This is the beginning of a brand new year for software vendors and IT pros, both of whom probably share the same wish for 2014: fewer new vulnerabilities and hence a need for fewer patches. Vendors work hard to make their programs as secure as possible “out of the box” (although that term is becoming antiquated, given that software is rarely bought in boxes anymore).
Most major software vendors (including big names such as Microsoft, Adobe, EMC, Google, Symantec, SAP, VMware and many more) belong to the BSIMM (Building Security in Maturity Model) group, which is dedicated to helping companies develop the best software security initiatives. Microsoft, for example, has adopted the Security Development Lifecycle (SDL) process for establishing best practices to create more secure software.
Yet despite all these efforts, vulnerabilities inevitably slip through. This isn’t surprising, considering the complexity of today’s operating systems and applications and the sheer number of lines of code involved, which easily reaches into the millions. Windows 7, for instance, has around 40 million (about 10 million fewer than Vista), while Mac OS X “Tiger” is estimated to have more than twice that number.
This means we probably aren’t going to see a zero-patch month anytime soon. Microsoft began the year with a relatively light slate of four patches, as I reported in this blog on January 15th, but experience leads us to fear that might very well be the “calm before the storm”, as one commenter put it. Oracle, on the other hand, came roaring into 2014 with an incredible 144 fixes, 36 of which were for Java. Let’s look at what we got from other vendors.
Like Microsoft, Apple has been letting us take it easy this month. They’ve released only two patches, both of which are of concern due to the possibility of arbitrary code execution.
- The first update was released on January 22, for iTunes running on OS X 10.6.8 or later and on Windows XP, Vista, 7 or 8. Since many computer users have iTunes installed on their Macs or Windows computers, the exposure could be widespread. It sounds innocuous at first: the vulnerability could allow an attacker to control the contents of the iTunes tutorial window. On a Mac, this could result in the injection of arbitrary content. On a Windows machine, however, an attacker can exploit this vulnerability to achieve arbitrary code execution if a user views a maliciously crafted movie file. The update fixes the problem by changing how text tracks are validated.
- An update for OS X 10.9 and later and for iOS 7 or later that was released on January 23 applies to Apple Pages versions 5.1 and 2.1. Pages is Apple’s free word processing alternative to Microsoft Word, and there are versions for both iOS and OS X. It’s compatible with the file formats used by Word and can open Word documents – and therein lies this particular security problem. If a maliciously crafted Word doc is opened by one of the affected versions of Pages, it can crash the application (which isn’t such a big deal) or it could allow arbitrary execution of code, which is a much more serious matter. The update fixes the problem by improving the way memory is managed in the handling of Word documents.
Adobe released three sets of updates this month, including one that affects Adobe Reader, which is installed on millions of computers worldwide. Even though I normally use an alternate PDF reader, I recently had no choice but to install Reader on one of my computers because the government web site from which I needed to print a file would display it only in Reader. Many systems come from OEMs with Reader already installed.
- On January 14, Adobe released updates for both Adobe Reader and Acrobat for Windows and Mac. This applies to Reader X and XI (versions 10.x and 11.x) and to Acrobat Standard and Pro. The update is rated priority 1, which means the vulnerabilities are at high risk of being targeted. Exploitation could result in an attacker taking control of the system. Because of the widespread exposure, this is a serious matter that IT admins need to address as soon as possible. The updates fix the problem by addressing memory corruption vulnerabilities and a use-after-free vulnerability, any of which can result in execution of code.
- Also on January 14, Adobe released an update for Flash Player and Adobe AIR. This affects Flash and AIR for Windows, Mac, Linux and Android. It has a priority 1 rating for most versions of Flash Player and a priority 3 rating (Adobe’s lowest) for AIR. At the time of release, Adobe said they were not aware of any active exploits, but the vulnerabilities could potentially be used to crash the system and/or take control of the machine. The updates fix the problem by plugging a hole that can be used to bypass Flash security and by resolving an address leak that an attacker could use to circumvent address space layout randomization (ASLR), a security feature that makes buffer overflow exploits harder to carry out.
- On January 22, Adobe released an update for Adobe Digital Editions for Windows and Mac. This is software that’s used to purchase, download, view and manage ebooks and other digital publications. This vulnerability, like the others, has the potential to allow attackers to crash the system and/or take control of it. The priority rating is a 3 because this product has not historically been a target for attackers, but the severity rating is critical. The update fixes the problem by resolving a memory corruption vulnerability.
Google released an update for its Chrome web browser running on Windows, Mac, Linux and Chrome Frame on January 28, which addresses multiple vulnerabilities, including a denial of service (DoS) vulnerability and flaws that could allow an attacker to bypass security restrictions that were set on the browser. The latest version for Windows is 32.0.1700.102.
A new version of Chrome for iOS was also released this month, with security enhancements. It includes Safe Browsing for protecting against malware, which warns you when you are about to visit a site it has flagged as dangerous.
Two extensions for Chrome were removed from Google’s store earlier in January because they included adware code.
Cisco released five security updates in January, most of which apply to Cisco Telepresence components. These include:
- A vulnerability in the Telepresence ISDN Gateway could allow an unauthenticated remote attacker to create a denial of service that would terminate all current calls and prevent users from making any new calls. All releases of the product prior to 2.2(1.92) are affected. The update fixes the problem by changing the way Q.931 STATUS messages are handled.
- A vulnerability in the Telepresence System Software could allow an unauthenticated attacker to execute arbitrary commands with root user privileges. To exploit the vulnerability, an attacker would send a specially crafted XML-RPC message. The update fixes this problem by changing the validation of parameters that are passed to the SSCD code using an XML remote procedure call.
- A vulnerability in the SIP module of the Telepresence Video Communication Server (VCS) could allow an unauthenticated remote attacker to cause a denial of service by dropping active calls and preventing users from making new calls. This affects both VCS hardware and virtual appliances. The vulnerability is triggered by specially crafted SDP (Session Description Protocol) messages sent over UDP or TCP. The update fixes the problem by changing the handling of such SDP messages.
- Multiple vulnerabilities in Cisco’s Secure Access Control System (ACS) include a privilege escalation vulnerability in the RMI (Remote Method Invocation) interface, an unauthenticated user access vulnerability in the same interface, and a system command injection vulnerability in the web interface. Exploiting these vulnerabilities could allow an authenticated remote attacker to perform superadmin functions, an unauthenticated remote attacker to perform administrative functions, or an authenticated remote attacker to inject operating system level commands. The update fixes these problems by improving authorization enforcement and input validation.
- A vulnerability in certain models of Cisco wireless access points and routers can allow an unauthenticated remote attacker to obtain root level access to the device. This applies to the RVS4000 4-port gigabit security router, the WRVS4400N Wireless-N gigabit security router and the WAP4410 Wireless-N Access Point. The update fixes the problem by closing the hole caused by an undocumented test interface in the TCP service.
Ubuntu released 28 security updates for Ubuntu Linux between January 1 and January 27, including 13 kernel vulnerabilities, Puppet-related vulnerabilities, and vulnerabilities in a number of other components. Consequences of exploits range from system crashes to execution of arbitrary code. You can find a full list of the updates that affect currently supported releases of Ubuntu here: