April 2015 patch roundup

It has been a typical April here in north central Texas. After a long period of drought the much-needed spring rains came and have filled our half-empty lakes. Summer time is right around the corner! Meanwhile, it’s time to make sure that all of my non-Microsoft devices and applications are properly updated to keep that warm weather malware at bay.

On the patch front, we got a bit of a deluge this month, with a substantial six patches (again) from Apple that address a very large number of vulnerabilities (77 for OS X alone), three updates from Adobe, 16 from Mozilla, and 33 advisories (many addressing multiple vulnerabilities) for Ubuntu Linux. This is also the month for Oracle’s quarterly update release and the one update they released fixes a whopping 98 vulnerabilities, so IT pros have had a fairly heavy updating workload spread out over the last thirty days.

Now let’s take a look at the major fixes that were released in April.

Apple

Apple released all six of its patches in one fell swoop, on April 8. Four are for various versions of the Mac OS X operating system, one is for iOS devices and the last is for Apple TV.

  • Apple released Safari 8.0.5, 7.1.5 and 6.2.5 for OS X Mountain Lion, Mavericks and Yosemite, with fixes for ten security vulnerabilities. These include three vulnerabilities in Safari itself and seven vulnerabilities in the WebKit component. The Safari vulnerabilities include an issue in client certificate matching for SSL authentication, a problem by which responding to push notification requests in private browsing mode revealed users’ browsing history, and a state management issue that resulted in browsing history not being purged. Exploits could allow users to be tracked by malicious web sites or have their browsing history exposed. The WebKit vulnerabilities include multiple memory corruption issues that could allow an attacker to execute arbitrary code, an issue with credential handling for FTP URLs that could lead to resources of another origin being accessed when visiting a malicious web site, and another state management issue that could cause the browsing history to be indexed in private mode.
  • Update 2015-004 for OS X Yosemite addresses a whopping 77 vulnerabilities in the operating system, including security holes in the kernel, WebKit, OpenSSL, the Open Directory Client, Admin Framework, Apache, ATS, Certificate Trust Policy, CFNetwork HTTPProtocol, CFNetwork Session, CFURL, CoreAnimation, FontParser, the Graphics Driver, the Hypervisor, ImageIO, the IOHIDFamily, LaunchServices, libnetcore, ntp, OpenLDAP, PHP, QuickLook, SceneKit, Screen Sharing, Code Signing and Uniform Type Identifiers. Many of these are critical vulnerabilities that an attacker could exploit to execute arbitrary code or elevate privileges. Some can lead to exposure of users’ passwords. Others can be used to create a denial of service attack. One would allow an attacker to redirect user traffic to arbitrary hosts.
  • iOS 8.3 for iPhone 4 and later, iPod Touch 5th generation and later and iPad 2 and later contains security fixes for 58 vulnerabilities. Many, including WebKit and Safari vulnerabilities, are of the same type as those fixed in OS X. There are also numerous kernel vulnerabilities and vulnerabilities in device OS components such as Keyboards, iWork Viewer, IOMobileFramebuffer, Podcasts and the Lock Screen.  In addition to the remote code execution and denial of service exploits made possible by these vulnerabilities, there is a NetworkExtension vulnerability that an attacker could use to recover a user’s VPN credentials, and several of the vulnerabilities put users’ passcodes at risk.
  • Apple released OS X Server 4.1 that includes security updates to fix 4 vulnerabilities in Dovecot (open source IMAP and POP3 email server), Postfix (open source mail transfer agent), the firewall, and Wiki Server.  These vulnerabilities could lead to attackers being able to decrypt SSL-encrypted data, custom firewall rules not being enforced, and access controls not being enforced on mobile devices.
  • Apple TV 7.2 contains security fixes for 38 vulnerabilities, including multiple memory corruption issues that could lead to arbitrary code execution, issues that could result in disclosure of kernel memory content, vulnerabilities that could allow malicious applications to escalate privileges or read kernel memory, and denial of service and traffic redirection issues.
  • Xcode 6.3 was released, containing security updates to fix vulnerabilities in Clang and Swift that could be used by an attacker to bypass stack guards or lead to certain types of conversions returning unexpected values.

