August signals the last days of summer. For those of us in the hotter areas it means relief from 100°+ days and for those up north, it means starting to think ahead to prepare for winter and the extra work of dealing with snow, ice and freezing temperatures. Either way, another month and another season is almost over, and as time moves on the software patches keep on coming.

It was another heavy month for Microsoft, with the release of Windows 10 to the general public at the end of July complicating things. Apple fixed a huge number of security issues across their product line. Other software vendors released a number of security updates for a variety of products.

Apple

Apple released no security fixes during the month of July, although they had several right at the end of June that we covered in last month’s roundup. This month, four of their five updates came out mid-month, on August 13.  This included:

  • Update for the Safari web browser for Yosemite, Mavericks and Mountain Lion. These updates are labeled as versions 8.0.8, 7.1.8 and 6.2.8 respectively. The update addresses 27 vulnerabilities in Safari Application, WebKit, WebKit Canvas, WebKit Page Loading and WebKit Process Model. Potential impacts include user interface spoofing, violation of a web site’s Content Security Policy directive, cookie leakage, cross-origin exfiltration of image data, exposure of private browsing history, unexpected application termination or arbitrary code execution.
  • Security Update 2015-006 for the Macintosh OS X Yosemite, Mavericks, and Mountain Lion operating systems, which addresses 135 vulnerabilities in Apache, Apple ID OD Plug-in, AppleGraphicsControl, Bluetooth, bootp, CloudKit, CoreMedia Playback, CoreText, curl, Data Detectors Engine, Date & Time pref pane, Dictionary Application, DiskImages, dyld, FontParser, groff, ImageIO, Install Framework Legacy, IOFireWireFamily, IOGraphics, IOHIDFamily, the Kernel, Libc, Libinfo, libpthread, libxml2, libxpc, mail_cmds, Notification Center OSX, ntfs, OpenSSH, OpenSSL, perl, PostgreSQL, python, QL Office, Quartz Composer Framework, Quick Look, QuickTime 7, SceneKit, Security, SMBClient, Speech UI, sudo, tcpdump, Text Formats and udf. Potential impact ranges from denial of service to arbitrary code execution and includes information disclosure.
  • iOS 8.4.1 for the iPhone 4s and later, the iPod Touch 5th generation and later and the iPad 2 and later includes fixes for 71 security vulnerabilities in AppleFileConduit, Air Traffic, Backup, bootp, Certificate UI, CloudKit, CFPreferences, Code Signing, CoreMedia Playback, CoreText, DiskImages, FontParser, ImageIO, IOKit, IOHIDFamily, Kernel, Libc, Libinfo, libpthread, libxml2, libxpc, Location Framework, MobileInstallation, the MSVDX Driver, Office Viewer, QL Office, Safari, Sandbox_profiles, UIKit WebView, WebKit and Web. Potential impacts range from violation of a website’s Content Security Policy directive, cookie leakage and user interface spoofing to arbitrary code execution.
  • OS X Server 4.1.5 for OS X Yosemite 10.10.5 or later contains an update to address a single security vulnerability in BIND, by which a remote attacker might be able to cause a denial of service.

In addition to the four updates released on August 13, Apple released QuickTime version 7.7.8 on August 20, an update for QuickTime running on Windows 7 and Vista. This update addresses nine vulnerabilities that relate to memory corruption issues and could be exploited by an attacker to cause unexpected application termination or arbitrary code execution.

For more information about these updates, see Apple’s web site at
https://support.apple.com/en-us/HT201222

Adobe

Adobe normally releases security updates in conjunction with Microsoft on the second Tuesday of each month. This month, the company released one update on that day, and two more later in the month.

  • On August 11, Adobe released APSB15-19, a critical security update for Adobe Flash Player that addresses more than 30 vulnerabilities in Flash Player running on Windows, Mac and Linux operating systems. These include type confusion, vector length corruption, use-after-free vulnerabilities, heap buffer overflows, integer overflows and memory corruption vulnerabilities. Potential impacts include exploits that could lead to code execution. Priority rating is 1 on Windows and Mac, 3 on Linux.
  • On August 18, Adobe released APSB15-20, a security hotfix for a vulnerability rated important in LiveCycle Data Services versions 4.7, 4.6.2, 4.5, and 3.0x running on Windows, Mac and Unix operating systems. Adobe has assigned a priority 3 to this update on all platforms, but an exploit could lead to information disclosure.
  • On August 27, Adobe released APSB15-21, a security hotfix rated important for ColdFusion versions 10 and 11. It addresses a single vulnerability related to parsing of crafted XML external entities in BlazeDS, exploitation of which could lead to information disclosure. Adobe has assigned a priority rating of 2.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

On August 18, Google released an update to the Chrome web browser for Windows, Mac and Linux, version 44. This version contains all of the latest security fixes, which include 43 vulnerability patches. Of these, 13 were rated as high impact.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  On July 14, Oracle released a critical patch update that addresses 193 security vulnerabilities across multiple Oracle products. Oracle did not release any security updates in August.

