2013 tech in review

This is the season for giving, and software vendors must be feeling extra generous this year. Microsoft gifted us with 11 patches, Mozilla dropped 14 updates for Firefox down the chimney, and Adobe wrapped up a shiny package with Priority 1 fixes for Flash, AIR and Shockwave. So what else might we find under the tree from other software companies?

In this article, I’ll bring you up to date on updates released by some of the major software vendors as of December 19th. Because of the holiday schedules, I’m preparing this round-up earlier than usual, so any important patches that are released after that date will be addressed in special “one off” posts or will be included in next month’s roundup.

Apple

Mavericks (OS X 10.9), the current version of the Mac operating system, received its first point update, OS X 10.9.1, on December 16. It bundles a new version of Safari (7.0.1) that patches security vulnerabilities in the web browser. Non-security fixes in the Mavericks update include Gmail support and other fixes for the Mail application, an issue that could cause repeated prompts to unlock the "Local Items" keychain, several problems affecting non-English languages, and, in Safari, issues with filling out forms, improved credit card autofill compatibility with web sites, better VoiceOver compatibility with Facebook, and updating of Shared Links in the Safari sidebar.

The security-specific fixes include:

  • A credential disclosure vulnerability in the autofill feature: Safari could autofill saved user names and passwords into a subframe served from a different domain than the top-level page, so a malicious site embedding a login page in an iframe could receive credentials the user never intended to send it.
  • Multiple memory corruption issues in WebKit that could lead to arbitrary code execution or an unexpected termination (crash) when a user visited a malicious web site.

The Safari fixes are also available separately from the Mavericks update for the browser running on OS X 10.7.5 (Lion) and 10.8.5 (Mountain Lion), as Safari 6.1.1.

For more information and to get the updates, see the Apple Support web site.

Google

Early this month, Google released an update to its Android mobile OS, KitKat 4.4.1, which as usual rolled out first over the air to Nexus devices. Less than a week later, some Nexus 4, 5 and 7 devices received another OS update, version 4.4.2. Interestingly, users whose devices were upgraded to 4.4.2 discovered that something was missing: the App Ops feature, which let you individually control which permissions you granted to specific apps. Google said the feature was experimental and had been released "by accident," and that it was removed because it could break apps. There has been quite a bit of backlash in the tech press about the removal of this privacy feature. Third-party solutions that provide the same sort of control are available, but they require rooting the device, which itself weakens the platform's security model.

For those lucky few who happen to be testing Google Glass, the company's wearable computer that takes the form of eyeglasses, an update was released this week that includes (along with other non-security features) a screen lock, so that nobody else can use the device until the owner unlocks it.

There have been no major updates to the Chrome browser this month, although a beta update for the mobile browser was released for those adventurous folks who can’t wait for general release.

Cisco IOS

Cisco has published 27 security notices so far in December covering issues in its products that the company judged not serious enough to warrant a full Security Advisory. You can find these listed on the Cisco web site. The company has issued no Security Advisories thus far this month.

Oracle

Oracle has released no Critical Patch Updates or Security Alerts in December. Its regular quarterly Critical Patch Update is scheduled for January 14, 2014.

Linux

SUSE released a number of security updates for its products, but only two are rated critical, and both are for Ruby: the first, for ruby, was released December 5, and the second, for ruby19, on December 16. Both address a heap overflow in floating-point parsing, which means any application that converts untrusted strings to floats with a vulnerable interpreter is exposed. You can find the full list of updates on the SUSE web site.

Red Hat has likewise released a number of non-critical updates for Red Hat Enterprise Linux, along with two critical updates. One is the Firefox update referenced in a separate blog post. The other is an update to the php53 and php packages that addresses a memory corruption vulnerability in PHP, the HTML-embedded scripting language commonly run under the Apache web server. You can find the full list of updates on the Red Hat web site, where you can also check updates for the other Red Hat Enterprise Linux editions.

Ubuntu has released 24 security notices as of December 19th, covering vulnerabilities in the Linux kernel, PHP, Samba, GIMP and other components, as well as Thunderbird and Firefox. The Ubuntu site does not rate the severity of the vulnerabilities. The issues fixed in the kernel update include an information leak in ICMP messages, vulnerabilities in the Human Interface Device (HID) subsystem, a flaw in the device-mapper snapshot facility, and a flaw in the handling of IPv6 UDP fragmentation offloading. You can see a full list of security notices and updates on the Ubuntu web site.

Debian issued 16 security advisories between December 1 and December 19. They address vulnerabilities across a number of different software components, including heap and integer overflows, denial of service, privilege escalation, buffer overflows, restriction bypass, a side-channel attack and command injection. You can find the list on the Debian web site.
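Each Ubuntu and Debian notice names the package version that carries the fix, so the practical question on a fleet is whether the installed version is older than the fixed one. That comparison has to follow dpkg's ordering rules rather than plain string order: digit runs compare numerically (1.10 is newer than 1.9), a leading epoch such as 2: outranks everything after it, the part after the last hyphen is the Debian revision, and a tilde sorts before anything, even an empty string, so 1.0~rc1 is older than 1.0. The following is an added example of that check, written for this round-up and not taken from the page, dpkg or any distribution's tooling; it reimplements dpkg's verrevcmp ordering in Python, and the installed-package and fixed-version tables are constructed sample data, not real advisory versions.

```python
# Added example: dpkg-style version comparison used to flag packages that
# are still below the version named in a security notice.
# The version ordering follows dpkg's verrevcmp algorithm; the package data
# below is constructed for illustration and does not reflect real advisories.


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit segment (dpkg rules).

    Digits are handled elsewhere, letters sort by ASCII, '~' sorts before
    everything including end-of-string, and other punctuation sorts after letters.
    """
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _char(s: str, i: int) -> str:
    return s[i] if i < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings; <0, 0 or >0."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Compare the non-digit prefix character by character.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac, bc = _order(_char(a, ia)), _order(_char(b, ib))
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Compare the digit run numerically: strip leading zeros, then the
        # longer run wins, otherwise the first differing digit decides.
        while _char(a, ia) == "0":
            ia += 1
        while _char(b, ib) == "0":
            ib += 1
        while _char(a, ia).isdigit() and _char(b, ib).isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if _char(a, ia).isdigit():
            return 1
        if _char(b, ib).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def unpatched(installed: dict, fixed: dict) -> list:
    """Names of installed packages whose version is below the fixed version."""
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)


# Constructed sample data (hypothetical versions, not real advisories).
INSTALLED = {
    "linux-image-generic": "3.11.0.13.14",
    "php5": "5.5.3+dfsg-1ubuntu2",
    "samba": "2:4.0.3+dfsg-4ubuntu1",
    "gimp": "2.8.6-1ubuntu1",
}
FIXED = {
    "linux-image-generic": "3.11.0.14.15",
    "php5": "5.5.3+dfsg-1ubuntu2.1",
    "samba": "2:4.0.3+dfsg-4ubuntu1",  # already at the fixed version
    "gimp": "2.8.6-1ubuntu1.1",
}

if __name__ == "__main__":
    for name in unpatched(INSTALLED, FIXED):
        print(f"{name}: installed {INSTALLED[name]} < fixed {FIXED[name]}")
```

On a real host the INSTALLED table would be built from `dpkg-query -W -f '${Package} ${Version}\n'` and the FIXED table from the package versions quoted in the notices; the comparison function is the part that is easy to get wrong, and the epoch, tilde and numeric-run cases above are exactly where a naive string comparison gives the wrong answer.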

Summary

We’re quickly approaching the end of this year and it’s been a big one for patching. That’s both a good thing and a bad thing. It’s good because it means software vendors are working hard to fix security holes in their products, and each patch we apply makes our networks and systems a little more secure. It’s a bad thing because it involves a lot of work, and in a few instances the “cure” can even prove to be worse than the “disease,” breaking functionality and requiring that we spend even more time “fixing the fix.”  I wish I could say it will get better in the new year, but chances are we’ll be seeing more of the same as attackers, too, work overtime to discover and exploit new vulnerabilities.  Here’s wishing you happy patching and happy holidays!