April was a big month for security updates, including emergency patches for Apple iOS and Google Chrome to fix vulnerabilities already exploited by attackers.
Microsoft released important fixes as part of its Patch Tuesday in mid-April, while Android users on multiple devices need to make sure they apply the latest update when it becomes available.
Here are all the April updates you need to know about.
Just two weeks after the launch of iOS 15.4, Apple released iOS and iPadOS 15.4.1 to fix a vulnerability in AppleAVD that is already being used to attack the iPhone. Using the CVE-2022-22675 vulnerability, an application can execute arbitrary code with kernel privileges, according to Apple's support page. This can give an attacker full control over your device, so it is important to apply the fix.
As an added bonus, iOS and iPadOS 15.4.1 fixes a battery drain issue affecting some iPhones on iOS 15.4. Updates are available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation.
Meanwhile, macOS Monterey 12.3.1 fixes the same issue on macOS, as well as another vulnerability in the Intel graphics driver, CVE-2022-22674, that could allow an application to read kernel memory. This is another major fix – Apple says that attackers could have taken advantage of this issue.
Apple has also released tvOS 15.4.1 and watchOS 8.5.1 with bug fixes.
Over the past year, Apple updates have been coming thick and fast, and the iPhone maker has patched a number of significant vulnerabilities, including zero-click issues exploited by the Pegasus spyware, a highly specialized malware developed by the Israeli firm NSO Group. This was the subject of a recent report by security researchers from Citizen Lab, who detailed how Pegasus and other similar zero-click attacks have targeted members of the European Parliament, lawmakers, political activists and civil society organizations.
Zero-click attacks are especially scary because, as the name suggests, no user interaction is required for them to work. This means that, for example, an image sent via iMessage can infect your iPhone with spyware.
Citizen Lab has detailed a previously undisclosed iOS zero-click vulnerability called HOMAGE exploited by the NSO Group. Some versions of iOS prior to iOS 13.2 may be at risk, so it’s important to keep your iPhone up to date.
Android users should also be on the lookout, as Google patched 44 vulnerabilities in its mobile operating system this month. According to Google's Android Security Bulletin, the most serious issue, in a platform component, could lead to local privilege escalation without any user interaction.
The update is split into two parts: security patch level 2022-04-01 for most Android devices, and security patch level 2022-04-05 for certain phones and tablets. The latter fixes 30 issues in system and kernel components, among other things. There are also fixes for five security issues specific to Google Pixel smartphones, one of which could allow an application to elevate privileges and execute code on certain versions of Linux.
To find an update, you need to check your device settings. Devices that have already received the April Android update include Google Pixel devices and certain third-party Android phones, including Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and Z Fold3, as well as OnePlus 9 and OnePlus 9 Pro.
As the world's most widely used web browser, with over 3 billion users, it is not surprising that attackers are targeting Google Chrome. Browser-based attacks are of particular concern because they can potentially be chained with other vulnerabilities and used to hijack your device.
It has been a particularly busy month for the Google Chrome team, which issued several security updates just weeks apart. The latest, pushed out in mid-April, fixes two issues, including the serious zero-day vulnerability CVE-2022-1364, which is already being exploited by attackers.
Technical details are not available at this time, but the timing of the fix, just a day after the bug was reported, indicates that it is quite serious. If you are using Chrome, make sure your browser is on version 100.0.4896.127 to receive the fix. You will need to restart Chrome after installing the update for it to take effect.
The Chrome issue also affects other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you’re using one of those, be sure to apply the fix.
But that's not all. On April 27, Google announced another Chrome update fixing 30 security vulnerabilities. None of them is known to have been exploited yet, but seven of them are rated as high risk, the company said. The update brings the browser to version 101.0.4951.41.
In mid-April, Oracle released its quarterly Critical Patch Update, including a whopping 520 security patches. Some of the issues fixed in the update are serious: 300 of them can be exploited remotely without authentication, and 75 security issues are rated as critical. Some of Oracle's fixes relate to CVE-2022-22965, also known as Spring4Shell, a remote code execution (RCE) flaw in the Spring Framework.
In April, Microsoft held a major Patch Tuesday, releasing patches for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being used by attackers, according to the company.
Reported by the NSA and researchers from CrowdStrike, the issue in the Windows Common Log File System driver requires no user interaction and can be used to gain administrative privileges on the affected system. Other notable fixes include CVE-2022-26904, a publicly known issue, and CVE-2022-26815, a severe DNS server vulnerability.
On April 5, Mozilla released a patch to fix security issues in the Thunderbird email client, as well as in the Firefox browser. There are few details, but Thunderbird 91.8 fixes four vulnerabilities rated as significant, some of which could be used to run arbitrary code.
Firefox ESR 91.8 and Firefox 99 also fix a number of security issues.
The Elementor WordPress website builder plugin received a major security fix in April for a critical vulnerability that could allow attackers to perform remote code execution and effectively take over a website.
According to researchers from Plugin Vulnerabilities, the flaw was introduced in plugin version 3.6.0, released on March 22. "We recommend that you do not use this plugin until a thorough security review has been carried out and all issues have been resolved," the researchers said.
Although an attacker must be authenticated to exploit this problem, it is still quite serious because anyone who logs in to a vulnerable website can exploit it. Elementor's 5 million users should install version 3.6.3 as soon as possible.
Credit: www.wired.com