As the northern hemisphere heads into the dog days of summer, things are getting hotter (figuratively) on the security front. We saw Microsoft release fixes for over 100 vulnerabilities on Patch Tuesday in July, but the days when Windows was perceived to be the only OS with security worries are long past.
Ransomware attacks have surged in 2021, and we saw a string of such cyberattacks that happened over the fourth of July weekend, and the month ended with a number of critical issues from other vendors.
On July 29, Uptycs Threat Research discussed how “attackers are adopting new Linux shell script tactics and techniques to disable firewalls, monitoring agents and modifying access control lists.”
That same day, Apple labeled the latest security update to their WatchOS software as “urgent,” noting that it includes a fix for a memory issue that has already been exploited in the wild.
Meanwhile, Google issued a security update for its Google Drive to make file sharing more secure, and Mozilla dropped FTP support in Firefox 90 for security reasons.
Software makers are scrambling to keep up. Let’s look at some of the patches they released in July.
Apple
June was a light patch month for Apple, with only two released, but they more than made up for it in July. Ten security updates were issued across different operating systems and devices.
- watchOS 7.6.1 for Apple Watch Series 3 and later, 29 Jul 2021. Addresses a memory corruption vulnerability that could be used for arbitrary code execution with kernel privileges.
- iOS 14.7.1 and iPadOS 14.7.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), 26 Jul 2021. Addresses a memory corruption vulnerability that could be used for arbitrary code execution with kernel privileges. Addresses a memory corruption vulnerability that could be used for arbitrary code execution with kernel privileges.
- macOS Big Sur 11.5.1 for macOS Big Sur, 26 Jul 2021. Addresses a memory corruption vulnerability that could be used for arbitrary code execution with kernel privileges.
- macOS Big Sur 11.5 for macOS Big Sur, 21 Jul 2021. Addresses 36 vulnerabilities across a range of operating system components, including arbitrary code execution, information disclosure, unexpected application termination, root privilege escalation, circumvention of sandbox restrictions, denial of service, partial disclosure of memory contents, access to user’s contacts, execution of code on the Apple T2 security chip, privacy preferences bypass, and access to restricted files.
- Security Update 2021-004 Catalina for macOS Catalina, 21 Jul 2021. Addresses 26 vulnerabilities across a range of operating system components, including many of the same as described above.
- Security Update 2021-005 Mojave for macOS Mojave, 21 Jul 2021. Addresses 20 vulnerabilities across a range of operating system components, including many of the same as described above.
- iPadOS 14.7 for iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, and iPad mini 4 and later, 21 Jul 2021. Addresses 37 vulnerabilities across a range of operating system components, including many of the same as described above.
- Safari 14.1.2 for macOS Catalina and macOS Mojave, 19 Jul 2021. Addresses three vulnerabilities, all in the WebKit component, all of which may be used for arbitrary code execution.
- iOS 14.7 for iPhone 6s and later, and iPod touch (7th generation), 19 Jul 2021. Addresses 37 vulnerabilities across a range of operating system components, including the same described above in iPadOS 14.7.
- watchOS 7.6 for Apple Watch Series 3 and later, 19 Jul 2021. Addresses 21 vulnerabilities across a range of operating system components, including many of the same as described above for iPadOS and iOS.
- tvOS 14.7 for Apple TV 4K and Apple TV HD, 19 Jul 2021. Addresses 20 vulnerabilities across a range of operating system components, including many of the same as described above for WatchOS, iOS, and iPadOS.
For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.
Adobe
If you thought Adobe had a busy month with the release of 10 security updates in June, you’ll think July was a real scorcher. Twelve security updates were released, covering the following software applications:
- APSB21-63 Security update available for Adobe Photoshop – addresses one critical and one moderate vulnerability in Photoshop 2020 and 2021 that includes an arbitrary code execution issue and an arbitrary file system read issue.
- APSB21-62 Security update available for Adobe Audition – addresses a moderate out-of-bounds read vulnerability in Audition running on Windows and macOS.
- APSB21-59 Security update available for Adobe Character Animator – addresses one critical and one important vulnerability in Character Animator running on Windows, including a memory leak issue and an arbitrary code execution issue.
- APSB21-58 Security update available for Adobe Prelude – addresses one critical and one moderate arbitrary code execution issue in Prelude running on Windows.
- APSB21-56 Security update available for Adobe Premiere Pro – addresses a critical vulnerability in Windows and macOS that could lead to arbitrary code execution.
- APSB21-54 Security update available for Adobe After Effects – addresses one moderate and four critical vulnerabilities in Premiere Pro running on Windows, including an arbitrary file system read issue and four arbitrary code execution issues.
- APSB21-43 Security update available for Adobe Media Encoder – addresses one critical and three moderate vulnerabilities in Media Encoder running on Windows, including two memory leak issues, an arbitrary file system read issue, and an arbitrary code execution issue.
- APSB21-53 Security update available for Adobe Bridge – addresses one moderate and three critical vulnerabilities in Adobe Bridge running on Windows, including one arbitrary file system read issue and three arbitrary code execution issues.
- APSB21-51 Security update available for Adobe Acrobat and Reader – addresses a total of 13 vulnerabilities in Acrobat and Reader running on Windows and macOS, 10 rated critical and three rated important. These include eight arbitrary code execution issues, two memory leak issues, one arbitrary file system write issue, one arbitrary file system read issue, and one application denial of service issue.
