The urgent need to update the software

0

Kate O’Flaherty* says people should update iOS, Chrome, Windows and Zoom ASAP.


May has been another busy month of security updates, with Google’s Chrome browser and Apple’s Android, Zoom and iOS operating system releasing patches to fix serious vulnerabilities.

Meanwhile, things didn’t go well for Microsoft, which was forced to release an out-of-band update after a disastrous patch on Tuesday during the month.

And Cisco, Nvidia, Zoom, and VMWare have all released patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

While Apple was expected to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker likely released its last major 15-point iOS update in May.

It came with new features, but iOS and iPadOS 15.5 also patched 34 security vulnerabilities, some of which are serious.

Security issues addressed in iOS 15.5 include flaws in the kernel, as well as the WebKit browser engine, according to Apple’s support page.

Fortunately, none of the fixes released in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, macOS, tvOS and Apple Watch users should update their devices as soon as possible, as Apple has also released an emergency update to fix an issue it says is already being used in attacks. .

The flaw in Apple AVD, tagged CVE-2022-22675, could allow an application to execute code with kernel privileges.

Problems in the kernel are as serious as it gets, so it’s worth checking and updating your devices right away.

Microsoft Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent companies that installed it immediately.

On May 10, the company released security updates to fix 75 vulnerabilities, eight rated as serious and three exploited by attackers.

The issues fixed in May’s Patch Tuesday were significant, but there were soon issues for some Microsoft users, who reported authentication failures after installing the latest updates.

This has impacted people using client and server Windows platforms and systems running all versions of Windows, including Windows 11 and Windows Server 2022.

In order to fix the issue, the company was forced to release an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20.

The update will not install automatically. You need to download it from Microsoft’s Update Catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, comprising nine security patches for its Firefox browser, seven of which were rated as high severity.

But later in May, ethical hackers from the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software.

Mozilla fixed the issues in another update Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1.

Click on these update buttons.

android

The May Android security update is significant, patching 36 vulnerabilities, including an issue already exploited by attackers.

This exploited flaw is a privilege escalation bug in the Linux kernel known as “The Dirty Pipe”.

The flaw, which affects new Android devices running Android 12 and later, was disclosed by Google in February, but it took some time to reach the devices.

Other Android security patches in May include 15 high-severity vulnerabilities and one critical-severity vulnerability in Qualcomm components, two denial-of-service flaws in Android system, and three high-severity issues in MediaTek components.

Google Pixel and Samsung users, in particular, should look out for the May update, as additional vulnerabilities have been patched on those devices.

The update has so far reached Android devices including the Samsung Galaxy S22, Galaxy S22+, and Galaxy S22 Ultra, as well as the Galaxy Tab S8 series, Galaxy Watch 4 series, and Galaxy S21 series.

Chrome 102

Another month, another major Google Chrome security update, this time for 32 issues, one of which is rated as critical and eight are rated as very serious.

The critical issue, CVE-2022-1853, impacts IndexedDB functionality, while the top-rated flaws affect areas such as DevTools, UI foundations, and user training function.

None of the flaws patched in Chrome 102 have been exploited, Google says.

This contrasts with April, when the company released emergency updates to fix several vulnerabilities already exploited in its Chromium-based browser.

Earlier in May, Google released 13 fixes to Chrome v101.0.4951.61 for Android, eight of which were classified as having a very severe impact.

Cisco

Cisco has addressed multiple vulnerabilities in the Cisco Enterprise NFV infrastructure software that could allow an attacker to escape from the guest virtual machine to the host machine, inject commands that run at the root level, or leak system data from the host to the virtual machine.

It goes without saying that these high-severity issues, tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780, are serious, so it’s a good idea to update as soon as possible.

Nvidia

Chipmaker Nvidia released a security update in mid-May for its Nvidia GPU display driver to address flaws that could allow denial of service, information disclosure, or data tampering.

The list of 10 vulnerabilities includes issues in the kernel mode layer on Windows and Linux devices.

The updates themselves can be found on Nvidia’s download website.

Zoom

Video conferencing app Zoom released version 5.10.0 to address an issue discovered by Google’s Project Zero security researchers in February.

The XMPP messaging protocol flaw requires no user interaction to execute the attack.

“User interaction is not required for a successful attack.

The only capability an attacker needs is to be able to send messages to the victim via Zoom chat using the XMPP protocol,” says security researcher Ivan Fratric, who describes how the attacker can force the victim client to connect to a malicious server, leading to arbitrary attacks. code execution.

VMWare

Cloud provider VMWare has released patches to address several issues, including an elevation of privilege vulnerability (CVE-2022-22973) and an authentication bypass flaw (CVE-2022-22972), the latter of which needs to be applied immediately because “the ramifications are serious.”

*Kate O’Flaherty is a Contributor on WIRED UK.

This article first appeared on wired.co.uk.

Share.

Comments are closed.