There’s an old saying that March comes in like a lion and goes out like a lamb. At first glance, one would think this month went out pretty gently – but things are not always as they seem. Although the number of updates for most brands is low, the number of vulnerabilities addressed is high – in large part because of the many security fixes in Apple’s iOS and Apple TV updates and the extra large number of updates released for popular Linux distros.
For the second month in a row, Apple issued only two security updates and only one of them will affect a large number of users, but that one includes fixes for numerous vulnerabilities. Both were released on March 10.
The first update is a far-reaching one that impacts the millions of people who are using the iPhone 4 and later, the fifth generation iPod Touch and the iPad 2 and later. This is iOS 7.1, which makes a number of changes to the mobile operating system, both security and non-security related. Specifically on the security front, 21 separate vulnerabilities are addressed:
- Root certificates were updated.
- An issue with CoreCapture’s handling of IOKit API calls that could allow a malicious application to crash the system was fixed.
- The crash reporting feature was changed so that local users can no longer change permissions on arbitrary files.
- A code signing requirements bypass vulnerability was addressed.
- A problem with FaceTime allowed an unauthorized person who had physical access to the device to access contacts from the lock screen by making a failed FaceTime call from the lock screen; this was addressed.
- A buffer overflow issue that could allow remote code execution if a user viewed a malicious TIFF file was addressed by adding more validation of TIFF images.
- An uninitialized memory access issue that could result in disclosure of memory contents by viewing a malicious JPEG file was fixed.
- A problem with the access control policies in the IOKit framework that allowed malicious apps to monitor user actions in other apps has been addressed.
- The ability of an attacker to spoof network communications to create a man-in-the-middle attack enticing users to download a malicious app was mitigated by using SSL and user prompts when URL redirects occur.
- An out of bounds memory access issue that could allow a local user to execute arbitrary code in the kernel was fixed with better bounds checking.
- A double free memory issue that could allow arbitrary code execution or crashes upon opening a malicious Word document was addressed by improving memory management.
- A problem whereby deleted images still appeared in the Photos app was fixed.
- The ability to hide a configuration profile from the user by giving it a long name was fixed.
- A problem in Safari whereby user credentials could be disclosed to an unexpected web site via autofill was addressed by improving origin tracking.
- The ability of an unauthorized person with physical access to disable the Find My iPhone feature without entering a password was addressed.
- The ability of an unauthorized person with physical access to see the home screen of the device, even though the device hadn’t been activated, was addressed.
- An issue that enabled a remote attacker to cause the lock screen to stop responding was fixed by improving state management.
- A problem by which a web page could cause FaceTime to make an audio call without user interaction was addressed by adding a confirmation prompt before the call is made.
- A memory corruption issue with handling of USB messages that allowed an unauthorized person with physical access to execute arbitrary code in kernel mode was addressed.
- A problem with the way MPEG-4 files were handled that could allow an attacker to render the device unresponsive if a malicious video was played has been addressed.
- Multiple memory corruption issues in WebKit that could lead to arbitrary code execution or crashes when a malicious web site is visited were fixed.
Apple’s second update, although it also addresses quite a few vulnerabilities, will impact fewer users – just those who use Apple TV. This is, however, a growing market, with Apple CEO Tim Cook claiming around $1 billion in sales at the annual shareholder’s meeting last month. Estimates are that Apple sold around 15.5 million devices in 2012 and 2013 combined. On the other hand, not everybody is impressed. In any event, those number certainly pale in comparison to the 150 million iPhones and 71 million iPads that were said to have been sold in 2013 alone.
For those who do own Apple’s TV streaming device, though, Apple TV 6.1 brings 13 updates:
- An issue whereby an attacker could access sensitive user information from Apple TV logs was addressed by logging less information.
- An issue with profile expiration dates was fixed by improving the handling of configuration profiles.
- The same issue in CoreCapture described above was fixed.
- The same crash reporting problem described above was fixed.
- The same code signing requirements bypass described above was fixed.
- A buffer overflow issue with JPEG images in PDF files was fixed.
- The same buffer overflow with TIFF files described above was fixed.
- The same uninitialized memory access issue with JPEG files described above was fixed.
- The same out of bounds memory access issue described above was fixed.
- The same hidden configuration profile issue described above was fixed.
- The same memory corruption issue with USB messages described above was fixed.
- The same multiple memory corruption issues in WebKit described above were fixed.
