Non-Microsoft June Patch Roundup: Apple, Google, Linux, and more

In the northern hemisphere, we’re well into the summer heat now, and many of us have vacation on our minds – but hackers, attackers, and malware distributors can take advantage of that to step up their efforts to infiltrate or take down our networks by exploiting the vulnerabilities in our operating systems, services, and applications. That means it’s more important than ever to make sure all your software is patched before you head to the beach for some much-needed rest and relaxation.

The past month has seen a number of major security issues. These include a zero-day exploit that hackers used to delete all the data on Western Digital My Book Live devices, a cross-site scripting vulnerability that’s still being exploited in Cisco ASA devices, and attacks discovered in the wild that exploited a Chrome browser vulnerability.

We already talked about the six zero-day security holes that Microsoft patched in June in our Microsoft Patch Tuesday roundup, but other vendors have had their share of exploits, too. Let’s take a look at the patches released in June by some of the other major software vendors.

Apple

Apple issued far fewer patches in June than the month before. Following the 13 updates released in May, this month felt like a light one with only two security update releases:

On June 14, Apple released iOS 12.5.4 for the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). It addressed three vulnerabilities, two in WebKit and one in the Security component. All three are arbitrary code execution issues: two are due to memory corruption, and one is a use-after-free vulnerability.

On June 17, Apple released iMovie 10.2.4 for macOS Catalina 10.15.6 and later. It fixed a single vulnerability that could allow entitlements and privacy permissions granted to this app to be used by a malicious app.

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.

Adobe

Unlike Apple, Adobe had another busy month with the release of 10 security updates in June, affecting an array of their different products. However, this was two fewer than last month. All 10 were issued on June 8, the normal Patch Tuesday. Six contain fixes for critical vulnerabilities.

The vulnerabilities affect widely used products such as Adobe Acrobat and Reader, and Photoshop.

For more information, see the security bulletin summary.

Google

Chrome OS

Google released the most recent stable channel update for the Chrome OS on June 30, version 91.0.4472.147. It contains a number of security updates, along with features and bug fixes.

Chrome web browser

Google released the latest stable channel update for the Windows desktop, version 91.0.4472.123/.124, on June 24. The stable channel update for Windows, Mac, and Linux, version 91.0.4472.101, was released on June 9 and contained fourteen security fixes, including critical vulnerability CVE-2021-039544, a use-after-free issue in BF cache.

Android OS

This month’s bulletin discusses a number of vulnerabilities in the following components. The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

CVE-2021-0511 – escalation of privilege in Android runtime (High severity)

CVE-2021-0521 – information disclosure in Framework (High severity)

CVE-2021-0508, CVE-2021-0509, CVE-2021-0510, and CVE-2021-0520 – four escalation of privilege vulnerabilities in Media Framework (High severity)

CVE-2021-0507 – remote code execution in System (Critical)

CVE-2021-0516 – escalation of privilege in System (Critical)

CVE-2021-0505, CVE-2021-0506, and CVE-2021-0523 – three escalation of privilege vulnerabilities in System (High severity)

CVE-2021-0504, CVE-2021-0517, and CVE-2021-0522 – three information disclosure vulnerabilities in System (High severity)

For more information about the vulnerabilities that are addressed by the Android updates, see Android Security Bulletin – June 2021.

Oracle

Oracle normally releases its critical patch updates on a quarterly cycle in January, April, July, and October. The most recent critical patch update occurred on April 19. The next scheduled release will be on July 20.

Oracle customers can read more about the current patch release on the Oracle website.

Mozilla Firefox

On June 1, Mozilla released Firefox 89, with fixes for nine vulnerabilities, two of which were rated high severity, five moderate, and two low. None were rated critical. The high severity vulnerabilities include:

CVE-2021-29965: Password Manager on Firefox for Android susceptible to domain spoofing – A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager into suggesting passwords for the currently active website instead of the website that triggered the dialog.

CVE-2021-29967: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 – Memory safety bugs present in Firefox 88 and Firefox ESR 78.11 showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.

Moderate vulnerabilities include:

CVE-2021-29960: Filenames printed from private browsing mode incorrectly retained in preferences – Firefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The caching and suggestion techniques combined may have led to the title of a website visited during private browsing mode being stored on disk.

CVE-2021-29961: Firefox UI spoof using “<select>” elements and CSS scaling – When styling and rendering an oversized <select> element, Firefox did not apply correct clipping, which allowed an attacker to paint over the user interface.

CVE-2021-29963: Shared cookies for search suggestions in private browsing mode – Address bar search suggestions in private browsing mode were re-using session data from normal mode. This bug only affects Firefox for Android. Other operating systems are unaffected.

CVE-2021-29964: Out-of-bounds read when parsing a “WM_COPYDATA” message – A locally-installed hostile program could send WM_COPYDATA messages that Firefox would process incorrectly, leading to an out-of-bounds read. This bug only affects Firefox on Windows. Other operating systems are unaffected.

CVE-2021-29966: Memory safety bugs fixed in Firefox 89 – Mozilla developers Christian Holler, Tooru Fujisawa, and Tyson Smith reported memory safety bugs present in Firefox 88. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.

On June 16, Mozilla released Firefox 89.0.1, with a fix for one vulnerability, rated moderate:

CVE-2021-29968: Out of bounds read when drawing text characters onto a Canvas – When drawing text onto a canvas with WebRender disabled, an out of bounds read could occur. This only affects Firefox on Windows.

Click here for more information about Mozilla security updates.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. During the month of May, Ubuntu issued the following forty-nine security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates. For more details about the vulnerabilities listed below, see Security notices | Ubuntu.
