Another month has passed and you know what that means – time to take a look at the security patches that have been issued over the past 30 days by “the usual suspects” – the vendors who make some of the most popular desktop and mobile operating systems and applications.

Patch management has become more challenging as organizations support a greater diversity of different devices running different software platforms. Once upon a time, most IT departments were “Windows shops” or “UNIX shops” but today, enterprises and even small businesses mix server types, run some of their applications on virtual machines in the cloud, and subscribe to the BYOD (Bring Your Own Device) philosophy regarding client systems.

That means more convenience and flexibility for users but it also means more complexity for those who are tasked with supporting all those devices and ensuring that they are all fully updated.

Let’s take a look now at the patches that have come our way this month.

Apple

Apple issued eight patches at the end of March (after the submission of last month’s roundup). These contained fixes for a large number of vulnerabilities, including critical memory corruption issues that could be exploited to accomplish arbitrary code execution. The products patched by the March 29 updates are:

  • iOS for iPhone 5s and above, iPad Air and above, and iPod Touch gen 6 (v11.3)
  • macOS High Sierra and OS X El Capitan (High Sierra 10.12.6 and 10.13.3, and El Capitan 10.11.6)
  • Safari for OS X El Capitan and High Sierra (v11.1)
  • watchOS for all Apple watch models (v4.3)
  • tvOS for Apple TV 4K and Apple TV 4th generation (v11.3)
  • iTunes for Windows 7 and above (v12.7.4)
  • iCloud for Windows 7 and above (v7.4)
  • Xcode for macOS High Sierra (v9.3)

The operating system updates contain fixes for a large number of vulnerabilities in various components (for example, iOS 11.3 addresses a total of forty-six different vulnerabilities). The majority of security issues in all of these updates are in WebKit (19 vulnerabilities).

In addition to the late March updates, Apple released three updates on April 24 for the following products:

  • iOS for iPhone 5s and above, iPad Air and above, and iPod Touch gen 6 (v11.3.1)
  • macOS High Sierra 10.13.4 (Security Update 2018-001)
  • Safari for OS X El Capitan, macOS Sierra 10.12.6 and macOS High Sierra 10.13.4 (v11.1)

The April update for iOS fixes four vulnerabilities, two of them in WebKit. The Safari update also addresses the two WebKit vulnerabilities. The update for OS X and macOS fixes two vulnerabilities, one in Crash Reporter and one in LinkPresentation.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe issued six security updates in April. All were released on the regular Patch Tuesday date of April 10. These include updates for the following products:

The Flash Player update for Windows, Mac, Linux and Chrome OS will have the most widespread impact. It addresses six vulnerabilities, three of which are critical remote code execution issues. The other three are important information disclosure vulnerabilities. They include out-of-bounds read and out-of-bounds write issues, a use-after-free issue and a heap overflow vulnerability.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

On April 17 Google announced the release of stable channel update v66 of the Chrome browser for desktop operating systems Windows, Mac and Linux, to roll out over the next days/weeks. This update contains a total of sixty-two security fixes, which include critical use-after-free vulnerabilities and the following high impact issues:

  • CVE-2018-6087: Use after free in WebAssembly.
  • CVE-2018-6088: Use after free in PDFium.
  • CVE-2018-6089: Same origin policy bypass in Service Worker.
  • CVE-2018-6090: Heap buffer overflow in Skia.
  • CVE-2018-6091: Incorrect handling of plug-ins by Service Worker.
  • CVE-2018-6092: Integer overflow in WebAssembly.

A large number of medium and low severity vulnerabilities are also addressed.

For more information, see https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html

The Android Security Bulletin for April was published on April 2. The most severe of the issues addressed by the Android updates is a critical security vulnerability in the Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Other critical vulnerabilities include four remote code execution and one elevation of privilege issue in the system component and critical RCE vulnerabilities in Broadcom and Qualcomm components.

For more information about these and other vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2018-04-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The April 2018 update was released on April 18. It contains security fixes for a total of 254 vulnerabilities across many of Oracle’s products and versions. Many of the fixes are for third party (non-Oracle) open source components.

Oracle customers can read more about this month’s patches in the executive summary on the Oracle Support site at https://login.oracle.com/mysso/signon.jsp

Mozilla

Mozilla’s most recent release for Firefox was MFSA 2018-10 released on March 26th. No advisories or updates were released in April. To review past advisories, see
https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (April 30), Ubuntu has issued forty-two separate security advisories. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of advisories and updates.

  • USN-3637-1: WavPack vulnerabilities. An attacker could possibly use this to execute arbitrary code or cause a denial of service.
  • USN-3636-1: Ghostscript vulnerabilities. It was discovered that Ghostscript incorrectly handled certain PostScript files. An attacker could possibly use this to cause a denial of service. (CVE-2016-10317) It was discovered that Ghostscript incorrectly handled certain PDF files. An attacker could possibly use this to cause a denial of service. (CVE-2018-10194)
  • USN-3627-2: Apache HTTP Server vulnerabilities. USN-3627-1 fixed vulnerabilities in Apache HTTP Server. This update provides the corresponding updates for Ubuntu 18.04 LTS. Original advisory details: Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server mod_authnz_ldap module incorrectly handled missing charset encoding headers.
  • USN-3629-3: MySQL vulnerabilities. USN-3629-1 fixed vulnerabilities in MySQL. This update provides the corresponding updates for Ubuntu 18.04 LTS. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.
  • USN-3635-1: WebKitGTK+ vulnerabilities. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
  • USN-3629-2: MySQL vulnerabilities. USN-3629-1 fixed a vulnerability in MySQL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.60 in Ubuntu 12.04 ESM.
  • USN-3634-1: PackageKit vulnerability. Matthias Gerstner discovered that PackageKit incorrectly handled authentication. A local attacker could possibly use this issue to install arbitrary packages and escalate privileges.
  • USN-3633-1: Linux kernel (Intel Euclid) vulnerability. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3632-1: Linux kernel (Azure) vulnerabilities. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861)
  • USN-3631-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3631-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel.
  • USN-3631-1: Linux kernel vulnerabilities. It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2017-13305) It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start.
  • USN-3630-2: Linux kernel (HWE) vulnerability. USN-3630-1 fixed a vulnerability in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources.
  • USN-3630-1: Linux kernel vulnerability. It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash).
  • USN-3629-1: MySQL vulnerabilities. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.60 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, and Ubuntu 17.10 have been updated to MySQL 5.7.22.
  • USN-3628-2: OpenSSL vulnerability. USN-3628-1 fixed a vulnerability in OpenSSL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key generation.
  • USN-3628-1: OpenSSL vulnerability. Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key generation. An attacker could possibly use this issue to perform a cache-timing attack and recover private RSA keys.
  • USN-3627-1: Apache HTTP Server vulnerabilities. Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server mod_authnz_ldap module incorrectly handled missing charset encoding headers. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service.
  • USN-3625-2: Perl vulnerabilities. USN-3625-1 fixed a vulnerability in Perl. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Perl incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause Perl to hang, resulting in a denial of service.
  • USN-3611-2: OpenSSL vulnerabilities. USN-3611-1 fixed a vulnerability in OpenSSL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that OpenSSL incorrectly parsed the IPAddressFamily extension in X.509 certificates, resulting in an erroneous display of the certificate in text format. (CVE-2017-3735)
  • USN-3626-1: Ruby vulnerabilities. It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code. (CVE-2018-6914) It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this to access sensitive information. (CVE-2018-8778, CVE-2018-8780)
  • USN-3624-2: Patch vulnerabilities. USN-3624-1 fixed a vulnerability in Patch. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Patch incorrectly handled certain files. An attacker could possibly use this to cause a denial of service. (CVE-2016-10713)
  • USN-3625-1: Perl vulnerabilities. It was discovered that Perl incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause Perl to hang, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-8853) It was discovered that Perl incorrectly loaded libraries from the current working directory.
  • USN-3621-2: Ruby regression. USN-3621-1 fixed vulnerabilities in Ruby. The update caused an issue due to an incomplete patch for CVE-2018-1000074. This update reverts the problematic patch pending further investigation. We apologize for the inconvenience. Original advisory details: It was discovered that Ruby incorrectly handled certain inputs.
  • USN-3624-1: Patch vulnerabilities. It was discovered that Patch incorrectly handled certain files. An attacker could possibly use this to cause a denial of service. (CVE-2016-10713) It was discovered that Patch incorrectly handled certain input validation. An attacker could possibly use this to execute arbitrary code. (CVE-2018-1000156)
  • USN-3623-1: ubuntu-release-upgrader vulnerability. It was discovered that ubuntu-release-upgrader did not correctly drop permissions before opening a browser to view the release notes. This update fixes the issue.
  • USN-3622-1: Wayland vulnerability. It was discovered that the Wayland Xcursor support incorrectly handled certain files. An attacker could use these issues to cause Wayland to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3616-2: Python Crypto vulnerability. USN-3616-1 fixed a vulnerability in Python Crypto. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Python Crypto incorrectly generated ElGamal key parameters. A remote attacker could possibly use this issue to obtain sensitive information.
  • USN-3596-2: Firefox regression. USN-3596-1 fixed vulnerabilities in Firefox. The update caused an issue where it was not possible to customize the toolbars when running Firefox in Unity. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox.
  • USN-3619-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
  • USN-3621-1: Ruby vulnerabilities. It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this to access sensitive information. (CVE-2018-1000073) It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code. (CVE-2018-1000074)
  • USN-3620-2: Linux kernel (Trusty HWE) vulnerabilities. USN-3620-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads.
  • USN-3620-1: Linux kernel vulnerabilities. It was discovered that the netlink 802.11 configuration interface in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker with the CAP_NET_ADMIN privilege could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11089)
  • USN-3619-1: Linux kernel vulnerabilities. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995)
  • USN-3617-3: Linux kernel (Raspberry Pi 2) vulnerabilities. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3618-1: LibVNCServer vulnerability. It was discovered that LibVNCServer incorrectly handled certain packet lengths. A remote attacker able to connect to a LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code.
  • USN-3617-2: Linux (HWE) vulnerabilities. USN-3617-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel.
  • USN-3617-1: Linux kernel vulnerabilities. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3616-1: Python Crypto vulnerability. It was discovered that Python Crypto incorrectly generated ElGamal key parameters. A remote attacker could possibly use this issue to obtain sensitive information.
  • USN-3615-1: LibRaw vulnerabilities. It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause applications linked against LibRaw to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3614-1: OpenJDK 7 vulnerabilities. It was discovered that a race condition existed in the cryptography implementation in OpenJDK. An attacker could possibly use this to expose sensitive information. (CVE-2018-2579) It was discovered that the LDAP implementation in OpenJDK did not properly encode login names.
  • USN-3613-1: OpenJDK 8 vulnerabilities. It was discovered that a race condition existed in the cryptography implementation in OpenJDK. An attacker could possibly use this to expose sensitive information. (CVE-2018-2579) It was discovered that the Hotspot component of OpenJDK did not properly validate uses of the invokeinterface JVM instruction.
  • USN-3587-2: Dovecot vulnerabilities. USN-3587-1 fixed a vulnerability in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Dovecot incorrectly handled parsing certain email addresses. A remote attacker could use this issue to cause Dovecot to crash, resulting in a denial of service.
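The Ubuntu list above illustrates the tracking problem the Linux section describes: one notice number is often re-issued for other releases (USN-3629-1, -2 and -3 all cover the same MySQL fixes), and a regression notice (USN-3621-2) quietly reverts a patch for a CVE that an earlier notice claimed to fix. The following Python script is an added example, not code from the original page or from Ubuntu; it parses one-line notice summaries in the format shown above, groups them by notice number so that re-issues inherit the CVEs of the original, records which releases each group covers, and flags groups that contain a regression notice. The sample input is constructed (abridged) from the summaries listed above, with "..." marking omitted sentences; the regular expressions assume that format and are an assumption of the example.

```python
import re

# Constructed sample input, abridged from the Ubuntu Security Notice summaries
# listed above ("..." marks sentences left out). Not full advisory text.
ADVISORIES = [
    "USN-3629-3: MySQL vulnerabilities. USN-3629-1 fixed vulnerabilities in MySQL. "
    "This update provides the corresponding updates for Ubuntu 18.04 LTS.",
    "USN-3629-2: MySQL vulnerabilities. USN-3629-1 fixed a vulnerability in MySQL. "
    "This update provides the corresponding update for Ubuntu 12.04 ESM. ... "
    "MySQL has been updated to 5.5.60 in Ubuntu 12.04 ESM.",
    "USN-3629-1: MySQL vulnerabilities. Multiple security issues were discovered in MySQL ... "
    "MySQL has been updated to 5.5.60 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, and Ubuntu 17.10 "
    "have been updated to MySQL 5.7.22.",
    "USN-3628-2: OpenSSL vulnerability. USN-3628-1 fixed a vulnerability in OpenSSL. "
    "This update provides the corresponding update for Ubuntu 12.04 ESM. ...",
    "USN-3628-1: OpenSSL vulnerability. ... An attacker could possibly use this issue to "
    "perform a cache-timing attack and recover private RSA keys.",
    "USN-3626-1: Ruby vulnerabilities. ... (CVE-2018-6914) ... (CVE-2018-8778, CVE-2018-8780)",
    "USN-3624-1: Patch vulnerabilities. ... (CVE-2016-10713) ... (CVE-2018-1000156)",
    "USN-3621-2: Ruby regression. USN-3621-1 fixed vulnerabilities in Ruby. The update caused "
    "an issue due to an incomplete patch for CVE-2018-1000074. This update reverts the "
    "problematic patch pending further investigation.",
    "USN-3621-1: Ruby vulnerabilities. ... (CVE-2018-1000073) ... (CVE-2018-1000074)",
]

# "USN-<notice>-<revision>: <package> vulnerability|vulnerabilities|regression. <body>"
ID_RE = re.compile(
    r"^(USN-(\d+)-(\d+)):\s+(.+?)\s+(vulnerability|vulnerabilities|regression)\.\s*(.*)$")
BASE_RE = re.compile(r"\b(USN-\d+-\d+) fixed\b")          # re-issue points at its original
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
RELEASE_RE = re.compile(r"\bUbuntu \d+\.\d+(?: (?:LTS|ESM))?")


def parse_advisory(line):
    """Split one summary line into its notice id, package, CVEs and releases."""
    m = ID_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised advisory line: {line[:40]!r}")
    usn, notice, revision, package, kind, body = m.groups()
    base = BASE_RE.search(body)
    return {
        "id": usn,
        "notice": notice,              # shared by an original and all its re-issues
        "revision": int(revision),
        "package": package,
        "regression": kind == "regression",
        "base": base.group(1) if base else None,
        "cves": sorted(set(CVE_RE.findall(body))),
        "releases": sorted(set(RELEASE_RE.findall(body))),
    }


def group_notices(lines):
    """Merge an original notice with its re-issues and regressions, keyed by notice number.

    A re-issue repeats the original's "Original advisory details", so the CVE set is the
    union over the group; a regression notice marks the whole group as needing re-check,
    because the fix it reverts is no longer in place on affected systems.
    """
    groups = {}
    for adv in map(parse_advisory, lines):
        g = groups.setdefault(adv["notice"], {
            "package": adv["package"], "ids": [], "cves": set(),
            "releases": set(), "regression": False})
        g["ids"].append(adv["id"])
        g["cves"].update(adv["cves"])
        g["releases"].update(adv["releases"])
        g["regression"] |= adv["regression"]
    for g in groups.values():
        g["ids"].sort()
    return groups


def advisories_for_release(lines, release):
    """Notice ids whose summary names the given release, e.g. 'Ubuntu 12.04 ESM'."""
    return sorted(a["id"] for a in map(parse_advisory, lines) if release in a["releases"])


if __name__ == "__main__":
    for notice, g in sorted(group_notices(ADVISORIES).items()):
        flag = " REGRESSION: re-check patch state" if g["regression"] else ""
        print(f"USN-{notice} {g['package']}: {', '.join(g['ids'])}"
              f" | CVEs: {', '.join(sorted(g['cves'])) or '-'}"
              f" | releases: {', '.join(sorted(g['releases'])) or '-'}{flag}")
```

Grouping by notice number rather than by individual USN id is what makes the count of "forty-two advisories" meaningful for a patch tracker: the five groups in the sample cover nine notices, and the regression flag on USN-3621 tells an administrator that a Ruby host showing USN-3621-2 installed is still exposed to CVE-2018-1000074 until a corrected update ships.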