- The same MPEG-4 handling issue described above was fixed.
Updates seem to be coming in pairs this month. Adobe also issued two updates for March:
- On March 11, which is their normal “Patch Tuesday” scheduled release date, Adobe came out with only one patch, for Flash Player 184.108.40.206 and earlier versions. It was given a priority rating of 2 for Windows and Mac, and 3 for Linux and the update was labeled “important.” The two vulnerabilities that were addressed were a bypass of the same origin policy and a vulnerability that could be used to read the contents of the clipboard.
- Two days later, on March 13, the company released an out-of-band patch to address a critical vulnerability in Shockwave Player 220.127.116.11 and earlier, which could allow an attacker to take control of the system, which we covered in detail in a previous blog post.
On March 3, Google released an update (version 33.0.1750.146 for Chrome on Windows, Linux and Mac that includes nineteen security fixes. This is down from the 28 fixes that were included in the February release of Chrome 33. These fixes include heap buffer overflow vulnerability, allowing requests in flash header requests, use-after-free vulnerabilities in svg images and speech recognition, and more.
A little over a week later – and probably not coincidentally, just in time for the yearly Pwn2Own hacking contest – the company fixed another seven security issues for Chrome on all three operating systems, which included more use-after-free vulnerabilities. Four were labeled as “high” level (equivalent of “important,” just below “critical”). This release is 33.0.1750.149.
Cisco Systems released 12 security updates in March, with half of them applying to the IOS software. These include:
- IOS Software Resource Reservation Protocol Interface Queue Wedge vulnerability
- IOS Network Address Translation (NAT) vulnerabilities
- IOS denial of service (DoS) vulnerability from a specially crafted IPv6 packet
- IOS DoS vulnerability related to Internet Key Exchange (IKE) v2
- IOS DoS vulnerability related to Session Initiation Protocol (SIP)
- IOS DoS vulnerability related to SSL VPN
Other fixes include:
- Multiple vulnerabilities in Cisco wireless LAN controllers
- Password disclosure vulnerability in Small Business Router
- Vulnerability in Prime Infrastructure Command execution
- DoS vulnerability in 7600 series route switch processor 720 with 10 GB Ethernet uplinks
- Code execution vulnerability in AsyncOS software
- Undocumented test interface in small business devices
Oracle releases security updates on a quarterly basis, in January, April, July and October, so we’ve seen nothing from them this month. Look for new releases next month.
Ubuntu released a whopping 32 security updates in March:
· USN-2155-1: OpenSSH vulnerability – March 25
· USN-2154-1: ca-certificates update – March 24
· USN-2153-1: initramfs-tools vulnerability – March 24
· USN-2152-1: Apache HTTP Server vulnerabilities – March 24
· USN-2151-1: Thunderbird vulnerabilities – March 21
· USN-2150-1: Firefox vulnerabilities – March 18
· USN-2149-2: GTK+ update – March 17
· USN-2149-1: librsvg vulnerability – March 17
· USN-2148-1: FreeType vulnerabilities – March 17
· USN-2147-1: Mutt vulnerability – March 17
· USN-2146-1: Sudo vulnerabilities – March 17
· USN-2145-1: libssh vulnerability – March 17
· USN-2144-1: CUPS vulnerabilities – March 12
· USN-2143-1: cups-filters vulnerabilities – March 12
· USN-2142-1: UDisks vulnerability – March 10
· USN-2141-1: Linux kernel (OMAP4) vulnerabilities – March 7
· USN-2140-1: Linux kernel vulnerabilities – March 7
· USN-2139-1: Linux kernel (OMAP4) vulnerabilities – March 7
· USN-2138-1: Linux kernel vulnerabilities – March 7
· USN-2134-1: Linux kernel (OMAP4) vulnerabilities – March 7
· USN-2133-1: Linux kernel vulnerabilities – March 7
· USN-2132-1: ImageMagick vulnerabilities – March 6
· USN-2131-1: IcedTea Web vulnerability – March 6
· USN-2130-1: Tomcat vulnerabilities – March 6
· USN-2129-1: Linux kernel (EC2) vulnerabilities – March 5
· USN-2128-1: Linux kernel vulnerabilities – March 5
· USN-2127-1: GnuTLS vulnerability – March 4
· USN-2126-1: PHP vulnerabilities – March 3
· USN-2125-1: Python vulnerability – March 3
RedHat released a comparable number of updates for Enterprise RedHat Linux.