Please note that the roundup covers updates issued between May 1 and the time of this writing, which is May 27.

 

Apple

Apple released five updates once again this month, most of which were for popular products; however, unlike the previous months, we did not see an update for its most popular product of all – the iOS operating system. It would be fair to say that only four Apple products actually required updating, since two of the patches are for the same software – iTunes – running on different operating systems.

 

  • On May 15, Apple released the latest update to its OS X Mavericks desktop OS, v10.9.3, which includes the security content of Update 2014-002. This addresses thirteen different issues that affected previous versions of OS X. Included are a vulnerability in the CFNetwork HTTPProtocol by which an attacker in a privileged network position could obtain web site credentials, a vulnerability in CoreServiceUIAgent by which visiting a malicious web site could result in an application crash or execution of arbitrary code, a vulnerability in FontParser that could cause an application crash or arbitrary code execution upon opening a malicious PDF file, and a vulnerability in Heimdal Kerberos by which a remote attacker might be able to cause a denial of service (DoS). Also addressed are a vulnerability in ImageIO by which a malicious JPG could cause an application crash or code execution, a vulnerability in the Intel Graphics Driver that could enable a malicious application to take control of the system, a vulnerability in IOKit Kernel that could be exploited to read kernel pointers and bypass kernel ASLR (Address Space Layout Randomization) protections, and a kernel vulnerability that works similarly but uses a kernel pointer stored in an XNU object. Additionally, this update addresses two vulnerabilities in Ruby that could be used to cause application crashes and/or remotely execute code, a Secure Transport vulnerability that could allow an attacker to capture data or change operations performed in an SSL session, and a WindowServer vulnerability that could be used by malicious applications to execute arbitrary code outside of the sandbox.
  • On the same day, May 15, Apple released an update to iTunes, v. 11.2 for Windows XP SP3, Vista, Windows 7 and Windows 8. This update addresses a vulnerability in Set-Cookie HTTP headers by which an attacker in a privileged network position could obtain the value of the unprotected cookie and thus obtain a user’s iTunes credentials.
  • The next day, May 16, Apple released an update for iTunes, v. 11.2.1 for Mac OS X (v. 10.6.8 and later). This one addresses a different vulnerability pertaining to how permissions for /Users and /Users/Shared directories are handled, which could enable a local user to compromise other user accounts.
  • On May 20, Apple released an update for its OS X Server software, v.3.1.2, which fixes a vulnerability caused by a heap-based buffer overflow issue in Ruby that could be exploited to cause an application to hang/freeze or to run arbitrary code.
  • On May 21, Apple released an update for the Safari web browser, versions 6.1.4 and 7.0.4 running on OS X Lion, Mountain Lion and Mavericks, that addresses numerous memory corruption issues in WebKit by which visiting a malicious web site could result in an application crash or the execution of arbitrary code, as well as an encoding issue in WebKit that a malicious web site could use to send messages to a connected frame or window in a manner that could circumvent the origin check by the recipient.

 

Adobe

Adobe issued three security bulletins/advisories in May. Two are for the “usual suspects” – Reader/Acrobat and Flash Player – and there’s also one for Adobe Illustrator. All three were released on May 13, which is Microsoft Patch Tuesday and also Adobe’s regularly scheduled day for issuing security updates.

 

