The New Year: Fixing Zero-Day Vulnerabilities with Early Updates of the Windows Operating System, the Mac OS, and WebKit
Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. In December there were a lot of patches released.
The release of two versions of the operating system in October followed the launch of the new operating system in September. First came iOS 16.0.3, which fixed some teething issues, including several bugs as well as a security flaw in Mail that could allow denial of service attacks.
The major point upgrade of Apple’s operating system was released in December. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.
According to Apple, the vulnerability could allow an application to execute code with kernel privileges. The operating system update fixes 20 vulnerabilities in total, including three in the kernel at the heart of the iPhone’s operating system. Meanwhile, iOS 16.1 fixes four flaws in WebKit, the engine that powers the Safari browser, two of which could lead to code execution if exploited.
December Updates of the Mac: Apple, Google, Windows, and Other IT Projects Have Been Solved Or Are They Coming Soon?
iPadOS 15.7 and watchOS 9 have been released, as well as other Apple products such as the iMac, MacBook, and Apple Watch.
Earlier in the month, Google released Chrome 106, patching six vulnerabilities ranked as high-severity. Skia, a 2D graphical library that provides the graphics engine for Gmail and other websites, is affected by a use-after-free bug.
Three remote code execution flaws that are marked as critical were fixed by the company. Attackers can use this bug to crash the kernel and execute code. Google has fixed several issues in the System, the most severe of which could lead to local escalation of privilege.
There are two critical flaws in the Android Framework component. In December, 151 Pixel-specific bugs were patched.
Only weeks later, Apple released iOS 16.1 and iPadOS 16—the latter of which was delayed to coincide with the launch of the latest iPad models. The latest versions of the phone have a much longer list of fixes and have already been exploited.
Another big patch was Microsoft’s December Patch Tuesday, fixing 49 security vulnerabilities, including a flaw being used in attacks. The vulnerability in the Windows SmartScreen security feature could lead to the loss of integrity and availability.
Notably absent from the Patch Tuesday updates was a fix for two actively exploited bugs tracked as CVE-2022-41040 and CVE-2022-41082, known as ProxyNotShell. The security vendor GTSC reported the flaws to Microsoft. Researchers warn that the mitigations Microsoft shared can be bypassed.
Security patches are still arriving fast in December, through the holiday season. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMware.
Using Protected Keys to Enhance Mark of the Web (MOTW) Resilience in a New Version of the Mac OS
A new feature in the new release of the software allows security keys to be used as an additional layer of protection for your Apple ID. Apple’s latest update also comes with 13 security fixes, including three in WebKit, the engine that powers the Safari browser, two of which could allow code execution.
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.