Another heavy month of fixes

Thirty days has September — which means IT professionals had one less day this past month to get all the work done. The flip side is that hackers and attackers had one less day to work on exploits and find ways to worm their ways into our networks. As of the end of September, we have seen nearly twice as many zero-day exploits discovered as the total for the entire year of 2020 — the highest number for any year, ever. Yet another worldwide APT group, called FamousSparrow, was in the news in September and reported by ZDNet, although experts believe it has been involved in various cyberattacks all over the world since at least 2019. Meanwhile, the paradigm shift in the way people work, brought on by the COVID-19 lockdowns and restrictions, continues to result in exploits targeting remote workers. Finally, Happy Cybersecurity Awareness month! For the 18th year since it was launched in 2004 by the National Cyber Security Alliance, in October, we celebrate this recognition of the importance of protecting our systems, networks, and IT infrastructure against all the threats that proliferate out there on the Internet as well as attacks that originate internally. We published our usual Patch Tuesday roundup, detailing the security updates released by Microsoft on Sept. 14. Now let’s take a look at some of the patches that other software makers released in September.

Apple

September was a particularly heavy month for patches at Apple. They came out with a total of 14 fixes for operating systems across their product line, with five released on Sept. 13 and six on Sept. 20.

  • Security Update 2021-006 Catalina for macOS Catalina — addresses one type confusion vulnerability.
  • iOS 12.5.5 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) — addresses two vulnerabilities: the type confusion issue mentioned above and a use-after-free issue that could lead to arbitrary code execution.
  • iTunes 12.12 for Windows for Windows 10 and later — addresses a vulnerability in ImageIO that could lead to arbitrary code execution and multiple memory corruption issues.
  • Safari 15 for macOS Big Sur and macOS Catalina — addresses four memory corruption vulnerabilities in the WebKit component that could lead to arbitrary code execution.
  • Xcode 13 for macOS Big Sur 11.3 and later — addresses eight issues in nginx.
  • tvOS 15 for Apple TV 4K and Apple TV HD — addresses fourteen vulnerabilities in various OS components, including Accessory Manager, FontParser, ImageIO, the kernel, libexpat, Preferences, the sandbox, WebKit, and WiFi. These include memory corruption, access issues, logic issues, and an authorization issue. Some could lead to arbitrary code execution.
  • watchOS 8 for Apple Watch Series 3 and later — addresses 15 vulnerabilities, including most of the same ones patched in tvOS 15 as listed above.
  • iOS 15 and iPadOS 15 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) — addresses 22 vulnerabilities, including most of the same ones patched in tvOS 15 as listed above, plus issues in Siri, Model I/O, and Telephony.
  • iTunes U 3.8.3 for iOS 12.4 and later or iPadOS 12.4 and later — addresses one validation issue in iTunes U.
  • Safari 14.1.2 for macOS Catalina and macOS Mojave — addresses a use-after-free issue in WebKit.
  • Security Update 2021-005 Catalina for macOS Catalina — addresses 22 vulnerabilities in various OS components, including multiple issues in CUPS and multiple issues in the kernel.
  • macOS Big Sur 11.6 for macOS Big Sur — addresses 21 vulnerabilities in various OS components, most of which are the same ones addressed in Catalina as described above.
  • watchOS 7.6.2 for Apple Watch Series 3 and later — addresses a single integer overflow issue that could lead to arbitrary code execution.
  • iOS 14.8 and iPadOS 14.8 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) — addresses 13 vulnerabilities in various OS components, including two in the kernel and multiple issues in WebKit.

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.

Adobe

Adobe released even more updates this month than Apple — 15 in all — affecting a broad swath of their products. The most widely used products — Acrobat and Reader — also have the largest number of vulnerabilities patched. Here are the products that got updates:

On Sept. 14, Adobe released the following two fixes:

