The year has gotten off to an interesting start in the patching and vulnerability arena. So far, we’ve had a couple of light Patch Tuesdays from Microsoft, although Oracle came out of the gate with a bang with 144 patches in January. As 2014 rocks along, we’re seeing plenty of the “usual suspects” – remote code execution, denial of service and memory corruption exploits – with the popular operating systems and application software.
We continue to see that applications present more security issues than the operating system these days, and a recent report from Cenzic, their Application Vulnerability Trends Report 2014, describes applications as “soft targets.” In military terminology, the label refers to an undefended or poorly defended target that can be easily destroyed (in contrast to a hard target such as a military base or a presidential retreat). According to the report, a whopping 96 percent of all applications that were tested in 2013 contained one or more security vulnerabilities.
And that’s why third party patching is so important. Although awareness is growing, many IT departments and security professionals still focus more on the operating system than on the applications that are installed on it. Keeping application software up to date is just as necessary as patching the OS, but sometimes falls by the wayside. CERT-In, the Computer Emergency Response Team of India, reported this month that many users of both Chrome and Mozilla Firefox are at risk due to multiple vulnerabilities allowing remote code execution, privilege escalation, information disclosure, denial of service and security bypass. Their advisory referred to Chrome versions prior to 32.0.1700.102 and Firefox versions prior to 27.0.
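One way to turn advisory thresholds like the CERT-In ones above into an inventory check, as an added example that is not part of the original post: the fixed versions are the ones the advisory names, while the hostnames and installed versions are constructed sample data. The point it shows is that dotted version strings must be compared numerically, since plain string comparison puts "9.0" after "32.0".

```python
"""Flag installed browsers that are older than an advisory's fixed version.

Added example (not from the original post). Fixed versions are the Chrome
and Firefox thresholds from the CERT-In advisory; the inventory is constructed.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed versions from the advisory: anything earlier is vulnerable.
# Branches with their own fixed build (e.g. an ESR line) would need their own entry.
FIXED_VERSIONS: Dict[str, str] = {
    "Google Chrome": "32.0.1700.102",
    "Mozilla Firefox": "27.0",
}


def parse_version(version: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '32.0.1700.102' into (32, 0, 1700, 102), zero-padded to `width`.

    Padding matters: Python compares (27,) < (27, 0) as True, which would
    wrongly flag Firefox '27' as older than the fixed version '27.0'.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build is numerically older than the fixed one."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose browser needs updating."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]


# Constructed sample inventory: (hostname, product, installed version)
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome", "32.0.1700.102"),  # exactly the fixed build: OK
    ("ws-02", "Google Chrome", "32.0.1700.76"),   # older build on the same major
    ("ws-03", "Google Chrome", "9.0.597.107"),    # lexically "greater", numerically older
    ("ws-04", "Mozilla Firefox", "27.0"),         # fixed version: OK
    ("ws-05", "Mozilla Firefox", "26.0"),         # one major behind
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: browser below advisory minimum, update required")
```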
Of course, it’s also important to remember that it’s not just applications on desktop and laptop computers that can provide a vector for attack. Smart phones and tablets present their own security risks. As Android gains more of the smart phone market, there are growing concerns over Google’s lack of an effective way to distribute security updates to the millions of devices running the mobile OS. This is due to the way responsibilities have been divided among the OS maker (Google), device makers (such as Samsung or HTC) and wireless carriers (such as Verizon or AT&T). In most cases, the hardware manufacturer or the carrier rolls out the updates, and they’re often not quick about it.
However, it goes beyond phones, too. The firmware that runs on network-connected hardware devices can also be vulnerable. Belkin just patched multiple vulnerabilities in the firmware of their WeMo home automation modules that could be used to access a home’s local area network. Asus Wi-Fi routers have been reported to have serious, still unfixed vulnerabilities allowing access to drives on the network. And Linksys home and small business routers have a well-known vulnerability, also unpatched, that could be used by an attacker to access the router’s administrative settings and upload malicious code.
The takeaway is obvious: Any device that connects to the Internet, even one we don’t traditionally think of as a “computer,” runs code – firmware, operating systems and applications – and any of that code can contain security flaws.
Let’s look at what’s been going on for the past few weeks on the vulnerability front with the most popular software vendors.
Adobe traditionally releases its security updates on a monthly basis on the same Patch Tuesday as Microsoft, but this month they’ve had three different release dates. The company put out a critical patch on February 11 for Shockwave Player to fix two vulnerabilities. This applies to versions 220.127.116.11 and earlier, running on both Windows and Mac OS X. The vulnerabilities are of the memory corruption type, and were reported by FortiGuard Labs. An exploit could lead to remote code execution that would allow an attacker to take control of the computer.
Although this update is rated critical due to the severity of impact on affected systems, its scope is narrower than that of the Flash Player vulnerability that was addressed in an emergency out-of-band patch the first week in February and which we reported on in this blog. The installed base of Shockwave Player is smaller, and there was no known exploit being distributed in the wild for this one at the time it was disclosed.
Another set of Flash Player security updates was released as emergency updates on February 20. These affect versions 18.104.22.168 and earlier, running on Windows and Mac OS X, as well as versions 22.214.171.1246 and earlier running on Linux. Adobe AIR for Android is also affected. Once again, this patch is critical because the vulnerability is already being exploited in the wild, with attacks observed on the websites of several nonprofit organizations. It can allow an attacker to install malware remotely and take control of the system; it’s rated priority 1 on Windows and Mac and priority 3 on Linux and Android. The good news is that ASLR (Address Space Layout Randomization) can mitigate the attacks on the latest operating systems.
Thus far in February, Apple has only released one security update, for Boot Camp 5.1. Boot Camp is an OS X utility that allows you to dual boot the Mac OS and Windows on a modern Intel-based Mac machine. Boot Camp 5.1 supports installation of Windows 7, 8 or 8.1. This vulnerability in Boot Camp can allow an attacker to load a malformed portable executable file that could cause memory corruption in the OS X kernel. On February 11, Apple released an update that fixes the problem by improving the bounds checking process.
Cisco published four security advisories on February 19:
- Multiple vulnerabilities in IPS Software, Cisco’s Intrusion Prevention System software, that can result in denial of service.
- Unauthorized access vulnerability in the Unified SIP Phone 3905 that affects only this specific product, which could allow an unauthenticated, remote attacker to gain root-level access to the device.
- Firewall Service Module Cut-through proxy denial of service vulnerability that could allow an unauthenticated, remote attacker to cause a reload of an affected system and create a denial of service condition.
- UCS Director default credentials vulnerability in Cisco’s Unified Computing System Director that could allow an unauthenticated, remote attacker to take complete control of the device.
Google released an update to their Chrome browser which, rather than being a fix for a specific vulnerability, adds a feature to automatically warn users if malware makes changes to the browser’s settings. This can help to prevent common browser hijacking attacks.
On February 20, Google released version 33 of Chrome, which patched 28 security vulnerabilities. Five of these were rated of high impact. The new version (126.96.36.1990.117 for Windows, Mac and Linux) also installs the updated version of Adobe Flash Player that was released earlier the same day. On the Windows version of the browser, it also permanently disables browser extensions that didn’t come from the official Chrome Web Store.
Ubuntu has released 23 security updates this month as of February 20, 11 of which are Linux kernel vulnerabilities. The rest are in various components such as LibYAML, MAAS, Libav and Libgadu, as well as Firefox and Thunderbird vulnerabilities.
During the same time frame, Red Hat released 9 security updates for their Enterprise Linux Server v.6, but the only one rated critical is the Firefox update. There are five moderate updates, two rated important, and one of low impact.
On February 4, Mozilla released the latest version of the Firefox web browser, version 27. The Firefox update includes 13 security fixes: 4 rated critical, 4 rated high, 4 rated moderate, and one of low impact. The four critical vulnerabilities include:
- Miscellaneous memory safety hazards
- Incorrect use of discarded images by RasterImage
- Use-after-free vulnerability with imgRequestProxy and image processing
- Crash when using web workers with asm.js
Such vulnerabilities could be exploited to run arbitrary code, or write to unowned memory and cause an exploitable crash.