If time flies when you’re having fun, October must have been an especially enjoyable month, as it streaked by so fast I barely caught a glimpse of it. Most IT pros probably know that the month of harvest and Halloween has also been officially designated as cybersecurity awareness month. But for those whose job it is to hold the line against hackers and attackers, every month is dedicated to security awareness.
The month got off to an interesting start with a major Facebook outage on Oct. 4 that had social media addicts suffering heavy withdrawal symptoms without their regular hourly (or more often) fixes. WhatsApp and Instagram, owned by Facebook, were likewise down. Rumors proliferated: was it an attack? Was it Armageddon? A configuration change on a backbone router turned out to be the culprit, but many of us were worried for a while there. On the other hand, a lot of people got more work done than usual that day.
There were plenty of actual attacks in October, though. These included a source code leak from the Twitch video live streaming service, a breach of Tesla’s data storage system, and more. A study by Infosec Institute claims October is the favorite month for attackers, in fact, particularly those connected to Russia, China, North Korea, and Iran.
Software vendors are stepping up their game to try to stay ahead of the bad guys. Google held its annual Cloud Next ’21 conference (online only, no in-person attendance) and announced the formation of the Google Cybersecurity Action Team.
We published our usual Microsoft Patch Tuesday October roundup, detailing the security updates released on Oct. 12. Now let’s take a look at some of the patches that other software makers released in October.
Apple
October was a fairly heavy patch release month for Apple, though less so than September. They came out with a total of 11 updates for operating systems across their product line, with the first released on Oct. 1 and the last on Oct. 27. These include a zero-day vulnerability that has been exploited in the wild.
- Safari 15.1 for macOS Big Sur and macOS Catalina, released Oct. 27. Addresses four vulnerabilities in WebKit, including an arbitrary code execution issue.
- iOS 14.8.1 and iPadOS 14.8.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), released Oct. 26. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
- macOS Monterey 12.0.1 for Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later), released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
- macOS Big Sur 11.6.1 for macOS Big Sur, released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
- Security Update 2021-007 Catalina for macOS Catalina, released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
- watchOS 8.1 for Apple Watch Series 3 and later, released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
- iOS 15.1 and iPadOS 15.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
- tvOS 15.1 for Apple TV 4K and Apple TV HD, released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
- watchOS 8.0.1 for Apple Watch Series 3 and later, released Oct. 11.
- iOS 15.0.2 and iPadOS 15.0.2 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), released Oct. 11. Addresses three vulnerabilities in the Game Center and IOMobileFrameBuffer components of the operating system, one of which is an arbitrary code execution issue.
- iOS 15.0.1 and iPadOS 15.0.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), released Oct. 1. Addresses one vulnerability in the status bar, which could allow a user to view restricted content from the lock screen.
For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.
Adobe
Adobe released a slew of security bulletins last month, affecting a broad swath of their products. It is normal protocol for Adobe to release its security fixes on the second Tuesday of the month, the same day as Microsoft. This time, in addition to the updates released Oct. 12 on Patch Tuesday, 14 patches were released on Oct. 26. A total of 92 vulnerabilities are addressed, with 66 of them rated critical. Here are the products that got those updates:
- APSB21-79: Security update available for Adobe After Effects running on Windows. This is a critical priority 3 update that addresses nine vulnerabilities, eight of which are arbitrary code execution issues with one denial of service issue.
- APSB21-92: Security update available for Adobe Audition running on Windows and macOS. This is a critical priority 3 update that addresses nine vulnerabilities, eight of which are arbitrary code execution issues with one denial of service issue.
- APSB21-94: Security update available for Adobe Bridge running on Windows. This is a critical priority 2 update that addresses nine vulnerabilities, eight of which are arbitrary code execution issues with one memory leak issue.
- APSB21-95: Security update available for Adobe Character Animator running on Windows and macOS. This is a critical priority 3 update that addresses eight vulnerabilities, three of which are arbitrary code execution issues, along with denial of service, arbitrary file system read, and privilege escalation vulnerabilities.
- APSB21-96: Security update available for Adobe Prelude running on Windows. This is a critical priority 3 update that addresses nine vulnerabilities, six of which are arbitrary code execution issues, along with application denial of service and memory leak vulnerabilities.
- APSB21-97: Security update available for Adobe Lightroom Classic running on Windows. This is a critical priority 2 update that addresses one privilege escalation vulnerability.
- APSB21-98: Security update available for Adobe Illustrator running on Windows and macOS. This is a critical priority 3 update that addresses five vulnerabilities, including one arbitrary code execution issue, three application denial of service issues, and one memory leak vulnerability.
