31 May 2022

SECURITY UPDATES: Releasing patches to fix serious vulnerabilities | Wired

Heads up!

You Need to Update iOS, Chrome, Windows, and Zoom ASAP

Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

Illustration: Elena Lacey

"May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.
 
Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn2Own competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another update: Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.

Google Pixel and Samsung users, in particular, should look out for the May update, as additional vulnerabilities have been fixed on these devices. The update has so far reached Android devices, including the Samsung Galaxy S22, Galaxy S22+, and Galaxy S22 Ultra, as well as the Galaxy Tab S8 series, the Galaxy Watch 4 series, and the Galaxy S21 series.

Chrome 102

Another month, another major Google Chrome security update, this time for 32 issues, of which one is rated as critical and eight are deemed high severity. The critical issue, CVE-2022-1853, impacts the IndexedDB feature, while the high-rated flaws affect areas that include DevTools, UI foundations, and the user education function.

None of the flaws fixed in Chrome 102 have been exploited, Google says. This is in contrast to April, when the company issued emergency updates to fix several already exploited vulnerabilities in its Chromium-based browser.

Earlier in May, Google released 13 fixes in Chrome v101.0.4951.61 for Android, with eight of these rated as having a high-severity impact.

Cisco

Cisco has fixed multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software that could allow an attacker to escape from the guest virtual machine to the host machine, inject commands that execute at the root level, or leak system data from the host to the virtual machine.

It goes without saying that these high-severity issues—tracked as CVE-2022-20777, CVE-2022-20779, and CVE-2022-20780—are serious, so it’s a good idea to update as soon as possible.

Nvidia

Chip manufacturer Nvidia issued a security update in mid-May for its Nvidia GPU display driver to fix flaws that could allow denial of service, information disclosure, or data tampering. The list of 10 vulnerabilities includes issues in the Kernel mode layer on Windows and Linux devices. The updates themselves can be found on Nvidia’s downloads website.

Zoom

Video conferencing app Zoom has released version 5.10.0 to fix an issue found by security researchers at Google’s Project Zero in February. The flaw in messaging protocol XMPP doesn’t require any interaction from the user in order to execute the attack. “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” says security researcher Ivan Fratric, who describes how the attacker can force the victim client to connect to a malicious server, resulting in arbitrary code execution.

VMWare

Cloud provider VMWare has released patches to fix multiple issues, including a privilege escalation vulnerability (CVE-2022-22973) and an authentication bypass flaw (CVE-2022-22972), the latter of which it says must be applied immediately as “the ramifications are serious.”

UKRAINE CALCULATES FINANCIAL AID FROM THE WEST

Intro: The country’s GDP last year was estimated at around $165 billion, and Kiev authorities say it has already dropped by between 30% and 50% during Russia’s military operation.

29 May, 2022 12:06

Ukraine calculates financial aid from West

Its central bank says the country has received over $6 billion so far, but needs more help

"Ukraine has received $6.5 billion in aid from Western countries since the start of Russia’s military operation in late February, said Kateryna Rozhkova, the first deputy head of the National Bank of Ukraine.

“Since the beginning of the war, Ukraine has received almost $6.5 billion from partner countries to support the economy,” Rozhkova stated on Sunday, adding that all funds have been directed to the country’s budget.

The total includes both grants and loans, she explained, but did not specify how much Kiev would have to pay back. The official added that the interest rate on loans to Ukraine is “low,” without providing further details.

Rozhkova noted that Kiev cannot address its budget deficit on its own due to declining export earnings, while the recent downgrade of the country’s credit rating to pre-default is also a problem, as money cannot be borrowed on international markets due to the high cost of such loans.

According to the official, Ukraine needs at least $5 billion in aid each month to cover the state budget deficit amid the current crisis. She reiterated previous calls from President Volodymyr Zelensky for this aid to be provided by Kiev’s Western partners.

Last month, Zelensky addressed the World Bank and the IMF, saying his country has already suffered more than half-a-trillion dollars’ worth of damage and needs around $7 billion in aid every month to stay afloat. The country’s GDP last year was estimated at around $165 billion, and Kiev authorities say it has already dropped by between 30% and 50% during Russia’s military operation."


TAIWAN JET SCRAMBLES: Top Gun Political Theater by China on Memorial Day

Intro: In recent months, the US has accused China of ratcheting up tensions across the Taiwan Strait, with Secretary of State Antony Blinken singling out aircraft incursions as an example of “increasingly provocative rhetoric and activity”.
Three reports from different sources - and another instance of state National Guard used for training.

1

China sends 30 planes into Taiwan air defence zone

The US has accused China of ratcheting up tensions across the strait with ‘provocative’ incursions.