- APSB21-45 Security Updates Available for Adobe Framemaker – addresses one critical vulnerability in Framemaker running on Windows, which is an arbitrary code execution issue.
- APSB21-42 Security update available for Adobe Illustrator – addresses five vulnerabilities, three rated critical and three important, in Illustrator running on Windows. These include three arbitrary code execution issues and two arbitrary file system read issues.
- APSB21-40 Security updates available for Adobe Dimension – addresses a critical vulnerability in Dimension running on Windows and macOS, which is an arbitrary code execution issue.
For more information, see the security bulletin summary.
Chrome OS
The most recent stable channel update for Chrome OS was released on June 30. Google did not release a stable channel update for the OS in July.
Chrome web browser
Google announced the release of Chrome 92 desktop browser for Windows, Mac, and Linux on July 20. The update contains 35 security fixes, including nine rated high severity:
- [1210985] CVE-2021-30565: Out of bounds write in Tab Groups.
- 1202661] CVE-2021-30566: Stack buffer overflow in Printing
- [1211326] CVE-2021-30567: Use after free in DevTools.
- [1219886] CVE-2021-30568: Heap buffer overflow in WebGL.
- [1218707] CVE-2021-30569: Use after free in sqlite.
- [1101897] CVE-2021-30571: Insufficient policy enforcement in DevTools.
- [1214234] CVE-2021-30572: Use after free in Autofill.
- 1216822] CVE-2021-30573: Use after free in GPU.
- [1227315] CVE-2021-30574: Use after free in protocol handling.
Google released Chrome 92 for Android on July 23, but it contains only stability and performance improvements.
Google release Chrome 92 for iOS on July 20, which likewise contains only stability and performance improvements.
For more information, click here.
Android OS
The 07/01 security patch level for Android addresses 17 vulnerabilities in the Framework, Media Framework, and System components. All are rated high severity. The most severe include an issue that could enable a local malicious application to execute arbitrary code within the context of a privileged process and issues that could enable a local malicious application to bypass user interaction requirements to gain access to additional permissions.
For more information about the vulnerabilities that are addressed by the Android updates, see Android Security Bulletin – July 2021.
Oracle
Oracle normally releases its critical patch updates on a quarterly cycle in January, April, July, and October. The most recent update was released on July 20.
This month’s 342 updates contain fixes for 231 new security vulnerabilities across the Oracle products family. Affected products include Database Server, Oracle Big Data Graph, Oracle Essbase, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Policy Automation, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Support Tools, Oracle Systems, Oracle Virtualization.
Forty-nine of the updates (30 vulnerabilities) are rated critical and 158 updates (85 vulnerabilities) are rated high severity.
The next critical patch update will be released on October 19.
Oracle customers can read more about the current patch release on the Oracle website.
Mozilla Firefox
On July 13, Mozilla released Firefox 90, which contains fixes for the following nine vulnerabilities:
High impact:
#CVE-2021-29970: Use-after-free in accessibility features of a document – A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash.
This bug only affected Firefox when accessibility was enabled.
#CVE-2021-29971: Granted permissions only compared host; omitting scheme and port on Android – If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host – irrespective of scheme or port – would be granted that permission.
This bug only affects Firefox for Android. Other operating systems are unaffected.
#CVE-2021-30547: Out of bounds write in ANGLE – An out-of-bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash.
#CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 – Mozilla developers Emil Ghitta, Tyson Smith, Valentin Gosu, Olli Pettay, and Randell Jesup reported memory safety bugs present in Firefox 89 and Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.
#CVE-2021-29977: Memory safety bugs fixed in Firefox 90 – Mozilla developers Andrew McCreight, Tyson Smith, Christian Holler, and Gabriele Svelto reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption.
For more information about Mozilla security updates, click here.
Moderate impact:
#CVE-2021-29972: Use of out-of-date library included use-after-free vulnerability – A user-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well.
#CVE-2021-29973: Password autofill on HTTP websites was enabled without user interaction on Android – Password autofill was enabled without user interaction on insecure websites on Firefox for Android. This was corrected to require user interaction with the page before a user’s password would be entered by the browser’s autofill functionality.
This bug only affects Firefox for Android. Other operating systems are unaffected.
#CVE-2021-29974: HSTS errors could be overridden when network partitioning was enabled – When network partitioning was enabled, for example as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain that had specified HTTP Strict Transport Security (which implies that the error should not be override-able.) This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically.
#CVE-2021-29975: Text message could be overlaid on top of another website – Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion.
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates. During the month of May, Ubuntu issued 29 security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.
These include a DjVuLibre vulnerability that could be used for arbitrary code execution, PHP vulnerabilities, an Avahi vulnerability that can be used for denial of service, several vulnerabilities in libslirp and in QEMU, Firefox vulnerabilities, vulnerabilities in the kernel, and vulnerabilities in the following components: containerd, systemd, the NVIDIA graphics driver, GNU binutils, Ruby, curl, MySQL, Aspell, WebKitGTK, MariaDB, libsndfile, QPDF, and PEAR.
For more details about the vulnerabilities, see Security notices | Ubuntu
