In the U.S. where I live, the end of November means celebrating our holiday of Thanksgiving, a time when we try to cultivate an “attitude of gratitude” for all the good things we have. On the professional level, I’m thankful for the progress that software vendors have made over the years in addressing security issues. As much as most of us dread the patching process, it’s a big improvement over the way it was a decade ago.
This month has been a relatively light one in the patching department, with fewer critical updates than usual and no reports of widespread patching fiascos or patches that had to be recalled.
As of November 25, Apple has released only one security update this month, and that’s for the iPhone and iPad. This is the fourth update released for iOS 7 since its release just two months ago. In addition to fixing a problem with the FaceTime feature dropping calls (which isn’t security-related), iOS 7.0.4 fixes an issue whereby a user who had signed in might be able to complete the transaction for an in-app purchase without having to enter a password when prompted to do so. The update can, as usual, be installed by syncing with iTunes. You can read about the update on the Apple website.
Meanwhile, a sobering report came out this month from Hewlett-Packard, in regard to security testing the company conducted on more than 2,000 iOS apps developed for commercial use. According to HP’s vice president/general manager, a whopping 97 percent of these business-to-consumer or business-to-business apps were vulnerable to attacks or had other security issues such as inappropriate access to personal information.
This comes after security experts warned, late last month (after the date our Roundup was published), that a new LinkedIn app for the iPhone had multiple security issues and recommended that users shun it. It’s important to remember that with Apple products, as with Windows, third-party applications present a large portion of the security risk.
For those who caught Larry Seltzer’s article in October postulating that Apple is quietly dropping support for OS X 10.8 (Mountain Lion), here’s a follow-up: A month later, the company still hasn’t released updates for the acknowledged vulnerabilities in Mountain Lion and Larry says there’s no indication that they plan to do so. The equivalent would be if Microsoft stopped issuing security updates for Windows 8 (as well as Windows 7, Vista and XP) the day they released Windows 8.1. Choose not to run the latest version? Sorry, no security fixes for you. Can you imagine the uproar that would cause?
You might recall that in early October, hackers penetrated Adobe’s internal network and stole source code for some of their products and there was speculation that the attackers would use it to discover vulnerabilities in those products. We don’t know whether that has happened, but Adobe released two official security updates this month.
This month’s first update, released November 12, is a hotfix for ColdFusion, the company’s web application development platform. The update addresses two vulnerabilities. The first is rated important and would allow a reflected cross-site scripting exploit when version 10 (the current version) or earlier is running. In order to exploit this vulnerability remotely, the attacker would have to be an authenticated user, which ameliorates the impact somewhat. The second vulnerability addressed by this fix is rated critical, but it affects only version 10, and an attacker who exploits it could obtain unauthorized remote read access. This update is for all three major operating system platforms: Windows, Linux and Mac OS X.
On November 21, Adobe released a mandatory update for ColdFusion 10 that updates the code signing certificate with which all ColdFusion updates are now signed, due to revocation of a previous certificate.
Adobe Flash Player
The second security update released on November 12 is an update for Adobe Flash Player versions 11.9.900.117 and prior for Windows and Mac, as well as versions 188.8.131.520 and prior for Linux distributions. The vulnerabilities that are addressed by these updates were identified by Secunia as memory corruption issues and are rated critical, as an attacker could exploit them to crash the entire system and/or take over control of the system. Users of Adobe AIR also need to update that software.
During the first half of the month, Google released Chrome v31 for Windows, Linux, Mac, Android and Chrome OS. The latest version of the browser contains fixes for 25 security vulnerabilities. These included a number that were discovered by external researchers (who reportedly collected rewards ranging from $500 to $50,000 for their efforts). Multiple memory corruption vulnerabilities, which could have been used by an attacker to execute arbitrary code, were addressed.
Other fixes included a vulnerability in Chrome on Mac that allowed unauthorized persons to see passwords saved by the browser and one that could allow automatic download of malware from an infected web site on Windows machines.
Last week, Google released an update, version 31.0.1650.57, which addresses a vulnerability that an attacker could exploit to run arbitrary code on a system or cause a denial of service. This release is for Windows, Linux and Mac OS X.
While not a patching issue, there’s more good news for Google security: the company met its year-end deadline to retire all the certificates on its site with 1024 bit keys, replacing them with certificates that are secured with much stronger 2048 bit keys.
On October 29, Mozilla released ten patches for Firefox 25 and 24.1, as well as Thunderbird and Seamonkey, half of which were rated critical. These included multiple memory corruption vulnerabilities with the potential for an attacker to use them to run arbitrary code, along with several that could be used to crash a system and one that was capable of disclosing information. The latter did this by loading objects into an embedded PDF object.
Then last week, another update was released to patch five security issues in Firefox 25.0.1, including a buffer overflow issue and security certificate issues, all of which pertain to the Network Security Services (NSS) library. In addition, the update addresses RC4, the stream cipher that, earlier this month, Microsoft recommended its customers retire due to security weaknesses.
In keeping with the trend toward fewer fixes this month, Cisco has thus far only released three security advisories, along with one update to an advisory originally published in September. The three new advisories were released on November 6.
The first addresses a vulnerability in IOS Software Session Initiation Protocol (SIP) that a remote, unauthenticated user could exploit to cause a denial of service (DoS) by sending specially crafted SIP messages to the SIP gateway on the Cisco device. The exploit causes a memory leak or a device reload that makes the system unstable. Version 15.1(4) is affected.
The second advisory deals with a vulnerability in the Wide Area Application Services (WAAS) Mobile server, versions prior to 3.5.5. The problem is in the web management interface. Because of insufficient validation of data in an HTTP POST request, an attacker could send a specially crafted request and gain the ability to run arbitrary code on the system.
The third advisory is for a vulnerability in the Cisco TelePresence VX Clinical Assistant, whereby a coding error resets the administrative password to a blank password every time the system is rebooted. This obviously presents the opportunity for an attacker to log in with the admin account with a blank password and have administrative privileges to control the system. Version 1.2 of the TelePresence VX Clinical Assistant software is affected.
The September advisory that was updated on November 5 addresses multiple vulnerabilities in the Cisco Prime Data Center Network Manager prior to version 6.2(1).
Oracle now releases security updates, including those for Java SE, on a quarterly basis. Patches are scheduled to be released in January, April, July and October 2014.
In other security-related news, Oracle announced on November 15 that they have acquired Bitzer Mobile, which makes software that can be used for employees to more securely access corporate data and apps on their mobile devices.
Popular Linux distributions released security notices addressing their operating systems and included applications. Check the following web sites for your particular distro:
Red Hat released a new version of Enterprise Linux, v6.5, which provides a centralized certification authority (CA) that can be used to issue digital certificates and create an internal public key infrastructure (PKI).
As we head into the holiday season, it’s good to see IT admins get a bit of a break on the patching front this month. Let’s hope it continues right through the new year.