China has made its second-largest incursion into Taiwan’s air defence zone this year, as Taipei signalled it planned to deepen security ties with the United States.

Taiwan’s defence ministry said that 30 Chinese military aircraft, two-thirds of them fighter jets, entered the southwestern part of its air defence identification zone (ADIZ) on Monday and that it had scrambled its own air force and deployed air defence missile systems in response.

The incursion was the biggest since January when Beijing sent 39 aircraft into the ADIZ. Earlier this month, it sent 18 warplanes into the area.

Beijing claims self-ruled Taiwan as its own and has not ruled out the use of force to take control of the island. . .

> Although the US has no formal diplomatic ties with Taiwan, it is the island’s most prominent international supporter and supplier of weapons, and follows what it calls a policy of “strategic ambiguity“.

> Following the latest incursion, Taiwan President Tsai Ing-wen on Tuesday said there were plans for “cooperation” between the Taiwan military and the US National Guard. . .

> Taiwanese media has previously reported that Taiwan could partner with Hawaii’s National Guard for the programme. . .

--- Last year, Taiwan recorded 969 incursions by Chinese warplanes into its ADIZ, according to an AFP news agency database, more than double the roughly 380 carried out in 2020.

--- So far in 2022, Taiwan has reported 465 incursions, a near 50 percent increase from the same period last year, AFP said.

The increasing activity is adding to pressure on Taiwan’s air force, which on Tuesday suspended flight training of new pilots after reporting its second fatal accident this year.

The defence ministry said the AT-3 jet crashed during a training mission from the southern Gangshan airbase, and the body of the 23-year-old pilot had already been found."

2

Top Gun's Maverick Risks China's Anger With Taiwan Flag on Jacket

  • Tom Cruise’s character wears jacket featuring Taiwan flag
  • Chinese tech giant Tencent withdrew to avoid angering Beijing
Tom Cruise in “Top Gun: Maverick.” Source: Paramount Pictures

Tom Cruise isn’t simply taking on what appears to be Russian-made fighter jets in his remake of the 1986 classic “Top Gun”: He’s also angering China.    

The sequel “Top Gun: Maverick” features Cruise’s character wearing a bomber jacket with the Taiwanese flag, something considered an independence symbol by authorities in Beijing, who view the island as part of its territory. The government of President Tsai Ing-wen asserts Taiwan is already a de facto independent nation in need of wider international recognition.

3

Taiwan scrambles jets after China makes largest incursion into air defence zone since January

A Taiwanese fighter jet flying next to a Chinese bomber (top) off the coast of Taiwan in February 2020. China has almost doubled its incursions this year. Photograph: Taiwan's Defence Ministry/AFP/Getty Images

China has almost doubled its incursions this year, as it attempts to keep island under pressure

China has made the second largest incursion into Taiwan’s air defence zone this year with Taipei reporting 30 jets entering the area, including more than 20 fighters.

Taiwan’s defence ministry said late on Monday it had scrambled its own aircraft and deployed air defence missile systems to monitor the latest Chinese activity.

In recent years, Beijing has begun sending large sorties into Taiwan’s defence zone to signal dissatisfaction, and to keep Taipei’s ageing fighter fleet regularly stressed.

Self-ruled democratic Taiwan lives under the constant threat of invasion by China, which views the island as its territory and has vowed to one day seize it, by force if necessary.

The US last week accused Beijing of raising tensions over the island, with secretary of state Antony Blinken specifically mentioning aircraft incursions as an example of “increasingly provocative rhetoric and activity”.

Blinken’s remarks came after US president Joe Biden appeared to break decades of US policy when in response to a question on a visit to Japan he said Washington would defend Taiwan militarily if it was attacked by China. . .

> The ADIZ is not the same as Taiwan’s territorial airspace but includes a far greater area that overlaps with part of China’s own air defence identification zone and even includes some of the mainland. A flight map provided by the Taiwanese defence ministry showed the planes entered the south-western corner of the ADIZ before looping back out again. . .

So far in 2022 Taiwan has reported 465 incursions, a near 50% increase on the same period last year. The sheer number of sorties has put the air force under immense pressure, and it has suffered a string of fatal accidents in recent years.

On Tuesday local media reported that a pilot had died after crashing a trainer jet in southern Kaohsiung. It is not the first deadly crash this year – in January one of Taiwan’s most advanced fighter jets, an F-16V, plunged into the sea.

Last March, Taiwan grounded all military aircraft after a pilot was killed and another went missing when their fighters collided mid-air in the third fatal crash in less than six months."