- APSB21-99: Security update available for Adobe Media Encoder running on Windows and macOS. This is a critical priority 3 update that addresses six vulnerabilities, three of which are arbitrary code execution issues, along with a memory leak and two application denial of service vulnerabilities.
- APSB21-100: Security update available for Adobe Premiere Pro running on Windows and macOS. This is a critical priority 3 update that addresses six vulnerabilities, three of which are arbitrary code execution issues and three of which are application denial of service vulnerabilities.
- APSB21-105: Security update available for Adobe Animate running on Windows. This is a critical priority 3 update that addresses ten vulnerabilities, nine of which are arbitrary code execution issues and one of which is a privilege escalation vulnerability.
- APSB21-106: Security update available for Adobe Premiere Elements running on Windows and macOS. This is a critical priority 3 update that addresses seven vulnerabilities, four of which are arbitrary code execution issues, along with a memory leak and two application denial of service vulnerabilities.
- APSB21-107: Security update available for Adobe InDesign running on Windows and macOS. This is a critical priority 3 update that addresses three vulnerabilities, two of which are arbitrary code execution issues along with one application denial of service vulnerability.
- APSB21-108: Security update available for Adobe XMP Toolkit SDK running on all platforms. This is a critical priority 2 update that addresses five vulnerabilities, four of which are arbitrary code execution issues along with one application denial of service vulnerability.
- APSB21-109: Security update available for Adobe Photoshop running on Windows and macOS. This is a critical priority 3 update that addresses three vulnerabilities, two of which are arbitrary code execution issues along with one privilege escalation vulnerability.
For more information, see the Adobe security bulletin summary.
Chrome OS
Google released a stable channel update for Chrome OS on Oct. 20 as version 94.0.4606.104. It contains both bug fixes and security updates. You can find out more here. (Note that another stable channel update for Chrome OS was released on Nov. 1.)
Chrome web browser
Google announced the release of the latest stable update for the Chrome desktop browser for Windows, Mac, and Linux on Oct. 28. This update includes the following security fixes, all rated high severity:
- CVE-2021-37997: Use after free in Sign-In.
- CVE-2021-37998: Use after free in Garbage Collection.
- CVE-2021-37999: Insufficient data validation in New Tab Page.
- CVE-2021-38000: Insufficient validation of untrusted input in Intents.
- CVE-2021-38001: Type Confusion in V8.
- CVE-2021-38002: Use after free in Web Transport.
- CVE-2021-38003: Inappropriate implementation in V8.
Google is aware that exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.
For more information, see this Google blog.
Android OS
The 2021-10-05 security patch addresses an arbitrary code execution/elevation of privilege vulnerability in Android Runtime rated high severity; six vulnerabilities in Framework that include three elevation of privilege, two information disclosure, and one denial of service issue; an arbitrary code execution/elevation of privilege vulnerability in Media Framework; and two vulnerabilities in System that include one information disclosure and one denial of service issue.
For more information, see this Android security bulletin.
Oracle
Oracle normally releases its critical patch updates on a quarterly cycle, in January, April, July, and October. The most recent update was released on Oct. 19. It addresses 231 different vulnerabilities with 419 security fixes across 28 of Oracle’s product families. Thirty-six of the patches are rated critical.
The next critical patch update will be released on Jan. 18, 2022.
Oracle customers can read more about the current patch release on the Oracle website.
Mozilla Firefox
On Oct. 5, Mozilla released Firefox 93, which contains fixes for the following five high severity and three moderate severity vulnerabilities.
The following vulnerabilities are rated high severity:
The following vulnerabilities are rated moderate severity:
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. During the month of May, Ubuntu issued thirty-six security advisories since last month’s roundup (significantly fewer than in September). Some of these advisories address multiple vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities, applicable to different versions of the OS. Other commercial Linux vendors issued a similar number of updates.
Many of this month’s fixes are for vulnerabilities in the Linux kernel.
For more details about the vulnerabilities listed below, see Security notices | Ubuntu
- USN-5126-2: Bind vulnerability – Bind could be made to consume resources if it received specially crafted network traffic.
- USN-5125-1: PHP vulnerability – PHP-FPM in PHP could be made to run programs as an administrator if it received specially crafted input. CVE-2021-21703
- USN-5009-2: libslirp vulnerabilities – Several security issues were fixed in libslirp. CVE-2021-3593, CVE-2021-3595, CVE-2021-3594
- USN-5122-2: Apport vulnerability – Apport could be made to create files as the administrator.
