Here we go again – another end-of-month has rolled around and it’s time to check out the security updates, other than those issued by Microsoft on Patch Tuesday, that have hit the streets since last we met here.
It was a big month for Apple updates, beginning on September 29 (after I had already submitted my September roundup summary on September 26) with a bash fix.
Apple has released 10 security patches since September 26, most of them for various versions of their OS X desktop operating system, as well as patches for their popular iTunes and QuickTime applications that run on Microsoft Windows systems. For those who think Apple products don’t have any vulnerabilities, a read through some of the lists of issues addressed by some of these updates could be an eye-opener. You can find more details about these fixes on Apple’s support web site at http://support.apple.com/kb/ht1222.
- On September 29, Apple released OS X bash update 1.0 for Lion, Lion Server, Mountain Lion and Mavericks (versions 10.7.5, 10.8.5 and 10.9.5) in response to the much-publicized bash vulnerability (a.k.a. Shellshock) in UNIX-based systems, by which an attacker can remotely execute shell commands. Millions of attacks were noted after the disclosure of the vulnerability early in September.
- Apple released six patches on October 16, the first of which was a patch for OS X Yosemite (10.10), to address a whopping forty issues. These included fixes for 802.1X (making Wi-Fi credentials vulnerable to theft), AFP file server (by which an attacker could obtain network addresses), Apache (multiple vulnerabilities, including a denial of service vulnerability), App Sandbox (misuse of accessibility API), and the aforementioned bash vulnerability. Also addressed were issues in Bluetooth, CFPreferences (password required after sleep), the Certificate Trust Policy, CoreStorage, a vulnerability in CUPS which could be used to execute arbitrary code, a problem with fdesetup providing misleading information about encryption, and a vulnerability by which the iCloud lost mode PIN could be brute forced. There were also fixes for IOAcceleratorFamily and IOHIDFamily (malicious apps could execute code with system privileges or cause denials of service), as well as IOKit and a number of kernel vulnerabilities. There are also patches for QuickTime and Safari. Some of these are serious issues with severe potential impact.
- Also released October 16 was Security Update 2014-15 for Mountain Lion and Mavericks. This is for an SSL vulnerability that could allow an attacker to decrypt data sent over an SSL connection. The fix disables cipher block suites when TLS connection attempts fail.
- The next three October 16 updates are for OS X Server, versions 2.2.5, 3.2.2 and 4.0 (Mountain Lion, Mavericks and Yosemite). They fix the SSL issue for the first two server operating systems and a number of vulnerabilities for Yosemite in BIND, CoreCollaboration, Mail Service, Profile Manager, and Server Ruby.
- Finally, October 16 also brought a patch for iTunes (12.0.1) that addresses more than eighty memory corruption vulnerabilities in this software running on Windows XP, Vista, 7 and 8 that could allow arbitrary code execution or unexpected application termination.
- On October 20, Apple released iOS 8.1 for iPhone 4 and later, iPad 2 and later and iPod Touch Gen 5 or later. This update for the mobile OS includes fixes for vulnerabilities in Bluetooth (pairing bypass), House Arrest (insufficient cryptographic protection), iCloud Data Access (data leakage), Keyboards (user credentials exposure) and Secure Transport (SSL).
- Also on October 20, Apple released a fix for Apple TV Gen 3 and later, version 7.0.1. This update addresses two of the same issues we saw in the iOS update: the Bluetooth and SSL vulnerabilities.
- On October 22, Apple released a fix for QuickTime (version 7.7.6) on Windows XP, Vista and 7. This patch addresses four vulnerabilities, all of which can allow arbitrary code execution if exploited.
We saw three security bulletins from Adobe this month, including one for Adobe Digital Editions, one for ColdFusion and one for Adobe Flash Player that I have already discussed in a separate blog post because the vulnerability can be exploited by those without technical skills using the Fiesta exploit kit.
- The Flash Player update was released on October 14 and addresses three different vulnerabilities that apply to Windows, Mac OS X and Linux systems running the software. It has a priority 1 rating for Windows and Mac, as does the Google Chrome version for Linux. Flash Player 22.214.171.1246 and earlier for Linux has a priority rating of 3, and so do Adobe AIR SDK and AIR Desktop Runtime. The severity rating is critical, as these vulnerabilities could be used to take control of a system.
- The ColdFusion update was also released on October 14 and also addresses three vulnerabilities, which include a bypass for IP address access control restrictions, cross-site scripting and a cross-site request forgery vulnerability. The priority rating is 2 for all affected versions of ColdFusion (9.0 through 11) and the severity rating is important.
- The update for Adobe Digital Editions was released on October 23. It addresses a single vulnerability in versions 4.0.98786 for both Windows and Mac OS. Digital Editions is an ebook program. This vulnerability pertains to secure transfer of rights management and licensing validation info and has a priority rating of 2 and severity rating of important.
On October 14, Google released an update for the Chrome browser running on Windows, Mac and Linux. It includes an update for Adobe Flash Player and additional fixes. A list of all the changes is available on the Chromium web site.
On October 16, Google released an update for Chrome OS (version 38.0.2125.110). This applies to all Chrome devices except Dell, Asus and Samsung Chromeboxes. It includes several security updates. A list of all the changes is available on the Chromium web site.
Oracle is on a quarterly release cycle, releasing patches in January, April, July and October; July was the previous update month before this one.
This month, Oracle released one critical patch update on October 20. This is a cumulative update that contains fixes for 154 vulnerabilities for various Oracle products, including four for Oracle database and patches for Fusion Middleware, Enterprise Manager, E-Business Suite, Oracle Supply Chain, PeopleSoft, Communications, Retail and Health Sciences products. There are also four fixes for Java SE, as well as fixes for vulnerabilities in the Oracle and Sun Systems Products Suite, MySQL suite and Oracle Linux and Virtualization.
You can read about the details of these patches on the Oracle web site.
On October 13, Mozilla released Firefox v33, which fixed nine issues, three of which are critical. The critical vulnerabilities include MFSA 2014-74, pertaining to miscellaneous memory safety hazards, MFSA 2014-77, an out-of-bounds write with WebM video, and MFSA 2014-79, a use-after-free issue with text directionality. There are also four high severity vulnerabilities and two moderate ones. For more details about these vulnerabilities, see the Mozilla web site.
Popular Linux distros saw a number of updates issued in October. Ubuntu issued twenty-four updates between September 1 and the time of this writing (October 24); this was sixteen fewer than the forty that were issued in September. Other commercial Linux vendors issued similar updates.
- USN-2388-2: OpenJDK 7 vulnerabilities – 23rd October 2014. USN-2388-1 fixed vulnerabilities in OpenJDK 7 for Ubuntu 14.04 LTS. This update provides the corresponding updates for Ubuntu 14.10. Original advisory details: A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network.
- USN-2388-1: OpenJDK 7 vulnerabilities – 22nd October 2014. A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network.
- USN-2387-1: pollinate update – 22nd October 2014. The pollinate package bundles the certificate for entropy.ubuntu.com. This update refreshes the certificate to match the one currently used on the server.
- USN-2386-1: OpenJDK 6 vulnerabilities – 16th October 2014. A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network.
- USN-2385-1: OpenSSL vulnerabilities – 16th October 2014. It was discovered that OpenSSL incorrectly handled memory when parsing DTLS SRTP extension data. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
- USN-2384-1: MySQL vulnerabilities – 15th October 2014. Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.40. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
- USN-2373-1: Thunderbird vulnerabilities – 15th October 2014. Bobby Holley, Christian Holler, David Bolter, Byron Campen and Jon Coppeard discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.
- USN-2383-1: wpa_supplicant vulnerability – 14th October 2014. Jouni Malinen discovered that the wpa_cli tool incorrectly sanitized strings when being used with action scripts. A remote attacker could possibly use this issue to execute arbitrary commands.
- USN-2372-1: Firefox vulnerabilities – 14th October 2014. Bobby Holley, Christian Holler, David Bolter, Byron Campen, Jon Coppeard, Carsten Book, Martijn Wargers, Shih-Chiang Chien, Terrence Cole and Jeff Walden discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service.
- USN-2345-1: Oxide vulnerabilities – 14th October 2014. Multiple use-after-free issues were discovered in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process.
- USN-2382-1: Requests vulnerabilities – 14th October 2014. Jakub Wilk discovered that Requests incorrectly reused authentication credentials after being redirected. An attacker could possibly use this issue to obtain authentication credentials intended for another site.
- USN-2381-1: Rsyslog vulnerabilities – 9th October 2014. It was discovered that Rsyslog incorrectly handled invalid PRI values. An attacker could use this issue to send malformed messages to the Rsyslog server and cause it to stop responding, resulting in a denial of service and possibly message loss.
- USN-2380-1: Bash vulnerabilities – 9th October 2014. Michal Zalewski discovered that Bash incorrectly handled parsing certain function definitions. If an attacker were able to create an environment variable containing a function definition with a very specific name, these issues could possibly be used to bypass certain environment restrictions and execute arbitrary code.
- USN-2379-1: Linux kernel vulnerabilities – 9th October 2014. Steven Vittitoe reported multiple stack buffer overflows in the Linux kernel’s magicmouse HID driver. A physically proximate attacker could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code via specially crafted devices.
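The bash issue behind USN-2380-1 and Apple's bash update (a function definition imported from an environment variable with trailing commands being executed) has a well-known local check that admins used to confirm a patch had actually landed. The script below is an added example, not part of the original post or of any vendor advisory; the variable name `probe` and the marker string are constructed for the test.

```shell
#!/bin/sh
# Added example: report whether the local bash still executes text that
# follows a function definition imported from the environment (the
# behaviour fixed by USN-2380-1). Prints one of: patched, vulnerable, no-bash.
shellshock_status() {
    # Nothing to check on a host without bash at all.
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }

    # Constructed probe: an environment variable whose value looks like an
    # exported function body ("() { :;}") followed by an extra command.
    # A patched bash ignores the trailing text, so MARKER never appears.
    out=$(env probe='() { :;}; echo MARKER' bash -c 'echo probe-done' 2>/dev/null)

    case "$out" in
        *MARKER*) echo vulnerable; return 1 ;;
        *)        echo patched;    return 0 ;;
    esac
}

# Run directly: exit status 0 = patched, 1 = vulnerable, 2 = no bash found.
shellshock_status
```

A "vulnerable" result on a host that supposedly received the update usually means the package was installed but an older bash binary is still first on the PATH.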