 

30 May 2022

BUMPY UNCERTAIN DESTABILIZING PHASE: Growing Worries About Global Growth + Corporate Earnings

Intro:

Private equity cannot avoid the reckoning in markets

Both the real economy and the financial system are in a destabilising phase for both public and private investors

The writer is president of Queens’ College, Cambridge, and an adviser to Allianz and Gramercy

"At a conference of investment professionals I recently attended, several private equity funds argued with considerable vigour that this year’s large losses in public markets would drive even more investors their way.

They were confident that their asset class would avoid the reckoning that stocks and bonds have been exposed to this year because they were structurally immunised against disruptive changes in the investment landscape.

I fear that this may prove to be too much bravado and misplaced self-confidence. Both the real economy and the financial system have entered a phase that is uncertain and destabilising for private as well as public market investors.

As noted recently in the Financial Times by Katie Martin, “adherents to the classic portfolio split — 60 per cent stocks and 40 per cent bonds — have not had it so bad in half a century”. Both equities, usually dubbed as risk assets, and the “risk free” alternatives of government bonds have experienced large losses this year.

In the traditional correlation between such assets, if stocks sold off, government bonds rose. That correlation has broken down as all these assets (understandably) suffered from worries about higher interest rates and tightening financial conditions.

While the last couple of weeks have seen some reversion to the more traditional correlation, that is not without its own problems. The reason is growing worries about global growth and corporate earnings. They point to further volatility for equities which constitute the largest part of most public market portfolios.

> In contrast to this year’s brutal sell-off in stocks and bonds, private equity valuations have remained robust. As often pointed out by their marketers, the conventionally longer holding period reduces the disruptive influence of speculative money looking to get out quickly. As does the fact that private equity investments are usually focused on single assets as opposed to indices, limiting the scope for contagion.

Such factors fuel expectations of an acceleration of what already has been a considerable multiyear increase in the strategic allocation of investment flows, and not just from public pension funds, foundations, endowments and sovereign wealth institutions. Private equity fans also expect the asset class to get a boost from ongoing efforts to make private equity more accessible for retail money.

Such optimism about the robustness of the asset class may, however, be excessive. Private equity valuations are updated much less regularly than for public investments. Indeed, historically, revaluations have tended to lag behind public markets by a minimum of six to nine months. Moreover, several of the factors that have recently undermined the public markets are also worrisome for private equity.

Higher interest rates and tightening financial conditions will complicate the refinancing of leveraged take-private transactions. They make the paths back into the public markets less secure and the exit valuation less certain. They also curtail new investors’ enthusiasm for buying private equity stakes in the secondary market, putting pressure both on prices and volumes.

The worsening global economic outlook is also a problem. Downturns rob companies of actual and prospective revenues, leading to faster burning of cash reserves, increased debt burdens relative to equity and capital erosion.

There are two additional risks that are specific to private equity in the period ahead. First, that one of its often-cited structural strengths — that of illiquidity that damps unfavourable price volatility — turns into a weakness; and second, that financial regulators and supervisors pay a lot more attention to conduct in private markets.

Private equity is just as likely to experience a shift in operating paradigm this year as the public markets have been undergoing — from a seller’s to a buyer’s market. Indeed, both are in the process of exiting from a world of massive and predictable central bank liquidity injections that over-facilitated a seemingly endless flow of money into a smaller set of investment opportunities. What lies ahead is a world in which the cost of money will be higher and financial flows more selective as they become less ample.

With time, genuinely attractive value will be restored to private and public markets. The process of doing so, however, is likely to be as bumpy."


> RELATED CONTENT

THE OBSERVER: Peter Pomerantsev, Mouth-Piece for Zelenskiy's Media Machine...add "The Terminator"

What's this from Peter Pomerantsev?
"Putin’s Russia is not an ordinary country seeking some rational security guarantees.
It’s a predator that works according to its own logic of internal oppression and external aggression. . ."
"We have launched a form of economic warfare, without backing it up with advocacy and engagement. This is absurd, allowing the Kremlin to manage perceptions."
It wouldn’t be hard to get Russians’ attention. A short video from Arnold Schwarzenegger directed at his Russian fans and condemning the war got millions of views. The Russian internet firewall is feeble: you can still use radio, WhatsApp, Telegram and YouTube. The more understanding there is that the Kremlin has led people into a dead end, that this is permanent, the more impetus there is for elites to change the direction of the country.
 

