The past year and a half has been a period of change and uncertainty for people all over the world. Much of what had been constant and routine before was suspended, and that included some of my regular monthly articles on this blog. But life is slowly returning to normal in many places, and I’m happy to resume rounding up the third party patches here every thirty(ish) days.

Of course, attackers who exploit software vulnerabilities didn’t take a hiatus during that time. In fact, computer security and the integrity of our operating systems and applications became even more important as an unprecedented number of people suddenly transitioned from working in controlled office environments to working from home. It has been a challenge, both for individuals and for company IT departments, to stay ahead of zero-day attacks and keep all those systems in all those different places updated and secured.

Managing so many systems remotely presented new challenges, and the breach numbers reflect it. According to Statista, more than a thousand data breaches were reported in 2020, exposing the personal information of over 155 million people. The trend has continued into 2021, with a plethora of major breaches during the first five months. Many of these happened to large, well-known companies with huge investments in security; small and mid-sized organizations, while they may not be high-profile targets, are just as vulnerable.

Applying the appropriate security updates promptly is one of the first and most important steps in protecting your business from the same fate.

Let’s take a look at the patches released in May by some of the major software vendors (Microsoft Patch Tuesday updates are addressed in a separate article each month).

Apple

It was a big patching month for Apple, which released thirteen security updates across its product line.
The following updates were released on May 24th:

  • Safari 14.1.1 for macOS Catalina and macOS Mojave. Patches ten vulnerabilities in WebKit and WebRTC, including denial of service, information disclosure, cross-site scripting, and arbitrary code execution issues.
  • Security Update 2021-003 Catalina for macOS Catalina. Fixes forty-eight vulnerabilities in various operating system components, including validation, information disclosure, denial of service, elevation of privilege, memory disclosure, application termination, security bypass, and arbitrary code execution issues.
  • Security Update 2021-004 Mojave for macOS Mojave. Fixes thirty vulnerabilities in various operating system components, including validation, information disclosure, denial of service, elevation of privilege, memory disclosure, application termination, security bypass, and arbitrary code execution issues.
  • macOS Big Sur 11.4 for macOS Big Sur. This update addresses many of the same issues as those for Catalina and Mojave. It also fixes a zero-day vulnerability that was already being exploited in the wild by the XCSSET malware, which is why experts advised installing this update immediately.
  • iOS 14.6 and iPadOS 14.6 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Fixes forty-three vulnerabilities in various components of the mobile operating system, many of which are the same issues addressed in the patches for Apple’s desktop operating systems described above.
  • tvOS 14.6 for Apple TV 4K and Apple TV HD. Fixes twenty-six vulnerabilities in various components of the TV operating system, including many of the same issues addressed in the desktop and mobile operating systems as described above.
  • watchOS 7.5 for Apple Watch Series 3 and later. Fixes twenty-five vulnerabilities in various components of the watch operating system, including many of the same issues addressed in the desktop and mobile operating systems as described above.

On May 17th, Apple released:

  • Boot Camp 6.1.14 for Mac Pro (Late 2013 and later), MacBook Pro (Late 2013 and later), MacBook Air (Mid 2013 and later), Mac mini (Mid 2014 and later), iMac (Mid 2014 and later), MacBook (Early 2015 and later), iMac Pro (Late 2017). Fixes one memory corruption vulnerability that could allow elevation of privilege.

On May 4th, Apple released:

  • Safari 14.1 for macOS Catalina and macOS Mojave. Fixes two vulnerabilities in Apple’s web browser, both in the WebKit component and both of which could allow arbitrary code execution.

On May 3rd, Apple released:

  • macOS Big Sur 11.3.1 for macOS Big Sur. Superseded by 11.4.
  • iOS 14.5.1 and iPadOS 14.5.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Superseded by 14.6.
  • iOS 12.5.3 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). Fixes four vulnerabilities in Apple’s older mobile operating system versions, all in WebKit and WebKit Storage, all of which can allow arbitrary code execution.
  • watchOS 7.4.1 for Apple Watch Series 3 and later. Superseded by 7.5.

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Like Apple, Adobe released an unusually large number of security updates in May, affecting an array of their different products. All twelve of these were released on Adobe’s usual Patch Tuesday schedule, on May 11th.

  • APSB21-15 Security update for Adobe Experience Manager – two vulnerabilities, one important and one critical
  • APSB21-22 Security updates for Adobe InDesign – three critical vulnerabilities
  • APSB21-24 Security update for Adobe Illustrator – five critical vulnerabilities
  • APSB21-25 Security updates for Adobe InCopy – one critical vulnerability
  • APSB21-27 Security update for Adobe Genuine Service – one important vulnerability
  • APSB21-29 Security update for Adobe Acrobat and Reader – ten vulnerabilities, six critical and four important
  • APSB21-30 Security updates for Magento – seven vulnerabilities, one important and six moderate
  • APSB21-31 Security update for Adobe Creative Cloud Desktop Application – one critical vulnerability
  • APSB21-32 Security update for Adobe Media Encoder – one important vulnerability
  • APSB21-33 Security update for Adobe After Effects – three vulnerabilities, two critical and one important
  • APSB21-34 Security updates for Adobe Medium – one critical vulnerability
  • APSB21-35 Security update for Adobe Animate – seven vulnerabilities, two critical and five important

The most widely used of these products are Adobe Acrobat and Reader. The patch for these fixes ten vulnerabilities, six of them rated critical. Eight are arbitrary code execution issues; the remaining two are a memory leak and an elevation of privilege vulnerability.

Vulnerabilities patched in other Adobe products include denial of service, arbitrary JavaScript execution, information disclosure, improper authorization, cross-site scripting, unauthorized access to restricted resources, and security feature bypass issues.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

Chrome web browser

Chrome 91 for Windows, Mac, and Linux was released by Google on May 25th and contains thirty-two security fixes. Issues patched include heap buffer overflow, use-after-free, out-of-bounds write, out-of-bounds read, out-of-bounds memory access, insufficient policy enforcement, and incorrect security UI in payments.

For more information, see https://chromereleases.googleblog.com/

Android OS

The May Android Security Bulletin discusses a number of vulnerabilities addressed by patch level 2021-05-05 or later. The most severe of these is a critical vulnerability in the System component that could enable a remote attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process. Other vulnerabilities addressed include elevation of privilege, information disclosure, and remote code execution issues rated high severity. These exist in the Framework, kernel, Amlogic, MediaTek, Unisoc, and Qualcomm components and include twenty-eight separate vulnerabilities.

For more information about the vulnerabilities that are addressed by the Android updates, see the Android Security Bulletin for May 2021 at https://source.android.com/security/bulletin/2021-05-01

Oracle

Oracle normally releases its Critical Patch Updates on a quarterly cycle, in January, April, July and October. The most recent Critical Patch Update was released on April 20th. The next scheduled release will be on July 20th.

Oracle customers can read more about the current patch release on the Oracle web site at https://www.oracle.com/security-alerts/

Mozilla

Firefox: On May 5th, Mozilla released Firefox 88.0.1 and Firefox for Android 88.1.3. These fix two security vulnerabilities:

CVE-2021-29953: Universal Cross-Site Scripting – Critical. A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. This issue only affected Firefox for Android. Other operating systems are unaffected.

CVE-2021-29952: Race condition in Web Render components – High severity. When Web Render components were destructed, a race condition could have caused undefined behavior, which Mozilla presumes could, with enough effort, have been exploitable to run arbitrary code. Unlike the UXSS issue above, this one affects Firefox on all platforms.

Thunderbird: On May 17th, Mozilla released Thunderbird 78.10.2. This version fixes two security vulnerabilities:

CVE-2021-29957: Partial protection of inline OpenPGP message not indicated – Low impact. If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected.

CVE-2021-29956: Thunderbird stored OpenPGP secret keys without master password protection – Low impact. OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user’s local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys and will automatically protect keys that had been imported using affected Thunderbird versions.

For more information about Mozilla security updates, see https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Ubuntu issued the following fifty-five security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in a single notice, and in some cases there are multiple advisories (a -1 and a -2 revision) for the same vulnerabilities, typically because the fix was released for an additional Ubuntu release or a regression was corrected. Other commercial Linux vendors issued a similar number of updates. For more details about the vulnerabilities listed below, see the Ubuntu security notices at https://ubuntu.com/security/notices

  • USN-4973-1: Python vulnerability – 01 June 2021. Python could allow unintended access to network services. CVE-2021-29921
  • USN-4972-1: PostgreSQL vulnerabilities – 01 June 2021. Several security issues were fixed in PostgreSQL. CVE-2021-32029, CVE-2021-32028, CVE-2021-32027
  • USN-4971-1: libwebp vulnerabilities – 01 June 2021. libwebp could be made to crash or run programs as your login if it opened a specially crafted file. CVE-2020-36331, CVE-2018-25010, CVE-2018-25011, and 8 others
  • USN-4970-1: GUPnP vulnerability – 01 June 2021. GUPnP could allow unintended access to network services. CVE-2021-33516
  • USN-4968-2: LZ4 vulnerability – 31 May 2021. LZ4 could be made to crash or run programs if it opened a specially crafted file. CVE-2021-3520
  • USN-4967-2: nginx vulnerability – 27 May 2021. nginx could be made to crash or run programs if it received specially crafted network traffic. CVE-2021-23017
  • USN-4969-2: DHCP vulnerability – 27 May 2021. DHCP could be made to crash if it received specially crafted network traffic. CVE-2021-25217
  • USN-4969-1: DHCP vulnerability – 27 May 2021. DHCP could be made to crash if it received specially crafted network traffic. CVE-2021-25217
  • USN-4968-1: LZ4 vulnerability – 26 May 2021. LZ4 could be made to crash or run programs if it opened a specially crafted file. CVE-2021-3520
  • USN-4967-1: nginx vulnerability – 26 May 2021. nginx could be made to crash or run programs if it received specially crafted network traffic. CVE-2021-23017
  • USN-4966-2: libx11 vulnerability – 25 May 2021. libx11 could allow unintended access to services. CVE-2021-31535
  • USN-4965-2: Apport vulnerabilities – 25 May 2021. Several security issues were fixed in Apport. CVE-2021-32549, CVE-2021-32555, CVE-2021-32551, and 8 others
  • USN-4966-1: libx11 vulnerability – 25 May 2021. libx11 could allow unintended access to services. CVE-2021-31535
  • USN-4965-1: Apport vulnerabilities – 25 May 2021. Several security issues were fixed in Apport. CVE-2021-32549, CVE-2021-32554, CVE-2021-32547, and 8 others
  • USN-4964-1: Exiv2 vulnerabilities – 25 May 2021. Several security issues were fixed in Exiv2. CVE-2021-29464, CVE-2021-29463, CVE-2021-32617, and 2 others
  • USN-4962-1: Babel vulnerability – 19 May 2021. Babel could be made to execute arbitrary code if it received specially crafted input. CVE-2021-20095
  • USN-4963-1: Pillow vulnerabilities – 19 May 2021. Pillow could be made to crash or hang if it opened a specially crafted file. CVE-2021-28677, CVE-2021-28675, CVE-2021-28678, and 3 others
  • USN-4961-1: pip vulnerability – 19 May 2021. pip could be made to install different git revisions.
  • USN-4960-1: runC vulnerability – 19 May 2021. runC could be made to overwrite files as the administrator. CVE-2021-30465
  • USN-4945-2: Linux kernel (Raspberry Pi) vulnerabilities – 19 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-29265, CVE-2021-28660, CVE-2021-30002, and 4 others
  • USN-4959-1: GStreamer Base Plugins vulnerability – 18 May 2021. GStreamer Base Plugins could be made to expose sensitive information if it received a specially crafted input. CVE-2021-3522
  • USN-4957-2: DjVuLibre vulnerabilities – 18 May 2021. Several security issues were fixed in DjVuLibre. CVE-2021-32491, CVE-2021-32492, CVE-2021-32493, and 2 others
  • USN-4958-1: Caribou vulnerability – 17 May 2021. Applications using Caribou could be made to crash if given specially crafted input.
  • USN-4957-1: DjVuLibre vulnerabilities – 17 May 2021. Several security issues were fixed in DjVuLibre. CVE-2021-32493, CVE-2021-32490, CVE-2021-3500, and 2 others
  • USN-4956-1: Eventlet vulnerability – 17 May 2021. Eventlet could be made to deny service if it received a specially crafted request. CVE-2021-21419
  • USN-4955-1: Please vulnerabilities – 17 May 2021. Several security issues were fixed in Please. CVE-2021-31155, CVE-2021-31154, CVE-2021-31153
  • USN-4628-3: Intel Microcode vulnerabilities – 17 May 2021. Several security issues were fixed in Intel Microcode. CVE-2020-8698, CVE-2020-8696, CVE-2020-8695
  • USN-4954-1: GNU C Library vulnerabilities – 14 May 2021. Several security issues were fixed in GNU C Library. CVE-2009-5155, CVE-2020-6096
  • USN-4953-1: AWStats vulnerabilities – 13 May 2021. Several security issues were fixed in AWStats. CVE-2020-35176, CVE-2017-1000501, CVE-2020-29600
  • USN-4932-2: Django vulnerability – 13 May 2021. Django could be made to overwrite files. CVE-2021-31542
  • USN-4952-1: MySQL vulnerabilities – 12 May 2021. Several security issues were fixed in MySQL. CVE-2021-2154, CVE-2021-2293, CVE-2021-2203, and 30 others
  • USN-4951-1: Flatpak vulnerability – 12 May 2021. A Flatpak application could access files that it would not normally be permitted to access. CVE-2021-21381
  • USN-4950-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-3489, CVE-2021-3490
  • USN-4949-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-29265, CVE-2021-29264, CVE-2021-3489, and 9 others
  • USN-4948-1: Linux kernel (OEM) vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-3489, CVE-2021-29649, CVE-2021-28951, and 18 others
  • USN-4946-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-20292, CVE-2021-26930, CVE-2021-29264, and 6 others
  • USN-4947-1: Linux kernel (OEM) vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2020-35519, CVE-2021-29650, CVE-2021-29646, and 2 others
  • USN-4945-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-29265, CVE-2021-28660, CVE-2021-28375, and 4 others
  • USN-4944-1: MariaDB vulnerabilities – 11 May 2021. Several security issues were fixed in MariaDB.
  • USN-4943-1: XStream vulnerabilities – 11 May 2021. Several security issues were fixed in XStream library. CVE-2020-26258, CVE-2021-21351, CVE-2021-21342, and 11 others
  • USN-4942-1: Firefox vulnerability – 10 May 2021. Firefox could be made to crash or run programs as your login if it opened a malicious website. CVE-2021-29952
  • USN-4941-1: Exiv2 vulnerabilities – 10 May 2021. Several security issues were fixed in Exiv2. CVE-2021-29458, CVE-2021-3482, CVE-2021-29470, and 1 other
  • USN-4940-1: PyYAML vulnerability – 10 May 2021. PyYAML could be made to run programs if it opened a specially crafted YAML file. CVE-2020-14343
  • USN-4939-1: WebKitGTK vulnerabilities – 10 May 2021. Several security issues were fixed in WebKitGTK. CVE-2021-1871, CVE-2021-1844, CVE-2021-1788
  • USN-4936-1: Thunderbird vulnerabilities – 06 May 2021. Several security issues were fixed in Thunderbird. CVE-2021-23969, CVE-2021-23978, CVE-2021-23968, and 2 others
  • USN-4938-1: Unbound vulnerabilities – 06 May 2021. Several security issues were fixed in Unbound. CVE-2019-25031, CVE-2019-25035, CVE-2019-25040, and 10 others
  • USN-4934-2: Exim vulnerabilities – 06 May 2021. Several security issues were fixed in Exim. CVE-2020-28011, CVE-2020-28009, CVE-2021-27216, and 13 others
  • USN-4937-1: GNOME Autoar vulnerability – 06 May 2021. GNOME Autoar could be made to overwrite files. CVE-2021-28650
  • USN-4935-1: NVIDIA graphics drivers vulnerabilities – 04 May 2021. Several security issues were fixed in NVIDIA graphics drivers. CVE-2021-1076, CVE-2021-1077
  • USN-4934-1: Exim vulnerabilities – 04 May 2021.  Several security issues were fixed in Exim. CVE-2020-28022, CVE-2020-28026, CVE-2020-28009, and 18 others
  • USN-4932-1: Django vulnerability – 04 May 2021. Django could be made to overwrite files. CVE-2021-31542
  • USN-4933-1: OpenVPN vulnerabilities – 04 May 2021. Several security issues were fixed in OpenVPN. CVE-2020-15078, CVE-2020-11810
  • USN-4918-3: ClamAV regression – 03 May 2021. USN-4918-1 introduced a regression in ClamAV that could cause it to fail to scan.
  • USN-4931-1: Samba vulnerabilities – 03 May 2021. Several security issues were fixed in Samba. CVE-2020-14318, CVE-2020-14323, CVE-2020-14383, and 1 other
  • LSN-0076-1: Kernel Live Patch Security Notice – 03 May 2021. Several security issues were fixed in the kernel. CVE-2021-29154, CVE-2021-3493
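A list like the one above is easier to act on once it is in structured form: you can see which CVEs are covered by more than one notice, which notices are re-releases (-2 revisions) of an earlier one, and which lines carry no CVE ID at all and so need a look at the full notice. The script below is an added example written for this roundup; it is not GFI's or Canonical's code. It parses advisory lines in exactly the one-line-per-notice shape used in the list above (including the en dash before the date and the "and N others" suffix). The sample input is four lines copied from that list and embedded as constructed test input.

```python
"""Parse Ubuntu Security Notice summary lines into structured records.

Added example for this roundup; not GFI's or Canonical's code. The input
format is the one-line-per-advisory style used in the list above.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed sample input: four lines copied from the Ubuntu list above.
SAMPLE_LINES = """\
USN-4968-2: LZ4 vulnerability – 31 May 2021. LZ4 could be made to crash or run programs if it opened a specially crafted file. CVE-2021-3520
USN-4968-1: LZ4 vulnerability – 26 May 2021. LZ4 could be made to crash or run programs if it opened a specially crafted file. CVE-2021-3520
USN-4949-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-29265, CVE-2021-29264, CVE-2021-3489, and 9 others
USN-4961-1: pip vulnerability – 19 May 2021. pip could be made to install different git revisions.
"""

# Shape: "USN-4968-2: LZ4 vulnerability – 31 May 2021. <summary> <CVE list>"
LINE_RE = re.compile(
    r"^(?P<id>(?:USN|LSN)-(?P<base>\d+)-(?P<rev>\d+)):\s*"
    r"(?P<title>.+?)\s+[–-]\s+"                       # en dash or hyphen
    r"(?P<day>\d{1,2})\s+(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})\.\s*"
    r"(?P<rest>.*)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
OTHERS_RE = re.compile(r"\band\s+(\d+)\s+others?\b")   # "and 9 others"
MONTHS = {name: n for n, name in enumerate(
    ("January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"), start=1)}


def parse_advisory(line):
    """Return a dict for one advisory line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    listed = CVE_RE.findall(rest)          # CVE IDs actually printed
    others = OTHERS_RE.search(rest)
    extra = int(others.group(1)) if others else 0
    # The summary sentence is whatever precedes the first CVE ID.
    summary = rest[: rest.find(listed[0])].strip() if listed else rest.strip()
    return {
        "id": m.group("id"),
        "base": int(m.group("base")),       # notice number shared by -1/-2
        "revision": int(m.group("rev")),
        "title": m.group("title"),
        "date": date(int(m.group("year")), MONTHS[m.group("month")], int(m.group("day"))),
        "summary": summary,
        "cves": listed,
        # Total the line claims (listed plus "N others"); 0 when none are listed.
        "cve_count": len(listed) + extra,
    }


def parse_advisories(text):
    """Parse every matching line; blank or non-matching lines are skipped."""
    records = [parse_advisory(line) for line in text.splitlines()]
    return [r for r in records if r]


def advisories_by_cve(records):
    """Map each printed CVE ID to the sorted advisory IDs that mention it."""
    index = defaultdict(set)
    for r in records:
        for cve in r["cves"]:
            index[cve].add(r["id"])
    return {cve: sorted(ids) for cve, ids in index.items()}


def followup_advisories(records):
    """IDs with revision > 1: re-releases of an earlier notice (another
    Ubuntu release, or a regression fix), which rarely add new CVEs."""
    return sorted(r["id"] for r in records if r["revision"] > 1)


def unlisted_cve_advisories(records):
    """IDs whose line prints no CVE at all; a missing ID is not a signal
    that the issue is minor, so read the full notice for these."""
    return sorted(r["id"] for r in records if not r["cves"])


if __name__ == "__main__":
    recs = parse_advisories(SAMPLE_LINES)
    for r in sorted(recs, key=lambda r: r["date"]):
        print(f"{r['date']} {r['id']:<12} {r['title']:<30} "
              f"CVEs listed/total: {len(r['cves'])}/{r['cve_count']}")
    shared = {c: ids for c, ids in advisories_by_cve(recs).items() if len(ids) > 1}
    print("CVEs covered by more than one notice:", shared)
    print("follow-up revisions:", followup_advisories(recs))
    print("no CVE printed:", unlisted_cve_advisories(recs))
```

Feeding the whole list above through `parse_advisories` gives a table sorted by date, flags USN-4968-2, USN-4969-2 and similar -2 notices as follow-ups of notices already reviewed, and singles out lines such as USN-4961-1 (pip), USN-4958-1 (Caribou) and USN-4944-1 (MariaDB) that print no CVE ID, so they are not silently dropped from a CVE-keyed tracker. The `cve_count` field keeps the "and N others" total so a kernel notice with twelve CVEs is not mistaken for one with three.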
