May has been another busy month for security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS all issuing patches to fix serious vulnerabilities.
Meanwhile, things have not gone well for Microsoft, which was forced to release an out-of-band update after a disastrous Patch Tuesday during the month. Cisco, Nvidia, Zoom, and VMware also issued patches for urgent flaws.
Here’s what you need to know.
Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6
With Apple announcing iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released its latest major iOS 15 update in May. It included new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.
Security issues fixed in iOS 15.5 include flaws in the kernel and in the WebKit browser engine, according to Apple’s support page. Fortunately, none of the issues patched in iOS and iPadOS 15.5 have been used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.
Meanwhile, users of macOS, tvOS and Apple Watch should update their devices as soon as possible, as Apple also issued an emergency update to fix a problem that it believes is already being used in attacks. The flaw in AppleAVD, tracked as CVE-2022-22675, could allow an application to run code with kernel privileges. Kernel issues are as bad as it gets, so it’s worth checking and updating your devices right away.
Microsoft’s flubbed Patch Tuesday
May’s Patch Tuesday was something of a disaster for the diligent companies that installed it right away.
On May 10, the company released security updates to fix 75 vulnerabilities, eight of which were classified as serious and three of which were being exploited by attackers. The issues fixed in May’s Patch Tuesday were significant, but problems soon emerged for some Microsoft users, who reported authentication errors after installing the latest updates. The problem affected Windows client and server platforms and systems running all versions of Windows, including Windows 11 and Windows Server 2022.
In an attempt to fix the issue, the company was forced to release an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update will not be installed automatically; you must download it from the Microsoft Update Catalog.
May’s Android security update is one of the big ones, with patches for 36 vulnerabilities, including an issue that is already being exploited by attackers. The already exploited flaw is a privilege escalation bug in the Linux kernel known as “Dirty Pipe”.
The flaw, which affects newer Android devices running Android 12 and later, was revealed by Google in February, but the fix took a while to reach devices.