Security News
Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks. Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation.
Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks. Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation.
Google on Thursday rolled out an emergency update for its Chrome web browser, including fixes for two zero-day vulnerabilities that it says are being actively exploited in the wild. The internet giant's Threat Analysis Group has been credited with discovering and reporting the two flaws on September 15, 2021, and October 26, 2021, respectively.
Big Sur gets a version-bump to 11.6.1, while Catalina gets an old-version-style patched labelled Security Update 2021-007, but not a version number change. Importantly, these updates retrofit the iOS 15.0.2 patch to the Watch and TV product lines.
Microsoft on Tuesday rolled out security patches to contain a total of 71 vulnerabilities in Microsoft Windows and other software, including a fix for an actively exploited privilege escalation vulnerability that could be exploited in conjunction with remote code execution bugs to take control over vulnerable systems. At the top of the list is CVE-2021-40449, a use-after-free vulnerability in the Win32k kernel driver discovered by Kaspersky as being exploited in the wild in late August and early September 2021 as part of a widespread espionage campaign targeting IT companies, defense contractors, and diplomatic entities.
We were going to say "Unexpected updates", but all Apple security patches are, of course, unexpected by design. Apple deliberately announces security fixes only after they've been published, so you couldn't plan for them even if you wanted.
The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an "Incomplete fix" for an actively exploited path traversal and remote code execution flaw that it patched earlier this week. CVE-2021-42013, as the new vulnerability is identified as, builds upon CVE-2021-41773, a flaw that impacted Apache web servers running version 2.4.49 and involved a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.
These exploits show that the scope of the vulnerability transcends path traversal, allowing attackers remote code execution abilities. The path traversal vulnerability in Apache's HTTP server, first reported by BleepingComputer, has actively been exploited in the wild before the Apache project was notified of the flaw in September, or had a chance to patch it.
Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher.The researcher who found the four zero-days reported them to Apple between March 10 and May 4.