Welcome to the first of many monthly third-party patch roundups. Earlier in the month, we provided an overview of the security updates released by Microsoft™ on Patch Tuesday, and a few days ago we discussed the Apple® product vulnerabilities listed by US-CERT for September. Here’s a summary of some of the other important vulnerability discoveries and update releases over this past month.
Many business users depend on Adobe software for creating and reading .PDF files. On September 10th, Adobe issued security updates for Reader and Acrobat XI for vulnerabilities that could be exploited to allow an attacker to take control of the system.
Updates for Windows
Updates for Mac OS X
Adobe also released security updates for Flash Player that fix four critical vulnerabilities involving corruption of memory. These could be exploited to allow an attacker to run arbitrary code on a system. Updates are available for Flash on Windows, Mac OS X, Linux and Android. Those who are using Chrome or IE 10 on Windows 8 get the Flash update automatically with the browser updates.
Security Updates for Adobe Flash Player
Shockwave is not as widespread as Reader and Flash, but for those who do have it installed, Adobe released an update for a vulnerability similar to the Flash flaw (memory corruption that could allow remote code execution). This one applies to earlier versions of Shockwave Player on Windows and Mac OS X.
Security Update for Shockwave Player
Mozilla released an update for the Firefox browser on September 17th that provides 17 security fixes; 7 of them are rated critical, including several memory-related vulnerabilities. The updated version of Firefox is v24 and it’s available for Windows, Mac OS X and Linux.
Version 24 of Mozilla’s Thunderbird email client was also released on September 17th. It fixes six critical security issues, three high-severity vulnerabilities and four that are rated moderate. The critical vulnerabilities include a memory corruption issue involving scrolling, a buffer overflow issue and two “use-after-free” issues. Use-after-free vulnerabilities can result in data corruption and can be used by an attacker to execute arbitrary code.
The US-CERT September security bulletin lists ten critical vulnerabilities for Firefox and Thunderbird prior to version 24, with consequences such as denial of service and arbitrary code execution, so upgrading is important.
Many networks rely on Cisco equipment running the Cisco IOS software. On September 25th, Cisco released its semiannual Security Advisory Bulletin, which addresses eight vulnerabilities in IOS. These include security flaws in multicast Network Time Protocol (NTP), IPv6, DHCP and Network Address Translation (NAT), a memory leak in Internet Key Exchange (IKE) and a couple of Queue Wedge vulnerabilities. Exploits could result in loss of connectivity, denial of service or a device reload. Refer to the individual security advisories for workarounds and software fixes:
Semiannual Cisco IOS Software Security Advisory
Here’s a reminder that Oracle releases its critical security updates for their products to customers with support contracts on a quarterly basis, and the next scheduled update day is coming up next month, on October 15th. Beginning with the October update, Java SE security fixes will also be released on this schedule. The most recent critical update for Java was released on June 18.
The US-CERT September security bulletin lists eleven Linux kernel vulnerabilities in the Human Interface Device (HID) subsystem that could result in denial of service. These are rated as medium severity. There is also a critical vulnerability in Red Hat OpenStack on the list, which could allow remote attackers to access arbitrary hosts.
A fix was released last week for two security vulnerabilities in the Apache Struts web application framework that could allow an attacker to gain the privileges of the logged-on user, possibly take control of the system and execute code remotely. Those running Struts should upgrade to version 2.3.15.2. A workaround for previous versions is to disable Dynamic Method Invocation (DMI) and run all software without admin privileges.
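For those who cannot upgrade right away, here is what the DMI workaround looks like in a Struts 2 struts.xml. This is an added example, not configuration from the original post or from the Struts project; the action class name com.example.LoginAction and the JSP paths are placeholders, while the struts.enable.DynamicMethodInvocation constant and the action!method URL syntax are standard Struts 2 features.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Weak setting: with DMI enabled, a request such as
         /app/login!resetPassword.action (or ?method:resetPassword)
         lets the caller pick which public method on the action
         class runs, bypassing whatever the mapping intended. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

    <!-- Hardened setting: DMI off, so only the method named in an
         action mapping can be reached from a URL. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <package name="default" namespace="/" extends="struts-default">
        <!-- Every reachable method is now declared explicitly.
             com.example.LoginAction is a placeholder class name. -->
        <action name="login" class="com.example.LoginAction" method="execute">
            <result name="success">/welcome.jsp</result>
            <result name="input">/login.jsp</result>
        </action>
    </package>
</struts>
```

The same constant can be set as struts.enable.DynamicMethodInvocation=false in struts.properties instead. After applying it, confirm that a request of the form login!someMethod.action no longer dispatches to someMethod; any code that relied on the bang syntax will need its own explicit action mapping.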