None of the issues patched by Google are known to have been exploited in attacks, but if the update is available to you, it’s a good idea to apply it as soon as possible.
Microsoft Patch Tuesday is an important one because it comes with a fix for a flaw already being used in attacks. The zero-day vulnerability, tracked as CVE-2022-37969, is a privilege escalation issue in the Windows Common Log File System Driver that could allow an adversary to take control of the machine.
The zero-day is among 63 vulnerabilities patched by Microsoft, including five rated as critical. These include CVE-2022-34722 and CVE-2022-34721, remote code execution (RCE) flaws in the Windows Internet Key Exchange Protocol (IKE) which both have a CVSS score of 9.8.
Later in September, Microsoft issued an out-of-band security update for a spoofing vulnerability in its Endpoint Configuration Manager tracked as CVE 2022 37972.
Encrypted messaging service WhatsApp has released an update to fix two vulnerabilities that could result in remote code execution. CVE-2022-36934 is an integer overflow issue in WhatsApp for Android prior to v22.214.171.124, Business for Android prior to v126.96.36.199, iOS prior to v188.8.131.52, and Business for iOS prior to v184.108.40.206, which could result in remote code execution in a video call.
Meanwhile, CVE-2022-27492 is an integer underflow flaw in WhatsApp for Android prior to v220.127.116.11 and WhatsApp for iOS v18.104.22.168 that could have caused remote code execution for someone receiving a crafted video file, according to the WhatsApp security advisory.
WhatsApp patched these flaws about a month ago, so if you are running the current version, you should be safe.
HP has fixed a serious issue in the support assistant tool that comes preinstalled on all of its laptops. The privilege escalation bug in HP Support Assistant is ranked as a high-severity issue and is tracked as CVE-2022-38395.
HP has released only limited details about the vulnerability on its support page, but it goes without saying that those with affected equipment should ensure they update now.
SAP’s September Patch Day saw the release of 16 new and updated patches, including three high-priority fixes for SAP Business One, SAP BusinessObjects, and SAP GRC.
The SAP Business One fix, which patches an Unquoted Service Path vulnerability, is the most critical of the three. Attackers could exploit the flaw “to execute an arbitrary binary file when the vulnerable service starts, which could allow it to escalate privileges to SYSTEM,” security firm Onapsis says.
A second fix for SAP BusinessObjects patches an information disclosure vulnerability. “Under certain conditions, the vulnerability allows an attacker to gain access to unencrypted sensitive information in the Central Management Console of SAP BusinessObjects Business Intelligence Platform,” says Onapsis in its blog.
The third High Priority Note affecting SAP GRC customers could allow an authenticated attacker to access a Firefighter session even after it is closed in Firefighter Logon Pad.
Software giant Cisco has issued a patch to fix a high-severity security issue in the binding configuration of SD-WAN vManage software containers. Tracked as CVE-2022-20696, the flaw could allow an unauthenticated attacker who has access to the VPN0 logical network to access the messaging service ports on an affected system.
“A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload,” Cisco warned in an advisory.
Security company Sophos has just fixed an RCE flaw in its firewall product that it says is already being used in attacks. Tracked as CVE-2022-3236, the code injection vulnerability was discovered in the User Portal and Webadmin of Sophos Firewall.
“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the firm said in a security advisory.
WP Gateway WordPress Plugin
A vulnerability in a WordPress plugin called AP Gateway is already being used in attacks. Tracked as CVE-2022-3180, the privilege escalation bug could allow attackers to add a malicious user with admin privileges to take over sites running the plugin.
“As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement to all of our users,” said Ram Gall, a Wordfence senior threat analyst, adding that certain details have been withheld intentionally to prevent further exploitation.