  • The first update is APSB14-11 for Adobe Illustrator CS6 for Windows and Macintosh (subscription plan). It addresses a vulnerability which an attacker could exploit in order to remotely execute code. This is a critical vulnerability but has been given a priority rating of 3 on both Windows and Mac, because Illustrator is a product that historically has not been a target for attackers.
  • Next is APSB14-14 for Adobe Flash Player on all platforms. This addresses multiple vulnerabilities (six) in Windows, Macintosh and Linux versions of the software that, if exploited, could allow an attacker to take control of the system. Flash Player installed with Internet Explorer 10 and 11 will be automatically updated, as will Flash Player v13.0.0.206 installed with Google Chrome. Users of earlier versions should update to the latest version of Flash Player available for their respective platforms. The vulnerabilities addressed are critical and the update has been given a priority rating of 1 for most versions, with a rating of 3 for version 11.2.202.359 for Linux and 13.0.0.111 (Adobe Air SDK and Compiler) for Windows and Mac.
  • The third update is APSB14-15 for Adobe Reader and Acrobat running on Windows and Macintosh. It pertains to Reader X and XI and Acrobat X and XI, versions 11.0.6 and 10.1.9 respectively. The update addresses multiple vulnerabilities (11) that, if exploited, could result in a crash and/or allow an attacker to take over control of the system. This is a critical vulnerability and has been given a priority rating of 1 for all affected products on all platforms, because it involves vulnerabilities with a high risk of being targeted in the wild.

 

Google

Google released updates for Chrome OS and Chrome browser for Android. You can find more information about these updates in the Chrome Releases blog.

 

  • On May 20, Google released an update for Chrome OS, v.35.0.1916.116, which contains a number of security updates.
  • On May 27, Google updated Chrome for Android to v. 35.0.1916.138; it will be available in the Google Play Store.

 

Oracle

Oracle releases security updates on a quarterly basis, in January, April, July and October. There were no updates released this month. The next regularly scheduled updates are expected to be released in July.

 

Linux

Ubuntu released a whopping forty security updates in May, with six released on the day of this writing (May 27) so there may be additional updates released after this roundup is submitted; check the Ubuntu Security Notices (USN) web site for more timely information.

 

USN-2228-1: Linux kernel vulnerabilities – 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.

 

USN-2227-1: Linux kernel (OMAP4) vulnerabilities – 27th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2226-1: Linux kernel vulnerabilities – 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.

 

USN-2225-1: Linux kernel (Saucy HWE) vulnerabilities – 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.

 

USN-2224-1: Linux kernel (Raring HWE) vulnerabilities – 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.

 

USN-2223-1: Linux kernel (Quantal HWE) vulnerabilities – 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.

 

USN-2222-1: mod_wsgi vulnerabilities – 26th May 2014

Róbert Kisteleki discovered mod_wsgi incorrectly checked setuid return values. A malicious application could use this issue to cause a local privilege escalation when using daemon mode.

 

USN-2221-1: Linux kernel vulnerabilities – 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.

 

USN-2220-1: Linux kernel (EC2) vulnerabilities – 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.

 

USN-2219-1: Linux kernel vulnerabilities – 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.

 

USN-2218-1: Xalan-Java vulnerability – 21st May 2014

Nicolas Gregoire discovered that Xalan-Java incorrectly handled certain properties when the secure processing feature was enabled. An attacker could possibly use this issue to load arbitrary classes or access external resources.

 

USN-2217-1: lxml vulnerability – 21st May 2014

It was discovered that the lxml.html.clean module incorrectly stripped control characters. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks.

 

USN-2216-1: Pidgin vulnerability – 21st May 2014

It was discovered that Pidgin incorrectly handled certain messages from Gadu-Gadu file relay servers. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code.

 

USN-2215-1: libgadu vulnerability – 21st May 2014

It was discovered that libgadu incorrectly handled certain messages from file relay servers. A malicious remote server or a man in the middle could use this issue to cause applications using libgadu to crash, resulting in a denial of service, or possibly execute arbitrary code.

 

USN-2214-1: libxml2 vulnerability – 15th May 2014

Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service.

 

USN-2213-1: Dovecot vulnerability – 15th May 2014

It was discovered that Dovecot incorrectly handled closing inactive SSL/TLS connections. A remote attacker could use this issue to cause Dovecot to stop responding to new connections, resulting in a denial of service.

 

USN-2212-1: Django vulnerabilities – 14th May 2014

Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches.