  • APSB21-85 Security update for Adobe XMP Toolkit SDK. Addresses one important out-of-bounds read vulnerability.
  • APSB21-84 Security update for Adobe Photoshop. Addresses one critical buffer overflow vulnerability.
  • APSB21-82 Security update for Adobe Experience Manager. Addresses one critical cross-site scripting vulnerability and three important vulnerabilities that include improper input validation, improper certificate validation, and cross-site scripting.
  • APSB21-81 Security update for Adobe Genuine Service. Addresses one important privilege escalation vulnerability.
  • APSB21-80 Security update for Adobe Digital Editions. Addresses two critical vulnerabilities, one that can result in arbitrary file system write and one in arbitrary code execution, plus one important privilege escalation vulnerability.
  • APSB21-78 Security update for Adobe Premiere Elements. Addresses two critical arbitrary code execution vulnerabilities and one that is rated important.
  • APSB21-77 Security update for Adobe Photoshop Elements. Addresses one critical out-of-bounds write vulnerability that can result in arbitrary code execution.
  • APSB21-76 Security update for AdobeCreative Cloud Desktop Applications. Addresses one critical arbitrary file system write vulnerability.
  • APSB21-75 Security update for Adobe ColdFusion. Addresses two critical security feature bypass vulnerabilities.
  • APSB21-74 Security update for Adobe Framemaker. Addresses seven vulnerabilities, three of which are critical arbitrary code execution issues and three arbitrary file system read issues rated important or moderate, along with one important privilege escalation vulnerability.
  • APSB21-73 Security update for Adobe InDesign. Addresses three critical arbitrary code execution vulnerabilities.
  • APSB21-72 Security update for Adobe SVG-Native-Viewer. Addresses one critical arbitrary code execution vulnerability.
  • APSB21-71 Security update for Adobe InCopy. Addresses two critical arbitrary file system write vulnerabilities.
  • APSB21-67 Security update for Adobe Premiere Pro. Addresses one critical arbitrary code execution vulnerability.
  • APSB21-55 Security update for Adobe Acrobat and Reader. Addresses fifteen vulnerabilities, seven of them critical arbitrary code execution, memory leak, and application denial-of-service issues. Two moderate arbitrary file system read vulnerabilities and six important arbitrary code execution, application denial-of-service, and memory leak issues are also addressed.

For more information, see the Adobe security bulletin.

Google

Chrome OS

The most recent stable channel update for Chrome OS was released on Sept. 29 as version 93.0.4577.95. It contains both bug fixes and security updates.

Chrome web browser

Google announced the release of the latest stable update for the Chrome desktop browser for Windows, Mac, and Linux on Sept. 30. This update includes four security fixes:

  • CVE-2021-37974: Use after free in Safe Browsing (High severity)
  • CVE-2021-37975: Use after free in V8 (High severity)
  • CVE-2021-37976: Information leak in core (Medium severity)
  • Various fixes from internal audits, fuzzing, and other initiatives

Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.

For more information, see this Google blog.

Android OS

The 2021-09-01 security patch addresses seven issues in Framework, two in Media Framework, seven in System, and one in Google Play. The most severe include a denial-of-service vulnerability in Framework, a security bypass issue in Media Framework that could be exploited by a local malicious app, and a vulnerability in System that could allow bypass of user interaction requirements to gain access to additional permissions.

Google has more information on this website.

Oracle

Oracle normally releases its critical patch updates quarterly in January, April, July, and October. The most recent update was released on July 20. The next critical patch update will be released on Oct. 19. Oracle customers can read more about the current patch release on the Oracle website.

Mozilla Firefox

On Sept. 7, Mozilla released fixes for security vulnerabilities in the following products:

Vulnerabilities fixed in Firefox 92 include:

Linux

Popular Linux distros, as usual, have seen several security advisories and updates this month. In May, Ubuntu issued 56 security advisories since last month’s roundup (significantly more than the 27 in August). Some of these advisories address multiple vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities, applicable to different versions of the OS. Other commercial Linux vendors issued a similar number of updates.

Many of this month’s fixes are for vulnerabilities in the Linux kernel.

For more details about the vulnerabilities listed below, see Security notices | Ubuntu.

Luis Robinson

Next Post

New Fortinet service offers next-gen firewall protection for AWS environments

Mon Nov 28 , 2022
Cybersecurity firm Fortinet Inc. today announced the availability of FortiGate Cloud-Native Firewall on Amazon Web Services Inc., a managed next-generation service specifically designed for AWS environments. FortiGate CNF incorporates FortiGuard artificial intelligence-powered Security Services for real-time detection of and protection against malicious external and internal threats. Underpinned by FortiOS, Fortinet’s network operating […]
New Fortinet service offers next-gen firewall protection for AWS environments

You May Like