In the northern hemisphere, we’re well into the summer heat now, and many of us have vacation on our minds – but hackers, attackers, and malware distributors can take advantage of that to step up their efforts to infiltrate or take down our networks by exploiting the vulnerabilities in our operating systems, services, and applications. That means it’s more important than ever to make sure all your software is patched before you head to the beach for some much-needed rest and relaxation.
The past month has seen a number of major security issues. These include a zero-day exploit that hackers used to delete all the data on Western Digital My Book Live devices, a cross-site scripting vulnerability that’s still being exploited in Cisco ASA devices, and attacks discovered in the wild that exploited a Chrome browser vulnerability.
We already talked about the six zero-day security holes that Microsoft patched in June in our Microsoft Patch Tuesday roundup, but other vendors have had their share of exploits, too. Let’s take a look at the patches released in June by some of the other major software vendors.
Apple
Apple issued far fewer patches in June than the month before. Following the 13 updates released in May, this month felt like a light one with only two security update releases:
On June 14, Apple released iOS 12.5.4 for the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). It addressed three vulnerabilities, two in WebKit and one in the Security component. All three are arbitrary code execution issues: two are due to memory corruption and one is a use-after-free vulnerability.
On June 17, Apple released iMovie 10.2.4 for macOS Catalina 10.15.6 and later. It fixed a single vulnerability that could allow entitlements and privacy permissions granted to this app to be used by a malicious app.
For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.
Adobe
Unlike Apple, Adobe had another busy month with the release of 10 security updates in June, affecting an array of their different products. However, this was two fewer than last month. All 10 were issued on June 8, the normal Patch Tuesday. Six contain fixes for critical vulnerabilities.
The vulnerabilities affect widely used products such as Adobe Acrobat and Reader, and Photoshop.
- APSB21-36 Security update available for Adobe Connect – this is an important update that addresses an escalation of privilege issue due to improper access control.
- APSB21-37 Security update available for Adobe Acrobat and Reader – this is a critical update that addresses two arbitrary code execution vulnerabilities that include out-of-bounds read and use-after-free issues.
- APSB21-38 Security update available for Adobe Photoshop – this is a critical update that addresses two arbitrary code execution vulnerabilities, both buffer overflow issues.
- APSB21-39 Security update available for Adobe Experience Manager – this is an important update that addresses two arbitrary code execution vulnerabilities, an application denial of service vulnerability, and a security feature bypass; the underlying issues include cross-site scripting, improper authorization, and server-side request forgery.
- APSB21-41 Security update available for Adobe Creative Cloud Desktop Application – this is a critical update that addresses an arbitrary code execution vulnerability and an arbitrary file system write vulnerability; the underlying issues are an uncontrolled search path element and creation of a temporary file in a directory with incorrect permissions.
- APSB21-44 Security update available for Adobe RoboHelp Server – this is a critical update that addresses a single arbitrary code execution vulnerability involving path traversal.
- APSB21-46 Security update available for Adobe Photoshop Elements – this is an important update that addresses a single escalation of privilege vulnerability that involves creation of a temporary file in a directory with incorrect permissions.
- APSB21-47 Security update available for Adobe Premiere Elements – this is an important update that addresses a single escalation of privilege vulnerability that involves creation of a temporary file in a directory with incorrect permissions.
- APSB21-49 Security update available for Adobe After Effects – this is a critical update that addresses seven different critical, important, and moderate vulnerabilities that include arbitrary code execution, arbitrary file system read, memory leaks, and application denial of service. This includes out-of-bounds read issues, NULL pointer dereference, access of memory location after end of buffer, and buffer overflows.
- APSB21-50 Security update available for Adobe Animate – this is a critical update that addresses six of the same seven vulnerabilities described in the preceding update, excluding the NULL pointer dereference issue.
For more information, see the security bulletin summary.
Chrome OS
Google released the most recent stable channel update for Chrome OS on June 30, version 91.0.4472.147. It contains a number of security updates, along with features and bug fixes.
Chrome web browser
Google released the latest stable channel update for the Windows desktop on June 24, version 91.0.4472.123/.124. The stable channel update for Windows, Mac, and Linux, version 91.0.4472.101, was released on June 9 and contained fourteen security fixes, including the critical vulnerability CVE-2021-039544, a use-after-free issue in BF cache.
