Patch Central: October fixes from Apple, Adobe, Mozilla, and Linux

If time flies when you’re having fun, October must have been an especially enjoyable month, as it streaked by so fast I barely caught a glimpse of it. Most IT pros probably know that the month of harvest and Halloween has also been officially designated as cybersecurity awareness month. But for those whose job it is to hold the line against hackers and attackers, every month is dedicated to security awareness.

The month got off to an interesting start with a major Facebook outage on Oct. 4 that had social media addicts suffering heavy withdrawal symptoms without their regular hourly (or more often) fixes. WhatsApp and Instagram, owned by Facebook, were likewise down. Rumors proliferated: was it an attack? Was it Armageddon? A configuration change on a backbone router turned out to be the culprit, but many of us were worried for a while there. On the other hand, a lot of people got more work done than usual that day.

There were plenty of actual attacks in October, though. These included a source code leak from the Twitch video live streaming service, a breach of Tesla’s data storage system, and more. A study by Infosec Institute claims October is the favorite month for attackers, in fact, particularly those connected to Russia, China, North Korea, and Iran.

Software vendors are stepping up their game to try to stay ahead of the bad guys. Google held its annual Cloud Next ’21 conference (online only, no in-person attendance) and announced the formation of the Google Cybersecurity Action Team.

We published our usual Microsoft Patch Tuesday October roundup, detailing the security updates released on Oct. 12. Now let’s take a look at some of the patches that other software makers released in October.

Apple

October was a fairly heavy patch release month for Apple, though less so than September. They came out with a total of 11 updates for operating systems across their product line, with the first released on Oct. 1 and the last on Oct. 27. These include a zero-day vulnerability that has been exploited in the wild.

  • Safari 15.1 for macOS Big Sur and macOS Catalina, released Oct. 27. Addresses four vulnerabilities in WebKit, including an arbitrary code execution issue.
  • iOS 14.8.1 and iPadOS 14.8.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), released Oct. 26. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
  • macOS Monterey 12.0.1 for Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later), released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
  • macOS Big Sur 11.6.1 for macOS Big Sur, released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
  • Security Update 2021-007 Catalina for macOS Catalina, released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
  • watchOS 8.1 for Apple Watch Series 3 and later, released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
  • iOS 15.1 and iPadOS 15.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
  • tvOS 15.1 for Apple TV 4K and Apple TV HD, released Oct. 25. Addresses multiple vulnerabilities across many components of the operating system, including arbitrary code execution issues.
  • watchOS 8.0.1 for Apple Watch Series 3 and later, released Oct. 11.
  • iOS 15.0.2 and iPadOS 15.0.2 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), released Oct. 11. Addresses three vulnerabilities in the Game Center and IOMobileFrameBuffer components of the operating system, one of which is an arbitrary code execution issue.
  • iOS 15.0.1 and iPadOS 15.0.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), released Oct. 1. Addresses one vulnerability in the status bar, which could allow a user to view restricted content from the lock screen.

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.

Adobe

Adobe released a slew of security bulletins last month, affecting a broad swath of their products. It is normal protocol for Adobe to release its security fixes on the second Tuesday of the month, the same day as Microsoft. This time, in addition to the updates released Oct. 12 on Patch Tuesday, 14 patches were released on Oct. 26. A total of 92 vulnerabilities are addressed, with 66 of them rated critical. Here are the products that got those updates:

