April went out with a big bang here in north Texas, as once again some big storms spawned tornadoes and many of us were affected or have friends and family members who were. My apologies for being a couple of days late with this month’s third party patch roundup due to that.

Let’s take a look at the details of some of the updates that third party vendors issued in April:

Apple

Last month, Apple overwhelmed us with 10 patches that addressed numerous vulnerabilities across their various operating systems and applications. This time, only two updates were released, one for the mobile operating system and one for their music app for Android.

  • On April 3, Apple released iOS 10.3.1 for iPhone 5 and above, iPad gen4 and above, and iPod Touch gen6 and above. This update addresses only a single vulnerability, a stack buffer overflow in the Wi-Fi component that could allow an attacker to execute arbitrary code; it was fixed by improving input validation.
  • On April 4, Apple released Apple Music 2.0 for Android 4.3 and later. It addresses a certificate validation issue that could allow an attacker to leak sensitive user information. It was fixed through improved certificate validation.

For more information about these and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released six security updates in April.

On April 6, Adobe released:

  • APSB17-11 for Adobe Acrobat and Reader on Windows and Mac. It addresses 47 vulnerabilities that include use-after-free, memory corruption, integer overflow, and directory search path issues, many of which can lead to code execution. It is rated critical with a priority rating of 2.

On April 11, Adobe released four updates:

  • APSB17-09 for Adobe Campaign, which fixes a single vulnerability, rated important: a validation bypass that could be used to read, write or delete data from the database. It applies to Campaign on Windows and Linux and has a priority rating of 2.
  • APSB17-10 for Adobe Flash Player on Windows, Mac, Linux and Chrome OS. It addresses seven vulnerabilities that include use-after-free and memory corruption issues that can lead to code execution, and is rated critical.
  • APSB17-12 for Adobe Photoshop CC on Windows and Mac. It addresses two vulnerabilities, an unquoted search path vulnerability (Windows version) and a memory corruption issue that could lead to code execution. The latter is rated critical. Priority rating is 3.
  • APSB17-13 for Creative Cloud Desktop Application on Windows. It addresses two vulnerabilities that include a directory search path issue and use of improper resource permissions during installation of Creative Cloud desktop applications. The update is rated important and priority rating is 3.

On April 25, Adobe released:

  • APSB17-14 hotfixes for ColdFusion on all platforms. It addresses two vulnerabilities that include an important input validation issue (XSS vulnerability) and mitigation of an important Java deserialization vulnerability.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html or see the individual bulletins linked in each bullet point above.

Google

On April 19th, Google released Chrome v58.0.3029.81 for Windows, Mac and Linux, which addressed 29 vulnerabilities, including type confusion, heap use-after-free, URL spoofing, heap overflow, incorrect UI, incorrect signature handling and cross-origin bypass issues. Some of these could be exploited to take control of the system.

For more information, see the Chrome releases blog at https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html

Google also issued fixes for nine vulnerabilities in Android, including a critical remote code execution vulnerability in Mediaserver, another RCE issue in Qualcomm crypto engine driver and one in the kernel networking subsystem, and three elevation of privilege vulnerabilities in MediaTek driver, the HTC touchscreen driver, and the kernel ION subsystem.

For more information on these, see Jack Wallen’s article on the TechRepublic web site at http://www.techrepublic.com/article/android-security-bulletin-april-2017-what-you-need-to-know/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The April critical patch update contains 300 new security fixes for various products. Many of these can be exploited remotely without the requirement for authentication. Eight of the fixes are for Java and seven of those vulnerabilities can be exploited remotely. There are thirty-nine fixes for MySQL.

For more information about these patches, see Oracle’s Update Advisory at https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

On April 19, Mozilla released security advisory 2017-10 with Firefox v53. This version contains nine critical fixes, twenty that are rated high impact, seven classified as moderate, and four of low impact, for a total of forty vulnerabilities patched. These include memory safety bugs, use-after-free and out-of-bounds read and write issues, buffer overflows, and more.

