The month of April began with a day for playing pranks, but the vulnerabilities that have come to light this month – especially the Heartbleed vulnerability in OpenSSL that we discussed in an earlier blog post – are deadly serious. The real April fools are those who are too busy, too lazy or too unaware to keep all of the software they run on critical systems up to date and patched to protect against new exploits that come out on an almost continuous basis.
There are some who believe that open source software is inherently secure, and that it’s only proprietary products from the likes of Microsoft and Adobe that they need to worry about. The truth is: no code is perfectly secure in a world where our computers are connected to the Internet 24/7 and the ‘Net is teeming with skilled hackers, many of them with malevolent intent. Their ability to ferret out exploitable flaws in code is increasing, and thus attacks are growing ever more sophisticated.
Patching should be only one component in your defense arsenal, but it’s a vitally important one. With so much at stake, you would think all large companies would keep all of their systems patched, but that assumption would be wrong. Just this past week, several tech news sites reported that researchers with security company Bkav had discovered Amazon cloud servers hosting their IaaS were running Windows 2003 Server operating systems that hadn’t been updated for years.
And we’re talking there about Microsoft updates, which generally come out on a known, set schedule and can be done via automatic updates. It’s not always as easy to find and apply needed patches to third party software made by smaller vendors, or open source software. And remember, it’s not just the operating systems that must be patched. Applications provide another avenue of entry that’s being utilized more and more frequently. In fact, the 2013 Global Information Security Workforce Study demonstrated that security professionals rate application vulnerabilities as the number one threat.
With all that in mind, let’s take a look at some of the vendor updates that were released this month, alongside Microsoft’s four updates that we discussed in the April Patch Tuesday Roundup and the emergency advisory for an IE zero day vulnerability that we reported in a separate post.
Apple released five updates this month: one for the Safari web browser, one for the OS X operating system, one for iOS devices, one for Apple TV and one for its router/wireless access point devices.
- On April 1, Apple released Safari 6.1.3 and 7.0.3, for the Lion, Lion Server, Mountain Lion and Mavericks versions of OS X. It addresses multiple memory corruption issues in WebKit, which is a software component that handles page rendering. One of the vulnerabilities corrected by this update could allow an attacker to crash the application or run arbitrary code if a user visits a malicious web site. Another vulnerability involves improper handling of IPC messages from the WebProcess, which could allow an attacker to read arbitrary files in spite of sandbox restrictions.
- On April 22, Apple released Security Update 2014-002 for the Lion, Mountain Lion and Mavericks versions of OS X. It addresses thirteen vulnerabilities, some of which apply to all versions of the OS and some of which apply only to specific versions. These include a flaw in the CFNetwork HTTPProtocol by which attackers could obtain information from cookies, a problem with CoreServicesUIAgent by which a malicious web site could cause application termination or arbitrary execution of code, and a buffer underflow vulnerability in FontParser that could result in application termination or arbitrary code execution upon opening a malicious PDF. It also addresses a denial of service vulnerability in Heimdal Kerberos, an arbitrary code execution vulnerability in ImageIO and a validation issue in the Intel Graphics Driver that could allow an attacker to take control of the system. There are also kernel vulnerabilities that could allow local users to read kernel pointers and bypass ASLR protections, a power management issue preventing the screen from locking, and a couple of vulnerabilities in Ruby that could allow arbitrary code execution. Finally, there is a flaw in Secure Transport that could allow an attacker to capture data or make changes to SSL-encrypted communications and one in WindowServer that could be used to execute arbitrary code outside the sandbox.
- On April 22, Apple released iOS 7.1.1 for the iPhone 4 and later, 5th generation iPod Touch and later, and the iPad 2 and later. It fixes four of the same types of vulnerabilities described above in the patch for OS X: CFNetwork HTTPProtocol, IOKit Kernel, Secure Transport and WebKit.
- On April 22, Apple released version 6.1.1 for Apple TV (2nd generation and later). It addresses four issues, including one that could allow an attacker to obtain web site credentials, one by which a local user could read kernel pointers and bypass ASLR, one that could allow capturing data or making changes in an SSL session and one that could result in arbitrary code execution.
- On April 22, Apple released Update 7.7.3 for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. This is a firmware update that addresses an out-of-bounds issue in the OpenSSL library when handling TLS heartbeat extension packets. This is the infamous Heartbleed vulnerability, which an attacker could exploit to obtain the contents of memory.
Adobe released two security updates on their regular Patch Tuesday schedule this month:
- On April 8, Adobe released an update for Flash Player version 220.127.116.11 and earlier for Windows and Mac and version 18.104.22.1686 and earlier for Linux. It addresses multiple vulnerabilities that could allow an attacker to take control of the system. It has a priority rating of 1 for Flash Player on Windows and Mac, IE 10 and 11 and Chrome for Windows, Mac and Linux. It has a priority rating of 3 on Linux and Android.
- On April 14, Adobe released an update for Adobe Reader Mobile, versions 11.1.3 and earlier for Android. It addresses a vulnerability that could be used to arbitrarily execute code, and has a priority rating of 2.
Then on April 28, Adobe released an emergency update for Flash Player on Windows, Mac and Linux, to patch a remote code execution vulnerability that was already being exploited in the wild; in conjunction, Microsoft released an emergency advisory of its own and pushed the Windows version of the patch through Windows Update. We reported on this one in detail in a previous blog post.
Google released updates for ChromeOS and the Chrome web browser:
- On April 15, Google released an update for all ChromeOS devices except the HP Chromebook Pavilion. This updates the OS to version 34.0.1847.120 and contains security updates, bug fixes and feature enhancements. There have been some reports of system crashes after installing the update.
- On April 24, Google released an update for the Chrome web browser running on Windows, Mac and Linux. The Windows and Mac version is 34.0.1847.131 and the Linux version is 34.0.1847.132. This update also contains an update for Adobe Flash Player.
Oracle releases security updates on a quarterly basis, in January, April, July and October. This month, they released one critical patch update that addresses multiple security vulnerabilities in a number of Oracle products, including Oracle Database, Fusion Middleware and Applications, Access Manager, MySQL, OpenSSO, PeopleSoft Enterprise, JavaFX and Java SE and several more. For more information and links to the applicable patches, see the CPU Advisory.
Ubuntu released considerably fewer updates this month than last. After 32 updates in March, April brings only 17. These include:
USN-2172-1: CUPS vulnerability – 24th April 2014
The CUPS web interface incorrectly protected against cross-site scripting (XSS) attacks. If an authenticated user were tricked into visiting a malicious website while logged into CUPS, a remote attacker could modify the CUPS configuration and possibly steal confidential data.
USN-2171-1: rsync vulnerability – 23rd April 2014
The rsync daemon incorrectly handled invalid usernames. A remote attacker could use this issue to cause rsync to consume resources, resulting in a denial of service.
USN-2170-1: MySQL vulnerabilities – 23rd April 2014
Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.37. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
USN-2169-2: Django regression – 22nd April 2014
The upstream security patch for CVE-2014-0472 introduced a regression for certain applications. This update fixes the problem. Original advisory details: Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function.
USN-2169-1: Django vulnerabilities – 22nd April 2014
Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. Django incorrectly cached certain pages that contained CSRF.
USN-2168-1: Python Imaging Library vulnerabilities – 15th April 2014
The Python Imaging Library incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files, or gain access to temporary file contents.
USN-2167-1: curl vulnerabilities – 14th April 2014
libcurl incorrectly reused wrong connections when using protocols other than HTTP and FTP. This could lead to the use of unintended credentials, possibly exposing sensitive information. Also, libcurl incorrectly validated wildcard SSL certificates that contain literal IP addresses.
USN-2166-1: Net-SNMP vulnerabilities – 14th April 2014
Net-SNMP incorrectly handled AgentX timeouts. A remote attacker could use this issue to cause the server to crash or to hang, resulting in a denial of service. It was discovered that the Net-SNMP ICMP-MIB incorrectly validated input.
USN-2124-2: OpenJDK 6 regression – 7th April 2014
USN-2124-1 fixed vulnerabilities in OpenJDK 6. Due to an upstream regression, memory was not properly zeroed under certain circumstances which could lead to instability. This update fixes the problem.
USN-2165-1: OpenSSL vulnerabilities – 7th April 2014
OpenSSL incorrectly handled memory in the TLS heartbeat extension. An attacker could use this issue to obtain up to 64k of memory contents from the client or server, possibly leading to the disclosure of private keys and other sensitive information. This is the infamous Heartbleed vulnerability.
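The AirPort firmware note above and USN-2165-1 both concern the same defect: OpenSSL trusted the two-byte payload_length field of a TLS heartbeat message and copied that many bytes back to the peer, regardless of how many bytes the record actually carried. The following Python example is added here to illustrate the bounds check that RFC 6520 requires and that the patched OpenSSL performs; it is not OpenSSL's code or any code from the original post. The message layout (type, 16-bit length, payload, at least 16 bytes of padding) is the one RFC 6520 defines; the sample records in the `__main__` block are constructed for the demonstration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a HeartbeatMessage carries at least 16 bytes of padding


def parse_heartbeat(record: bytes) -> tuple:
    """Parse a TLS HeartbeatMessage (RFC 6520) into (type, payload).

    Raises ValueError when payload_length claims more bytes than the record
    actually contains. RFC 6520 says such a message MUST be discarded silently;
    skipping this check is what let an unpatched OpenSSL read past the record
    buffer into adjacent process memory (up to 65535 bytes, the largest value
    the 16-bit length field can hold).
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("heartbeat record too short")
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type")
    # The fix: validate the claimed length against the bytes really received.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise ValueError("payload_length exceeds record length; discarding")
    payload = record[3:3 + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a well-formed HeartbeatMessage (helper for the demonstration)."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + padding


def heartbeat_response(request: bytes) -> bytes:
    """Answer a heartbeat request the way a patched peer does.

    Only the payload that was actually received is echoed back; a malformed
    request is discarded and an empty bytes object is returned.
    """
    try:
        hb_type, payload = parse_heartbeat(request)
    except ValueError:
        return b""
    if hb_type != HB_REQUEST:
        return b""
    return build_heartbeat(HB_RESPONSE, payload)


if __name__ == "__main__":
    # Constructed sample records: a well-formed request and one whose length
    # field claims 65535 bytes while carrying no payload at all.
    good = build_heartbeat(HB_REQUEST, b"hello")
    bad = struct.pack("!BH", HB_REQUEST, 65535) + b"\x00" * MIN_PADDING
    print("good request ->", heartbeat_response(good))
    print("bad request  ->", heartbeat_response(bad))
```

The whole fix is the single comparison against `len(record)`; everything else in the block exists so the check can be exercised with real bytes. Note that the check accounts for the mandatory padding too, since the padding also has to fit inside what was received.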
USN-2164-1: OpenSSH vulnerability – 7th April 2014
OpenSSH did not correctly check SSHFP DNS records if a server presented an unacceptable host certificate. A malicious server could use this issue to disable SSHFP checking.
USN-2163-1: PHP vulnerability – 7th April 2014
PHP’s embedded libmagic library incorrectly handled PE executables. An attacker could use this issue to cause PHP to crash, resulting in a denial of service.
USN-2162-1: file vulnerability – 7th April 2014
File incorrectly handled PE executable files. An attacker could use this issue to cause file to crash, resulting in a denial of service.
USN-2161-1: libyaml-libyaml-perl vulnerabilities – 3rd April 2014
libyaml-libyaml-perl incorrectly handled certain large YAML documents. An attacker could use this issue to cause libyaml-libyaml-perl to crash, resulting in a denial of service, or possibly execute arbitrary code.
USN-2160-1: LibYAML vulnerability – 3rd April 2014
LibYAML incorrectly handled certain malformed YAML documents. An attacker could use this issue to cause LibYAML to crash, resulting in a denial of service, or possibly execute arbitrary code.
USN-2159-1: NSS vulnerability – 2nd April 2014
NSS incorrectly handled wildcard certificates when used with internationalized domain names. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to spoof SSL servers.
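USN-2167-1 (libcurl accepting wildcard certificates against literal IP addresses) and USN-2159-1 (NSS mishandling wildcards in internationalized domain names) are two instances of the same problem: a loose wildcard rule in certificate name matching. The Python example below is added here as an illustration and is not libcurl's, NSS's or the original post's code. It places a deliberately permissive matcher of the kind those advisories describe beside a strict, RFC 6125-style matcher that only accepts `*` as the entire leftmost label, never matches wildcards against IP literals, never matches a wildcard embedded inside a label (IDNA `xn--` A-labels included) and never lets one `*` span several labels. The strict policy is the one browsers apply and goes slightly beyond the two specific bugs; the host and pattern values are constructed.

```python
import ipaddress


def _is_ip_literal(name: str) -> bool:
    """True when the reference identifier is an IPv4/IPv6 literal, not a DNS name."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def hostmatch_permissive(pattern: str, host: str) -> bool:
    """Loose matcher illustrating the advisories' flaw (constructed, not vendor code).

    '*' anywhere in the leftmost label matches any run of characters, and no
    distinction is made between DNS names and IP literals.
    """
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    first_p, first_h = p_labels[0], h_labels[0]
    if "*" in first_p:
        prefix, _, suffix = first_p.partition("*")
        if not (first_h.startswith(prefix) and first_h.endswith(suffix)
                and len(first_h) >= len(prefix) + len(suffix)):
            return False
    elif first_p != first_h:
        return False
    return p_labels[1:] == h_labels[1:]


def hostmatch_strict(pattern: str, host: str) -> bool:
    """RFC 6125-style matcher as browsers implement it.

    Rules enforced:
      * an IP literal (host or pattern) is compared exactly; wildcards never apply;
      * at most one '*', and it must be the whole leftmost label;
      * the wildcard needs at least two literal labels after it (*.example.com,
        not *.com);
      * '*' matches exactly one non-empty label, so *.example.com does not
        match a.b.example.com.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if _is_ip_literal(host) or _is_ip_literal(pattern):
        return pattern == host
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if pattern.count("*") != 1 or p_labels[0] != "*":
        return False  # embedded wildcard such as xn--*-kva or f*o is refused
    if len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


if __name__ == "__main__":
    cases = [
        ("*.example.com", "www.example.com"),
        ("*.168.1.1", "192.168.1.1"),            # wildcard vs IP literal
        ("xn--*-kva.example.com", "xn--bcher-kva.example.com"),  # wildcard inside an A-label
        ("*.example.com", "a.b.example.com"),
    ]
    for pat, hst in cases:
        print(f"{pat:28} {hst:28} permissive={hostmatch_permissive(pat, hst)!s:5} "
              f"strict={hostmatch_strict(pat, hst)}")
```

The permissive matcher accepts the IP-literal and embedded-IDN-wildcard cases that the advisories describe, while the strict one rejects them and still accepts ordinary `*.example.com` certificates.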
USN-2158-1: Linux kernel (Raring HWE) vulnerabilities – 1st April 2014
An error in the Linux kernel’s ansi cprng random number generator makes it easier for a local attacker to break cryptographic protections.
Other Linux vendors released comparable patches.