Thirty days has September — which means IT professionals had one less day this past month to get all their work done. The flip side is that hackers and attackers had one less day to work on exploits and find ways to worm their way into our networks. As of the end of September, we have seen nearly twice as many zero-day exploits discovered as the total for the entire year of 2020 — the highest number for any year, ever. Yet another worldwide APT group, called FamousSparrow, was in the news in September and reported by ZDNet, although experts believe it has been involved in cyberattacks around the world since at least 2019. Meanwhile, the paradigm shift in the way people work, brought on by the COVID-19 lockdowns and restrictions, continues to result in exploits targeting remote workers.

Finally, happy Cybersecurity Awareness Month! For the 18th year since it was launched in 2004 by the National Cyber Security Alliance, in October we celebrate this recognition of the importance of protecting our systems, networks, and IT infrastructure against all the threats that proliferate out there on the Internet, as well as attacks that originate internally.

We published our usual Patch Tuesday roundup, detailing the security updates released by Microsoft on Sept. 14. Now let’s take a look at some of the patches that other software makers released in September.
September was a particularly heavy month for patches at Apple. They came out with a total of 14 fixes for operating systems across their product line, with five released on Sept. 13 and six on Sept. 20.
- Security Update 2021-006 Catalina for macOS Catalina — addresses one type confusion vulnerability.
- iOS 12.5.5 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) — addresses two vulnerabilities: the type confusion issue mentioned above and a use-after-free issue that could lead to arbitrary code execution.
- iTunes 12.12 for Windows (Windows 10 and later) — addresses a vulnerability in ImageIO that could lead to arbitrary code execution, plus multiple memory corruption issues.
- Safari 15 for macOS Big Sur and macOS Catalina — addresses four memory corruption vulnerabilities in the WebKit component that could lead to arbitrary code execution.
- Xcode 13 for macOS Big Sur 11.3 and later — addresses eight issues in nginx.
- tvOS 15 for Apple TV 4K and Apple TV HD — addresses fourteen vulnerabilities in various OS components, including Accessory Manager, FontParser, ImageIO, the kernel, libexpat, Preferences, the sandbox, WebKit, and WiFi. These include memory corruption, access issues, logic issues, and an authorization issue. Some could lead to arbitrary code execution.
- watchOS 8 for Apple Watch Series 3 and later — addresses 15 vulnerabilities, including most of the same ones patched in tvOS 15 as listed above.
- iOS 15 and iPadOS 15 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) — addresses 22 vulnerabilities, including most of the same ones patched in tvOS 15 as listed above, plus issues in Siri, Model I/O, and Telephony.
- iTunes U 3.8.3 for iOS 12.4 and later or iPadOS 12.4 and later — addresses one validation issue in iTunes U.
- Safari 14.1.2 for macOS Catalina and macOS Mojave — addresses a use-after-free issue in WebKit.
- Security Update 2021-005 Catalina for macOS Catalina — addresses 22 vulnerabilities in various OS components, including multiple issues in CUPS and multiple issues in the kernel.
- macOS Big Sur 11.6 for macOS Big Sur — addresses 21 vulnerabilities in various OS components, most of which are the same ones addressed in Catalina as described above.
- watchOS 7.6.2 for Apple Watch Series 3 and later — addresses a single integer overflow issue that could lead to arbitrary code execution.
- iOS 14.8 and iPadOS 14.8 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) — addresses 13 vulnerabilities in various OS components, including two in the kernel and multiple issues in WebKit.
For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.
Adobe released even more updates this month than Apple — 15 in all — affecting a broad swath of their products. The most widely used products — Acrobat and Reader — also have the largest number of vulnerabilities patched. Here are the products that got updates:
On Sept. 14, Adobe released the following two fixes:
- APSB21-85 Security update for Adobe XMP Toolkit SDK. Addresses one important out-of-bounds read vulnerability.
- APSB21-84 Security update for Adobe Photoshop. Addresses one critical buffer overflow vulnerability.
- APSB21-82 Security update for Adobe Experience Manager. Addresses one critical cross-site scripting vulnerability and three important vulnerabilities that include improper input validation, improper certificate validation, and cross-site scripting.
- APSB21-81 Security update for Adobe Genuine Service. Addresses one important privilege escalation vulnerability.