Ukraine must negotiate from a position of strength. But the world’s attention is fading

‘The Russian invasion of Ukraine is relevant to any nation that lives unprotected in the neighbourhood of nuclear bullies'

Peter Pomerantsev is the author of
Nothing Is True and Everything Is Possible: Adventures in Modern Russia
 
". . .When I met President Zelenskiy, together with colleagues from the Atlantic magazine a few weeks ago, his greatest fear was that the victory in the battle for Kyiv meant that too many people would think the war over when it was just shifting to a different, more deadly phase in the Donbas. The world’s attention has faded. Allies are being slow to arm Ukraine sufficiently. Positions are being ceded daily because of a lack of basic munitions for artillery. This needs to change fast. Any eventual negotiations have to be taken from a position of Ukrainian strength, not weakness, or else they risk being another deal that gives up all the leverage to Russia, only augmenting the threat it poses.
Russia attacked Ukraine in 2022 because, after its 2014 invasion, Putin thought he could get away with it
 
As we work out what minimising Russia’s threat means in practice, we may also get to something bigger: a set of security, humanitarian and economic interconnections that redefine how we reduce aggression in an interconnected age.
> Russia’s aim in its invasion of Ukraine was to reset the world order, tilt it towards dictatorships, impunity and the right of great powers to crush the small.
> Instead, it may produce a desire to strengthen rights, sovereignty and democracy.
In pushing for the worst, it might produce something better.
 
Russia needs to stop being a threat: to its neighbours, to its own people, to the world.
 
Minimising that threat should be the goal of our policies and the only way to face up to the reality of the Kremlin’s boot stamping on so many faces. The hope that the current iteration of Russia is ready to recognise that other states have rights is gone.
> Putin’s Russia is not an ordinary country seeking some rational security guarantees. It’s a predator that works according to its own logic of internal oppression and external aggression.
With such a state there is no going back to “normal”. No clever “deal” that can be cut to restore previous relations.
 
PLEASE NOTE WHAT POMERANTSEV ASSERTS: The first place where Russia’s threat has to be minimised is in Ukraine itself. This will be achieved on the battlefield.
Ukraine is still vastly outnumbered in both men and arms.
The situation in the Donbas is tenuous. Every day, about 100 Ukrainian soldiers are killed.
And it’s no longer hardened professional fighters – it’s IT specialists, sociologists, students.
 
[    ] The Russian invasion is relevant to any nation that lives unprotected in the neighbourhood of nuclear bullies: think Moldova, Georgia and the central Asian states around Russia; Japan, Australia and Taiwan around China. . .How can you protect such countries from aggression, given they are not Nato members and the nuclear status of the states that threaten them?
The ad hoc support to Ukraine gives us a clue: a mix of economic warfare and provision of arms. But to act as a deterrent this threat has to be made clear and be coordinated before any invasion. . .
The moment sanctions kick in should not be up for debate: a war of aggression should trigger harsh measures. Moreover, we need to tie crimes against humanity to even more aggressive sanctions... We need to reconnect humanitarian norms to economics.
[   ] Russia holds the world hostage to hunger by limiting its own grain exports and blocking Ukraine’s, demanding sanctions against Russia are lifted.
In central Europe, a gruesome calculation is emerging: what hike in gas prices are people willing to bear before they close their eyes to Putin’s crimes against humanity?
Everywhere, human rights are subservient to economic needs. For us to rein in the aggression of the Russias and Chinas of this world, it needs to be the other way round.

> While such measures can act as a deterrent, Russia will also have to change internally before it stops being a threat. Can we ever hope for a Russia that is ready to give up imperial pretensions, live in harmony with its neighbours and even establish rule of law at home? It seems a far-off dream.

> All talk about “regime change” from outside is foolish: Russia is a great power no one can influence or attack that brazenly. But what we can do is remain steadfast in our sanctions and commitment to indicting war criminals, showing Russian elites that their punishment is long and serious.

> Anecdotal research from inside the country suggests many think the sanctions will be lifted soon. This betrays great weakness. In his memoirs of life in Nazi concentration camps, the psychiatrist Viktor Frankl noted that those who thought their imprisonment would end soon were in denial of reality – and the first to then break and collapse.

Who will communicate this? Currently, we are not explaining the meaning and intent of sanctions and western policy to the Russian people. If they are perceived purely as random and poorly motivated economic weapons, this will actually risk strengthening the cleaving of Russian society to the state. .

It’s no wonder that Kremlin propaganda is always celebrating any cracks in western resolve towards Russia: from Tucker Carlson’s pro-Russian diatribes through to Italian and French “peace” proposals favourable to Moscow. The Kremlin knows many Russians don’t want to feel completely isolated and rejected from the world.

We have launched a form of economic warfare, without backing it up with advocacy and engagement. This is absurd, allowing the Kremlin to manage perceptions. It wouldn’t be hard to get Russians’ attention.

A short video from Arnold Schwarzenegger directed at his Russian fans and condemning the war got millions of views. The Russian internet firewall is feeble: you can still use radio, WhatsApp, Telegram and YouTube.

The more understanding there is that the Kremlin has led people into a dead end, that this is permanent, the more impetus there is for elites to change the direction of the country."

 

 