For more information about each of these updates and the vulnerabilities they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe issued three updates this month, all on April 14 as part of their regular Patch Tuesday schedule. Only one – for Adobe Flash – will affect most typical users.

  • APSB15-06 is an update for Adobe Flash Player running on Windows, Macintosh and Linux that addresses 22 vulnerabilities.  The priority rating for this update is 1 on all versions and platforms except Flash Player v11.2.202.451 on Linux, which gets a priority rating of 3. Severity rating is critical on all platforms. The vulnerabilities include multiple memory corruption issues that could allow an attacker to take control of the system, and an exploit for one of them has been reported in the wild. Other vulnerabilities include type confusion, buffer overflow, use-after-free, double-free, security bypass and a memory leak.
  • APSB15-07 is a hot fix for ColdFusion 11 and 10 that fixes an input validation issue that an attacker could use to implement a cross-site scripting attack. It has a priority rating of 2 and a severity rating of important for both versions of the software.
  • APSB15-08 is an advisory regarding the Adobe Flex ASdoc Tool that addresses a vulnerability in the JavaScript output of the tool that could result in cross-site scripting. The advisory includes recommended actions to address the vulnerability, has a priority rating of 3 and a severity rating of important, and affects Adobe Flex versions 4.6 and earlier.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

The most recent stable channel update for Chrome OS was released on April 16, version 42.0.2311.87, and contains a number of security updates in addition to bug fixes and feature enhancements.

The most recent stable channel update for the Chrome web browser for Windows, Mac and Linux was released on April 28 as version 42.0.2311.135. It includes five security fixes including a use-after-free issue in DOM.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. This month Oracle released only one critical patch update, on April 15. It contains 98 security fixes for a large number of affected software products, including Oracle Database Server, Fusion applications and middleware, Enterprise Manager, E-Business Suite, Oracle Supply Chain, PeopleSoft, JD Edwards EnterpriseOne Technology, Siebel Applications, Oracle Commerce Guided Search and Platform, Oracle Retail Back Office and Central Office, Health Sciences, RightNow Service Cloud, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle MySQL Product Suite and SQL Trace Analyzer support tool. The highest CVSS base score rating is 10.0 and applies to three of the Java SE vulnerabilities.

For more information, see the Oracle Security blog:
https://blogs.oracle.com/security/

Mozilla

After releasing only two updates addressing two vulnerabilities in March, Mozilla went into overdrive this month and issued 16 security advisories for Firefox in April, seven of which are rated critical, four of high severity, five moderate and one low.

  • Firefox 37.0.2 fixes a high impact memory corruption issue during failed plugin initialization, which can result in an exploitable use-after-free vulnerability.
  • Firefox 37.0.1 fixes a critical certificate verification bypass issue and a high severity issue with loading privileged content through Reader mode.
  • Firefox 37 fixes four critical issues: a use-after-free type confusion flaw, memory corruption crashes in main thread compositing, another use-after-free vulnerability when using the Fluendo MP3 GStreamer plugin and miscellaneous memory safety hazards. It also fixes two high rated vulnerabilities: a same-origin bypass through anchor navigation and a CORS request issue. Five moderate issues are addressed: one by which windows can retain access to privileged content on navigation to unprivileged pages, a cursor clickjacking issue, an out-of-bounds read in the QCMS library, an issue by which resource:// documents can load privileged pages and an add-on lightweight theme installation approval bypass through a MITM attack. Finally there is a single low-rated issue whereby PRNG weakness allows for DNS poisoning on Android.

Linux

Popular Linux distros, as usual, have already seen a number of security advisories and updates this month. Ubuntu has issued 33 security advisories as of April 28, many of which address multiple vulnerabilities. Other commercial Linux vendors issued similar advisories.

