May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom and Apple’s iOS all releasing patches to fix serious vulnerabilities.
Meanwhile, things have not gone smoothly for Microsoft, which was forced to issue an out-of-band update following a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom and VMware have all issued patches for printing errors.
Here’s what you need to know.
Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6
With Apple set to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released what is likely its last major iOS 15 point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.
Vulnerabilities addressed in iOS 15.5 include bugs in the kernel as well as in the WebKit browser engine, according to Apple’s support page. Fortunately, none of the vulnerabilities patched in iOS and iPadOS 15.5 have been used in attacks, according to the company, but that does not mean they will not be if you do not update now.
Meanwhile, users of macOS, tvOS, and Apple Watch should update their devices ASAP, as Apple also released an emergency update to fix an issue that it believes is already being used in attacks. The bug in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with kernel privileges. Kernel issues are as bad as it gets, so it’s worth checking for updates and installing them on your devices right away.
Microsoft’s Flubbed May Patch Tuesday
Microsoft’s May Patch Tuesday was something of a disaster for the diligent companies that installed it right away.
On May 10, the company released security updates to fix 75 vulnerabilities, eight marked as serious and three that were exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but problems soon emerged for some Microsoft users, who reported authentication errors after installing the latest updates. The problem affected client and server Windows platforms and systems running all versions of Windows, including Windows 11 and Windows Server 2022.
In an attempt to resolve the issue, the company was forced to issue an out-of-band update to Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20th. The update will not install automatically – you will need to download it from the Microsoft Update Catalog.
Firefox 100.0.2
In early May, Mozilla released Firefox 100, including nine security patches for its Firefox browser, seven of which were rated high. But later in May, ethical hackers at the Pwn2Own competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another round of updates: Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3 and Thunderbird 91.9.1. Time to click those update buttons.
Android
May’s Android security update is a major one, fixing 36 vulnerabilities, including an issue that is already being exploited by attackers. The already-exploited flaw is a privilege escalation bug in the Linux kernel known as “Dirty Pipe.”
The bug, which affects newer Android devices running Android 12 and later, was revealed by Google in February, but the fix has taken a while to reach devices.