For more information, click here.
Android OS
This month’s bulletin discusses a number of vulnerabilities in the components listed below. The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
- CVE-2021-0511 – escalation of privilege in Android runtime (High severity)
- CVE-2021-0521 – information disclosure in Framework (High severity)
- CVE-2021-0508, CVE-2021-0509, CVE-2021-0510, and CVE-2021-0520 – four escalation of privilege vulnerabilities in Media Framework (High severity)
- CVE-2021-0507 – remote code execution in System (Critical)
- CVE-2021-0516 – escalation of privilege in System (Critical)
- CVE-2021-0505, CVE-2021-0506, and CVE-2021-0523 – three escalation of privilege vulnerabilities in System (High severity)
- CVE-2021-0504, CVE-2021-0517, and CVE-2021-0522 – three information disclosure vulnerabilities in System (High severity)
For more information about the vulnerabilities that are addressed by the Android updates, see Android Security Bulletin – June 2021.
Oracle
Oracle normally releases its critical patch updates on a quarterly cycle in January, April, July, and October. The most recent critical patch update occurred on April 19. The next scheduled release will be on July 20.
Oracle customers can read more about the current patch release on the Oracle website.
Mozilla Firefox
On June 1, Mozilla released Firefox 89, with fixes for nine vulnerabilities, two of which were rated high severity, five moderate, and two low. None were rated critical. The high severity vulnerabilities include:
- CVE-2021-29965: Password Manager on Firefox for Android susceptible to domain spoofing – A malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog.
- CVE-2021-29967: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 – memory safety bugs present in Firefox 88 and Firefox ESR 78.11 that showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.
Moderate vulnerabilities include:
- CVE-2021-29960: Filenames printed from private browsing mode incorrectly retained in preferences – Firefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The caching and suggestion techniques combined may have led to the title of a website visited during private browsing mode being stored on disk.
- CVE-2021-29961: Firefox UI spoof using “<select>” elements and CSS scaling – When styling and rendering an oversized <select> element, Firefox did not apply correct clipping, which allowed an attacker to paint over the user interface.
- CVE-2021-29963: Shared cookies for search suggestions in private browsing mode – address bar search suggestions in private browsing mode were re-using session data from normal mode. This bug only affects Firefox for Android. Other operating systems are unaffected.
- CVE-2021-29964: Out of bounds-read when parsing a “WM_COPYDATA” message – A locally-installed hostile program could send WM_COPYDATA messages that Firefox would process incorrectly, leading to an out-of-bounds read. This bug only affects Firefox on Windows. Other operating systems are unaffected.
- CVE-2021-29966: Memory safety bugs fixed in Firefox 89 – Mozilla developers Christian Holler, Tooru Fujisawa, and Tyson Smith reported memory safety bugs present in Firefox 88. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.
On June 16, Mozilla released Firefox 89.0.1, with a fix for one vulnerability, rated moderate:
- CVE-2021-29968: Out of bounds read when drawing text characters onto a Canvas – When drawing text onto a canvas with WebRender disabled, an out of bounds read could occur. This only affects Firefox on Windows.
Click here for more information about Mozilla security updates.
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Since last month’s roundup, Ubuntu has issued the following forty-nine security advisories. Some of these advisories address a large number of vulnerabilities in a single advisory, and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates. For more details about the vulnerabilities listed below, see Security notices | Ubuntu.
