Maybe it’s just the lazy days of summer, but this month seemed to go by more slowly than most. It feels as if July Patch Tuesday was a long time ago. But we’re finally nearing the end, and it’s time to round up the past few weeks’ third party patches and new vulnerability disclosures. There have been several interesting ones this time, so let’s skip the formalities and get right down to business. We’ll start with a follow-up on a Microsoft patch that caused some problems.

Microsoft Patch Tuesday Follow-up

The Internet Explorer cumulative roll-up that was issued on July 8 (MS14-037) has been reported to conflict with InstallShield 2012 and 2013, causing them to crash on startup after the patch is applied. The problem is related to handling of .HTM files. Flexersoft, which makes InstallShield, issued a warning and also posted a workaround.

Apple

As of the date of this writing (July 28), Apple has not released any security updates since the four that came out on June 30. This is the first month in at least a year that the company has released no updates at all. That doesn’t mean that Apple vulnerabilities haven’t been in the headlines, though. As I discussed in some detail in my blog post Poisoned Apple: Is iOS Intentionally Insecure?, a recent paper from security researcher Jonathan Zdziarski reveals that the iPhone and iPad operating system has built-in “back doors” to allow the company to access personal data in the default apps such as users’ call histories, SMS messages, photos, videos, audio recordings, and contacts – and others may be able to exploit the vulnerability to access even more. Apple first denied the claims and then, according to a report from Reuters, admitted to the security flaw. It’s been pointed out that CALEA (the U.S. Communications Assistance for Law Enforcement Act that was passed during the Clinton administration) actually requires the company to build in surveillance capabilities. Meanwhile in China, the Chinese state broadcast medium has targeted the location-tracking feature in iPhones and called it a “national security threat.” While all this is going on, Apple has reportedly applied for a patent for technology that detects behavior patterns of users and stores them. The purpose is to prevent unauthorized use, but some privacy advocates are bound to see this as intrusive. Whether justified or not, Apple has been in the crosshairs of the security folks this month.

Adobe

Adobe released only one update this month, APSB14-17. Not surprisingly, it was for the “usual suspect,” Adobe Flash Player. This includes Flash on all three of the major operating systems – Windows, Linux and Mac. The vulnerability is a serious one that could potentially allow an attacker to take control of the system, and has a severity rating of 1 for Windows and Mac, IE 11 and Chrome for Windows, Linux and Mac. It’s rated 3 for Linux. Some popular sites, such as Google services, Twitter, eBay and Instagram, were targeted before the release of the update. You can find details about the vulnerability and how the attack scenario works in Michele Spagnuolo’s blog.

Google

Chrome v.36 was released as a stable channel update on July 16, fixing 26 security issues, including a wildcard DNS issue and a problem that could enable web sites to carpet bomb with external protocol dialogs. The Chrome operating system was updated to version 36.0.1985.126 on a number of Chromebook devices; this fixed several security issues as well as adding some feature enhancements. Google released an update for Chrome for Android on July 25 that fixes a problem with WebRTC permissions. It’s not just the software on your local computers that is prone to vulnerabilities, of course. Cloud services have them, too. This month Google fixed a vulnerability in the Google Drive cloud storage service that could be exploited if the user uploaded a shared file in original format and changed the share settings to be visible to anyone with a link. The doc also had to contain an HTTPS link or links to third party sites. All of those criteria had to be met in order for the vulnerability to exist, so the risk wasn’t high, but if this “perfect storm” of circumstances came about, unauthorized persons might be able to see the URL of the original document. Google also laid out steps that could be taken to protect links that had already been shared before the fix.

Oracle

Oracle is on a quarterly release cycle, and July is the month for updates. This month, they released a cumulative update that contains 113 new vulnerability fixes for a wide variety of their products, including Oracle Database, Fusion Middleware, E-Business Suite, Oracle Supply Chain, PeopleSoft, Siebel, Oracle Communications Messaging Server, Oracle Retail products, Java SE, Oracle Linux and Virtualization and the Oracle MySQL product suite. Five of the security fixes are for Oracle Database Server and one of them can be exploited remotely without authentication. Twenty-nine fixes are for Fusion Middleware and a whopping twenty-seven of them can be remotely exploited without authentication. There are seven fixes for Oracle Hyperion, with two of them exploitable without authentication. Five fixes are for PeopleSoft with one that can be remotely exploited without authentication. There are twenty security issues fixed in Java SE and all twenty of the vulnerabilities can be remotely exploited without authentication. This is a summary of the updates for the most popular Oracle products. For the full list and details on the vulnerabilities and risk matrices, see the Oracle web site.

Linux

As usual, popular Linux distros saw a plethora of security updates released this month. Ubuntu issued 36 patches between July 2 and July 24 (four more than last month), with July 16 being a particularly heavy day. Other commercial Linux vendors issued similar updates.

1.      USN-2301-1: Jinja2 vulnerabilities – July 24, 2014 It was discovered that Jinja2 incorrectly handled temporary cache files and directories. A local attacker could use this issue to possibly gain privileges.

2.      USN-2300-1: LZO vulnerability – July 24, 2014 Don A. Bailey discovered that LZO incorrectly handled certain input data. An attacker could use this issue to cause LZO to crash, resulting in a denial of service, or possibly execute arbitrary code.

3.      USN-2298-1: Oxide vulnerabilities – July 23, 2014 A type confusion bug was discovered in V8. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process.