- APSB21-80 Security update for Adobe Digital Editions. Addresses two critical vulnerabilities, one that can result in arbitrary file system write and one in arbitrary code execution, plus one important privilege escalation vulnerability.
- APSB21-78 Security update for Adobe Premiere Elements. Addresses two critical arbitrary code execution vulnerabilities and one that is rated important.
- APSB21-77 Security update for Adobe Photoshop Elements. Addresses one critical out-of-bounds write vulnerability that can result in arbitrary code execution.
- APSB21-76 Security update for Adobe Creative Cloud Desktop Applications. Addresses one critical arbitrary file system write vulnerability.
- APSB21-75 Security update for Adobe ColdFusion. Addresses two critical security feature bypass vulnerabilities.
- APSB21-74 Security update for Adobe Framemaker. Addresses seven vulnerabilities, three of which are critical arbitrary code execution issues and three arbitrary file system read issues rated important or moderate, along with one important privilege escalation vulnerability.
- APSB21-73 Security update for Adobe InDesign. Addresses three critical arbitrary code execution vulnerabilities.
- APSB21-72 Security update for Adobe SVG-Native-Viewer. Addresses one critical arbitrary code execution vulnerability.
- APSB21-71 Security update for Adobe InCopy. Addresses two critical arbitrary file system write vulnerabilities.
- APSB21-67 Security update for Adobe Premiere Pro. Addresses one critical arbitrary code execution vulnerability.
- APSB21-55 Security update for Adobe Acrobat and Reader. Addresses fifteen vulnerabilities, seven of them critical arbitrary code execution, memory leak, and application denial-of-service issues. Two moderate arbitrary file system read vulnerabilities and six important arbitrary code execution, application denial-of-service, and memory leak issues are also addressed.
For more information, see the Adobe security bulletin.
The most recent stable channel update for Chrome OS was released on Sept. 29 as version 93.0.4577.95. It contains both bug fixes and security updates.
Chrome web browser
Google announced the release of the latest stable update for the Chrome desktop browser for Windows, Mac, and Linux on Sept. 30. This update includes four security fixes:
- CVE-2021-37974: Use after free in Safe Browsing (High severity)
- CVE-2021-37975: Use after free in V8 (High severity)
- CVE-2021-37976: Information leak in core (Medium severity)
- Various fixes from internal audits, fuzzing, and other initiatives
Google is aware that exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.
For more information, see this Google blog.
The 2021-09-01 security patch addresses seven issues in Framework, two in Media Framework, seven in System, and one in Google Play. The most severe include a denial-of-service vulnerability in Framework, a security bypass issue in Media Framework that could be exploited by a local malicious app, and a vulnerability in System that could allow bypass of user interaction requirements to gain access to additional permissions.
Google has more information on this website.
Oracle normally releases its critical patch updates quarterly in January, April, July, and October. The most recent update was released on July 20. The next critical patch update will be released on Oct. 19. Oracle customers can read more about the current patch release on the Oracle website.
On Sept. 7, Mozilla released fixes for security vulnerabilities in the following products:
Vulnerabilities fixed in Firefox 92 include:
- CVE-2021-29993: Handling custom intents could lead to crashes and UI spoofs — (high impact). Firefox for Android allowed navigations through the intent:// protocol, which could be used to cause crashes and UI spoofs.
- CVE-2021-38491: Mixed-Content-Blocking was unable to check opaque origins — (moderate impact). Mixed-content checks were unable to analyze opaque origins, which led to some mixed content being loaded.
- CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer — (moderate impact). When delegating navigations to the operating system, Firefox would accept the mk scheme, which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Firefox for Windows; other operating systems are unaffected.
- CVE-2021-38493: Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and Firefox ESR 91.1 — (high impact). Mozilla developers Gabriele Svelto and Tyson Smith reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- CVE-2021-38494: Memory safety bugs fixed in Firefox 92 — (high impact). Mozilla developers Christian Holler and Lars T. Hansen reported memory safety bugs present in Firefox 91. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- CVE-2021-29991: Header Splitting possible with HTTP/3 Responses — Firefox incorrectly accepted a newline in an HTTP/3 header, interpreting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3.
