Drop What You are Doing and Replace iOS, Android, and Home windows

November noticed the launch of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Home windows to repair a number of safety vulnerabilities. A few of these points are fairly extreme, and several other have already been exploited by attackers. 

Right here’s what you have to learn about all of the essential updates launched prior to now month.

Apple iOS and iPadOS 16.1.1

Apple has launched iOS and iPadOS 16.1.1, which the iPhone maker recommends all customers apply. The patch fixes two safety vulnerabilities—and given the velocity of the discharge, you may assume they’re fairly severe. 

Tracked as CVE-2022-40303 and CVE-2022-40304, the 2 flaws within the libxml2 software program library might permit an attacker to execute code remotely, in keeping with Apple’s assist web page. The problems have been each reported by safety researchers working for Google’s Venture Zero. 

For Mac customers, the issues have been addressed by macOS Ventura 13.0.1.

The excellent news is, it’s believed neither vulnerability has been exploited by attackers, however it’s nonetheless a good suggestion to use the replace as quickly as doable. 

Microsoft Home windows

Microsoft’s November Patch Tuesday was one other massive launch, seeing the Home windows maker repair 68 vulnerabilities, 4 of which have been zero days. 

Tracked as CVE-2022-41073, the primary is a Home windows print spooler elevation of privilege vulnerability that might permit a cybercriminal to realize system privileges. In the meantime, CVE-2022-41125 is a Home windows Cryptographic Subsequent Era key isolation subject that might permit an adversary to escalate privileges and acquire management of the system. CVE-2022-41128 is a Home windows scripting language vulnerability that might end in distant code execution. Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Net safety characteristic.

Google Android

Extra massive updates for customers of Google’s Android units have arrived in November, with Google issuing patches for a number of vulnerabilities, a few of that are severe. On the high of the checklist is a high-severity vulnerability within the Framework element that might result in native escalation of privilege, Google stated in a safety advisory.

The patches in November embody two Google Play system updates for points impacting the Media Framework parts (CVE-2022-2209) and WiFi (CVE-2022-20463). Google additionally mounted 5 points affecting its Pixel units.

The Android updates have began to roll out to Samsung units, together with third- and fourth-generation Galaxy foldables. You’ll be able to verify for the replace in your Settings. 

Google Chrome 

The world’s hottest browser continues to be a main goal for attackers, with Google this month fixing its eighth zero-day vulnerability this 12 months. 

The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google’s personal menace evaluation group. Google stated it “is conscious that an exploit for CVE-2022-4135 exists within the wild.”

Earlier within the month, Google issued an replace to repair 10 Chrome vulnerabilities, six of that are rated as high-severity. These embody 4 use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. In the meantime, CVE-2022-3889 is a “sort confusion” subject in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad. 

Mozilla Firefox

November was additionally a giant month for Google Chrome competitor Firefox. Mozilla has issued Firefox 107, fixing 19 safety vulnerabilities, eight of that are marked as having a excessive affect. 

Some of the essential patches is for CVE-2022-45404, a full-screen notification bypass that might permit an attacker to trigger a window to go full-screen with out the consumer seeing the notification immediate. This might end in spoofing assaults. In the meantime, a number of use-after-free bugs might result in an exploitable crash, and one flaw could possibly be exploited to run arbitrary code.

VMWare

Software program maker VMWare has launched safety fixes for a number of safety vulnerabilities in its VMware Workspace ONE Help, three of which have a CVSSv3 base rating of 9.8. The primary, CVE-2022-31685, is an authentication bypass vulnerability. “A malicious actor with community entry to Workspace ONE Help could possibly get hold of administrative entry with out the necessity to authenticate to the applying,” VMWare warned in an advisory.

A damaged authentication methodology vulnerability tracked as CVE-2022-31686 might allow a malicious actor with community entry to acquire admin entry with out the necessity to authenticate.