As we reported (in several blog posts, as the situation unfolded), Microsoft’s batch of second-Tuesday patches this month resulted in ongoing problems that led to revocations and re-releases and some very unhappy computer users and IT admins. On the third party front, things were a little quieter – and that’s a very good thing. Having to deal with one set of patch problems at the same time that many are saying goodbye to summer and preparing for the start of a new school year is quite enough stress.
Last month, Apple issued no security updates, despite the fact that Apple vulnerabilities were in the headlines thanks to security researcher Jonathan Zdziarski’s paper regarding iOS “back doors” and how they could be exploited. That apparently didn’t inspire the company to issue any patches for the mobile operating system. We have only one security update this month from Apple, and it’s for their desktop OS web browser.
On August 13, Apple released a patch for Safari versions 6.1.6 and 7.06, running on OS X Lion, Mountain Lion and Mavericks (versions 10.7.5, 10.8.5 and 10.9.4). Although Apple doesn’t assign a severity rating to their security updates as other vendors do, this should be considered a critical update since the result of an exploit can be arbitrary execution of code. The exploit would come about as a result of the user visiting a maliciously crafted web site and could also lead to unexpected application termination.
The problem is multiple memory corruption issues that exist in WebKit. WebKit is the OS X system framework version of an open source web browser engine, which is used by Safari as well as other OS X applications. There are seven separate vulnerabilities involved, five of which were discovered by Apple, one that was reported by the Google Chrome Security Team and one by an anonymous researcher.
The security update improves the way memory is handled to fix the problem.
Adobe issued two security updates this month, both on August 12 (Patch Tuesday) in keeping with the company’s usual practice of timing its releases to correspond with Microsoft’s monthly updates.
Update APSB14-19 is an update for Adobe Reader and Adobe Acrobat XI and earlier, running on the Windows operating systems. The affected software includes Reader XI (version 11.0.07) and Reader X (version 10.1.10) and earlier, as well as Acrobat XI (version 11.0.07) and Acrobat X (version 10.1.10) and earlier, for Windows. Adobe Reader and Acrobat running on non-Microsoft operating systems are not affected.
The update addresses one critical vulnerability, which was reported by researchers at Kaspersky Labs, the exploit of which could result in an attacker circumventing the sandbox protection on Windows machines. Adobe has assigned this update a priority 1 severity rating on all products.
Update APSB14-18 is an update for Adobe Flash Player running on all three major operating systems: Windows, OS X and Linux. It addresses eight different vulnerabilities that were reported by several different security researchers.
The vulnerabilities include memory leakage issues that could be exploited by an attacker to bypass memory address randomization, a security bypass vulnerability, and a use-after-free vulnerability that could lead to arbitrary code execution. The update resolves these issues, adds a new validation check to handle specially crafted SWF content, and prevents Flash Player from being used for cross-site request forgery attacks.
On August 26, Google released a stable channel update of Chrome version 37 (version 37.0.2062.94) for Windows, Mac and Linux. This update contains a total of fifty security fixes. Those discovered by external researchers include one critical vulnerability that could lead to remote code execution, four high priority vulnerabilities (three use-after-free vulnerabilities and one extension permission dialog spoofing vulnerability) and three medium priority vulnerabilities. The total also includes bugs discovered by Google’s internal security team.
Oracle is on a quarterly release cycle, and July was the most recent month for updates. The next updates are scheduled to be released on October 14.
As usual, popular Linux distros saw a large number of updates issued in August. Ubuntu issued 26 patches between August 1 and August 27. This was ten fewer than in July. Other commercial Linux vendors issued similar updates.
• USN-2327-1: Squid 3 vulnerability – 27th August 2014. Matthew Daley discovered that Squid 3 did not properly perform input validation in request parsing. A remote attacker could send crafted Range requests to cause a denial of service. CVE-2014-3609
• USN-2319-2: OpenJDK 7 regression – 25th August 2014. USN-2319-1 fixed vulnerabilities in OpenJDK 7. Due to an upstream regression, verifying of the init method call would fail when it was done from inside a branch when stack frames are activated. This update fixes the problem. LP: 1360392
• USN-2325-1: OpenStack Nova vulnerability – 21st August 2014. Alex Gaynor discovered that OpenStack Nova would sometimes respond with variable times when comparing authentication tokens. If nova were configured to proxy metadata requests via Neutron, a remote authenticated attacker could exploit this to conduct timing attacks and ascertain configuration details of another instance. CVE-2014-3517
• USN-2324-1: OpenStack Keystone vulnerabilities – 21st August 2014. Steven Hardy discovered that OpenStack Keystone did not properly handle chained delegation. A remote authenticated attacker could use this to gain privileges by creating a new token with additional roles. (CVE-2014-3476) Jamie Lennox discovered that OpenStack Keystone did not properly validate the project id. CVE-2014-3476 CVE-2014-3520 CVE-2014-5251 CVE-2014-5252 CVE-2014-5253
• USN-2323-1: OpenStack Horizon vulnerabilities – 21st August 2014. Jason Hullinger discovered that OpenStack Horizon did not properly perform input sanitization on Heat templates. If a user were tricked into using a specially crafted Heat template, an attacker could conduct cross-site scripting attacks. CVE-2014-3473 CVE-2014-3474 CVE-2014-3475 CVE-2014-3594
• USN-2322-1: OpenStack Glance vulnerability – 21st August 2014. Thomas Leaman and Stuart McLaren discovered that OpenStack Glance did not properly honor the image_size_cap configuration option. A remote authenticated attacker could exploit this to cause a denial of service via disk consumption. CVE-2014-5356
• USN-2321-1: OpenStack Neutron vulnerabilities – 21st August 2014. Liping Mao discovered that OpenStack Neutron did not properly handle requests for a large number of allowed address pairs. A remote authenticated attacker could exploit this to cause a denial of service. (CVE-2014-3555) Zhi Kun Liu discovered that OpenStack Neutron incorrectly filtered certain tokens. CVE-2014-3555 CVE-2014-4615
• USN-2311-2: OpenStack Ceilometer vulnerability – 21st August 2014. USN-2311-1 fixed vulnerabilities in pyCADF. This update provides the corresponding updates for OpenStack Ceilometer. Original advisory details: Zhi Kun Liu discovered that pyCADF incorrectly filtered certain tokens. An attacker could possibly use this issue to obtain authentication tokens used in REST requests. CVE-2014-4615
• USN-2320-1: Oxide vulnerabilities – 20th August 2014. A use-after-free was discovered in the websockets implementation in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash. CVE-2014-3165 CVE-2014-3166 CVE-2014-3167 LP: 1356372
• USN-2319-1: OpenJDK 7 vulnerabilities – 19th August 2014. Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. CVE-2014-2483 CVE-2014-2490 CVE-2014-4209 CVE-2014-4216 CVE-2014-4218 CVE-2014-4219 CVE-2014-4221 CVE-2014-4223 CVE-2014-4244 CVE-2014-4252 CVE-2014-4262 CVE-2014-4263 CVE-2014-4264 CVE-2014-4266 CVE-2014-4268
• USN-2232-4: OpenSSL regression – 18th August 2014. USN-2232-1 fixed vulnerabilities in OpenSSL. One of the patch backports for Ubuntu 10.04 LTS caused a regression for certain applications. This update fixes the problem. LP: 1356843
• USN-2318-1: Linux kernel vulnerabilities – 18th August 2014. Eric W. Biederman discovered a flaw with the mediation of mount flags in the Linux kernel’s user namespace subsystem. An unprivileged user could exploit this flaw to bypass mount restrictions, and potentially gain administrative privileges. CVE-2014-5206 CVE-2014-5207
• USN-2317-1: Linux kernel (Trusty HWE) vulnerabilities – 18th August 2014. Eric W. Biederman discovered a flaw with the mediation of mount flags in the Linux kernel’s user namespace subsystem. An unprivileged user could exploit this flaw to bypass mount restrictions, and potentially gain administrative privileges. CVE-2014-5206 CVE-2014-5207
• USN-2316-1: Subversion vulnerabilities – 14th August 2014. Lieven Govaerts discovered that the Subversion mod_dav_svn module incorrectly handled certain request methods when SVNListParentPath was enabled. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. CVE-2014-0032 CVE-2014-3522 CVE-2014-3528
• USN-2315-1: serf vulnerability – 14th August 2014. Ben Reser discovered that serf did not correctly handle SSL certificates with NUL bytes in the CommonName or SubjectAltNames fields. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. CVE-2014-3504
• USN-2314-1: Linux kernel vulnerability – 13th August 2014. A flaw was discovered in the Linux kernel’s audit subsystem when auditing certain syscalls. A local attacker could exploit this flaw to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service. CVE-2014-3917
• USN-2313-1: Linux kernel (Trusty HWE) vulnerability – 13th August 2014. A flaw was discovered in the Linux kernel’s audit subsystem when auditing certain syscalls. A local attacker could exploit this flaw to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service. CVE-2014-3917
• USN-2312-1: OpenJDK 6 vulnerabilities – 12th August 2014. Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. CVE-2014-2490 CVE-2014-4209 CVE-2014-4216 CVE-2014-4218 CVE-2014-4219 CVE-2014-4244 CVE-2014-4252 CVE-2014-4262 CVE-2014-4263 CVE-2014-4266 CVE-2014-4268
• USN-2311-1: pyCADF vulnerability – 11th August 2014. Zhi Kun Liu discovered that pyCADF incorrectly filtered certain tokens. An attacker could possibly use this issue to obtain authentication tokens used in REST requests. CVE-2014-4615
• USN-2310-1: Kerberos vulnerabilities – 11th August 2014. It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. CVE-2012-1016 CVE-2013-1415 CVE-2013-1416 CVE-2013-1418 CVE-2013-6800 CVE-2014-4341 CVE-2014-4342 CVE-2014-4343 CVE-2014-4344 CVE-2014-4345
• USN-2309-1: Libav vulnerabilities – 11th August 2014. It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. LP: 1354755
• USN-2308-1: OpenSSL vulnerabilities – 7th August 2014. Adam Langley and Wan-Teh Chang discovered that OpenSSL incorrectly handled certain DTLS packets. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508 CVE-2014-3509 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512 CVE-2014-5139
• USN-2307-1: GPGME vulnerability – 6th August 2014. Tomáš Trnka discovered that GPGME incorrectly handled certain certificate line lengths. An attacker could use this issue to cause applications using GPGME to crash, resulting in a denial of service, or possibly execute arbitrary code. CVE-2014-3564
• USN-2306-2: GNU C Library regression – 5th August 2014. USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS, the security update caused a regression in certain environments that use the Name Service Caching Daemon (nscd), such as those configured for LDAP or MySQL authentication. LP: 1352504
• USN-2306-1: GNU C Library vulnerabilities – 4th August 2014. Maksymilian Arciemowicz discovered that the GNU C Library incorrectly handled the getaddrinfo() function. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 10.04 LTS. (CVE-2013-4357) It was discovered that the GNU C Library incorrectly handled the getaddrinfo() function. CVE-2013-4357 CVE-2013-4458 CVE-2014-0475 CVE-2014-4043
• USN-2305-1: Samba vulnerability – 1st August 2014. Volker Lendecke discovered that the Samba NetBIOS name service daemon incorrectly handled certain memory operations. A remote attacker could use this issue to execute arbitrary code as the root user. CVE-2014-3560
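
The serf advisory above (USN-2315-1) concerns NUL bytes in certificate name fields. The C code below is an added illustration, not taken from serf or from the original post, of the general class of bug behind such advisories: a length-prefixed name compared as a C string, next to a length-aware check. The `cert_name` struct, the function names and the sample host names are all hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A name entry as stored in a certificate: raw bytes plus an explicit length
   (ASN.1 strings are length-prefixed, not NUL-terminated). Hypothetical type. */
struct cert_name { const char *data; size_t len; };

/* Flawed pattern: the entry is treated as a C string, so the comparison
   stops at the first NUL and never sees the bytes that follow it. */
int match_as_cstring(const struct cert_name *n, const char *host)
{
    return strcasecmp(n->data, host) == 0;
}

/* Hardened pattern: refuse any entry containing a NUL, then compare
   over the full declared length. */
int match_length_aware(const struct cert_name *n, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(n->data, '\0', n->len) != NULL)
        return 0;                       /* embedded NUL: reject outright */
    if (n->len != hlen)
        return 0;
    return strncasecmp(n->data, host, hlen) == 0;
}

/* Constructed sample entries (not taken from any real certificate). */
static const char CRAFTED[] = "www.example.com\0.attacker.invalid";
static const char HONEST[]  = "www.example.com";

struct cert_name crafted_name(void)
{
    struct cert_name n = { CRAFTED, sizeof CRAFTED - 1 };
    return n;
}

struct cert_name honest_name(void)
{
    struct cert_name n = { HONEST, sizeof HONEST - 1 };
    return n;
}

int main(void)
{
    struct cert_name bad = crafted_name(), good = honest_name();
    printf("crafted, C-string match:     %d\n", match_as_cstring(&bad, "www.example.com"));
    printf("crafted, length-aware match: %d\n", match_length_aware(&bad, "www.example.com"));
    printf("honest,  length-aware match: %d\n", match_length_aware(&good, "www.example.com"));
    return 0;
}
```

The same check applies to each SubjectAltName entry as well as to the CommonName, since both are length-prefixed strings in the certificate.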