They say April showers bring May flowers. In that case, this coming month should be a blooming success here in north central Texas. In addition to a ton of rain (that flooded several areas; I’m fortunate to live in one that’s on high ground), two major hail storms did millions of dollars’ worth of damage to hundreds of homes a few miles north of us. Mother Nature has hurled her wrath at us frequently over the past few months – and then she gives us beautiful, perfect days like today. As I write this, I’m looking out over the lake that’s sparkling in the sunshine, everything fresh and green from all the watering, and thinking about how I’d rather be out there in the pool than patching computers.

But such is the life of the IT professional, and there are far worse jobs one could have. Today’s technology enables so much of what we do and the lifestyles that we take for granted. Even as pundits continue to predict the death of the PC and we turn more and more to tablets and smart phones (which, after all, are really only tiny computers), in our heart of hearts we suspect that updates will always be with us, regardless of the form factor of the devices running our operating systems and software.

This month has seen its share of data breaches and hack attacks, from the $80+ million online Bangladesh bank heist to the hybrid banking Trojan that has stolen millions; commercial systems are being compromised right and left. Keeping your organization’s network safe is an ongoing challenge, and applying security updates in a timely manner is a big part of that.

Now let’s take a look at this month’s patches from major third party security vendors.

Apple

Last month, Apple released eight big patches that addressed a large number of vulnerabilities and covered their mobile, desktop, watch and TV operating systems, as well as OS X Server and the Safari web browser. I guess their patch team needed a rest after that, because as of this writing (April 28), Apple has released no updates this month.

Does that mean we’ll get slammed with another large slate of updates in May? We’ll have to wait and see.

For more information about the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222.

Adobe

Unlike Apple, Adobe has been busy again this month, publishing five new security bulletins and advisories, four of which carry actual updates. Three of the updates were issued on Adobe’s traditional Patch Tuesday. Along with the almost obligatory Flash Player update, we got patches for several other Adobe products and components.

  • On April 5, Adobe issued a security advisory for a critical vulnerability in Flash Player version 21.0.0.197 and earlier that was being actively exploited on systems running Windows 10 and earlier; the vulnerability also affects Mac OS, Linux and Chrome OS. Then on April 12, Adobe issued security update APSB16-10, which addresses that vulnerability plus 23 others. It applies to Windows, Mac OS X, Linux and Chrome OS and is rated critical, with a priority rating of 1 for all Flash Player software except Flash Player for Linux and AIR products. The vulnerabilities addressed include a memory layout randomization (ASLR) bypass, type confusion, use-after-free, stack overflow, security bypass and directory search path issues, as well as multiple memory corruption vulnerabilities.
  • Also on April 12, Adobe issued APSB16-11, an update for the Creative Cloud desktop application for Windows and Mac OS X, the client for Adobe’s subscription (SaaS) offering of its graphics, video editing and web design software. The update is rated Important and addresses one vulnerability in the JavaScript API through which an attacker could remotely abuse the sync process for Creative Cloud libraries in order to read and write files on the system. This update has a priority rating of 2.
  • The third update issued on April 12 is APSB16-12, a security hotfix for RoboHelp Server 9. It addresses a single vulnerability in the handling of SQL queries that could lead to information disclosure. It applies to RoboHelp Server 9 running on Windows and has a priority rating of 2.
  • On April 21, Adobe issued an out-of-band security update, APSB16-13, for the Adobe Analytics AppMeasurement for Flash library that addresses one vulnerability that an attacker could use to conduct DOM-based cross-site scripting attacks when debugTracking is enabled. It is rated important and given a priority rating of 2.
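The advisories above (and the Chrome and MySQL entries later in this roundup) all state exposure in terms of version thresholds, and the classic mistake when checking an inventory against them is comparing version strings lexicographically, which puts 21.0.0.97 after 21.0.0.197. The following is an added example, not Adobe’s or Google’s code; the threshold constants are copied from the advisories quoted on this page, and the helper names are my own.

```python
import re
from typing import Tuple

# Thresholds taken from the advisories quoted above (constructed for this
# example; the names are mine, not Adobe's or Google's).
FLASH_LAST_AFFECTED = "21.0.0.197"    # April 5 advisory: this version and earlier
CHROME_STABLE_WIN = "50.0.2661.87"    # Chrome stable channel, April 20, Windows
CHROME_STABLE_OTHER = "50.0.2661.86"  # Chrome stable channel, April 20, Mac/Linux


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '21.0.0.197' into (21, 0, 0, 197).

    Distribution suffixes such as '5.7.12-0ubuntu1' are cut at the first
    character that is neither a digit nor a dot, so only the upstream
    version takes part in the comparison.
    """
    core = re.match(r"[0-9.]+", v.strip())
    if not core:
        raise ValueError(f"not a dotted version: {v!r}")
    return tuple(int(part) for part in core.group(0).split(".") if part != "")


def compare(a: str, b: str) -> int:
    """Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.

    Shorter versions are padded with zeros, so '5.7' == '5.7.0'.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta = ta + (0,) * (width - len(ta))
    tb = tb + (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def flash_is_affected(installed: str) -> bool:
    """True when the installed Flash Player is at or below the last affected build."""
    return compare(installed, FLASH_LAST_AFFECTED) <= 0


def chrome_needs_update(installed: str, platform: str) -> bool:
    """True when the installed Chrome is older than the current stable build."""
    current = CHROME_STABLE_WIN if platform == "windows" else CHROME_STABLE_OTHER
    return compare(installed, current) < 0


def lexicographic_is_wrong() -> bool:
    """Shows the pitfall: as strings, '21.0.0.97' sorts after '21.0.0.197',
    but numerically build 97 is older than build 197."""
    as_strings = "21.0.0.97" > "21.0.0.197"
    as_versions = compare("21.0.0.97", "21.0.0.197") < 0
    return as_strings and as_versions


if __name__ == "__main__":
    # Constructed inventory lines: (hostname, product, version, platform)
    inventory = [
        ("ws-01", "flash", "21.0.0.197", "windows"),
        ("ws-02", "flash", "20.0.0.306", "mac"),
        ("ws-03", "chrome", "49.0.2623.112", "windows"),
        ("ws-04", "chrome", "50.0.2661.86", "linux"),
    ]
    for host, product, version, platform in inventory:
        if product == "flash":
            flag = flash_is_affected(version)
        else:
            flag = chrome_needs_update(version, platform)
        print(f"{host:6} {product:7} {version:14} needs update: {flag}")
```

Pad-with-zeros semantics are deliberate: a bulletin that says "5.7" means every 5.7.x build, and a string prefix check would also accept 5.70. Feed the comparison an inventory export rather than reading versions off the page by hand.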

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

Google’s latest stable channel update for Chrome web browser was released on April 20, version 50.0.2661.87 for Windows and 50.0.2661.86 for Mac and Linux. It includes the most recent security fixes as well as bug fixes.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

An over-the-air (OTA) security update for Android on Nexus devices was released on April 4. It addresses 39 vulnerabilities rated critical, high and moderate, including remote code execution, elevation of privilege, denial of service, and information disclosure issues. For more information, see the Nexus Security Bulletin at
http://source.android.com/security/bulletin/2016-04-02.html

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. This month’s regularly scheduled Critical Patch Update includes 136 security fixes for Oracle products across a broad range of software. Some of the fixes are rated critical, and the update affects Fusion Middleware, Enterprise Manager, E-Business Suite, Oracle Supply Chain products, PeopleSoft, JD Edwards tools, Siebel applications, Oracle retail products, Life Sciences Data Hub, FLEXCUBE, Oracle Java SE, Oracle and Sun Systems Products Suite (including Solaris and SPARC servers), Oracle Linux and Virtualization, MySQL, Berkeley DB, and Oracle DB.

For more detailed information, see the Oracle Critical Patch Update Advisory for April 2016 at
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Mozilla

On April 26, Mozilla released the latest version of its web browser, Firefox 46, which includes ten security fixes: one that addresses a vulnerability rated critical, four high severity vulnerabilities and five of moderate severity.

  • 2016-39 addresses several memory safety hazards and is rated critical. These include memory corruption issues that could possibly be exploited to run arbitrary code.
  • 2016-42 addresses two vulnerabilities in Service Workers that were found using Address Sanitizer. One is a use-after-free issue and the other is a race condition leading to a buffer overflow; both could result in a potentially exploitable crash. It is rated high severity.
  • 2016-43 addresses a high severity vulnerability in Firefox for Android that could compromise user privacy and lead to disclosure of user actions through JavaScript when using orientation data and mobile sensors on mobile devices. It does not affect the desktop versions of Firefox.
  • 2016-44 is also a high severity update that addresses a single vulnerability in libstagefright with CENC offsets and the sizes table that causes a buffer overflow and could lead to a potentially exploitable crash that could be triggered via web content.
  • 2016-47 is rated high severity and addresses a single vulnerability that can be used to overflow and write to an invalid hash map entry through JavaScript.watch().
  • 2016-40 is the first of the moderate severity issues fixed in this version. It addresses a file deletion issue in the Mozilla Maintenance Service updater on Windows: because the service runs with privileged system access, it could be made to delete arbitrary files, which an attacker could use for escalation of privilege. It affects only Firefox on Windows.
  • 2016-41 is a moderate severity issue in Firefox for Android that allows a malicious app previously installed to bypass signature protections, access content provider permissions and read data such as browser history and locally saved passwords. It does not affect Firefox on desktop operating systems.
  • 2016-45 is also of moderate severity, and is related to a situation whereby Content Security Policy (CSP) is not applied correctly to web content, allowing script to run and possibly allowing a cross-site scripting (XSS) attack as well as other types of attacks.
  • 2016-46 is another moderate severity issue that addresses the possibility of a malicious web extension elevating privileges to perform a universal XSS attack or to inject content into other extensions that load content within browser tabs, due to the fact that the chrome.tabs.update API allows for navigation to javascript: URLs without additional permissions.
  • 2016-48 is the last of the updates rated moderate, and addresses a single vulnerability in the Firefox Health Report that could accept events from untrusted domains under certain circumstances.

For more information about all of these vulnerabilities and fixes, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (April 28), Ubuntu has issued 22 security advisories, which is fewer than usual. Many of them address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2934-1: Thunderbird vulnerabilities – April 27

Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel Holbert, Jesse Ruderman, and Randell Jesup discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash.

USN-2955-1: Oxide vulnerabilities – April 27

A use-after-free was discovered when responding synchronously to permission requests. An attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. (CVE-2016-1578) An out-of-bounds read was discovered in V8.

USN-2950-2: libsoup update – April 27

USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages introduced a compatibility issue with NTLM authentication in libsoup. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation.

USN-2952-2: PHP regression – April 27

USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches caused a regression in the PHP Soap client. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files.

USN-2936-1: Firefox vulnerabilities – April 27

Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, Randell Jesup, Andrew McCreight, and Steve Fink discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these.

USN-2954-1: MySQL vulnerabilities – April 25

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.7.12 in Ubuntu 16.04 LTS. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

USN-2953-1: MySQL vulnerabilities – April 21

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.49 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 15.10 has been updated to MySQL 5.6.30.

USN-2952-1: PHP vulnerabilities – April 21

It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types.

USN-2917-3: Firefox regressions – April 19

USN-2917-1 fixed vulnerabilities in Firefox. This update caused several web compatibility regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS.

USN-2951-1: OptiPNG vulnerabilities – April 18

Gustavo Grieco discovered that OptiPNG incorrectly handled memory. A remote attacker could use this issue with a specially crafted image file to cause OptiPNG to crash, resulting in a denial of service. (CVE-2015-7801) Gustavo Grieco discovered that OptiPNG incorrectly handled memory.

USN-2950-1: Samba vulnerabilities – April 18

Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code.

USN-2948-2: Linux kernel (Utopic HWE) regression – April 11

USN-2948-1 fixed vulnerabilities in the Ubuntu 14.10 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect reference counting fix in the radeon driver introduced a regression that could cause a system crash. This update fixes the problem. We apologize for the inconvenience.

USN-2917-2: Firefox regressions – April 7

USN-2917-1 fixed vulnerabilities in Firefox. This update caused several regressions that could result in search engine settings being lost, the list of search providers appearing empty or the location bar breaking after typing an invalid URL. This update fixes the problem.

USN-2949-1: Linux kernel (Vivid HWE) vulnerabilities – April 6

Venkatesh Pottem discovered a use-after-free vulnerability in the Linux kernel’s CXGB3 driver. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8812) Xiaofei Rex Guo discovered a timing side channel vulnerability in the Linux Extended Verification Module (EVM).

USN-2948-1: Linux kernel (Utopic HWE) vulnerabilities – April 6

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2947-3: Linux kernel (Raspberry Pi 2) vulnerabilities – April 6

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel did not properly sanity check the interfaces and endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7833) Venkatesh Pottem discovered a use-after-free vulnerability in the Linux kernel’s CXGB3 driver.

USN-2947-2: Linux kernel (Wily HWE) vulnerabilities – April 6

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel did not properly sanity check the interfaces and endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2947-1: Linux kernel vulnerabilities – April 6

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel did not properly sanity check the interfaces and endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2946-2: Linux kernel (Trusty HWE) vulnerabilities – April 6

Venkatesh Pottem discovered a use-after-free vulnerability in the Linux kernel’s CXGB3 driver. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8812) Xiaofei Rex Guo discovered a timing side channel vulnerability in the Linux Extended Verification Module (EVM).

USN-2946-1: Linux kernel vulnerabilities – April 6

Venkatesh Pottem discovered a use-after-free vulnerability in the Linux kernel’s CXGB3 driver. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8812) Xiaofei Rex Guo discovered a timing side channel vulnerability in the Linux Extended Verification Module (EVM).

USN-2945-1: XChat-GNOME vulnerability – April 4

It was discovered that XChat-GNOME incorrectly verified the hostname in an SSL certificate. An attacker could trick XChat-GNOME into trusting a rogue server’s certificate, which was signed by a trusted certificate authority, to perform a man-in-the-middle attack.

USN-2944-1: Libav vulnerabilities – April 4

It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.
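Several of the Ubuntu advisories above are -2 and -3 revisions (USN-2950-2, USN-2952-2, USN-2917-3, USN-2948-2) that fix regressions in, or rebuild packages affected by, an earlier -1 release; the revision you actually want on a box is the highest one for a given USN number. The following is an added example, not Ubuntu’s tooling: it parses advisory headings in the form used in this roundup and reports which USNs have follow-up revisions. The sample headings are copied from the Linux section above; the function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: the advisory headings quoted above, as plain text.
USN_HEADINGS = """\
USN-2934-1: Thunderbird vulnerabilities – April 27
USN-2955-1: Oxide vulnerabilities – April 27
USN-2950-2: libsoup update – April 27
USN-2952-2: PHP regression – April 27
USN-2952-1: PHP vulnerabilities – April 21
USN-2917-3: Firefox regressions – April 19
USN-2950-1: Samba vulnerabilities – April 18
USN-2948-2: Linux kernel (Utopic HWE) regression – April 11
USN-2917-2: Firefox regressions – April 7
USN-2948-1: Linux kernel (Utopic HWE) vulnerabilities – April 6
USN-2947-1: Linux kernel vulnerabilities – April 6
USN-2945-1: XChat-GNOME vulnerability – April 4
"""


class Advisory(NamedTuple):
    number: int     # base USN number, e.g. 2950
    revision: int   # 1 for the original advisory, 2/3 for follow-ups
    title: str
    date: str

    @property
    def usn_id(self) -> str:
        return f"USN-{self.number}-{self.revision}"


# "USN-NNNN-R: title – Month DD"; accepts an en dash or a plain hyphen
# before the date, and lets hyphens inside the title (XChat-GNOME) through.
HEADING_RE = re.compile(r"^USN-(\d+)-(\d+):\s*(.+?)\s*[–-]\s*(\w+ \d+)\s*$")


def parse_headings(text: str) -> List[Advisory]:
    """Parse one advisory heading per line; blank lines are skipped."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADING_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised heading: {line!r}")
        advisories.append(Advisory(int(m.group(1)), int(m.group(2)),
                                   m.group(3), m.group(4)))
    return advisories


def follow_ups(advisories: List[Advisory]) -> Dict[int, List[Advisory]]:
    """Group by base USN number and keep only numbers with more than one
    revision, newest revision first. A -2 or -3 is normally a regression fix
    or a rebuild of a dependent package, so it supersedes the -1."""
    by_number: Dict[int, List[Advisory]] = defaultdict(list)
    for adv in advisories:
        by_number[adv.number].append(adv)
    return {n: sorted(revs, key=lambda a: a.revision, reverse=True)
            for n, revs in by_number.items() if len(revs) > 1}


def latest_revision(advisories: List[Advisory], number: int) -> Optional[Advisory]:
    """The highest-revision advisory for a base USN number, or None if absent."""
    matches = [a for a in advisories if a.number == number]
    return max(matches, key=lambda a: a.revision) if matches else None


if __name__ == "__main__":
    advs = parse_headings(USN_HEADINGS)
    for number, revs in sorted(follow_ups(advs).items()):
        chain = " -> ".join(f"{a.usn_id} ({a.title}, {a.date})" for a in reversed(revs))
        print(f"USN-{number}: {chain}")
```

Feeding the script the subject lines of the ubuntu-security-announce list gives the same grouping for a real month; pair the highest revision with `apt-cache policy` on the affected package to confirm the rebuilt version is the one installed.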