 

USN-2211-1: libXfont vulnerabilities – 14th May 2014

Ilja van Sprundel discovered that libXfont incorrectly handled font metadata file parsing. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges.

 

USN-2210-1: cups-filters vulnerability – 8th May 2014

Sebastian Krahmer discovered that cups-browsed incorrectly filtered remote printer names and strings. A remote attacker could use this issue to possibly execute arbitrary commands. (CVE-2014-2707) Johannes Meixner discovered that cups-browsed ignored invalid BrowseAllow directives. This could cause it to accept browse packets from all hosts, contrary to intended configuration.

 

USN-2209-1: libvirt vulnerabilities – 7th May 2014

It was discovered that libvirt incorrectly handled symlinks when using the LXC driver. An attacker could possibly use this issue to delete host devices, create arbitrary nodes, and shutdown or power off the host.

 

USN-2208-2: OpenStack Quantum vulnerability – 6th May 2014

USN-2208-1 fixed vulnerabilities in OpenStack Cinder. This update provides the corresponding updates for OpenStack Quantum.

 

USN-2208-1: OpenStack Cinder vulnerability – 6th May 2014

JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce SSL connections when Nova was configured to use QPid and qpid_protocol is set to ‘ssl’. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.

 

USN-2207-1: OpenStack Swift vulnerability – 6th May 2014

Samuel Merritt discovered a timing attack vulnerability in OpenStack Swift. If Swift was configured to use the TempURL middleware, an attacker could exploit this to guess valid secret URLs and obtain unintended access to objects publicly shared with specific recipients.

 

USN-2206-1: OpenStack Horizon vulnerability – 6th May 2014

Cristian Fiorentino discovered that OpenStack Horizon did not properly perform input sanitization for Heat templates. If a user were tricked into using a specially crafted Heat template, an attacker could conduct cross-site scripting attacks.

 

USN-2205-1: LibTIFF vulnerabilities – 6th May 2014

Pedro Ribeiro discovered that LibTIFF incorrectly handled certain malformed images when using the gif2tiff tool. If a user or automated system were tricked into opening a specially crafted GIF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code.

 

USN-2204-1: Linux kernel vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2203-1: Linux kernel vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2202-1: Linux kernel vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2201-1: Linux kernel (Saucy HWE) vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2200-1: Linux kernel (Raring HWE) vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2199-1: Linux kernel (Quantal HWE) vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2198-1: Linux kernel vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2197-1: Linux kernel (EC2) vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2196-1: Linux kernel vulnerability – 5th May 2014

A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

 

USN-2194-1: OpenStack Neutron vulnerability – 5th May 2014

Aaron Rosen discovered that OpenStack Neutron did not properly perform authorization checks when creating ports when using plugins relying on the l3-agent. A remote authenticated attacker could exploit this to access the network of other tenants.

 

USN-2193-1: OpenStack Glance vulnerability – 5th May 2014

Paul McMillan discovered that the Sheepdog backend in OpenStack Glance did not properly handle untrusted input. A remote authenticated attacker could exploit this to execute arbitrary commands as the glance user.

 

USN-2192-1: OpenSSL vulnerabilities – 5th May 2014

It was discovered that OpenSSL incorrectly handled memory in the ssl3_read_bytes() function. A remote attacker could use this issue to possibly cause OpenSSL to crash, resulting in a denial of service.

 

USN-2191-1: OpenJDK 6 vulnerabilities – 1st May 2014

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network.

 

USN-2190-1: JBIG-KIT vulnerability – 1st May 2014

Florian Weimer discovered that JBIG-KIT incorrectly handled certain malformed images. If a user or automated system were tricked into processing a specially crafted image, JBIG-KIT could be made to crash, or possibly execute arbitrary code.

 

USN-2183-2: dpkg vulnerability – 1st May 2014

USN-2183-1 fixed a vulnerability in dpkg. Javier Serrano Polo discovered that the fix introduced a vulnerability in releases with an older version of the patch utility. This update fixes the problem.