Summer is almost over in most of the northern hemisphere, but as temperatures start to cool, the pressure is still on IT professionals who are trying to stay ahead of the hackers and attackers. In the United States, Labor Day weekend was a holiday for many of us. Still, in the security world, the anticipation is mixed because holidays are a favorite time for ransomware distributors to come out and play. Hopefully, you applied these August patches from non-Microsoft vendors before your long weekend.
Many companies and their IT departments are still recovering from the effects of Hurricane Ida, which knocked out the power to New Orleans and other locales in the path of the storm. We’re heading into what some forecasters say could be a heavy Atlantic hurricane season, and these are the times that put our disaster recovery plans to the test.
What better time for attackers to launch their attacks than during the chaos that follows a natural disaster? From phishing schemes to social engineering, the bad guys never let a good crisis go to waste. They also know that businesses and individuals may be caught up in addressing the preparations and damage during such times and thus might be less diligent about ensuring that all of their software is up to date.
Software makers, as always, are issuing patches as quickly as they can after vulnerabilities are identified. Let’s look at some of the patches they released in August.
Ten security updates were issued in July, but August was a much lighter month for Apple. They released three updates but only two of them addressed published CVEs.
- iCloud for Windows 12.5, for Windows 10 and later (via the Microsoft Store), was released on August 16. It fixes two vulnerabilities in ImageIO, both of which could result in arbitrary code execution.
- macOS Big Sur 11.5.2 was released on August 11. This update has no published CVE entries.
- iTunes 12.11.4 for Windows 10 and later was released on August 9. This update addresses the same two ImageIO vulnerabilities described above.
For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.
Adobe released slightly more than half the number of updates it issued in July. The seven fixes span several of their products, but this time there were no fixes for Acrobat and Reader, which is unusual. Here are the products that got updates:
On August 10, Adobe released the following two fixes:
- APSB21-66 Security update for Adobe Connect – addresses two vulnerabilities, a security feature bypass and an arbitrary code execution issue, both of which are rated important.
- APSB21-64 Security update available for Magento – addresses ten vulnerabilities, rated critical and important, that include security feature bypass, arbitrary code execution, denial of service, privilege escalation, and arbitrary file system read issues.
On August 17, Adobe released the following five fixes:
- APSB21-70 Security update available for Adobe Media Encoder – addresses an arbitrary code execution issue that is rated critical.
- APSB21-69 Security update available for Adobe Bridge – addresses nine vulnerabilities with critical, important, and moderate ratings, which include arbitrary code execution, denial of service, memory leak, and arbitrary file system read issues.
- APSB21-68 Security update available for Adobe Photoshop – addresses two arbitrary code execution vulnerabilities that are both rated critical.
- APSB21-65 Security updates available for Adobe XMP Toolkit SDK – addresses eleven vulnerabilities rated critical and important that include arbitrary code execution and denial of service issues.
- APSB21-60 Security hotfix available for Adobe Captivate – addresses one privilege escalation vulnerability rated important.
For more information, see the security bulletin summary.
The most recent stable channel update for Chrome OS was released on June 30. Google did not release a stable channel update for the OS in July.
Chrome web browser
Google announced the release of the latest stable update for the Chrome desktop browser for Windows, Mac, and Linux on August 31. The update, Chrome 93.0.4577.63, contains twenty-seven security fixes, including five that are rated high severity:
- CVE-2021-30606: Use after free in Blink.
- CVE-2021-30607: Use after free in Permissions.
- CVE-2021-30608: Use after free in Web Share.
- CVE-2021-30609: Use after free in Sign-In.
- CVE-2021-30610: Use after free in Extensions API.
This version also fixes the following 12 vulnerabilities rated medium severity:
- CVE-2021-30611: Use after free in WebRTC.
- CVE-2021-30612: Use after free in WebRTC.
- CVE-2021-30613: Use after free in Base internals.
- CVE-2021-30614: Heap buffer overflow in TabStrip. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-05-10.
- CVE-2021-30615: Cross-origin data leak in Navigation.
- CVE-2021-30616: Use after free in Media.
- CVE-2021-30617: Policy bypass in Blink.
- CVE-2021-30618: Inappropriate implementation in DevTools.
- CVE-2021-30619: UI Spoofing in Autofill.
- CVE-2021-30620: Insufficient policy enforcement in Blink.
- CVE-2021-30621: UI Spoofing in Autofill.
- CVE-2021-30622: Use after free in WebApp Installs.
Also fixed are the following two vulnerabilities rated as low severity:
- CVE-2021-30623: Use after free in Bookmarks.
- CVE-2021-30624: Use after free in Autofill.
Google also released Chrome 93 for Android and iOS on August 31.
For more information, see Google Blog.
The August 2021 security patch level for Android addresses vulnerabilities in the Framework, Media Framework, and System components. All are rated high severity. The most severe of these issues is a high-severity vulnerability in the Media Framework component that could enable a local malicious application to bypass operating system protections that isolate application data from other applications. For more information about the vulnerabilities that are addressed by the Android updates, see Android Security Bulletin – August 2021.
Oracle typically releases its critical patch updates on a quarterly cycle, in January, April, July, and October. The most recent update was released on July 20.
The next critical patch update will be released on October 19.
Oracle customers can read more about the current patch release on the Oracle website.
On August 11, Mozilla released Firefox 91, which contains fixes for the following nine vulnerabilities:
- CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption. A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash.
- CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT. An issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash.
- CVE-2021-29988: Memory corruption as a result of incorrect style treatment. Thunderbird incorrectly treated an inline list-item element as a block element, resulting in an out-of-bounds read or memory corruption, and a potentially exploitable crash.
- CVE-2021-29984: Incorrect instruction reordering during JIT optimization. Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
- CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption. Uninitialized memory in a canvas object could have caused an incorrect free(), leading to memory corruption and a potentially exploitable crash.
- CVE-2021-29989: Memory safety bugs fixed in Thunderbird 91. Mozilla developers Kershaw Chang, Philipp, Chris Peterson, Sebastian Hengst, Christoph Kerschbaumer, Olli Pettay, Sandor Molnar, and Simon Giesecke reported memory safety bugs present in versions of Thunderbird prior to 91. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux. After requesting multiple permissions and closing the first permission panel, subsequent permission panels are displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to grant.
- CVE-2021-29985: Use-after-free in media channels. A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash.
- CVE-2021-29982: Single-bit data leak due to incorrect JIT optimization and type confusion. Due to incorrect JIT optimization, data from the wrong type of object was interpreted incorrectly, resulting in the potential leak of a single bit of memory.
On August 16, Mozilla released Firefox 91.0.1, which contains a fix for one vulnerability rated high severity:
- CVE-2021-29991: Header splitting possible with HTTP/3 responses. Firefox incorrectly accepted a newline in an HTTP/3 header, interpreting it as two separate headers. This allowed a header splitting attack against servers using HTTP/3.
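The header splitting fixed in 91.0.1 comes down to one rule: a line break inside a field value must never be treated as the boundary between two fields. HTTP/3 (RFC 9114, mirroring the HTTP/2 rule in RFC 9113) requires a client to treat a field value containing CR, LF or NUL as malformed rather than re-parse it. The Python below is an added example, not Mozilla's code and not from the original post: it contrasts a naive text-based re-serialisation, which turns a constructed value containing CRLF into an extra header, with a strict validator that rejects the value before it is interpreted. The header blocks, including the `x-trace` and `x-injected` names, are constructed for this example.

```python
"""Strict HTTP/3 field validation versus naive line-based re-parsing.

Added example (not Mozilla's code). Shows why a field value containing
CR/LF must be rejected up front: flattening fields to text and splitting
on line breaks turns one value into two headers (header splitting).
"""
import re

# Constructed sample header blocks, as a QPACK decoder would hand them
# to the client: lists of (name, value) pairs.
CLEAN_RESPONSE = [
    ("content-type", "text/html"),
    ("set-cookie", "session=abc123; HttpOnly"),
]
SPLIT_RESPONSE = [
    ("content-type", "text/html"),
    # Constructed: one value that carries an embedded line break.
    ("x-trace", "done\r\nx-injected: 1"),
]

# RFC 9110 token characters; HTTP/3 additionally requires lowercase names.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_FORBIDDEN = {"\r", "\n", "\x00"}


def field_name_is_valid(name: str) -> bool:
    """A field name must be a token and, in HTTP/3, lowercase."""
    return bool(_TOKEN.match(name)) and name == name.lower()


def field_value_is_valid(value: str) -> bool:
    """A field value must not contain CR, LF or NUL."""
    return not any(ch in _FORBIDDEN for ch in value)


def naive_reserialize(fields):
    """The unsafe path: flatten to HTTP/1-style text, then split on CRLF.

    Any CRLF inside a value becomes a field boundary, so the number of
    headers that come out can exceed the number that went in.
    """
    text = "".join(f"{name}: {value}\r\n" for name, value in fields)
    parsed = []
    for line in text.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(": ")
        parsed.append((name, value))
    return parsed


def strict_parse(fields):
    """The safe path: validate each field; raise on the first malformed one.

    A malformed field means the whole message is treated as malformed,
    so nothing after it is interpreted.
    """
    validated = []
    for name, value in fields:
        if not field_name_is_valid(name):
            raise ValueError(f"malformed field name: {name!r}")
        if not field_value_is_valid(value):
            raise ValueError(f"CR/LF/NUL in value of field {name!r}")
        validated.append((name, value))
    return validated


def header_count(fields, parser) -> int:
    """Number of headers a parser yields, or -1 if it rejects the block."""
    try:
        return len(parser(fields))
    except ValueError:
        return -1


if __name__ == "__main__":
    for label, block in (("clean", CLEAN_RESPONSE), ("split", SPLIT_RESPONSE)):
        print(label, "naive:", header_count(block, naive_reserialize),
              "strict:", header_count(block, strict_parse))
```

Run stand-alone, the clean block yields two headers under both parsers, while the constructed block yields three under the naive parser and is rejected outright by the strict one. The same validator belongs on the server side as well, since a server that echoes untrusted input into a response field value is what makes splitting reachable in the first place.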
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. During the month of May, Ubuntu issued the following 38 security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.
- USN-5060-1: NTFS-3G vulnerabilities – NTFS-3G could be made to execute arbitrary code if it received a specially crafted image file.
- USN-5058-1: Thunderbird vulnerabilities – Several security issues were fixed in Thunderbird.
- USN-5057-1: Squashfs-Tools vulnerability – squashfs-tools could be made to overwrite files.
- USN-5054-1: uWSGI vulnerability – uWSGI could be made to crash if it received specially crafted input.
- USN-5056-1: APR vulnerability – APR could be made to expose sensitive information if it received a specially crafted input.
- USN-5055-1: GNOME grilo vulnerability – grilo could be made to allow MITM attacks.
- USN-5053-1: libssh vulnerability – libssh could be made to crash or run programs if it received specially crafted network traffic.
- USN-5051-3: OpenSSL vulnerability – OpenSSL could be made to crash or expose sensitive information if it received a specially crafted ASN.1 string.
- USN-5051-2: OpenSSL vulnerability – OpenSSL could be made to crash or expose sensitive information if it received a specially crafted ASN.1 string.
- USN-5052-1: MongoDB vulnerability – MongoDB could provide unintended access.
- USN-5037-2: Firefox regression – USN-5037-1 caused a regression in Firefox.
- USN-5051-1: OpenSSL vulnerabilities – Several security issues were fixed in OpenSSL.
- USN-5044-1: Linux kernel vulnerabilities – Several security issues were fixed in the Linux kernel.
- USN-5050-1: Linux kernel vulnerabilities – Several security issues were fixed in the Linux kernel.
- USN-5048-1: Inetutils vulnerability – Inetutils could be made to crash if it received specially crafted input.
- USN-5047-1: Firefox vulnerability – Firefox could be made to incorrectly accept newlines in HTTP/3 response headers.
- USN-5045-1: Linux kernel vulnerabilities – Several security issues were fixed in the Linux kernel.
- USN-5046-1: Linux kernel vulnerabilities – Several security issues were fixed in the Linux kernel.
- USN-5043-1: Exiv2 vulnerabilities – Several security issues were fixed in Exiv2.
- USN-5042-1: HAProxy vulnerabilities – Several security issues were fixed in HAProxy.
- LSN-0080-1: Kernel Live Patch Security Notice – Several security issues were fixed in the kernel.
- USN-5022-2: MariaDB vulnerabilities – Several security issues were fixed in MariaDB.
- USN-5039-1: Linux kernel vulnerability – The system could be made to crash or run programs as an administrator.
- USN-5038-1: PostgreSQL vulnerabilities – Several security issues were fixed in PostgreSQL.
- USN-3809-2: OpenSSH regression – USN-3809-1 introduced a regression in OpenSSH.
- USN-5037-1: Firefox vulnerabilities – Firefox could be made to crash or run programs as your login if it opened a malicious website.
- USN-5034-2: c-ares vulnerability – c-ares could be made to return wrong domains.
- USN-5035-1: GPSd vulnerability – GPSd could return the wrong time.
- USN-5034-1: c-ares vulnerability – c-ares could be made to return wrong domains.
- USN-5033-1: Perl vulnerability – Perl could be made to run arbitrary programs.
- USN-5032-2: Docker vulnerabilities – This update provides a new upstream version.
- USN-5032-1: Docker vulnerabilities – This update provides a new upstream version.
- USN-5031-1: openCryptoki vulnerability – openCryptoki could be made to allow invalid curve attacks if it received a specially crafted key.
- USN-5027-2: PEAR vulnerability – PEAR could be made to overwrite files as the administrator.
- USN-5030-1: Perl DBI module vulnerabilities – Several security issues were fixed in the Perl DBI module.
- USN-5029-1: GnuTLS vulnerabilities – Several security issues were fixed in GnuTLS.
- USN-5028-1: Exiv2 vulnerability – Exiv2 could be made to deny service if it received a specially crafted image.
- USN-5026-2: QPDF vulnerabilities – Several security issues were fixed in QPDF.