Popular Linux distros, as usual, have seen several security advisories and updates this month. In May, Ubuntu issued 56 security advisories since last month’s roundup (significantly more than the 27 in August). Some advisories address multiple vulnerabilities, and in some cases there are multiple advisories for the same vulnerabilities, applicable to different versions of the OS. Other commercial Linux vendors issued a similar number of updates.
Many of this month’s fixes are for vulnerabilities in the Linux kernel.
For more details about the vulnerabilities listed below, see Security notices | Ubuntu.
- USN-5094-2: Linux kernel (Raspberry Pi) vulnerabilities – CVE-2021-38204, CVE-2021-38205, CVE-2021-3679, and 2 others.
- USN-5091-2: Linux kernel (Raspberry Pi) vulnerabilities – CVE-2021-3679, CVE-2021-38160, CVE-2021-33624, and 2 others.
- USN-5096-1: Linux kernel (OEM) vulnerabilities — CVE-2021-38204, CVE-2021-3679, CVE-2021-34556, and 13 others.
- USN-5095-1: Apache Commons IO vulnerability – Apache Commons IO could be made to expose sensitive information if it received a specially crafted input. CVE-2021-29425.
- USN-5092-2: Linux kernel vulnerabilities – CVE-2021-41073, CVE-2021-38160, CVE-2021-35477, and 9 others.
- USN-5094-1: Linux kernel vulnerabilities — CVE-2021-3732, CVE-2021-3679, CVE-2021-37576, and 3 others.
- USN-5090-4: Apache HTTP Server regression — USN-5090-1 introduced a regression in Apache HTTP Server.
- USN-5090-3: Apache HTTP Server regression — USN-5090-1 introduced a regression in Apache HTTP Server.
- USN-5093-1: Vim vulnerabilities – CVE-2021-3796, CVE-2021-3778, CVE-2021-3770.
- USN-5092-1: Linux kernel vulnerabilities — CVE-2021-41073, CVE-2021-37576, CVE-2021-38204, and 9 others.
- USN-5091-1: Linux kernel vulnerabilities — CVE-2021-38160, CVE-2021-3679, CVE-2021-38199, and 3 others.
- USN-5090-2: Apache HTTP Server vulnerabilities — CVE-2021-39275, CVE-2021-40438, CVE-2021-34798.
- USN-5090-1: Apache HTTP Server vulnerabilities – CVE-2021-34798, CVE-2021-33193, CVE-2021-40438, and 2 others.
- USN-5089-2: ca-certificates update — A certificate about to expire was removed from ca-certificates.
- USN-5089-1: ca-certificates update – A certificate about to expire was removed from ca-certificates.
- USN-5088-1: EDK II vulnerabilities — CVE-2019-11098, CVE-2021-3712, CVE-2021-23840, and 1 other.
- USN-5087-1: WebKitGTK vulnerabilities — Several security issues were fixed in WebKitGTK including CVE-2021-30858.
- USN-5086-1: Linux kernel vulnerability – IBM s390x systems could be made to crash or run programs as an administrator.
- USN-5085-1: SQL parse vulnerability – SQL parse could be made to deny service if it received a specially crafted regular expression. Fixed CVE-2021-32839.
- USN-5071-3: Linux kernel (Raspberry Pi) vulnerabilities – CVE-2021-3612, CVE-2021-22543.
- USN-5073-3: Linux kernel (Raspberry Pi) vulnerabilities – CVE-2021-38160, CVE-2021-34693, CVE-2021-3612.
- USN-5079-4: curl regression – USN-5079-2 introduced a regression in curl.
- USN-5084-1: LibTIFF vulnerability — LibTIFF could be made to crash or run programs if it opened a specially crafted file. Fixed CVE-2020-19143.
- USN-5079-3: curl vulnerabilities — USN-5079-1 introduced a regression in curl.
- USN-5073-2: Linux kernel (GCP) vulnerabilities — CVE-2021-38160, CVE-2021-3656, CVE-2021-3653, and 2 others.
- USN-5083-1: Python vulnerabilities – Several security issues were fixed in Python. Addressed CVE-2021-3733, CVE-2021-3737.
- USN-5071-2: Linux kernel (HWE) vulnerabilities – CVE-2021-3656, CVE-2021-3612, CVE-2021-3653, and 2 others.
- USN-5082-1: Linux kernel (OEM) vulnerabilities – CVE-2021-3653, CVE-2021-3656, CVE-2021-3609.
