox
November was also a big month for Google Chrome competitor Firefox.
Mozilla has issued Firefox 107, fixing 19 security vulnerabilities, eight of which are marked as having a high impact.
One of the most important patches is for CVE-2022-45404, a full-screen notification bypass that could allow an attacker to cause a window to go full-screen without the user seeing the notification prompt.
This could result in spoofing attacks.
Meanwhile, several use-after-free bugs could lead to an exploitable crash, and one flaw could be exploited to run arbitrary code.
VMWare
Software maker VMWare has released security fixes for multiple security vulnerabilities in its VMware Workspace ONE Assist, three of which have a CVSSv3 base score of 9.8.
The first, CVE-2022-31685, is an authentication bypass vulnerability.
“A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application,” VMWare warned in an advisory.
A broken authentication method vulnerability tracked as CVE-2022-31686 could enable a malicious actor with network access to obtain admin access without the need to authenticate.
CVE-2022-31687, a broken access control vulnerability, could also allow an adversary with network access to gain administrative access without authenticating.
Cisco
Cisco has patched 33 security vulnerabilities in its enterprise firewall products, two of which have a high severity rating of 8.6.
The first, CVE-2022-20947, is a vulnerability in the dynamic access policies functionality of Cisco Adaptive Security Appliance Software and Firepower Threat Defense software.
This could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in denial of service (DoS).
Meanwhile, CVE-2022-20946 is an issue in the generic routing encapsulation tunnel decapsulation feature of Cisco Firepower Threat Defense Software that could allow an unauthenticated, remote attacker to cause DoS on an affected device.
Citrix
November has also seen a security release from enterprise software maker Citrix, which has fixed vulnerabilities in Citrix Gateway and Citrix ADC.
CVE-2022-27510 could allow unauthorized access to Gateway user capabilities, while CVE-2022-27513 could enable remote desktop takeover via phishing.
CVE-2022-27516 is a user login brute force protection functionality bypass issue.
Affected customers of Citrix ADC and Citrix Gateway should install the relevant updated versions as soon as possible, Citrix says on its support page.
SAP
Software firm SAP has released multiple fixes in its November 2022 Security Patch Day, one of which has a CVSS score of 9.9.
CVE-2022-41203 is an issue in the SAP BusinessObjects BI Platform that could allow an authenticated attacker with low privileges to intercept a serialized object in the parameters and substitute it with a malicious one.
This could lead to a deserialization of untrusted data vulnerability with the ability to “compromise the confidentiality, integrity, and availability of the system,” SAP said.
*Kate O’Flaherty is Contributor on WIRED UK.
This article first appeared at wired.co.uk