The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare.
Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.
Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2
Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.
None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code.
Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.
Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure.
The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.
Google Android
December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin.
Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December.
The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range.
Google Chrome 108
Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.
The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.
Microsoft Patch Tuesday
Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.