  • USN-2581-1: NetworkManager vulnerability – 28th April 2015. Tavis Ormandy discovered that NetworkManager incorrectly filtered paths when requested to read modem device contexts. A local attacker could possibly use this issue to bypass privileges and manipulate modem device configuration or read arbitrary files.
  • USN-2570-1: Oxide vulnerabilities – 27th April 2015.  An issue was discovered in the HTML parser in Blink. If a user was tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2015-1235). An issue was discovered in the Web Audio API implementation in Blink.
  • USN-2580-1: tcpdump vulnerabilities – 27th April 2015. It was discovered that tcpdump incorrectly handled printing certain packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the tcpdump AppArmor profile.
  • USN-2579-1: autofs vulnerability – 27th April 2015. It was discovered that autofs incorrectly filtered environment variables when using program maps. When program maps were configured, a local user could use this issue to escalate privileges. This update changes the default behaviour by adding a prefix to environment variables.
  • USN-2578-1: LibreOffice vulnerabilities – 27th April 2015. Alexander Cherepanov discovered that LibreOffice incorrectly handled certain RTF files. If a user was tricked into opening a specially crafted RTF document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code.
  • USN-2571-1: Firefox vulnerability – 24th April 2015.  Robert Kaiser discovered a use-after-free during plugin initialization in some circumstances. If a user was tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox.
  • USN-2577-1: wpa_supplicant vulnerability – 23rd April 2015. It was discovered that wpa_supplicant incorrectly handled SSID information when creating or updating P2P peer entries. A remote attacker could use this issue to cause wpa_supplicant to crash, resulting in a denial of service, expose memory contents, or possibly execute arbitrary code.
  • USN-2576-2: usb-creator vulnerability – 23rd April 2015. USN-2576-1 fixed a vulnerability in usb-creator. This update provides the corresponding fix for Ubuntu 15.04. Original advisory details: Tavis Ormandy discovered that usb-creator was missing an authentication check. A local attacker could use this issue to gain elevated privileges.
  • USN-2576-1: usb-creator vulnerability – 23rd April 2015.  Tavis Ormandy discovered that usb-creator was missing an authentication check. A local attacker could use this issue to gain elevated privileges.
  • USN-2575-1: MySQL vulnerabilities – 21st April 2015.  Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.43. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
  • USN-2574-1: OpenJDK 7 vulnerabilities – 21st April 2015.  Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network.
  • USN-2573-1: OpenJDK 6 vulnerabilities – 21st April 2015. Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network.
  • USN-2572-1: PHP vulnerabilities – 20th April 2015. It was discovered that PHP incorrectly handled cleanup when used with Apache 2.4. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2569-2: Apport vulnerability – 16th April 2015. USN-2569-1 fixed a vulnerability in Apport. Tavis Ormandy discovered that the fixed packages were still vulnerable to a privilege escalation attack. This update completely disables crash report handling for containers until a more complete solution is available.
  • USN-2569-1: Apport vulnerability – 14th April 2015. Stéphane Graber and Tavis Ormandy independently discovered that Apport incorrectly handled the crash reporting feature. A local attacker could use this issue to gain elevated privileges.
  • USN-2568-1: libx11, libxrender vulnerability – 13th April 2015. Abhishek Arya discovered that libX11 incorrectly handled memory in the MakeBigReq macro. A remote attacker could use this issue to cause applications to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2567-1: NTP vulnerabilities – 13th April 2015. Miroslav Lichvar discovered that NTP incorrectly validated MAC fields. A remote attacker could possibly use this issue to bypass authentication and spoof packets. (CVE-2015-1798) Miroslav Lichvar discovered that NTP incorrectly handled certain invalid packets. A remote attacker could possibly use this issue to cause a denial of service.
  • USN-2566-1: dpkg vulnerability – 9th April 2015. Jann Horn discovered that dpkg incorrectly validated signatures when extracting local source packages. If a user or an automated system was tricked into unpacking a specially crafted source package, a remote attacker could bypass signature verification checks.