4.      USN-2299-1: Apache HTTP Server vulnerabilities – July 23, 2014 Marek Kroemeke discovered that the mod_proxy module incorrectly handled certain requests. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS.

USN-2296-1: Thunderbird vulnerabilities – July 22, 2014 Christian Holler, David Keeler and Byron Campen discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.

5.      USN-2295-1: Firefox vulnerabilities – July 22, 2014 Christian Holler, David Keeler, Byron Campen, Gary Kwong, Jesse Ruderman, Andrew McCreight, Alon Zakai, Bobby Holley, Jonathan Watt, Shu-yu Guo, Steve Fink, Terrence Cole, Gijs Kruitbosch and Cătălin Badea discovered multiple memory safety issues in Firefox.

6.      USN-2297-1: acpi-support vulnerability – July 22, 2014 CESG discovered that acpi-support incorrectly handled certain privileged operations when checking for power management daemons. A local attacker could use this flaw to execute arbitrary code and elevate privileges to root.

7.      USN-2294-1: Libtasn1 vulnerabilities – July 22, 2014 It was discovered that Libtasn1 incorrectly handled certain ASN.1 data structures. An attacker could exploit this with specially crafted ASN.1 data and cause applications using Libtasn1 to crash, resulting in a denial of service. (CVE-2014-3467) It was discovered that Libtasn1 incorrectly handled negative bit lengths.

8.      USN-2293-1: CUPS vulnerability – July 21, 2014 Francisco Alonso discovered that the CUPS web interface incorrectly validated permissions on rss files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation.

9.      USN-2292-1: LWP::Protocol::https vulnerability – July 17, 2014 It was discovered that the LWP::Protocol::https perl module incorrectly disabled peer certificate verification completely when only hostname verification was requested to be disabled. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could possibly be exploited in certain scenarios to alter or compromise confidential information.

10.  USN-2291-1: MySQL vulnerabilities – July 17, 2014 Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.38. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

11.  USN-2290-1: Linux kernel vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges.

12.  USN-2289-1: Linux kernel vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges.

13.  USN-2288-1: Linux kernel (Trusty HWE) vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges. (CVE-2014-4943) Salva Peiró discovered an information leak in the Linux kernel’s media-device driver.

14.  USN-2287-1: Linux kernel (Saucy HWE) vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges.

15.  USN-2286-1: Linux kernel (Raring HWE) vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges.

16.  USN-2285-1: Linux kernel (Quantal HWE) vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges.

17.  USN-2284-1: Linux kernel (OMAP4) vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges. (CVE-2014-4943) Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors.

18.  USN-2283-1: Linux kernel vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges. (CVE-2014-4943) Michael S. Tsirkin discovered an information leak in the Linux kernel’s segmentation of skbs.

19.  USN-2282-1: Linux kernel vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges. (CVE-2014-4943) A flaw was discovered in the Linux kernel’s audit subsystem when auditing certain syscalls.

20.  USN-2281-1: Linux kernel (EC2) vulnerabilities – July 16, 2014 Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges.

21.  USN-2280-1: MiniUPnPc vulnerability – July 16, 2014 It was discovered that MiniUPnPc incorrectly handled certain buffer lengths. A remote attacker could possibly use this issue to cause applications using MiniUPnPc to crash, resulting in a denial of service.

22.  USN-2279-1: Transmission vulnerability – July 16, 2014 Ben Hawkes discovered that Transmission incorrectly handled certain peer messages. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.

23.  USN-2278-1: file vulnerabilities – July 15, 2014 Mike Frysinger discovered that the file awk script detector used multiple wildcards with unlimited repetitions. An attacker could use this issue to cause file to consume resources, resulting in a denial of service. (CVE-2013-7345) Francisco Alonso discovered that file incorrectly handled certain CDF documents.

24.  USN-2277-1: Libav vulnerabilities – July 15, 2014 It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.

25.  USN-2276-1: PHP vulnerabilities – July 9, 2014 Francisco Alonso discovered that the PHP Fileinfo component incorrectly handled certain CDF documents. A remote attacker could use this issue to cause PHP to hang or crash, resulting in a denial of service. (CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487) Stefan Esser discovered that PHP incorrectly handled unserializing SPL extension objects.

26.  USN-2275-1: DBus vulnerabilities – July 8, 2014 Alban Crequy discovered that dbus-daemon incorrectly sent AccessDenied errors to the service instead of the client when enforcing permissions. A local user can use this issue to possibly deny access to the service. (CVE-2014-3477) Alban Crequy discovered that dbus-daemon incorrectly handled certain file descriptors.

27.  USN-2274-1: Linux kernel vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

28.  USN-2273-1: Linux kernel vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

29.  USN-2272-1: Linux kernel (Trusty HWE) vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

30.  USN-2271-1: Linux kernel (Saucy HWE) vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

31.  USN-2270-1: Linux kernel (Raring HWE) vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

32.  USN-2269-1: Linux kernel (Quantal HWE) vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

33.  USN-2268-1: Linux kernel vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

34.  USN-2267-1: Linux kernel (EC2) vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

35.  USN-2266-1: Linux kernel vulnerability – July 5, 2014 Andy Lutomirski discovered a flaw with the Linux kernel’s ptrace syscall on x86_64 processors. An attacker could exploit this flaw to cause a denial of service (System Crash) or potentially gain administrative privileges.

36.  USN-2265-1: NSPR vulnerability – July 2, 2014 Abhishek Arya discovered that NSPR incorrectly handled certain console functions. A remote attacker could use this issue to cause NSPR to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service.