For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox52.0.1

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Ubuntu issued twenty-four security notices in April, which is somewhat fewer than usual. Many of these address multiple vulnerabilities and in some cases, there are multiple advisories for the same vulnerabilities. Here are Ubuntu’s security advisories for April:

  • USN-3272-1: Ghostscript vulnerabilities – 28th April 2017. It was discovered that Ghostscript improperly handled parameters to the rsdparams and eqproc commands. An attacker could use these to craft a malicious document that could disable -dSAFER protections, thereby allowing the execution of arbitrary code, or cause a denial of service (application crash).
  • USN-3271-1: Libxslt vulnerabilities – 27th April 2017. Holger Fuhrmannek discovered an integer overflow in the xsltAddTextString() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2017-5029) Nicolas Gregoire discovered that Libxslt mishandled namespace nodes.
  • USN-3270-1: NSS vulnerabilities – 27th April 2017. Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update causes NSS to limit use of the same symmetric key.
  • USN-3269-1: MySQL vulnerabilities – 27th April 2017. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.55 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04 have been updated to MySQL 5.7.18.
  • USN-3268-1: QEMU vulnerabilities – 25th April 2017. Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
  • USN-3267-1: Samba vulnerability – 25th April 2017. Jann Horn discovered that Samba incorrectly handled symlinks. An authenticated remote attacker could use this issue to access files on the server outside of the exported directories.
  • USN-3266-2: Linux kernel (HWE) vulnerability – 24th April 2017. USN-3266-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. Alexander Popov discovered that a race condition existed in the Stream Control Transmission Protocol (SCTP) implementation in the Linux kernel.
  • USN-3266-1: Linux kernel vulnerability – 24th April 2017. Alexander Popov discovered that a race condition existed in the Stream Control Transmission Protocol (SCTP) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
  • USN-3265-2: Linux kernel (Xenial HWE) vulnerabilities – 24th April 2017. USN-3265-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel.
  • USN-3265-1: Linux kernel vulnerabilities – 24th April 2017. It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux.
  • USN-3264-2: Linux kernel (Trusty HWE) vulnerability – 24th April 2017. USN-3264-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Alexander Popov discovered that a race condition existed in the Stream Control Transmission Protocol (SCTP) implementation.
  • USN-3264-1: Linux kernel vulnerability – 24th April 2017. Alexander Popov discovered that a race condition existed in the Stream Control Transmission Protocol (SCTP) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
  • USN-3260-1: Firefox vulnerabilities – 21st April 2017. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, spoof the address bar contents or other UI elements, escape the sandbox to read local files, conduct cross-site scripting,
  • USN-3263-1: FreeType vulnerability – 20th April 2017. It was discovered that a heap-based buffer overflow existed in the FreeType library. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3262-1: curl vulnerability – 20th April 2017. It was discovered that curl incorrectly handled client certificates when resuming a TLS session. A remote attacker could use this to hijack a previously authenticated connection.
  • USN-3261-1: QEMU vulnerabilities – 20th April 2017. Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
  • USN-3259-1: Bind vulnerabilities – 17th April 2017. It was discovered that the resolver in Bind made incorrect assumptions about ordering when processing responses containing a CNAME or DNAME. An attacker could use this to cause a denial of service. (CVE-2017-3137) Oleg Gorokhov discovered that in some situations, Bind did not properly handle DNS64 queries.
  • USN-3258-2: Dovecot regression – 11th April 2017. USN-3258-1 intended to fix a vulnerability in Dovecot. Further investigation revealed that only Dovecot versions 2.2.26 and newer were affected by the vulnerability. Additionally, the change introduced a regression when Dovecot was configured to use the “dict” authentication database. This update reverts the change. We apologize for the inconvenience.
  • USN-3258-1: Dovecot vulnerability – 10th April 2017. It was discovered that Dovecot incorrectly handled some usernames. An attacker could possibly use this issue to cause Dovecot to hang or crash, resulting in a denial of service.
  • USN-3257-1: WebKitGTK+ vulnerabilities – 10th April 2017. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code.
  • USN-3256-2: Linux kernel (HWE) vulnerability – 4th April 2017. USN-3256-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel for each of the respective prior Ubuntu LTS releases. Andrey Konovalov discovered that the AF_PACKET implementation in the Linux kernel.
  • USN-3256-1: Linux kernel vulnerability – 4th April 2017. Andrey Konovalov discovered that the AF_PACKET implementation in the Linux kernel did not properly validate certain block-size data. A local attacker could use this to cause a denial of service (system crash).
  • USN-3255-1: LightDM vulnerability – 4th April 2017. It was discovered that LightDM incorrectly handled home directory creation for guest users. A local attacker could use this issue to gain ownership of arbitrary directory paths and possibly gain administrative privileges.
  • USN-3254-1: Django vulnerabilities – 4th April 2017. It was discovered that Django incorrectly handled numeric redirect URLs. A remote attacker could possibly use this issue to perform XSS attacks, and to use a Django server as an open redirect. (CVE-2017-7233) Phithon Gong discovered that Django incorrectly handled certain URLs when the django.views.static.serve() view is being used.