Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities. None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in WebKit, the engine that powers Apple’s Safari browser, which could allow an attacker to execute code.

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2. Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December.
The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range.

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog. The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174, a type confusion flaw in V8, and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability. “An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said. Six of the issues patched in December are remote code execution (RCE) flaws marked as critical, so it’s worth updating straight away. However, it’s also worth noting that the latest Patch Tuesday update is causing issues for some Windows 10 users. Although there is a workaround, Microsoft has promised an additional update to resolve this.

Software maker Citrix has issued an emergency patch for a flaw it says is being used in attacks.
Tracked as CVE-2022-27518, the issue in Citrix Gateway and Citrix ADC could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance, Citrix said in a bulletin. “Exploits of this issue on unmitigated appliances in the wild have been reported,” Citrix said. The firm “strongly urges” affected Citrix ADC and Citrix Gateway customers to install the relevant updated versions as soon as possible.

The National Security Agency (NSA) has connected the attacks to APT5, a China-linked hacking group also known as Keyhole Panda or Manganese that targets telecommunications, high-tech manufacturing, and military application technology. The agency has published Threat Hunting Guidance to help organizations spot signs of attack.

Security provider Fortinet has patched a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Tracked as CVE-2022-42475, the flaw has a CVSSv3 score of 9.3 and has already been used in attacks. “Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems,” the firm said. It has listed some indicators of compromise for organizations to look out for.

Software giant VMware has squashed a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI) in VMware ESXi, Workstation, and Fusion. Tracked as CVE-2022-31705 and with a CVSSv3 base score of 9.3, the vulnerability was exploited by security researchers at the GeekPwn 2022 hacking event. The firm has also fixed a command injection and a directory traversal flaw in its VMware vRealize Network Insight product, tracked as CVE-2022-31702 and CVE-2022-31703. By successfully exploiting the first vulnerability, an adversary with network access to the vRNI REST API could execute commands without authentication.
VMware said the issue is in the critical severity range with a maximum CVSSv3 base score of 9.8. The second flaw has a CVSSv3 score of 7.5 and could allow malicious actors with network access to the vRNI REST API to read arbitrary files from the server.

SAP’s December Security Patch Day includes 20 new and updated fixes. One of the most serious flaws, with a CVSSv3 score of 9.9, is a critical server-side request forgery vulnerability in SAP BusinessObjects. “Attackers with normal BI user privileges are able to upload and replace any file on the Business Objects server at the operating system level,” security firm Onapsis said. “This enables the attacker to take full control of the system and has a significant impact on confidentiality, integrity, and availability of the application.”