![](\"https:\/\/media.wired.com\/photos\/6294c342754d8027a158d446\/master\/pass\/security-critical-update.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Kate O’Flaherty| Date: Tue, 31 May 2022 11:00:00 +0000<\/strong><\/p>\n Kate O'Flaherty<\/a><\/span><\/span><\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n May has been<\/span> another busy month of security updates, with Google\u2019s Chrome browser and Android operating system, Zoom, and Apple\u2019s iOS releasing patches to fix serious vulnerabilities.<\/p>\n Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.<\/p>\n Here\u2019s what you need to know.<\/p>\n With Apple due to announce iOS 16 at its Worldwide Developers Conference<\/a> in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.<\/p>\n Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple\u2019s support page<\/a>. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn\u2019t mean they won\u2019t be if you don\u2019t update now.<\/p>\n Meanwhile, users of macOS<\/a>, tvOS<\/a>, and the Apple Watch<\/a> should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD<\/a>, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it\u2019s worth checking and updating your devices right away.<\/p>\n Microsoft\u2019s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.<\/p>\n On May 10, the firm issued security updates<\/a> to fix 75 vulnerabilities<\/a>, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May\u2019s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported<\/a> authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.<\/p>\n In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won\u2019t install automatically\u2014you need to download it from Microsoft\u2019s update catalog<\/a>.<\/p>\n In early May, Mozilla released Firefox 100<\/a>, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn<\/a> competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed<\/a> the issues in another updateFirefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.<\/p>\n May\u2019s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited<\/a> flaw is a privilege escalation bug in the Linux Kernel known as \u201cThe Dirty Pipe<\/a>.\u201d<\/p>\n The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.<\/p>\n Other Android security fixes in May include 15 high-severity and one critical-severity vulnerability in Qualcomm components, two denial-of-service flaws in the Android System, and three high-severity issues in MediaTek components.<\/p>\n Google Pixel and Samsung users, in particular, should look out for the May update, as additional vulnerabilities<\/a> have been fixed on these devices<\/a>. The update has so far reached Android devices, including<\/a> the Samsung Galaxy S22, Galaxy S22+, and Galaxy S22 Ultra, as well as the Galaxy Tab S8 series, the Galaxy Watch 4 series, and the Galaxy S21 series.<\/p>\n Another month, another major Google Chrome security update<\/a>, this time for 32 issues, of which one is rated as critical and eight are deemed high severity. The critical issue, CVE-2022-1853, impacts the IndexedDB feature, while the high-rated flaws affect areas that include DevTools, UI foundations, and the user education function.<\/p>\n None of the flaws fixed in Chrome 102 have been exploited, Google says. This is in contrast to April<\/a>, when the company issue emergency updates to fix several already exploited vulnerabilities in its Chromium-based browser.<\/p>\n Earlier in May, Google released 13 fixes in Chrome v101.0.4951.61 for Android, with eight of these rated as having a high-severity impact.<\/p>\n Cisco has fixed multiple vulnerabilities<\/a> in Cisco Enterprise NFV Infrastructure Software that could allow an attacker to escape from the guest virtual machine to the host machine, inject commands that execute at the\u00a0root\u00a0level, or leak system data from the host to the virtual machine.<\/p>\n It goes without saying that these high-severity issues\u2014tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780\u2014are serious, so it\u2019s a good idea to update as soon as possible.<\/p>\n Chip manufacturer Nvidia issued a security update<\/a> in mid-May for its Nvidia GPU display driver to fix flaws that could allow denial of service, information disclosure, or data tampering. The list of 10 vulnerabilities includes issues in the Kernel mode layer on Windows and Linux devices. The updates themselves can be found on Nvidia\u2019s downloads website<\/a>.<\/p>\n Video conferencing app Zoom<\/a> has released version 5.10.0 to fix an issue<\/a> found by security researchers at Google\u2019s Project Zero in February. The flaw in messaging protocol XMPP doesn\u2019t require any interaction from the user in order to execute the attack. \u201cUser interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,\u201d says security researcher Ivan Fratric, who describes<\/a> how the attacker can force the victim client to connect to a malicious server, resulting in arbitrary code execution.<\/p>\n Cloud provider VMWare has released patches<\/a> to fix multiple issues, including a privilege escalation vulnerability (CVE-2022-22973) and an authentication bypass flaw (CVE-2022-22972), the latter of which it says must be applied immediately as \u201cthe ramifications are serious.\u201d<\/p>\n