- USN-5124-1: GNU binutils vulnerabilities – Several security issues were fixed in GNU binutils. CVE-2021-3487, CVE-2020-16592
- USN-5123-2: MySQL vulnerabilities – Several security issues were fixed in MySQL. CVE-2021-35624, CVE-2021-35604
- USN-5123-1: MySQL vulnerabilities – Several security issues were fixed in MySQL. CVE-2021-35602, CVE-2021-35634, CVE-2021-35643, and 40 more
- USN-5122-1: Apport vulnerability – Apport could be made to create files as the administrator.
- USN-5114-1: Linux kernel vulnerabilities – Several security issues were fixed in the Linux kernel. CVE-2020-3702, CVE-2021-40490, CVE-2021-38198, and 1 more.
- USN-5121-1: Mailman vulnerabilities – Several security issues were fixed in Mailman. CVE-2021-42096, CVE-2021-42097
- USN-5116-2: Linux kernel vulnerabilities – Several security issues were fixed in the Linux kernel. CVE-2020-3702, CVE-2021-3732, CVE-2021-38205, and 3 more
- USN-5120-1: Linux kernel (Azure) vulnerabilities – Several security issues were fixed in the Linux kernel. CVE-2021-22543, CVE-2021-38199, CVE-2020-36311, and 6 more
- USN-5119-1: libcaca vulnerabilities – libcaca could be made to crash if it received a specially crafted image. CVE-2021-30498, CVE-2021-30499
- USN-5117-1: Linux kernel (OEM) vulnerabilities – Several security issues were fixed in the Linux kernel. CVE-2021-3753, CVE-2021-3743, CVE-2021-3739, and 1 more
- USN-5116-1: Linux kernel vulnerabilities – Several security issues were fixed in the Linux kernel. CVE-2021-38198, CVE-2020-3702, CVE-2021-3732, and 3 more
- USN-5115-1: Linux kernel (OEM) vulnerabilities – Several security issues were fixed in the Linux kernel. CVE-2021-3679, CVE-2021-34556, CVE-2021-35477, and 13 more
- USN-5113-1: Linux kernel vulnerabilities – Several security issues were fixed in the Linux kernel. CVE-2021-42008, CVE-2021-38166, CVE-2021-40490, and 5 more
- USN-5111-2: strongSwan vulnerability – Several security issues were fixed in strongSwan. CVE-2021-41991
- USN-5111-1: strongSwan vulnerabilities – Several security issues were fixed in strongSwan. CVE-2021-41991, CVE-2021-41990
- USN-5092-3: Linux kernel (Azure) regression – USN-5092-2 introduced a regression in the Linux kernel for Microsoft Azure cloud systems.
- USN-5110-1: Ardour vulnerability – Ardour could be made to crash or possibly execute arbitrary code if it received a specially crafted XML file. CVE-2020-22617
- USN-5109-1: nginx vulnerability – Security issue was fixed in nginx. CVE-2017-20005
- USN-5091-3: Linux kernel (Azure) regression – USN-5091-1 introduced a regression in the Linux kernel for Microsoft Azure cloud systems.
- USN-5078-3: Squashfs-Tools vulnerability – Squashfs-Tools could be made to overwrite files. CVE-2021-41072
- USN-5108-1: libntlm vulnerability – libntlm could be made to crash or possibly execute arbitrary code. CVE-2019-17455
- USN-5022-3: MySQL vulnerabilities – Several security issues were fixed in MySQL. CVE-2021-2179, CVE-2021-2162, CVE-2021-2389, and 13 more
- USN-5107-1: Firefox vulnerabilities – Firefox could be made to crash or run programs as your login if it opened a malicious website. CVE-2021-38497, CVE-2021-32810, CVE-2021-38501, and 4 more
- USN-5106-1: Linux kernel (OEM) vulnerabilities – Several security issues were fixed in the Linux kernel. CVE-2021-22543, CVE-2021-38160, CVE-2021-41073, and 3 more
- USN-5105-1: Bottle vulnerability – Bottle could be made to cache malicious requests if it received a specially crafted input. CVE-2020-28473
- USN-5104-1: Squid vulnerability – Squid could be made to crash or expose sensitive information over the network. CVE-2021-28116
- USN-5103-1: docker.io vulnerability – Docker could be made to adjust the permissions of files. CVE-2021-41089
- USN-5102-1: Mercurial vulnerabilities – Several security issues were fixed in Mercurial. CVE-2019-3902, CVE-2018-17983
- USN-5101-1: MongoDB vulnerability – MongoDB could be made to crash if it received specially crafted network traffic. CVE-2019-20925
- USN-5100-1: containerd vulnerability – containerd would allow unintended access to files. CVE-2021-41103
- USN-5099-1: Imlib2 vulnerability – Imlib2 could be made to cause a denial of service and possibly execute arbitrary code. CVE-2020-12761
- USN-4973-2: Python vulnerability – Python could allow unintended access to network services. CVE-2021-29921