May was another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.
Meanwhile, things didn’t go smoothly for Microsoft, which was forced to issue an out-of-band update after the month’s disastrous Patch Tuesday. And Cisco, Nvidia, Zoom, and VMware all released fixes for flaws.
Here’s what you need to know.
Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6
With Apple set to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released what may be its last major update to iOS 15 in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of them serious.
Security issues fixed in iOS 15.5 include vulnerabilities in the kernel as well as in the WebKit browser engine, according to Apple’s support page. Fortunately, none of the issues patched in iOS and iPadOS 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.
Meanwhile, macOS, tvOS and Apple Watch users should update their devices as soon as possible, as Apple has also issued an emergency update to fix an issue it believes is already being used in attacks. The vulnerability in Apple AVD, designated CVE-2022-22675, could allow an application to execute code with kernel privileges. Kernel problems are the worst possible, so it’s worth checking and updating your devices right away.
Microsoft’s Flubbed May Patch Tuesday
Microsoft’s May Patch Tuesday was something of a disaster for diligent businesses that installed it right away.
On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that are being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users who reported authentication errors after installing the latest updates. This affected people using the client and server Windows platforms and systems running all versions of Windows, including Windows 11 and Windows Server 2022.
In an effort to fix the problem, the company was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update will not install automatically – you must download it from the Microsoft Update Catalog.
Firefox 100.0.2
In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, seven of which were rated very serious. But later in May, ethical hackers at the Pwn2Own competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running Mozilla’s latest software. Mozilla fixed the issues in another update: Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click these update buttons.
Android
The May Android security update is a big one, fixing 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux kernel known as “Dirty Pipe”.
The flaw, which affects newer Android devices running Android 12 and above, was disclosed by Google in February, but took some time to reach devices.