  • USN-2565-1: Linux kernel vulnerabilities – 9th April 2015.  An integer overflow was discovered in the stack randomization feature of the Linux kernel on 64 bit platforms. A local attacker could exploit this flaw to bypass the Address Space Layout Randomization (ASLR) protection mechanism.
  • USN-2564-1: Linux kernel (Utopic HWE) vulnerabilities – 9th April 2015.  An integer overflow was discovered in the stack randomization feature of the Linux kernel on 64 bit platforms. A local attacker could exploit this flaw to bypass the Address Space Layout Randomization (ASLR) protection mechanism.
  • USN-2563-1: Linux kernel vulnerabilities – 8th April 2015. Sun Baoliang discovered a use after free flaw in the Linux kernel’s SCTP (Stream Control Transmission Protocol) subsystem during INIT collisions. A remote attacker could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges on the system.
  • USN-2562-1: Linux kernel (Trusty HWE) vulnerabilities – 8th April 2015. Sun Baoliang discovered a use after free flaw in the Linux kernel’s SCTP (Stream Control Transmission Protocol) subsystem during INIT collisions. A remote attacker could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges on the system.
  • USN-2561-1: Linux kernel (OMAP4) vulnerabilities – 8th April 2015.  It was discovered that the Linux kernel’s Infiniband subsystem did not properly sanitize its input parameters while registering memory regions from userspace. A local user could exploit this flaw to cause a denial of service (system crash) or to potentially gain administrative privileges.
  • USN-2560-1: Linux kernel vulnerabilities – 8th April 2015.  An integer overflow was discovered in the stack randomization feature of the Linux kernel on 64 bit platforms. A local attacker could exploit this flaw to bypass the Address Space Layout Randomization (ASLR) protection mechanism.
  • USN-2559-1: Libtasn1 vulnerability – 8th April 2015. Hanno Böck discovered that Libtasn1 incorrectly handled certain ASN.1 data. A remote attacker could possibly exploit this with specially crafted ASN.1 data and cause applications using Libtasn1 to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2558-1: Mailman vulnerability – 7th April 2015. It was discovered that Mailman incorrectly handled special characters in list names. A local attacker could use this issue to perform a path traversal attack and execute arbitrary code as the Mailman user.
  • USN-2556-1: Oxide vulnerabilities – 7th April 2015. It was discovered that Chromium did not properly handle the interaction of IPC, the gamepad API and V8. If a user was tricked into opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking the program.
  • USN-2557-1: Firefox vulnerability – 7th April 2015. Muneaki Nishimura discovered a flaw in Mozilla’s HTTP Alternative Services implementation which meant SSL certificate verification could be bypassed in some circumstances. A remote attacker could potentially exploit this to conduct a man in the middle attack.
  • USN-2552-1: Thunderbird vulnerabilities – 2nd April 2015.  Olli Pettay and Boris Zbarsky discovered an issue during anchor navigations in some circumstances. If a user was tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to bypass same-origin policy restrictions.
  • USN-2553-2: LibTIFF regression – 1st April 2015.  USN-2553-1 fixed vulnerabilities in LibTIFF. One of the security fixes caused a regression when saving certain TIFF files with a Predictor tag. The problematic patch has been temporarily backed out until a more complete fix is available. Linux apologizes for the inconvenience.
  • USN-2550-1: Firefox vulnerabilities – 1st April 2015. Olli Pettay and Boris Zbarsky discovered an issue during anchor navigations in some circumstances. If a user was tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin policy restrictions.
  • USN-2555-1: Libgcrypt vulnerabilities – 1st April 2015. Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer discovered that Libgcrypt was susceptible to an attack via physical side channels. A local attacker could use this attack to possibly recover private keys.
  • USN-2554-1: GnuPG vulnerabilities – 1st April 2015.  Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer discovered that GnuPG was susceptible to an attack via physical side channels. A local attacker could use this attack to possibly recover private keys.