Headline
You Need to Update iOS, Chrome, Windows, and Zoom ASAP
Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.
May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.
Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.
Here’s what you need to know.
Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6
With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15 point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.
Security issues fixed in iOS 15.5 include flaws in the Kernel as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.
Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.
Microsoft’s Flubbed May Patch Tuesday
Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.
On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.
In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s update catalog.
Firefox 100.0.2
In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another update, Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.
Android
May’s Android security update is a big one, patching 36 vulnerabilities including an issue already being exploited by attackers. The already exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”
The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it’s taken a while to reach devices.
Related news
Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code. Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to
Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild. The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges. Successful exploitation of
Categories: Exploits and vulnerabilities Categories: News Apple has patched an actively-exploited flaw that affects a host of devices and software, including iPhones, Macs, iPads, and iPod touch. (Read more...) The post Important update! iPhones, Macs, and more vulnerable to zero-day bug appeared first on Malwarebytes Labs.
Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may
Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894 - An
Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.
An authentication issue was addressed with improved state management. This issue is fixed in tvOS 15.5. A local user may be able to enable iCloud Photos without authentication.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..
If you're an Apple user, make sure you patch for CVE-2022-22675, a zero-day flaw actively exported in the wild. The post Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV appeared first on Malwarebytes Labs.
Apple Security Advisory 2022-05-16-6 - tvOS 15.5 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-5 - watchOS 8.6 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-3 - macOS Big Sur 11.6.6 addresses bypass, code execution, denial of service, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.