We’re well into summer and the longest day of the year has come and gone. But for IT pros, the longest days are often patch days, which involve testing, roll-out and, if you’re unlucky, troubleshooting problems caused by the patches. This month’s Patch Tuesday appeared to go fairly smoothly at first, until it was discovered that one of the Office 2013 updates released by Microsoft rendered Office applications unusable for a small percentage of users.

 

With Patch Tuesday behind us, now let’s take a look at the security updates that have been released by other software vendors over the course of the month. This covers the period through June 26, the date of this writing. The good news is that it has been a relatively light patching month for most vendors and products.

Apple

Apple seems to have taken this summer month off when it comes to patches: it has released no new security updates since the Safari patch that came out on May 21. This may be because the company has been focusing on new security features for iOS 8, such as randomizing the device MAC address during Wi-Fi scanning, in preparation for the launch of the iPhone 6.

 

Meanwhile, there are rumors that Apple will soon release an iOS update (7.1.2) that will fix a known issue with email attachment encryption and a lock screen vulnerability. The update has reportedly been distributed to carriers for testing, and a public release is expected around the first week of July.

 

And here’s something to be on the lookout for if you have BYOD users with iPhones: Chinese developers have released a jailbreak program for iOS 7.1.1. Jailbreaking removes the code-signing and sandbox restrictions that keep apps isolated from each other and from the system, so you won’t want jailbroken phones connecting to the corporate network.

Adobe

Adobe has issued only one security update thus far in June. Labeled APSB14-16, it was released on June 10 in Adobe’s usual Patch Tuesday cycle and addresses six vulnerabilities in Adobe Flash Player. It affects the following versions of Flash Player and AIR for Windows, Mac, Linux and Android:

 

  • Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.359 and earlier versions for Linux
  • Adobe AIR 13.0.0.111 SDK and earlier versions
  • Adobe AIR 13.0.0.111 SDK & Compiler and earlier versions
  • Adobe AIR 13.0.0.111 and earlier versions for Android
  • Adobe AIR 13.0.0.111 and earlier versions for Windows and Macintosh

 

The vulnerabilities could allow an attacker to take control of the affected system. Adobe gives the update a priority rating of 1 (install as soon as possible, ideally within 72 hours) for Flash Player on Windows and Mac, and a rating of 3 (install at your discretion) on Linux. Adobe AIR and the AIR SDK are also affected.

 

Photographers and digital artists may also be interested in the new release this month of Adobe’s Creative Cloud suite of apps. While not a security update, Adobe intimated that in addition to new features and functionalities, rigorous security mechanisms are incorporated into the software and services.

Google

On June 10, Google released an update for Chrome, version 35.0.1916.153, for the browser running on Windows, Mac and Linux. Two high-severity vulnerabilities – a use-after-free and an out-of-bounds read – are fixed, along with a medium-severity buffer overflow. All three were reported by external researchers. The internal team also fixed a heap overflow vulnerability for this release.

 

Chrome for Android was updated to version 35.0.1916.141 to address an OpenSSL issue.

 

On the same date, Google also released an update for Chrome OS that contains fixes for a memory corruption vulnerability and an SSL/TLS man-in-the-middle vulnerability.

 

On June 18, Google announced a new version of Chrome 35 for iPhone and iPad that was more of a bug fix than a security update.

Oracle

Oracle releases security updates on a quarterly basis, in January, April, July and October. There were no updates released this month. The next regularly scheduled updates are expected to be released in July.

Linux

As usual, popular Linux distros saw a plethora of security updates released this month. Ubuntu issued 32 security notices between June 2 and June 25; other Linux vendors issued similar updates. The Ubuntu notices are listed below, most recent first.

 

USN-2256-1: Swift vulnerability – 25th June 2014: John Dickinson discovered that Swift did not properly quote the WWW-Authenticate header value. If a user were tricked into navigating to a malicious Swift URL, an attacker could conduct cross-site scripting attacks.
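The Swift bug above is a classic header-injection-to-XSS chain: the account name taken from the request URL was interpolated into the WWW-Authenticate challenge as-is, so quotes and angle brackets ended up in the response. The following is an added illustration written for this roundup, not code from the Swift project; the function names, the minimal 401 response builder and the malicious account string are all constructed for the example. It shows the unquoted challenge beside a hardened version that percent-encodes the realm, plus a check you can run against the produced header value.

```python
from urllib.parse import quote

# Constructed attacker-controlled account name, as it might arrive in the
# path of a crafted URL such as /v1/AUTH_test"><script>...
MALICIOUS_ACCOUNT = 'AUTH_test"><script>alert(1)</script><a x="'


def www_authenticate_unquoted(account: str) -> str:
    """Challenge built the naive way: the account from the URL is
    interpolated verbatim, so a quote in it breaks out of the realm."""
    return 'Swift realm="%s"' % account


def www_authenticate_quoted(account: str) -> str:
    """Hardened form: percent-encode the account so that quotes, angle
    brackets, spaces and CR/LF cannot appear inside the header value."""
    return 'Swift realm="%s"' % quote(account, safe='')


def header_is_well_formed(value: str) -> bool:
    """Check that a challenge contains exactly one quoted realm token and
    no character that could close the quote, inject markup, or start a
    new header line."""
    if '\r' in value or '\n' in value:
        return False
    prefix = 'Swift realm="'
    if not value.startswith(prefix) or not value.endswith('"'):
        return False
    inner = value[len(prefix):-1]
    return not any(c in inner for c in '"<>')


def unauthorized_response(account: str, hardened: bool) -> dict:
    """Minimal stand-in for the 401 a proxy returns when auth fails.
    Only the WWW-Authenticate value differs between the two modes."""
    build = www_authenticate_quoted if hardened else www_authenticate_unquoted
    return {
        "status": "401 Unauthorized",
        "headers": {
            "WWW-Authenticate": build(account),
            "Content-Type": "text/html; charset=UTF-8",
        },
    }


if __name__ == "__main__":
    for hardened in (False, True):
        resp = unauthorized_response(MALICIOUS_ACCOUNT, hardened)
        value = resp["headers"]["WWW-Authenticate"]
        print("hardened=%s well_formed=%s %s"
              % (hardened, header_is_well_formed(value), value))
```

The check is deliberately strict: it rejects any quote or angle bracket inside the realm rather than trying to decide which ones are dangerous, which is the same posture the percent-encoding fix takes.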

 

USN-2255-1: OpenStack Neutron vulnerabilities – 25th June 2014: Darragh O’Reilly discovered that the Ubuntu packaging for OpenStack Neutron did not properly set up its sudo configuration. If a different flaw was found in OpenStack Neutron, this vulnerability could be used to escalate privileges.

 

USN-2254-2: PHP updates – 25th June 2014: USN-2254-1 fixed vulnerabilities in PHP. The fix for CVE-2014-0185 further restricted the permissions on the PHP FastCGI Process Manager (FPM) UNIX socket. This update grants socket access to the www-data user and group so installations and documentation relying on the previous socket permissions will continue to function.

 

USN-2254-1: PHP vulnerabilities – 23rd June 2014: Christian Hoffmann discovered that the PHP FastCGI Process Manager (FPM) set incorrect permissions on the UNIX socket. A local attacker could use this issue to possibly elevate their privileges.
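Both PHP notices above (USN-2254-1 and the USN-2254-2 follow-up) come down to the permission bits on the FPM UNIX socket: a socket that is writable by every local user lets any of them submit FastCGI requests and run PHP as the pool user. The script below is an added example for this roundup, not code from PHP or Ubuntu. It shows the pool configuration directives involved (the directive names listen.owner, listen.group and listen.mode are real php-fpm settings; the paths are assumed), and then creates a weak and a restricted socket in a temporary directory and runs a permission check over each so you can see what the check would report on a live system.

```python
import os
import socket
import stat
import tempfile
from typing import Optional

# Pool configuration (php-fpm.conf or pool.d/www.conf), shown as comments
# because this script checks the resulting socket rather than the file:
#
#   ; weak: no ownership/mode directives, so the socket ends up world-writable
#   listen = /var/run/php5-fpm.sock
#
#   ; restricted: only the web server's user and group may connect
#   listen = /var/run/php5-fpm.sock
#   listen.owner = www-data
#   listen.group = www-data
#   listen.mode = 0660


def socket_is_restricted(path: str,
                         owner_uid: Optional[int] = None,
                         group_gid: Optional[int] = None) -> bool:
    """True if `path` is a UNIX socket with no permission bits for
    'other' and, when given, the expected owner and group."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False
    if st.st_mode & stat.S_IRWXO:        # any r/w/x bit for "other" is too much
        return False
    if owner_uid is not None and st.st_uid != owner_uid:
        return False
    if group_gid is not None and st.st_gid != group_gid:
        return False
    return True


def create_listener(path: str, mode: int) -> socket.socket:
    """Create a listening UNIX socket at `path` and set its permission
    bits explicitly, mimicking what php-fpm does with listen.mode."""
    if os.path.exists(path):
        os.unlink(path)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, mode)
    s.listen(1)
    return s


def demo() -> dict:
    """Create a 0666 and a 0660 socket in a temp dir and report what the
    check says about each (owner check only, group is left to the caller
    because the temp dir may be setgid on some systems)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        weak = create_listener(os.path.join(d, "weak.sock"), 0o666)
        good = create_listener(os.path.join(d, "good.sock"), 0o660)
        try:
            results["weak"] = socket_is_restricted(weak.getsockname(), os.getuid())
            results["good"] = socket_is_restricted(good.getsockname(), os.getuid())
        finally:
            weak.close()
            good.close()
    return results


if __name__ == "__main__":
    print(demo())
```

On a real host you would call socket_is_restricted on the configured listen path with the uid and gid of the web server user; note that USN-2254-2 exists precisely because tightening the mode breaks any web server that is not in the pool's group, so check ownership and group membership together rather than just the mode.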

 

USN-2232-3: OpenSSL regression – 23rd June 2014: USN-2232-1 fixed vulnerabilities in OpenSSL. The upstream fix for CVE-2014-0224 caused a regression for certain applications that use renegotiation, such as PostgreSQL. This update fixes the problem.

 

USN-2253-1: LibreOffice vulnerability – 23rd June 2014: It was discovered that LibreOffice unconditionally executed certain VBA macros, contrary to user expectations.

 

USN-2252-1: Linux kernel (EC2) vulnerabilities – 20th June 2014: A bounds check error was discovered in the socket filter subsystem of the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) via crafted BPF instructions.

 

USN-2251-1: Linux kernel vulnerabilities – 20th June 2014: A bounds check error was discovered in the socket filter subsystem of the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) via crafted BPF instructions.

 

USN-2250-1: Thunderbird vulnerabilities – 19th June 2014: Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan de Mooij, Ryan VanderMeulen, Jeff Walden and Kyle Huey discovered multiple memory safety issues in Thunderbird.

 

USN-2249-1: OpenStack Heat vulnerability – 18th June 2014: Jason Dunsmore discovered that OpenStack Heat did not properly restrict access to template information. A remote authenticated attacker could exploit this to see URL provider templates of other tenants for a limited time.

 

USN-2248-1: OpenStack Cinder vulnerability – 18th June 2014: Darragh O’Reilly discovered that the Ubuntu packaging for OpenStack Cinder did not properly set up its sudo configuration. If a different flaw was found in OpenStack Cinder, this vulnerability could be used to escalate privileges.

 

USN-2247-1: OpenStack Nova vulnerabilities – 17th June 2014: Darragh O’Reilly discovered that the Ubuntu packaging for OpenStack Nova did not properly set up its sudo configuration. If a different flaw was found in OpenStack Nova, this vulnerability could be used to escalate privileges. This issue only affected Ubuntu 13.10 and Ubuntu 14.04 LTS.

 

USN-2246-1: APT vulnerability – 17th June 2014: Jakub Wilk discovered that APT did not correctly validate signatures when downloading source packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered source packages.

 

USN-2214-3: libxml2 regression – 17th June 2014: USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a number of regressions. This update fixes the problem.

 

USN-2232-2: OpenSSL regression – 12th June 2014: USN-2232-1 fixed vulnerabilities in OpenSSL. The upstream fix for CVE-2014-0224 caused a regression for certain applications that use tls_session_secret_cb, such as wpa_supplicant. This update fixes the problem.

 

USN-2245-1: json-c vulnerabilities – 12th June 2014: Florian Weimer discovered that json-c incorrectly handled buffer lengths. An attacker could use this issue with a specially-crafted large JSON document to cause json-c to crash, resulting in a denial of service.

 

USN-2244-1: Libav vulnerability – 11th June 2014: It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.

 

USN-2243-1: Firefox vulnerabilities – 11th June 2014: Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan de Mooij, Ryan VanderMeulen, Jeff Walden, Kyle Huey, Jesse Ruderman, Gregor Wagner, Benoit Jacob and Karl Tomlinson discovered multiple memory safety issues in Firefox.

 

USN-2242-1: dpkg vulnerabilities – 10th June 2014: It was discovered that dpkg incorrectly handled certain patches when unpacking source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access.
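The dpkg issue above is a path traversal through the patch files shipped inside a source package: a file header in a patch can name a target such as ../../somewhere, and applying it writes outside the unpack directory. As an added example for this roundup (not dpkg's own code), here is a small checker that extracts the target paths from a unified diff the way a -p1 apply would, flags any that escape the tree lexically, and, as a second line of defence, resolves the target on disk so that a symlink planted inside the tree cannot redirect a write outside it. The sample patch, the helper names and the strip depth are constructed for the example.

```python
import os
import re
import tempfile

# Constructed patch in the style of a debian/patches entry. The second
# file header tries to write into a home directory outside the source tree.
SAMPLE_PATCH = """\
--- a/src/main.c
+++ b/src/main.c
@@ -1,3 +1,3 @@
-int x = 1;
+int x = 2;
--- a/../../home/builder/.ssh/authorized_keys
+++ b/../../home/builder/.ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa AAAA... attacker@evil
"""

# File headers: "--- name" and "+++ name", name ends at the first whitespace
# (timestamps may follow). A full implementation would track hunk state so a
# removed line starting with "-- " is not mistaken for a header.
HEADER_RE = re.compile(r'^(\+\+\+|---) (\S+)')


def strip_components(path: str, n: int) -> str:
    """Apply patch's -pN semantics: drop the first N path components."""
    return '/'.join(path.split('/')[n:])


def patch_targets(text: str, strip: int = 1) -> list:
    """Return every file name a patch would touch, after stripping."""
    targets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        name = m.group(2)
        if name == '/dev/null':           # file creation/deletion marker
            continue
        targets.append(strip_components(name, strip))
    return targets


def escapes_tree(rel_path: str) -> bool:
    """Lexical check: does the stripped target leave the unpack directory?"""
    if os.path.isabs(rel_path):
        return True
    norm = os.path.normpath(rel_path)
    return norm == '..' or norm.startswith('../')


def unsafe_targets(text: str, strip: int = 1) -> list:
    """Distinct targets in the patch that fail the lexical check."""
    return sorted({t for t in patch_targets(text, strip) if escapes_tree(t)})


def resolves_outside(base_dir: str, rel_path: str) -> bool:
    """Filesystem check: with base_dir as the unpack directory, does the
    target (following symlinks in existing components) land outside it?"""
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, rel_path))
    return os.path.commonpath([base, full]) != base


def demo() -> dict:
    """Plant a symlink pointing at the parent directory inside a temporary
    unpack dir and show that a lexically clean path still escapes."""
    with tempfile.TemporaryDirectory() as d:
        os.symlink('..', os.path.join(d, 'up'))
        return {
            'symlink_escape': resolves_outside(d, 'up/x'),
            'normal_file': resolves_outside(d, 'src/main.c'),
        }


if __name__ == "__main__":
    print("lexical:", unsafe_targets(SAMPLE_PATCH))
    print("on disk:", demo())
```

The two checks are complementary: the lexical one can run on the patch before anything is unpacked, while the on-disk one catches the case where an earlier file in the same source package already created the symlink.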

 

USN-2214-2: libxml2 regression – 9th June 2014: USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a regression when using xmllint with the --postvalid option. This update fixes the problem.

 

USN-2241-1: Linux kernel vulnerabilities – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2240-1: Linux kernel vulnerabilities – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2239-1: Linux kernel (Saucy HWE) vulnerabilities – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2238-1: Linux kernel (Raring HWE) vulnerabilities – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2237-1: Linux kernel (Quantal HWE) vulnerability – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2236-1: Linux kernel (OMAP4) vulnerabilities – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2235-1: Linux kernel vulnerabilities – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2234-1: Linux kernel (EC2) vulnerabilities – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2233-1: Linux kernel vulnerabilities – 5th June 2014: Pinkie Pie discovered a flaw in the Linux kernel’s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

 

USN-2232-1: OpenSSL vulnerabilities – 5th June 2014: Jüri Aedla discovered that OpenSSL incorrectly handled invalid DTLS fragments. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS.

 

USN-2230-1: chkrootkit vulnerability – 4th June 2014: Thomas Stangner discovered that chkrootkit incorrectly quoted certain values. A local attacker could use this issue to execute arbitrary code when chkrootkit is run and gain root privileges.

 

USN-2229-1: GnuTLS vulnerability – 2nd June 2014: Joonas Kuorilehto discovered that GnuTLS incorrectly handled Server Hello messages. A malicious remote server or a man in the middle could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.