For more information about Oracle security updates and a list of previously released patches, see http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

Mozilla put out updates for seven vulnerabilities on August 6, 14 on August 11, one on August 12 and two on August 27, for a total of 24 security flaws patched this month. Seven of these were rated as critical and ten were high impact. The vulnerabilities include multiple use-after-free issues, buffer overflows, arbitrary file overwriting, out-of-bounds write and read issues and miscellaneous memory safety hazards, among others. The most serious could be exploited to accomplish arbitrary code execution.

For more information about these fixes, see the Mozilla Security Advisories web site at https://www.mozilla.org/en-US/security/advisories/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (August 27), Ubuntu has issued 27 security advisories, many of which address multiple vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2723-1: Firefox vulnerabilities – August 27

A use-after-free was discovered when resizing a canvas element during restyling in some circumstances. If a user was tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code.

USN-2725-1: cups-filters vulnerability – August 27

Seth Arnold discovered that ippusbxd in the cups-filters package would incorrectly listen to all configured network interfaces. A remote attacker could use this issue to possibly access locally-connected printers.

USN-2724-1: QEMU vulnerabilities – August 27

It was discovered that QEMU incorrectly handled a PRDT with zero complete sectors in the IDE functionality. A malicious guest could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

USN-2722-1: GDK-PixBuf vulnerability – August 26

Gustavo Grieco discovered that GDK-PixBuf incorrectly handled scaling bitmap images. If a user or automated system were tricked into opening a BMP image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2712-1: Thunderbird vulnerabilities – August 25

Gary Kwong, Christian Holler, and Byron Campen discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user.

USN-2702-3: Firefox regression – August 20

USN-2702-1 fixed vulnerabilities in Firefox. After upgrading, some users in the US reported that their default search engine switched to Yahoo. This update fixes the problem. We apologize for the inconvenience.

USN-2721-1: Subversion vulnerabilities – August 20

It was discovered that the Subversion mod_dav_svn module incorrectly handled REPORT requests for a resource that does not exist. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

USN-2720-1: Django vulnerability – August 18

Lin Hua Cheng discovered that Django incorrectly handled the session store. A remote attacker could use this issue to cause the session store to fill up, resulting in a denial of service.

USN-2710-2: OpenSSH regression – August 18

USN-2710-1 fixed vulnerabilities in OpenSSH. The upstream fix for CVE-2015-5600 caused a regression resulting in random authentication failures in non-default configurations. This update fixes the problem. Original advisory details: Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication.

USN-2719-1: Linux kernel vulnerability – August 17

Marcelo Ricardo Leitner discovered a race condition in the Linux kernel’s SCTP address configuration lists when using Address Configuration Change (ASCONF) options on a socket. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).

USN-2711-1 through USN-2719-1: Net-SNMP vulnerabilities – August 17

It was discovered that Net-SNMP incorrectly handled certain trap messages when the -OQ option was used. A remote attacker could use this issue to cause Net-SNMP to crash, resulting in a denial of service. (CVE-2014-3565) Qinghao Tang discovered that Net-SNMP incorrectly handled SNMP PDU parsing failures.

USN-2710-1: OpenSSH vulnerabilities – August 14

Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to perform user impersonation. (CVE number pending) Moritz Jodeit discovered that OpenSSH incorrectly handled context memory when using PAM.

USN-2709-1: pollinate update – August 14

The pollinate package bundles the certificate for entropy.ubuntu.com. This update refreshes the certificate to match the new certificate for the server.

USN-2702-2: Ubufox update – August 11

USN-2702-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Ubufox. Original advisory details: Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered multiple memory safety issues in Firefox.

USN-2702-1: Firefox vulnerabilities – August 11

Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered multiple memory safety issues in Firefox. If a user was tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash.

USN-2707-1: Firefox vulnerability – August 7

Cody Crews discovered a way to violate the same-origin policy to inject script into a non-privileged part of the PDF viewer. If a user was tricked into opening a specially crafted website, an attacker could exploit this to read sensitive information from local files. (CVE-2015-4495)

USN-2706-1: OpenJDK 6 vulnerabilities – August 6

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network.

USN-2705-1: Keystone vulnerabilities – August 5

Qin Zhao discovered Keystone disabled certification verification when the “insecure” option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

USN-2704-1: Swift vulnerabilities – August 5

Rajaneesh Singh discovered Swift does not properly enforce metadata limits. An attacker could abuse this issue to store more metadata than allowed by policy. (CVE-2014-7960) Clay Gerrard discovered Swift allowed users to delete the latest version of object regardless of object permissions when allow version is configured.

USN-2703-1: Cinder vulnerability – August 5

Bastian Blank discovered that Cinder guessed image formats based on untrusted data. An attacker could use this to read arbitrary files from the Cinder host.

USN-2677-1: Oxide vulnerabilities – August 4

An uninitialized value issue was discovered in ICU. If a user was tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2015-1270) A use-after-free was discovered in the GPU process implementation in Chromium.