You Need to Update Google Chrome, Windows, and Zoom Right Now


Updates have continued to be released thick and fast in October, with patches now available from the likes of Apple for iOS, Google Chrome, Android, and, of course, Microsoft in its monthly Patch Tuesday. That’s in addition to updates to fix issues in Zoom, Cisco, VMWare, and SAP products.

Here are the details about all the important patches issued in October.

Apple iOS 16.1 and iPadOS 16

October saw the release of two iOS 16 versions following the launch of the iPhone maker’s updated operating system in September. First came iOS 16.0.3, which fixed some teething issues, including several bugs as well as a security flaw in Mail that could allow denial of service attacks.

Only weeks later, Apple released iOS 16.1 and iPadOS 16—the latter of which was delayed to coincide with the launch of the latest iPad models. The latest iOS versions come with a much longer list of security fixes and include an already exploited flaw.

Tracked as CVE-2022-42827, the kernel vulnerability could allow an application to execute code with kernel privileges, according to Apple’s support page. The operating system update fixes 20 vulnerabilities in total, including three in the kernel at the heart of the iPhone’s operating system. Meanwhile, iOS 16.1 fixes four flaws in WebKit, the engine that powers the Safari browser, two of which could lead to code execution if exploited.

Apple has also released iOS 15.7.1 and iPadOS 15.7.1, which fix the already exploited kernel flaw for devices that have not moved to iOS 16.

Given the seriousness of the issues and the lack of detail provided, it’s a good idea to update to iOS 16.1 or iOS 15.7.1 as soon as possible.

Microsoft Patch Tuesday

Patch Tuesday has once again arrived along with fixes for a rather hefty list of 84 flaws. Of these, 13 are rated as critical, and one is being used in attacks. Tracked as CVE-2022-41033, the elevation of privilege vulnerability in Windows COM+ Event System Service impacts almost every version of Windows. The flaw is serious, as it could be chained with other exploits to take over someone’s machine.

Notably absent from the Patch Tuesday updates was a fix for two actively exploited bugs tracked as CVE-2022-41040 and CVE-2022-41082, known as ProxyNotShell. The flaws were reported to Microsoft by security vendor GTSC. Microsoft has shared mitigations, but researchers warn they can be bypassed.

Google Chrome

October saw another emergency update for Google Chrome users, with the browser maker issuing a fix for a type confusion flaw in the V8 JavaScript engine tracked as CVE-2022-3723. The issue was patched within days of being reported by Avast researchers, which is indicative of how serious it is: The flaw could be exploited to execute code and gain control of the system. Google said it is “aware of reports that an exploit for CVE-2022-3723 exists in the wild.”


Earlier in the month, Google released Chrome 106, patching six vulnerabilities ranked as high-severity. Notable flaws include CVE-2022-3445, a use-after-free bug in Skia, the open source 2D graphics library that serves as the graphics engine for Google Chrome.

Other issues fixed in October are a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in the Permissions API tracked as CVE-2022-3448, Google wrote in its blog. Google also fixed two use-after-free bugs, one in Safe Browsing and one in Peer Connection.

Google Android

The Android Security Bulletin for October includes fixes for 15 flaws in the Framework and System and 33 issues in the kernel and vendor components. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege, tracked as CVE-2022-20419. Meanwhile, a flaw in the Kernel could also lead to local escalation of privilege with no additional execution privileges needed.

None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has issued the update to its Pixel devices, and it’s also available for the Samsung Galaxy S21 and S22 series smartphones and the Galaxy S21 FE.

Cisco

Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after it was confirmed the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.

Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.

The US Cybersecurity and Infrastructure Security Agency has added the Cisco flaws to its already exploited vulnerabilities catalog.

While both the Cisco flaws require the attacker to be authenticated, it’s still important to update now.

Zoom

Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom Client for Meetings that is rated high severity with a CVSS score of 8.8. Zoom says versions before 5.12.2 are susceptible to a URL-parsing vulnerability tracked as CVE-2022-28763.

“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.
