Most of us are already scrambling to juggle work and personal lives, then along comes the holiday season to fill our schedules to overflowing. It doesn’t help matters when software vendors decide to get into the act, too, and “gift” us with even more patches – and thus more work – than usual, but that’s what Microsoft did on Patch Tuesday. Adobe joined in by fixing 18 vulnerabilities, but did so in a single patch. To the relief of IT admins everywhere, other major security vendors did not see fit to deluge us with more updates than usual.

Apple

  • Apple released three updates this month, all on November 17. The most far-reaching of these was iOS 8.1.1 for the iPhone 4 and later generations, the fifth generation iPod Touch and later, and the iPad 2 and later. iOS 8.1.1 doesn’t have as many security fixes as some recent iOS updates, but it does fix a vulnerability in which the web site cache may not be fully cleared after you leave private browsing mode. This could create a privacy issue if your “private” browsing data stayed in the cache; the update addresses it by changing the behavior of the web cache. More serious is a vulnerability whereby a local user might be able to execute unsigned code because of a state management issue in the handling of Mach-O executable files that have overlapping segments. Unsigned code can contain malicious elements. The update addresses the problem by improving the validation of segment sizes. There was also a lock screen vulnerability that could be exploited by an attacker with physical possession of the device to exceed the maximum number of failed passcode attempts. If the failed passcode limit isn’t enforced, the attacker gets more chances to guess the passcode and unlock the phone. The update fixes this by improving enforcement of the limit. Probably the most serious of the issues addressed by this update is kernel vulnerability CVE-2014-4461, through which a malicious application may be able to execute arbitrary code with system privileges; an attacker could exploit this to take control of many aspects of the device. The update addresses this problem by fixing a validation issue in the handling of certain metadata fields of IOSharedDataQueue objects, relocating that metadata.
  • The second update applies only to Yosemite (v10.10.1). Yosemite is the latest version of Mac OS X, released to consumers in October. This update fixes four security vulnerabilities. The first is the same basic problem as described above for iOS, where the web site cache isn’t fully cleared after leaving private browsing. The update also addresses a vulnerability in Spotlight, the system-wide search feature in OS X, which caused unnecessary information about the user’s location to be included in the initial connection between Spotlight or Safari and the Spotlight Suggestions server. The update addresses this privacy issue by removing that information from the initial connection.
    Another information disclosure issue had to do with unnecessary information being included in a connection to Apple to determine the system model. The information was carried in unnecessary cookies sent when an “About this Mac” request was made; the fix removes the cookies from the connection. The most serious vulnerability addressed by this update was yet another WebKit vulnerability, CVE-2014-4459, which could allow arbitrary code execution or termination of the application when a user visited a malicious web site. It was due to a use-after-free issue in the handling of page objects, and the update addresses the problem by improving memory management.
  • The last update for this month is for third generation and later Apple TV software. It addresses four vulnerabilities, two of which are memory corruption issues in WebKit that could allow an attacker with a privileged network position to cause an unexpected application termination or even execute arbitrary code; improved memory handling fixes the problem. The same Mach-O handling issue and the same validation issue for IOSharedDataQueue objects described above were also fixed by this update.
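The Mach-O overlapping-segment issue shows up twice above, in iOS 8.1.1 and again in the Apple TV update, and in both cases the fix was stricter validation of the segment sizes the file declares. As an added illustration (this is not Apple's code and not part of the original roundup), the Python below parses the LC_SEGMENT_64 load commands of a 64-bit Mach-O and reports segments whose file or memory ranges overlap one another, run past the end of the file, or claim more file bytes than mapped bytes. The sample binaries it checks are constructed in `build_macho` rather than read from disk, and the header values (x86_64 executable) and segment layouts are made up for the demonstration; it is a pre-screening check for a file-analysis pipeline, not a reproduction of the kernel's loader logic.

```python
"""Sanity-check Mach-O segment load commands for overlapping or oversized
ranges.  Added example for this roundup; it is not Apple's fix and does not
reproduce the patched bug.  Scope is deliberately narrow: 64-bit,
little-endian, thin (non-universal) Mach-O files."""
import itertools
import struct
from collections import namedtuple

# Constants from <mach-o/loader.h>.
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
CPU_TYPE_X86_64 = 0x01000007
LC_SEGMENT_64 = 0x19

# magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<8I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)    # 32 bytes
# cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
SEGMENT_FMT = "<II16sQQQQiiII"
SEGMENT_SIZE = struct.calcsize(SEGMENT_FMT)  # 72 bytes

Segment = namedtuple("Segment", "name vmaddr vmsize fileoff filesize")


def parse_segments(data):
    """Return the LC_SEGMENT_64 commands of a thin 64-bit Mach-O, bounds-checking
    every load command against sizeofcmds and the file size."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short for a Mach-O header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (magic 0x%08x)" % magic)
    end = HEADER_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    segments, offset = [], HEADER_SIZE
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load command table is shorter than ncmds claims")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("load command at %d has bad cmdsize %d" % (offset, cmdsize))
        if cmd == LC_SEGMENT_64:
            if cmdsize < SEGMENT_SIZE:
                raise ValueError("LC_SEGMENT_64 at %d is truncated" % offset)
            f = struct.unpack_from(SEGMENT_FMT, data, offset)
            name = f[2].rstrip(b"\0").decode("ascii", "replace")
            segments.append(Segment(name, vmaddr=f[3], vmsize=f[4], fileoff=f[5], filesize=f[6]))
        offset += cmdsize
    return segments


def _overlap(start_a, len_a, start_b, len_b):
    # Zero-length ranges (e.g. __PAGEZERO has filesize 0) cannot overlap anything.
    if len_a == 0 or len_b == 0:
        return False
    return start_a < start_b + len_b and start_b < start_a + len_a


def check_segments(segments, file_size):
    """Return a list of human-readable findings; an empty list means the layout is sane."""
    findings = []
    for s in segments:
        if s.filesize > s.vmsize:
            findings.append("%s: filesize 0x%x exceeds vmsize 0x%x" % (s.name, s.filesize, s.vmsize))
        if s.fileoff + s.filesize > file_size:
            findings.append("%s: file range runs past end of file" % s.name)
    for a, b in itertools.combinations(segments, 2):
        if _overlap(a.fileoff, a.filesize, b.fileoff, b.filesize):
            findings.append("%s/%s: overlapping file ranges" % (a.name, b.name))
        if _overlap(a.vmaddr, a.vmsize, b.vmaddr, b.vmsize):
            findings.append("%s/%s: overlapping virtual address ranges" % (a.name, b.name))
    return findings


def audit_macho(data):
    """Parse and check; a parse failure is itself reported as a finding."""
    try:
        return check_segments(parse_segments(data), len(data))
    except ValueError as exc:
        return ["parse error: %s" % exc]


def build_macho(segments, total_size):
    """Construct a minimal synthetic Mach-O (header + LC_SEGMENT_64 commands,
    zero-padded to total_size) so the checks can run offline.  `segments` is a
    list of (name, vmaddr, vmsize, fileoff, filesize); the header fields are
    constructed values, not taken from any real binary."""
    cmds = b"".join(
        struct.pack(SEGMENT_FMT, LC_SEGMENT_64, SEGMENT_SIZE, name.encode().ljust(16, b"\0"),
                    vmaddr, vmsize, fileoff, filesize, 7, 5, 0, 0)
        for name, vmaddr, vmsize, fileoff, filesize in segments)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_X86_64, 0, MH_EXECUTE,
                         len(segments), len(cmds), 0, 0)
    return (header + cmds).ljust(total_size, b"\0")


if __name__ == "__main__":
    well_formed = build_macho([("__PAGEZERO", 0, 0x100000000, 0, 0),
                               ("__TEXT", 0x100000000, 0x1000, 0, 0x1000),
                               ("__DATA", 0x100001000, 0x1000, 0x1000, 0x1000)], 0x2000)
    # Constructed bad layout: __DATA's file bytes start inside __TEXT's.
    overlapping = build_macho([("__TEXT", 0x100000000, 0x1000, 0, 0x1000),
                               ("__DATA", 0x100001000, 0x1000, 0x800, 0x1000)], 0x2000)
    print("well-formed:", audit_macho(well_formed) or "no findings")
    print("overlapping:", audit_macho(overlapping))
```

Every load command is bounds-checked against `sizeofcmds` before it is read, so a file that lies about its command table produces a parse error instead of an out-of-range read; universal (fat) binaries and 32-bit images are out of scope and are simply rejected by the magic check.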

Adobe

Adobe patched 18 vulnerabilities this month, which we already covered in a separate article shortly after their release. See Adobe joins the patch party in a big way, published November 17 in this blog.

Google

On November 25, Google released update version 39.0.2171.71 for Google Chrome for Windows, Mac and Linux. It contains the update for Adobe Flash, along with several other fixes. This follows the release of version 39.0.2171.65 on November 19, which addressed multiple vulnerabilities, including one that could cause a denial of service issue.

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. On November 21, they released a revision to the October critical patch update (Rev 5), which clarified that CVE-2014-2478 does not affect client-only installations.

Mozilla

After a security advisory in October that addressed nine security issues, Mozilla has released no security advisories in November.

Linux

Popular Linux distros, as usual, saw a number of security advisories and updates. Ubuntu issued thirty security advisories in November as of the time of this writing (November 28), which is about the average number. Other commercial Linux vendors issued similar advisories and updates.

  • USN-2427-1: Libksba vulnerability – 27th November 2014. Hanno Böck discovered that Libksba incorrectly handled certain S/MIME messages or ECC based OpenPGP data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2426-1: FLAC vulnerabilities – 27th November 2014. Michele Spagnuolo discovered that FLAC incorrectly handled certain malformed audio files. An attacker could use this issue to cause FLAC to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2425-1: DBus vulnerability – 27th November 2014. It was discovered that DBus incorrectly handled a large number of file descriptor messages. A local attacker could use this issue to cause DBus to stop responding, resulting in a denial of service.
  • USN-2423-1: ClamAV vulnerabilities – 26th November 2014. Kurt Seifried discovered that ClamAV incorrectly handled certain JavaScript files. An attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6497) Damien Millescamp discovered that ClamAV incorrectly handled certain PE files.
  • USN-2422-1: Squid vulnerabilities – 25th November 2014. Sebastian Krahmer discovered that the Squid pinger incorrectly handled certain malformed ICMP packets. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service.
  • USN-2421-1: Linux kernel vulnerabilities – 24th November 2014. A flaw was discovered in how the Linux kernel’s KVM (Kernel Virtual Machine) subsystem handles the CR4 control register at VM entry on Intel processors. A local host OS user can exploit this to cause a denial of service (kill arbitrary processes, or system disruption) by leveraging /dev/kvm access.
  • USN-2420-1: Linux kernel vulnerabilities – 24th November 2014. A flaw was discovered in how the Linux kernel’s KVM (Kernel Virtual Machine) subsystem handles the CR4 control register at VM entry on Intel processors. A local host OS user can exploit this to cause a denial of service (kill arbitrary processes, or system disruption) by leveraging /dev/kvm access.
  • USN-2419-1: Linux kernel (Trusty HWE) vulnerabilities – 24th November 2014. A flaw was discovered in how the Linux kernel’s KVM (Kernel Virtual Machine) subsystem handles the CR4 control register at VM entry on Intel processors. A local host OS user can exploit this to cause a denial of service (kill arbitrary processes, or system disruption) by leveraging /dev/kvm access.
  • USN-2418-1: Linux kernel (OMAP4) vulnerabilities – 24th November 2014. Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles noncanonical addresses when emulating instructions that change the rip (Instruction Pointer). A guest user with access to I/O or the MMIO can use this flaw to cause a denial of service (system crash) of the guest.
  • USN-2417-1: Linux kernel vulnerabilities – 24th November 2014. Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles noncanonical addresses when emulating instructions that change the rip (Instruction Pointer). A guest user with access to I/O or the MMIO can use this flaw to cause a denial of service (system crash) of the guest.
  • USN-2416-1: Linux kernel (EC2) vulnerabilities – 24th November 2014. Don Bailey discovered a flaw in the LZO decompress algorithm used by the Linux kernel. An attacker could exploit this flaw to cause a denial of service (memory corruption or OOPS). (CVE-2014-4608) Andy Lutomirski discovered that the Linux kernel was not checking the CAP_SYS_ADMIN when remounting filesystems to read-only.
  • USN-2415-1: Linux kernel vulnerability – 24th November 2014. Andy Lutomirski discovered that the Linux kernel was not checking the CAP_SYS_ADMIN when remounting filesystems to read-only. A local user could exploit this flaw to cause a denial of service (loss of writability).
  • USN-2414-1: KDE-Runtime vulnerability – 24th November 2014. Tim Brown and Darron Burton discovered that KDE-Runtime incorrectly handled input validation. An attacker could possibly use this issue to execute arbitrary JavaScript.
  • USN-2413-1: AppArmor vulnerability – 20th November 2014. An AppArmor policy miscompilation flaw was discovered in apparmor_parser. Under certain circumstances, a malicious application could use this flaw to perform operations that are not allowed by AppArmor policy. The flaw may also prevent applications from accessing resources that are allowed by AppArmor policy.
  • USN-2412-1: Ruby vulnerability – 20th November 2014. Tomas Hoger discovered that Ruby incorrectly handled XML entity expansion. An attacker could use this flaw to cause Ruby to consume large amounts of resources, resulting in a denial of service.
  • USN-2410-1: Oxide vulnerabilities – 19th November 2014. A buffer overflow was discovered in Skia. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process.
  • USN-2411-1: mountall vulnerability – 18th November 2014. Saurav Sengupta discovered that mountall incorrectly handled umask when calling the mount utility, resulting in certain filesystems possibly being mounted with incorrect permissions.
  • USN-2409-1: QEMU vulnerabilities – 13th November 2014. Laszlo Ersek discovered that QEMU incorrectly handled memory in the vga device. A malicious guest could possibly use this issue to read arbitrary host memory. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
  • USN-2408-1: OpenStack Neutron vulnerability – 11th November 2014. Elena Ezhova discovered that OpenStack Neutron did not properly perform access control checks for attributes. A remote authenticated attacker could exploit this to bypass intended access controls and reset admin-only attributes to default values.
  • USN-2407-1: OpenStack Nova vulnerabilities – 11th November 2014. Garth Mollett discovered that OpenStack Nova did not properly clean up an instance when using rescue mode with the VMWare driver. A remote authenticated user could exploit this to bypass intended quota limits. By default, Ubuntu does not use the VMWare driver.
  • USN-2406-1: OpenStack Keystone vulnerability – 11th November 2014. Brant Knudson discovered that OpenStack Keystone did not properly perform input sanitization when performing endpoint catalog substitution. A remote attacker with privileged access for creating endpoints could exploit this to obtain sensitive information.
  • USN-2405-1: OpenStack Cinder vulnerabilities – 11th November 2014. Duncan Thomas discovered that OpenStack Cinder did not properly track the file format when using the GlusterFS or Smbfs drivers. A remote authenticated user could exploit this to potentially obtain file contents from the compute host. (CVE-2014-3641) Amrith Kumar discovered that OpenStack Cinder did not properly sanitize log message contents.
  • USN-2404-1: libvirt vulnerabilities – 11th November 2014. Pavel Hrdina discovered that libvirt incorrectly handled locking when processing the virConnectListAllDomains command. An attacker could use this issue to cause libvirtd to hang, resulting in a denial of service. (CVE-2014-3657) Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command.
  • USN-2403-1: GnuTLS vulnerability – 11th November 2014. Sean Burford discovered that GnuTLS incorrectly handled printing certain elliptic curve parameters. A malicious remote server or client could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2402-1: KDE workspace vulnerability – 10th November 2014. David Edmundson discovered that the KDE Clock KCM policykit helper did not properly guard against untrusted input. Under certain circumstances, a process running under the user’s session could exploit this to run programs as the administrator.
  • USN-2401-1: Konversation vulnerability – 10th November 2014. Manuel Nickschas discovered that Konversation did not properly perform input sanitization when using Blowfish ECB encryption. A remote attacker could exploit this to cause a denial of service.
  • USN-2400-1: LibreOffice vulnerability – 10th November 2014. It was discovered that LibreOffice incorrectly handled OLE preview generation. If a user were tricked into opening a crafted document, an attacker could possibly exploit this to embed arbitrary data into documents.
  • USN-2399-1: curl vulnerability – 10th November 2014. Symeon Paraschoudis discovered that curl incorrectly handled memory when being used with CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle(). This may result in sensitive data being incorrectly sent to the remote server.
  • USN-2398-1: LibreOffice vulnerability – 5th November 2014. It was discovered that LibreOffice incorrectly handled the Impress remote control port. An attacker could possibly use this issue to cause Impress to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2397-1: Ruby vulnerabilities – 4th November 2014. Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service.
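USN-2412-1 above is one of many entity-expansion denial-of-service fixes that have turned up across XML parsers over the years: a handful of nested entity declarations can expand to gigabytes once the parser substitutes them. As an added example (not the Ruby fix and not part of the original roundup), the Python below estimates how far a document's internal DTD would expand before any real parser sees it, refuses cyclic entity definitions, and rejects documents whose expansion exceeds a budget. The two sample documents, including the classic nested "lol" entity chain, are constructed here for illustration, and the regex-based DTD scan is a pre-filter rather than a full DTD parser: external and parameter entities are deliberately ignored.

```python
"""Pre-flight check for XML entity-expansion blow-ups (the "billion laughs"
pattern behind entity-expansion denial of service).  Added example for this
roundup: it is not the Ruby fix shipped in USN-2412-1, and the documents
below are constructed for illustration."""
import re

# Internal general entity declarations, e.g. <!ENTITY lol "lol">.  Parameter
# entities (<!ENTITY % ...>) and external entities (SYSTEM/PUBLIC) do not match
# this pattern and are therefore ignored by the estimator.
ENTITY_DECL = re.compile(r'''<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
ENTITY_REF = re.compile(r"&(\w+);")
DOCTYPE = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.S)


def parse_internal_entities(xml):
    """Map entity name -> replacement text for the internal DTD subset."""
    m = DOCTYPE.search(xml)
    if not m:
        return {}
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(m.group(1))}


def expanded_sizes(entities, limit):
    """Fully expanded length of every declared entity.  Raises ValueError on a
    reference cycle or as soon as any single entity would exceed `limit`."""
    sizes = {}

    def size_of(name, in_progress):
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise ValueError("entity reference cycle through &%s;" % name)
        text = entities.get(name)
        if text is None:
            # Undeclared or predefined (&amp;, &lt;, ...): count the literal reference.
            return len(name) + 2
        total, pos = 0, 0
        for ref in ENTITY_REF.finditer(text):
            total += ref.start() - pos
            total += size_of(ref.group(1), in_progress | {name})
            pos = ref.end()
        total += len(text) - pos
        if total > limit:
            raise ValueError("&%s; expands to %d characters (limit %d)" % (name, total, limit))
        sizes[name] = total
        return total

    for name in entities:
        size_of(name, frozenset())
    return sizes


def estimate_document_expansion(xml, limit=10_000):
    """Total characters the entity references in the document body would
    expand to, or ValueError if the DTD alone already breaks `limit`."""
    entities = parse_internal_entities(xml)
    sizes = expanded_sizes(entities, limit)
    m = DOCTYPE.search(xml)
    body = xml[m.end():] if m else xml
    total = 0
    for ref in ENTITY_REF.finditer(body):
        total += sizes.get(ref.group(1), len(ref.group(0)))
        if total > limit:
            raise ValueError("document body expands past %d characters" % limit)
    return total


def check_xml(xml, limit=10_000):
    """(True, expanded_chars) when parsing is within budget, else (False, reason)."""
    try:
        return True, estimate_document_expansion(xml, limit)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample: four nested levels of ten references each (3 * 10^4 chars).
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>"""

# Constructed sample: ordinary use of an internal entity.
BENIGN = '<!DOCTYPE note [<!ENTITY co "Example Corp">]><note>&co; &amp; friends</note>'

if __name__ == "__main__":
    print("billion laughs:", check_xml(BILLION_LAUGHS))
    print("benign:", check_xml(BENIGN))
```

The estimator never materializes the expanded text; it works on lengths, so checking a document that would expand to gigabytes costs only as much as walking its entity graph once. The budget should be set to what the downstream consumer can actually absorb, and the check belongs in front of the parser, since the parsers fixed by advisories like this one enforce their own limits only after the document has been handed to them.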