CYBERSECURITY PADAWAN

As part of the August’s Patch Tuesday, Microsoft has released fixes for 21 common vulnerabilities. The list also includes a fix for a zero-day bug that was first identified in December 2020. Per Microsoft’s evaluation, the vulnerability required no authentication and could have been remotely exploited.

Patch Tuesday August Roundup

Not much to report on the patching front; per its usual monthly routine, Microsoft delivered several improvements and fixes to the Chromium-base browser engine. To name a few, we have fixes for issues such as Heap buffer overflow in pdf, Use-after-free in Offline, Insufficient validation of untrusted input in Internals, Use-after-free in Extensions API, and, of course, Side-channel information leakage in Keyboard input.

This month’s highlight is definitely CVE-2021-42276 aka the Chakra Scripting Engine Memory Corruption Vulnerability. Microsoft’s zero-day hit has quite an interesting history; it was discovered in 2020, cataloged in 2021, and received a fix in August 2022. The issue affected both Edge and web browsers that used the ChakraCore engine.

CVE-2021-42276 was traced back to a defective Chakra Scripting Engine memory buffer. If successfully exploited, the issue would’ve allowed a threat actor to read and write information to any memory location. Why is the Chakra Scripting Engine Memory Corruption vulnerability considered a zero-day threat? Per Microsoft’s evaluation, the vulnerability could have been exploited regardless of the authentication level, meaning that the threat actor doesn’t require elevated privileges in order to leverage the issue. CVE-2021-42776 was labeled as fixed. The full list of fixes can be found below.

Release Date
CVE Number
CVE Title
Aug 5, 2022
CVE-2022-35796
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Aug 5, 2022
CVE-2022-33649
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Aug 5, 2022
CVE-2022-33636
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Aug 5, 2022
CVE-2022-2624
Chromium: CVE-2022-2624 Heap buffer overflow in PDF
Aug 5, 2022
CVE-2022-2623
Chromium: CVE-2022-2623 Use after free in Offline
Aug 5, 2022
CVE-2022-2622
Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing
Aug 5, 2022
CVE-2022-2621
Chromium: CVE-2022-2621 Use after free in Extensions
Aug 5, 2022
CVE-2022-2619
Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings
Aug 5, 2022
CVE-2022-2618
Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals
Aug 5, 2022
CVE-2022-2617
Chromium: CVE-2022-2617 Use after free in Extensions API
Aug 5, 2022
CVE-2022-2616
Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API
Aug 5, 2022
CVE-2022-2615
Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies
Aug 5, 2022
CVE-2022-2614
Chromium: CVE-2022-2614 Use after free in Sign-In Flow
Aug 5, 2022
CVE-2022-2612
Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input
Aug 5, 2022
CVE-2022-2611
Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API
Aug 5, 2022
CVE-2022-2610
Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch
Aug 5, 2022
CVE-2022-2606
Chromium: CVE-2022-2606 Use after free in Managed devices API
Aug 5, 2022
CVE-2022-2605
Chromium: CVE-2022-2605 Out of bounds read in Dawn
Aug 5, 2022
CVE-2022-2604
Chromium: CVE-2022-2604 Use after free in Safe Browsing
Aug 5, 2022
CVE-2022-2603
Chromium: CVE-2022-2603 Use after free in Omnibox
Nov 9, 2021
CVE-2021-42279
Chakra Scripting Engine Memory Corruption Vulnerability

Additional Cybersecurity Advice

Well, this concludes the August edition of Patch Tuesday. Hope it was to your taste, and, before I scoot, here is a couple of cybersec advice.

  • Automated patch deployment. If you’re planning on staying ahead of your attackers, automatic patching & patch management is the solution. Heimdal™ Security’s Patch & Asset Management will ensure that all your apps are up to speed, regardless of OS or type of improvement-carrying package you’re going to deploy.
  • Phishing. Please do yourself a favor and stay away from suspicious emails.
  • Prioritize security updates. While scribbling your patch deployment battle plan, do make sure that you prioritize security-related updates or patches over quality updates.

Additional resources:

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Software Patching Statistics: Common Practices and Vulnerabilities

8 Free and Open Source Patch Management Tools for Your Company

15+ Experts Explain Why Software Patching is Key for Your Online Security

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP