Third Party Patch Roundup – November 2021

November is past, and most of the northern hemisphere is seeing cooler weather. In the U.S., Thanksgiving has come and gone. In the IT world, we have plenty to be thankful for as we head toward a new year that will bring new technologies to make our jobs easier, but also new challenges.

‘Tis the season for hackers and attackers to ramp up their efforts and take advantage of users who are distracted by holiday activities and obligations. There have been some high profile incidents, including a breach of Planned Parenthood’s network that exposed patients’ addresses, insurance information, and medical records. Meanwhile, AT&T has been working to take down a botnet discovered inside its network. Ikea was targeted in a cyber attack that spread malware through internal email, and Panasonic disclosed a security breach that resulted in unauthorized access to data on a file server.

There is good news, though: the bad guys don’t always win. Interpol announced that they have arrested over a thousand cybercriminals across twenty countries in a four-month crackdown called Operation HAECHI-II, focusing on online financial crime.

Meanwhile, it’s up to all of us to do our part by ensuring that the security updates issued by software vendors are installed in a timely manner to protect our systems and networks from exploits. Let’s take a look at some of those patches that were released in November.

Apple

You might recall that October was a fairly heavy patch release month for Apple, with a total of eleven updates for operating systems across their product line. November saw only four updates, and three of those had no published CVE entries. The one that did was:

  • iCloud for Windows, for Windows 10 and later (available via the Microsoft Store). This update patches six vulnerabilities in the Foundation, ImageIO, and WebKit components of the operating system. These include type confusion, multiple memory corruption issues, and a logic issue. The most serious could lead to arbitrary code execution.

The remaining three updates include:

  • watchOS 8.1.1 for Apple Watch Series 7
  • iOS 15.1.1 for iPhone 12 and later
  • tvOS 15.1.1 for Apple TV 4K and Apple TV HD

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222.

Adobe

Adobe had a light month in November, too. That was a relief after the fourteen patches fixing 92 vulnerabilities that we saw in October. Here are this past month’s updates:

  • APSB21-87: Security hotfix available for RoboHelp Server – This update addresses a single path traversal vulnerability in RoboHelp Server running on Windows, which could lead to arbitrary code execution. It is rated critical.
  • APSB21-110: Security update available for Adobe InCopy – This update addresses a pair of vulnerabilities in InCopy running on Windows and macOS, one rated critical and one important. They include access of memory location after end of buffer and null pointer dereference. The first could lead to arbitrary code execution and the second could be exploited to create an application denial of service.
  • APSB21-111: Security update available for Adobe Creative Cloud – This update addresses two vulnerabilities in Creative Cloud running on macOS, both rated important. One causes creation of a temporary file in a directory with incorrect permissions and the other is an improper access control issue. The first can result in an application denial of service and the second in privilege escalation.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

Chrome OS

Google released its most recent stable channel update for Chrome OS on November 30, as version 96.0.4664.77.

Chrome web browser

Chrome 96 for iOS was released on November 18.

Chrome 96 for Android was released on November 15.

Google also announced the release of the latest stable update for the Chrome desktop browser for Windows, Mac, and Linux on November 15. This update includes twenty-five security fixes. Those rated high severity include:

  • CVE-2021-38008: Use after free in media.
  • CVE-2021-38009: Inappropriate implementation in cache.
  • CVE-2021-38006: Use after free in storage foundation.
  • CVE-2021-38007: Type Confusion in V8.
  • CVE-2021-38005: Use after free in loader.
  • CVE-2021-38010: Inappropriate implementation in service workers.
  • CVE-2021-38011: Use after free in storage foundation.

The following patched vulnerabilities are rated medium severity:

  • CVE-2021-38012: Type Confusion in V8.
  • CVE-2021-38013: Heap buffer overflow in fingerprint recognition.
  • CVE-2021-38014: Out of bounds write in Swiftshader.
  • CVE-2021-38015: Inappropriate implementation in input.
  • CVE-2021-38016: Insufficient policy enforcement in background fetch.
  • CVE-2021-38017: Insufficient policy enforcement in iframe sandbox.
  • CVE-2021-38018: Inappropriate implementation in navigation.
  • CVE-2021-38019: Insufficient policy enforcement in CORS.
  • CVE-2021-38020: Insufficient policy enforcement in contacts picker.
  • CVE-2021-38021: Inappropriate implementation in referrer.

Finally, one vulnerability is rated as low severity:

  • CVE-2021-38022: Inappropriate implementation in WebAuthentication.

For more information, see https://chromereleases.googleblog.com/

Android OS

The 2021-11-01 security patch addresses eight vulnerabilities in Framework, two in Media Framework, eight in System, as well as three Google Play system update issues included in Project Mainline components.

The most severe could enable an attacker to gain access to additional permissions with no user interaction required, enable a local malicious application to bypass user interaction requirements to gain access to additional permissions, and enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged user.

For more information, see https://source.android.com/security/bulletin/2021-10-01

Oracle

Oracle normally releases its critical patch updates on a quarterly cycle, in January, April, July and October. The most recent update was released on October 19th. It addresses 231 different vulnerabilities with 419 security fixes across 28 of Oracle’s product families. Thirty-six of the patches are rated critical.

The next critical patch update will be released on January 18, 2022.

Oracle customers can read more about the current patch release on the Oracle web site at https://www.oracle.com/security-alerts/cpuoct2021.html

Mozilla Firefox

On November 2, Mozilla released Firefox 94, which contains fixes for thirteen vulnerabilities: seven rated high severity, four rated moderate severity, and two rated low severity.

The following vulnerabilities are rated high severity:

The following vulnerabilities are rated moderate severity:

CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing – By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.

MOZ-2021-0004: Web Extensions could access pre-redirect URL when their context menu was triggered by a user – When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin violation leaking data the Web Extension should not have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-XXX but in the context of Web Extensions.

CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain – Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker’s choosing.

CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS – The executable file warning was not presented when downloading .inetloc files, which can run commands on a user’s computer.
Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.

SAP

On November 9, SAP released the following security patches:

  • 11 new and updated SAP Security Notes released – This includes only one HotNews note and three High Priority notes. This is a relatively calm patch day for SAP: only eight new security notes since October, and only three new notes above CVSS 7.0, a record low for the year. Nevertheless, the lower-rated notes should not be left unaddressed, as some of these vulnerabilities can be used to launch follow-up attacks, e.g., through impersonation of users or exploiting transport permissions.
  • Update to Onapsis-found vulnerability in CA Introscope Enterprise Manager – High Priority Note #2971638 is an update of a vulnerability in CA Introscope Enterprise Manager that was detected in 2020 by the Onapsis Research Labs. Hard-coded default passwords for the Admin and the Guest user allowed a remote attacker to bypass authentication, compromising the confidentiality of the service.
  • ABAP Platform Kernel patch is the most critical – SAP Security Note #3099776, tagged with a CVSS score of 9.6, patches a Missing Authorization Check vulnerability in ABAP Platform Kernel that can result in an escalation of privileges for an authenticated business user. SAP optimistically labeled the CVSS vector of the vulnerability as low impact on availability despite the fact that a business user “is able to read and modify data.”

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. During the month of May, Ubuntu issued the following thirty-seven security advisories since last month’s roundup. Some advisories address multiple vulnerabilities. In some cases, there are multiple advisories for the same vulnerabilities, applicable to different versions of the OS. Other commercial Linux vendors issued a similar number of updates.

Many of this month’s fixes are for vulnerabilities in the Linux kernel. For more details about the vulnerabilities listed below, see Security notices | Ubuntu or click on the links to the individual notices.