- USN-4905-2: X.Org X Server vulnerability – June 30, 2021. X.Org X Server could be made to crash or run programs if it received specially crafted input. CVE-2021-3472
- USN-4997-2: Linux kernel (KVM) vulnerabilities – June 25, 2021. Several security issues were fixed in the Linux kernel. CVE-2020-26145, CVE-2021-23134, CVE-2021-31440, and 14 others
- USN-5000-2: Linux kernel (KVM) vulnerabilities – June 25, 2021. Several security issues were fixed in the Linux kernel. CVE-2020-26145, CVE-2021-23134, CVE-2021-3506, and 12 others
- USN-4995-2: Thunderbird vulnerabilities – June 25, 2021. Several security issues were fixed in Thunderbird. CVE-2021-29948, CVE-2021-29957, CVE-2021-23992, and 17 others
- USN-4998-1: Ceph vulnerabilities – June 25, 2021. Several security issues were fixed in Ceph. CVE-2021-3509, CVE-2020-27839, CVE-2021-20288, and 4 others
- USN-5004-1: RabbitMQ vulnerabilities – June 24, 2021. Several security issues were fixed in rabbitmq-server. CVE-2021-22116, CVE-2019-11287
- USN-5003-1: Linux kernel vulnerabilities – June 23, 2021. Several security issues were fixed in the Linux kernel. CVE-2021-23133, CVE-2021-3609, CVE-2021-3600
- USN-5002-1: Linux kernel (HWE) vulnerability – June 23, 2021. The system could be made to run programs as an administrator. CVE-2021-3609
- USN-5001-1: Linux kernel (OEM) vulnerabilities – June 23, 2021. Several security issues were fixed in the Linux kernel. CVE-2021-31440, CVE-2020-26141, CVE-2021-3609, and 12 others
- USN-5000-1: Linux kernel vulnerabilities – June 23, 2021. Several security issues were fixed in the Linux kernel. CVE-2020-26139, CVE-2021-31829, CVE-2021-32399, and 12 others
- USN-4999-1: Linux kernel vulnerabilities – June 23, 2021. Several security issues were fixed in the Linux kernel. CVE-2021-31440, CVE-2020-25670, CVE-2020-26141, and 14 others
- USN-4997-1: Linux kernel vulnerabilities – June 23, 2021. Several security issues were fixed in the Linux kernel. CVE-2021-23134, CVE-2021-3506, CVE-2020-24586, and 14 others
- USN-4995-1: Thunderbird vulnerabilities – June 22, 2021. Several security issues were fixed in Thunderbird. CVE-2021-23961, CVE-2021-29967, CVE-2021-23991, and 17 others
- USN-4996-2: OpenEXR vulnerabilities – June 22, 2021. Several security issues were fixed in OpenEXR. CVE-2021-3605, CVE-2021-26260, CVE-2021-20296, and 2 others
- USN-4996-1: OpenEXR vulnerabilities – June 22, 2021. Several security issues were fixed in OpenEXR. CVE-2021-3605, CVE-2021-23215, CVE-2021-20296, and 2 others
- USN-4994-2: Apache HTTP Server vulnerabilities – June 21, 2021. Several security issues were fixed in Apache HTTP Server. CVE-2021-26691, CVE-2020-35452, CVE-2021-30641, and 1 other
- USN-4994-1: Apache HTTP Server vulnerabilities – June 21, 2021. Several security issues were fixed in Apache HTTP Server. CVE-2021-26691, CVE-2021-26690, CVE-2020-35452, and 2 others
- USN-4993-1: Dovecot vulnerabilities – June 21, 2021. Several security issues were fixed in Dovecot. CVE-2021-29157, CVE-2021-33515
- USN-4992-1: GRUB 2 vulnerabilities – June 18, 2021. Several security issues were fixed in GRUB 2. CVE-2021-20225, CVE-2020-14372, CVE-2020-25632, and 3 others
- USN-4991-1: libxml2 vulnerabilities – June 17, 2021. Several security issues were fixed in libxml2. CVE-2021-3516, CVE-2017-8872, CVE-2020-24977, and 5 others
- USN-4990-1: Nettle vulnerabilities – June 17, 2021. Several security issues were fixed in Nettle. CVE-2018-16869, CVE-2021-3580
- USN-4989-2: BlueZ vulnerabilities – June 16, 2021. Several security issues were fixed in BlueZ. CVE-2020-26558, CVE-2020-27153
- USN-4989-1: BlueZ vulnerabilities – June 16, 2021. Several security issues were fixed in BlueZ. CVE-2021-3588, CVE-2020-26558, CVE-2020-27153
- USN-4988-1: ImageMagick vulnerabilities – June 15, 2021. Several security issues were fixed in ImageMagick. CVE-2020-27757, CVE-2020-27771, CVE-2017-14528, and 31 others
- USN-4986-4: rpcbind regression – June 10, 2021. USN-4986-1 caused a regression in rpcbind.
