As we approach the end of this month, it’s time to take a look at the non-Microsoft™ security fixes that have come down the pike over the last four weeks. In case you missed it, you can check out my synopsis of Microsoft’s October Patch Tuesday updates at http://www.techtalk.gfi.com/october-patch-tuesday-roundup/.
NOTE: I’m writing this roundup a week early this time because I’m going to be out of the country the last week of the month. If important patches are released during that last week, we’ll either include them in the end-of-November roundup or, if they’re critical, I’ll address them in a special post the first week of November.
It can be easy to overlook the updates released by third-party vendors, but it’s important to keep non-Microsoft devices and non-Microsoft programs running on Windows devices patched. The vulnerabilities in these products often don’t get as much publicity as those that affect Microsoft products, so they can sneak up on you. However, before you apply updates, be sure they’re really what they claim to be. Larry Seltzer, over on ZDNet, warned of two fake updates that are circulating, which purport to be updates for Google Chrome and Adobe “media player” but are actually malware.
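One concrete way to act on that advice is to check a downloaded installer against the checksum the vendor publishes on its own site before running it. The script below is an added example, not code from the original post or from any vendor; it assumes the vendor publishes SHA-256 digests in the common `sha256sum` format (one `<hex-digest>  <filename>` line per file) and that the digest list was fetched separately over HTTPS rather than alongside the installer. The installer bytes and checksum lines are constructed for the demonstration.

```python
"""Verify a downloaded installer against a vendor-published SHA-256 checksum.

Added example. Assumes a sha256sum-style checksum file obtained from the
vendor's own site; the "installer" contents below are constructed stand-ins.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed sample installer contents (not a real Chrome or Adobe update).
GOOD_INSTALLER = b"constructed installer payload for demonstration only\n"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"extra bytes a fake update might carry\n"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(text):
    """Parse sha256sum-style lines into {filename: hex_digest}.

    Accepts the text-mode ("hash  name") and binary-mode ("hash *name") forms,
    skips blank lines and '#' comments, and rejects malformed digests.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest> <filename>'")
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        expected[name.lstrip("*")] = digest
    return expected


def verify_download(path, checksum_text):
    """Return True only if the file's SHA-256 matches the published digest.

    A file with no published entry fails verification; "nothing to compare
    against" must not be mistaken for "verified". The comparison is
    constant-time out of habit, even though the digest is not a secret here.
    """
    expected = parse_checksum_file(checksum_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_file(path), expected[name])


def demo():
    """Verify a good installer, a tampered copy, and an unlisted file.

    Returns (good_ok, tampered_ok, unlisted_ok); only the first should be True.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "update.exe")
        with open(path, "wb") as fh:
            fh.write(GOOD_INSTALLER)
        # Constructed checksum file; in practice this digest comes from the
        # vendor's download page, not from the file you are about to check.
        checksums = f"{sha256_file(path)}  update.exe\n"
        good_ok = verify_download(path, checksums)

        with open(path, "wb") as fh:  # same name, altered contents
            fh.write(TAMPERED_INSTALLER)
        tampered_ok = verify_download(path, checksums)

        other = os.path.join(tmp, "other.exe")  # not in the checksum list
        with open(other, "wb") as fh:
            fh.write(GOOD_INSTALLER)
        unlisted_ok = verify_download(other, checksums)
    return good_ok, tampered_ok, unlisted_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check only proves the file matches what the vendor published; it does not help if both the installer and the checksum list came from the same untrusted page, which is why the lead-in assumes they were fetched independently.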
Apple has had far fewer patches this month than in September – only a couple as of October 24. On October 3, Apple released a security update (OS X v10.8.5 Supplemental) for OS X Mountain Lion Directory Services to fix a vulnerability in the way Directory Services verifies authentication credentials that could allow an attacker with local access to the computer to bypass password validation and make changes to the Directory Services records with system privileges.
On October 15, another update was released that impacts OS X v10.6.8 (both client and server), OS X Lion v10.7 or later (both client and server), and OS X Mountain Lion 10.8 or later. This is a Java update that addresses several vulnerabilities in that technology. One of these vulnerabilities can allow an attacker to create a Java applet on a web site that, when a user visits that site, will execute arbitrary code outside of the Java sandbox with the same privileges as the user who’s currently logged on. This is obviously a serious security issue.
On October 22, Apple Product Security released a message regarding the latest version of OS X, Mavericks v10.9. It lists the vulnerabilities in previous versions that the new version addresses. The list includes more than 40 security flaws, many of which are kernel issues. You can view the list here:
Shortly after the Mavericks release, Larry Seltzer opined that Apple might be changing its (unwritten) policy to stop providing security updates for prior versions of OS X but he had received no confirmation or denial from Apple at the time of this writing.
Meanwhile, in the mobile space (to which Apple seems to pay a good deal more attention these days than it does to its OS X desktop operating system), the company released iOS 7.0.3 on October 22, which includes some security-related new features. It brings iCloud Keychain for storing credit card and log-in info and similar sensitive data, and a new feature in Safari for iOS can create complex passwords.
Adobe also released an update for RoboHelp 10 running on Windows, for a vulnerability that could allow an attacker to run arbitrary code. RoboHelp is HTML5 authoring and publishing software for help content, so this one will only affect the limited audience that uses this software.
Adobe was making headlines in the security space early this month, and it wasn’t good news. The company announced that their network had been hacked, exposing the personal information of almost three million customers, including encrypted credit card information. Possibly even worse, source code for Adobe products was also exposed, which could result in widespread exploitation of Adobe Acrobat and other products. Here are some recommendations for Adobe customers to minimize risk.
In early October, Google released version 30.0.1599.66 of the Chrome browser for Windows, Mac, Linux and Chrome Frame, containing fixes for 50 security vulnerabilities, along with new versions of Chrome for Android and iOS.
On October 15, this was superseded by version 30.0.1599.101 for Windows, Mac, Linux and Chrome Frame, fixing five more vulnerabilities.
Another update, for Linux only (v30.0.1599.114), was released on October 22 to fix an issue users were having with installing the 32-bit version, but this update did not contain security fixes.
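With three Chrome builds in one month and only two of them carrying security fixes, the practical question for an administrator is which installs are still below the fixed version. The script below is an added example, not code from the original post or from Google or Mozilla; it compares dotted versions as tuples of integers, because a plain string comparison gets them wrong (as text, "30.0.1599.101" sorts before "30.0.1599.66"). The inventory lines are constructed; the minimum versions are the ones this roundup cites (Chrome 30.0.1599.101, Firefox 24.0), and the Linux-only .114 build is deliberately not the floor since it added no security fixes.

```python
"""Flag installed browsers that are below the minimum patched version.

Added example. The inventory is constructed; minimum versions are taken
from the roundup text above.
"""
import re

# Lowest versions that contain the October security fixes discussed above.
MINIMUM_SECURE = {
    "Google Chrome": "30.0.1599.101",
    "Mozilla Firefox": "24.0",
}

# Constructed inventory: one "<product>\t<version>\t<host>" line per install.
INVENTORY = """\
Google Chrome\t30.0.1599.66\tws-011
Google Chrome\t30.0.1599.101\tws-012
Google Chrome\t30.0.1599.114\tws-013
Google Chrome\t29.0.1547.76\tws-014
Mozilla Firefox\t24.0\tws-011
Mozilla Firefox\t23.0.1\tws-015
Adobe RoboHelp\t10.0\tws-016
"""


def parse_version(text):
    """Turn '30.0.1599.101' into (30, 0, 1599, 101) so ordering is numeric.

    Non-numeric suffixes such as 'esr' or 'beta' are ignored.
    """
    numbers = re.findall(r"\d+", text)
    if not numbers:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in numbers)


def is_patched(installed, minimum):
    """True when the installed version is at or above the minimum secure one.

    Shorter tuples are zero-padded so '24' compares equal to '24.0'.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def find_unpatched(inventory_text, minimums):
    """Return [(product, version, host)] for installs below their minimum.

    Products without a known minimum are skipped rather than flagged:
    'no data' is not the same finding as 'vulnerable'.
    """
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        product, version, host = line.split("\t")
        minimum = minimums.get(product)
        if minimum is not None and not is_patched(version, minimum):
            findings.append((product, version, host))
    return findings


if __name__ == "__main__":
    for product, version, host in find_unpatched(INVENTORY, MINIMUM_SECURE):
        print(f"{host}: {product} {version} is below {MINIMUM_SECURE[product]}")
```

Run against the constructed inventory it reports ws-011 (Chrome .66), ws-014 (Chrome 29) and ws-015 (Firefox 23.0.1); the RoboHelp entry is silently skipped because no minimum is defined for it, which is the behaviour you want from a report that should say "unknown" rather than invent a verdict.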
In good news for Windows XP users, Google has announced that they plan to continue support for Chrome on XP until at least April of 2015, even though Microsoft itself will end support for the XP OS in April 2014. Since the end of Microsoft support means no more security updates, XP users who still resist upgrading may want to consider switching to Chrome if they haven’t already, to at least get protection from browser-based malware and attacks.
Google also announced this month that they are offering rewards for updates to improve the security of OpenSSL, OpenSSH, BIND, ISC DHCP and other open source software, in amounts ranging from $500 to over $3000.
Many computer users switch to Firefox® because they believe it to be more secure than other browsers. However, all browsers have vulnerabilities, so it’s important to keep them all up to date, regardless of which one(s) you use. That applies to mobile versions, too. In early October, a security researcher revealed a flaw in the Android version of Firefox that could allow hackers to access the device’s SD card and steal data; however, the issue is fixed in the latest version, released in September, so those who keep their software up to date are protected.
The most recent version of Mozilla Firefox, v24.0, came out in September. As of October 24, Mozilla has not released any updates for the browser this month. The company is reportedly considering changing to a 9-week release cycle for new browser versions. Currently the cycle is 18 weeks, with new stable builds released every 6 weeks.
Mozilla did announce early in the month that they have a new version of the Firefox OS, v1.1, an operating system that runs on low-end mobile phones. On October 21, SC Magazine reported that a 17-year-old researcher has developed the first malware for Firefox OS, but it’s not clear whether he was using the new version.
Cisco® released six security bulletins in October. The first was released October 2, pertaining to a vulnerability in Cisco IOS XR v4.3.1 on all supported hardware, which could be exploited to cause a denial of service (DoS).
On October 9, they released an advisory regarding two vulnerabilities in the Cisco Firewall Services Module software for Catalyst 6500 switches and 7600 series routers, which could result in denial of service and/or a complete compromise of the affected system. Attackers could delete, change or view the configuration, and an unauthenticated attacker could trigger a DoS remotely.
Also on October 9, Cisco released an advisory for ten different vulnerabilities in their Adaptive Security Appliance (ASA) software, exploitation of which could lead to a DoS attack and/or the ability of an attacker to bypass authentication and access the internal network.
On October 23, the company released three security advisories. The first addresses two vulnerabilities in the Cisco Identity Services Engine that could allow an attacker (with authentication) to execute arbitrary code and/or access sensitive information, including product configuration information and administrative credentials.
The next advisory affects Cisco products that implement the Apache Struts 2 component. It addresses a vulnerability that could result in an attacker running arbitrary code on the system. Affected products are Cisco Business Engine 3000, Cisco Identity Services Engine, Cisco Media Experience Engine, and Cisco Unified SIP Proxy.
The last October 23 release addresses a vulnerability in the Cisco IOS XR software (versions 3.3.0 through 4.2.0) that could result in a DoS attack by preventing the route processor from transmitting packets. It can be exploited with both IPv4 and IPv6 traffic.
Oracle released critical patches for thirteen product groups in its October update cycle. These include patches for Java, Oracle Database, MySQL and Linux and Virtualization products (advisory: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html).
In all, there are 127 security vulnerabilities addressed by these releases. More than 50 of them are for Java SE. These are serious because all but one can be exploited remotely with no authentication required, and the most serious could allow an attacker to take control of the system.
Most of the rest of the fixes are for various business products, including:
- Oracle Fusion Middleware (17 vulnerabilities)
- Oracle Enterprise Manager Grid Control (4 vulnerabilities)
- Oracle business applications (22 vulnerabilities)
- Oracle and Sun Systems Products Suite (12 vulnerabilities)
On October 12, Debian released an update, v7.2, for its Linux distro, which makes “corrections for security problems.” There are 67 security advisories that are addressed by this update, including DoS vulnerabilities, buffer and heap overflows, code execution, privilege escalation and other serious security issues.
US-CERT’s Vulnerability Summary for the week of October 7 includes a security flaw in Apache Camel that allows remote attackers to execute arbitrary expressions in Camel’s built-in Simple expression language, which could result in unauthorized disclosure of information, unauthorized modifications and disruption of service. The vulnerability is rated critical.