  • APSB21-79: Security update available for Adobe After Effects running on Windows. This is a critical priority 3 update that addresses nine vulnerabilities, eight of which are arbitrary code execution issues with one denial of service issue.
  • APSB21-92: Security update available for Adobe Audition running on Windows and macOS. This is a critical priority 3 update that addresses nine vulnerabilities, eight of which are arbitrary code execution issues with one denial of service issue.
  • APSB21-94: Security update available for Adobe Bridge running on Windows. This is a critical priority 2 update that addresses nine vulnerabilities, eight of which are arbitrary code execution issues with one memory leak issue.
  • APSB21-95: Security update available for Adobe Character Animator running on Windows and macOS. This is a critical priority 3 update that addresses eight vulnerabilities, three of which are arbitrary code execution issues, along with denial of service, arbitrary file system read, and privilege escalation vulnerabilities.
  • APSB21-96: Security update available for Adobe Prelude running on Windows. This is a critical priority 3 update that addresses nine vulnerabilities, six of which are arbitrary code execution issues, along with application denial of service and memory leak vulnerabilities.
  • APSB21-97: Security update available for Adobe Lightroom Classic running on Windows. This is a critical priority 2 update that addresses one privilege escalation vulnerability.
  • APSB21-98: Security update available for Adobe Illustrator running on Windows and macOS. This is a critical priority 3 update that addresses five vulnerabilities, including one arbitrary code execution issue, three application denial of service issues, and one memory leak vulnerability.
  • APSB21-99: Security update available for Adobe Media Encoder running on Windows and macOS. This is a critical priority 3 update that addresses six vulnerabilities, three of which are arbitrary code execution issues, along with a memory leak and two application denial of service vulnerabilities.
  • APSB21-100: Security update available for Adobe Premiere Pro running on Windows and macOS. This is a critical priority 3 update that addresses six vulnerabilities, three of which are arbitrary code execution issues and three of which are application denial of service vulnerabilities.
  • APSB21-105: Security update available for Adobe Animate running on Windows. This is a critical priority 3 update that addresses ten vulnerabilities, nine of which are arbitrary code execution issues and one of which is a privilege escalation vulnerability.
  • APSB21-106: Security update available for Adobe Premiere Elements running on Windows and macOS. This is a critical priority 3 update that addresses seven vulnerabilities, four of which are arbitrary code execution issues, along with a memory leak and two application denial of service vulnerabilities.
  • APSB21-107: Security update available for Adobe InDesign running on Windows and macOS. This is a critical priority 3 update that addresses three vulnerabilities, two of which are arbitrary code execution issues along with one application denial of service vulnerability.
  • APSB21-108: Security update available for Adobe XMP Toolkit SDK running on all platforms. This is a critical priority 2 update that addresses five vulnerabilities, four of which are arbitrary code execution issues along with one application denial of service vulnerability.
  • APSB21-109: Security update available for Adobe Photoshop running on Windows and macOS. This is a critical priority 3 update that addresses three vulnerabilities, two of which are arbitrary code execution issues along with one privilege escalation vulnerability.

For more information, see the Adobe security bulletin summary.

Google

Chrome OS

Google released a stable channel update for Chrome OS on Oct. 20 as version 94.0.4606.104. It contains both bug fixes and security updates. You can find out more here. (Note that another stable channel update for Chrome OS was released on Nov. 1.)

Chrome web browser

Google announced the release of the latest stable update for the Chrome desktop browser for Windows, Mac, and Linux on Oct. 28. This update includes the following security fixes, all rated high severity:

  • CVE-2021-37997: Use after free in Sign-In.
  • CVE-2021-37998: Use after free in Garbage Collection.
  • CVE-2021-37999: Insufficient data validation in New Tab Page.
  • CVE-2021-38000: Insufficient validation of untrusted input in Intents.
  • CVE-2021-38001: Type Confusion in V8.
  • CVE-2021-38002: Use after free in Web Transport.
  • CVE-2021-38003: Inappropriate implementation in V8.

Google is aware that exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.

For more information, see this Google blog.

Android OS

The 2021-10-05 security patch addresses an arbitrary code execution/elevation of privilege vulnerability in Android Runtime rated high severity; six vulnerabilities in Framework that include three elevation of privilege, two information disclosure, and one denial of service issue; an arbitrary code execution/elevation of privilege vulnerability in Media Framework; and two vulnerabilities in system that include one information disclosure and one denial of service issue.

For more information, see this Android security bulletin.

Oracle

Oracle normally releases its critical patch updates on a quarterly cycle, in January, April, July, and October. The most recent update was released on Oct. 19. It addresses 231 different vulnerabilities with 419 security fixes across 28 of Oracle’s product families. Thirty-six of the patches are rated critical.

The next critical patch update will be released on Jan. 18, 2022.

Oracle customers can read more about the current patch release on the Oracle website.

Mozilla Firefox

On Oct. 5, Mozilla released Firefox 93, which contains fixes for the following five high severity and three moderate severity vulnerabilities.

The following vulnerabilities are rated high severity:

The following vulnerabilities are rated moderate severity:

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. During the month of May, Ubuntu issued 36 security advisories since last month’s roundup (significantly fewer than in September). Some of these advisories address multiple vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities, applicable to different versions of the OS. Other commercial Linux vendors issued a similar number of updates.

Many of this month’s fixes are for vulnerabilities in the Linux kernel.

For more details about the vulnerabilities listed below, see Security notices | Ubuntu