- USN-4987-1: ExifTool vulnerability – June 10, 2021. libimage-exiftool-perl could be made to crash if it opened a specially crafted file. CVE-2021-22204
- USN-4986-3: rpcbind regression – June 10, 2021. USN-4986-1 caused a regression in rpcbind.
- USN-4971-2: libwebp vulnerabilities – June 10, 2021. libwebp could be made to crash or run programs as your login if it opened a specially crafted file. CVE-2020-36331, CVE-2018-25014, CVE-2020-36328, and 7 others
- USN-4986-2: rpcbind vulnerability – June 9, 2021. rpcbind could be made to consume resources and crash if it received specially crafted network traffic. CVE-2017-8779
- USN-4986-1: rpcbind vulnerability – June 9, 2021. rpcbind could be made to consume resources and crash if it received specially crafted network traffic. CVE-2017-8779
- USN-4985-1: Intel Microcode vulnerabilities – June 9, 2021. Several security issues were fixed in Intel Microcode. CVE-2020-24512, CVE-2020-24513, CVE-2020-24511, and 1 other
- USN-4982-1: Linux kernel vulnerabilities – June 8, 2021. Several security issues were fixed in the Linux kernel. CVE-2021-28950, CVE-2021-28972, CVE-2021-31916, and 10 others
- USN-4984-1: Linux kernel vulnerabilities – June 8, 2021. Several security issues were fixed in the Linux kernel. CVE-2021-28972, CVE-2021-29647, CVE-2021-28971, and 10 others
- USN-4937-2: GNOME Autoar regression – June 7, 2021. USN-4937-1 introduced a regression in GNOME Autoar.
- USN-4969-3: DHCP regression – June 7, 2021. USN-4969-1 introduced a regression in DHCP.
- USN-4975-2: Django vulnerability – June 7, 2021. Several security issues were fixed in Django. CVE-2021-33203
- USN-4979-1: Linux kernel vulnerabilities – June 4, 2021. Several security issues were fixed in the Linux kernel. CVE-2021-31916, CVE-2021-3428, CVE-2020-25670, and 10 others
- USN-4983-1: Linux kernel (OEM) vulnerabilities – June 3, 2021. Several security issues were fixed in the Linux kernel. CVE-2021-29155, CVE-2021-3501, CVE-2021-31829, and 1 other
- USN-4981-1: Squid vulnerabilities – June 3, 2021. Several security issues were fixed in Squid. CVE-2021-28651, CVE-2021-28652, CVE-2021-31806, and 4 others
- USN-4980-1: polkit vulnerability – June 3, 2021. The system could be made to run programs as an administrator. CVE-2021-3560
- USN-4977-1: Linux kernel vulnerabilities – June 3, 2021. Several security issues were fixed in the Linux kernel. CVE-2020-25673, CVE-2021-3501, CVE-2021-29155, and 3 others
- USN-4978-1: Firefox vulnerabilities – June 2, 2021. Firefox could be made to crash or run programs as your login if it opened a malicious website. CVE-2021-29960, CVE-2021-29959, CVE-2021-29961, and 2 others
- USN-4976-1: Dnsmasq vulnerability – June 2, 2021. Dnsmasq could be exposed to cache poisoning. CVE-2021-3448
- USN-4975-1: Django vulnerabilities – June 2, 2021. Several security issues were fixed in Django. CVE-2021-32052, CVE-2021-33571, CVE-2021-33203
- USN-4974-1: Lasso vulnerability – June 2, 2021. Applications using Lasso could be made to allow unintended access. CVE-2021-28091
- USN-4973-1: Python vulnerability – June 1, 2021. Python could allow unintended access to network services. CVE-2021-29921
- USN-4972-1: PostgreSQL vulnerabilities – June 1, 2021. Several security issues were fixed in PostgreSQL. CVE-2021-32029, CVE-2021-32028, CVE-2021-32027
- USN-4971-1: libwebp vulnerabilities – June 1, 2021. libwebp could be made to crash or run programs as your login if it opened a specially crafted file. CVE-2020-36331, CVE-2018-25010, CVE-2018-25011, and 8 others
- USN-4970-1: GUPnP vulnerability – June 1, 2021. GUPnP could allow unintended access to network services. CVE-2021-33516