GFI August patch roundup: Fixes from non-Microsoft vendors



Summer is almost over in most of the northern hemisphere, but as temperatures start to cool, the pressure is still on IT professionals who are trying to stay ahead of the hackers and attackers. In the United States, Labor Day weekend was a holiday for many of us. Still, in the security world, the anticipation is mixed because holidays are a favorite time for ransomware distributors to come out and play. Hopefully, you applied these August patches from non-Microsoft vendors before your long weekend.

Many companies and their IT departments are still recovering from the effects of Hurricane Ida, which knocked out the power to New Orleans and other locales in the path of the storm. We’re heading into what some forecasters say could be a heavy Atlantic hurricane season, and these are the times that put our disaster recovery plans to the test.

What better time for attackers to launch their attacks than during the chaos that follows a natural disaster? From phishing schemes to social engineering, the bad guys never let a good crisis go to waste. They also know that businesses and individuals may be caught up in addressing the preparations and damage during such times and thus might be less diligent about ensuring that all of their software is up to date.

Software makers, as always, are issuing patches as quickly as they can after vulnerabilities are identified. Let’s look at some of the patches they released in August.

Apple

Ten security updates were issued in July, but August was a much lighter month for Apple. The company released three updates, but only two of them addressed published CVEs.

  • iCloud for Windows 12.5, for Windows 10 and later (via the Microsoft Store), was released on August 16. It fixes two vulnerabilities in ImageIO, both of which could result in arbitrary code execution.
  • macOS Big Sur 11.5.2 was released on August 11. This update has no published CVE entries.
  • iTunes 12.11.4 for Windows 10 and later was released on August 9. This update addresses the same two ImageIO vulnerabilities described above.

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.

Adobe

Adobe released slightly more than half the number of updates it issued in July. The seven fixes span several of their products, but this time there were no fixes for Acrobat and Reader, which is unusual. Here are the products that got updates:

On August 10, Adobe released the following two fixes:

  • APSB21-66 Security update for Adobe Connect – addresses two vulnerabilities, a security feature bypass and an arbitrary code execution issue, both of which are rated important.
  • APSB21-64 available for Magento – addresses ten vulnerabilities that include both critical and important issues: security feature bypass, arbitrary code execution, denial of service, privilege escalation, and arbitrary file system read issues.

On August 17, Adobe released the following five fixes:

  • APSB21-70 Security update available for Adobe Media Encoder – addresses an arbitrary code execution issue that is rated critical.
  • APSB21-69 Security update available for Adobe Bridge – addresses nine vulnerabilities with critical, important, and moderate ratings, which include arbitrary code execution, denial of service, memory leak, and arbitrary file system read issues.
  • APSB21-68 Security update available for Adobe Photoshop – addresses two arbitrary code execution vulnerabilities that are both rated critical.
  • APSB21-65 Security updates available for Adobe XMP Toolkit SDK – addresses eleven vulnerabilities rated critical and important, which include arbitrary code execution and denial of service issues.
  • APSB21-60 Security hotfix available for Adobe Captivate – addresses one privilege escalation vulnerability rated important.

For more information, see the security bulletin summary.

Google

Chrome OS

The most recent stable channel update for Chrome OS was released on June 30. Google did not release a stable channel update for the OS in July.

Chrome web browser

Google announced the release of the latest stable update for the Chrome desktop browser for Windows, Mac, and Linux on August 31. The update, Chrome 93.0.4577.63, contains twenty-seven security fixes, including five that are rated high severity:

  • CVE-2021-30606: Use after free in Blink.
  • CVE-2021-30607: Use after free in Permissions.
  • CVE-2021-30608: Use after free in Web Share.
  • CVE-2021-30609: Use after free in Sign-In.
  • CVE-2021-30610: Use after free in Extensions API.

This version also fixes the following 12 vulnerabilities rated medium severity:

  • CVE-2021-30611: Use after free in WebRTC.
  • CVE-2021-30612: Use after free in WebRTC.
  • CVE-2021-30613: Use after free in Base internals.
  • CVE-2021-30614: Heap buffer overflow in TabStrip. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-05-10.
  • CVE-2021-30615: Cross-origin data leak in Navigation.
  • CVE-2021-30616: Use after free in Media.
  • CVE-2021-30617: Policy bypass in Blink.
  • CVE-2021-30618: Inappropriate implementation in DevTools.
  • CVE-2021-30619: UI Spoofing in Autofill.
  • CVE-2021-30620: Insufficient policy enforcement in Blink.
  • CVE-2021-30621: UI Spoofing in Autofill.
  • CVE-2021-30622: Use after free in WebApp Installs.

Also fixed are the following two vulnerabilities rated as low severity:

  • CVE-2021-30623: Use after free in Bookmarks.
  • CVE-2021-30624: Use after free in Autofill.

Google also released Chrome 93 for Android and iOS on August 31.

For more information, see Google Blog.

Android OS

The August 2021 security patch level for Android addresses vulnerabilities in the Framework, Media Framework, and System components. All are rated high severity. The most severe of these issues is a high-severity vulnerability in the Media Framework component that could enable a local malicious application to bypass operating system protections that isolate application data from other applications. For more information about the vulnerabilities that are addressed by the Android updates, see Android Security Bulletin – August 2021.

Oracle

Oracle typically releases its critical patch updates on a quarterly cycle, in January, April, July, and October. The most recent update was released on July 20.

The next critical patch update will be released on October 19.

Oracle customers can read more about the current patch release on the Oracle website.

Mozilla Firefox

On August 11, Mozilla released Firefox 91, which contains fixes for the following nine vulnerabilities:

High impact:

Moderate impact:

Low impact:

On August 16, Mozilla released Firefox 91.0.1, which contained fixes for one vulnerability rated high severity:

Linux
