August ’22 a bumper month for high-impact vulnerabilities

The disclosure of multiple impactful and, critically, widespread vulnerabilities and proof-of-concept (POC) exploits made August a busy month for patching. Urgent updates were needed for users of Apple and Google products, while corporate security teams were kept on their toes by fixes for vulnerabilities in products from Microsoft, Palo Alto and VMware, among others.

That is according to the third edition of Recorded Future’s CVE monthly report, in which the firm’s analysts highlighted some of the most critical bugs, including CVE-2022-2856 in Google’s Chrome web browser, and CVE-2022-32893 and CVE-2022-32894 affecting Apple’s Safari/WebKit, iOS, iPadOS and macOS, all of which are particularly important in part because of their vast user bases.

“When it rains, it pours,” said the analyst team. “As if the landscape was not content to simply break the dry spell of June, the number of high-risk vulnerabilities that we identified for August 2022 was over double the number from July, driven by two categories: disclosures of several zero-day vulnerabilities in products from major vendors like Apple, Google, and Microsoft; and releases of POC exploits for critical vulnerabilities in software from both our prioritised vendors and a diverse group of others.

“Unlike last month, there was a nearly equal distribution of high-risk vulnerabilities between our prioritised vendors and others. For our prioritised list, OSs and web browsers were principally affected. Outside of this list, we saw a wide spread of affected components, including router firmware, device management, interface controllers and learning management software.

“As is to be expected based on trends from the last several years, all of the high-risk vulnerabilities for this past month with CVSS scores were of low attack complexity. However, POC exploit code for these vulnerabilities ranged from a few lines to multi-file packages.”

The full list of prioritised vulnerabilities – in order of potential severity – is as follows:

  • CVE-2022-2856 in Google’s Chrome web browser.
  • CVE-2022-27255 in Realtek’s eCos interface controller.
  • CVE-2022-32548 in DrayTek’s Vigor router firmware.
  • CVE-2022-32893 in Apple’s Safari…