- USN-5081-1: Qt vulnerabilities — Several security issues were fixed in Qt. Addressed CVE-2021-38593, CVE-2020-17507.
- USN-5080-2: Libgcrypt vulnerabilities — Libgcrypt could be made to expose sensitive information. Addressed CVE-2021-33560, CVE-2021-40528.
- USN-5080-1: Libgcrypt vulnerabilities – Libgcrypt could be made to expose sensitive information. Addressed CVE-2021-33560, CVE-2021-40528.
- USN-5078-2: Squashfs-Tools vulnerabilities – Squashfs-Tools could be made to overwrite files. Addressed CVE-2021-40153, CVE-2021-41072.
- USN-5079-2: curl vulnerabilities – Several security issues were fixed in curl. Addressed CVE-2021-22946, CVE-2021-22947.
- USN-5079-1: curl vulnerabilities – Several security issues were fixed in curl. Addressed CVE-2021-22947, CVE-2021-22945, CVE-2021-22946.
- USN-5078-1: Squashfs-Tools vulnerability — Squashfs-Tools could be made to overwrite files. Addressed CVE-2021-41072.
- USN-5077-2: Apport vulnerabilities – Several security issues were fixed in Apport. Addressed CVE-2021-3709, CVE-2021-3710.
- USN-5077-1: Apport vulnerabilities — Several security issues were fixed in Apport. Addressed CVE-2021-3710, CVE-2021-3709.
- USN-5076-1: Git vulnerability – Git incorrectly handled certain repository paths. Addressed CVE-2021-40330.
- LSN-0081-1: Kernel Live Patch Security Notice — CVE-2021-3653, CVE-2021-22555, CVE-2021-3656, and 1 other.
- USN-5075-1: Ghostscript vulnerability — Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file. Addressed CVE-2021-3781.
- USN-5074-1: Firefox vulnerabilities — Firefox could be made to crash or run programs as your login if it opened a malicious website. Addressed CVE-2021-38493, CVE-2021-38494, CVE-2021-38491.
- USN-5073-1: Linux kernel vulnerabilities — CVE-2021-3612, CVE-2021-34693, CVE-2021-38160, and 2 others.
- USN-5072-1: Linux kernel vulnerabilities — CVE-2021-3656, CVE-2021-3653.
- USN-5071-1: Linux kernel vulnerabilities — CVE-2020-36311, CVE-2021-22543, CVE-2021-3653, and 2 others.
- USN-5070-1: Linux kernel vulnerabilities — CVE-2021-3612, CVE-2021-38198, CVE-2021-22543, and 7 others.
- USN-5069-2: mod-auth-mellon vulnerability — mod-auth-mellon could be made to redirect to arbitrary sites. Addressed CVE-2021-3639.
- USN-5066-2: PySAML2 vulnerability — PySAML2 could be made to accept invalid SAML documents. Addressed CVE-2021-21239.
- USN-5068-1: GD library vulnerabilities — Several security issues were fixed in GD library. Addressed CVE-2021-40145, CVE-2021-38115, CVE-2017-6363.
- USN-5069-1: mod-auth-mellon vulnerability — mod-auth-mellon could be made to redirect to arbitrary sites. Addressed CVE-2021-3639.
- USN-5067-1: SSSD vulnerabilities — Several security issues were fixed in sssd. Addressed CVE-2021-3621, CVE-2018-10852, CVE-2019-3811, and 1 other.
- USN-5066-1: PySAML2 vulnerability — PySAML2 could be made to accept invalid SAML documents. Addressed CVE-2021-21239.
- USN-5065-1: Open vSwitch vulnerability – Open vSwitch could be made to crash or run programs if it received specially crafted network traffic. Addressed CVE-2021-36980.
- USN-5064-1: GNU cpio vulnerability – GNU cpio could be made to crash or run programs if it opened a specially crafted file. Addressed CVE-2021-38185.
- USN-5063-1: HAProxy vulnerabilities – HAProxy could be made to expose sensitive information over the network. Addressed CVE-2021-40346.
- USN-5062-1: Linux kernel vulnerability — The system could be made to crash or run programs as an administrator. Addressed CVE-2021-3653.
- USN-5051-4: OpenSSL regression — USN-5051-2 introduced a regression in OpenSSL.