J003-Content-3rdPartyRoundup_SQIT pros who are looking for relief from the heavy patch loads we’ve seen recently will find August is a mixed bag. Firefox 48 is here now, along with a bunch of security updates from other vendors.

Summer is drawing to an end and soon fall will be in the air. For those of us in hot climates, this time of the year always comes as a relief. IT pros who are looking for relief from the heavy patch loads we’ve seen recently will find August is a mixed bag.

Apple is following the light month/heavy month alternating schedule that has been the norm lately and only gives us two, Adobe released only a single security update this month, but Mozilla is making up for it with Firefox 48, which includes twenty-three security fixes. For Google and Linux, it’s business as usual.

Now let’s take a look at the details of some of this month’s patches from major third party security vendors. The following applies as of the date of this writing, which is August 29.

Apple

After a large number of patches in May, Apple released only one in June. In July, they had seven patches for us, addressing a few large number of vulnerabilities, and this month we’re back to “light” again with only two. Both are new versions of iOS for the iPhone 4s and above, iPad 2 and above, and iPod Touch fifth generation and later.

  • On August 4, Apple released iOS version 9.3.4 to address a single memory corruption vulnerability in IOMobileFrameBuffer, which could be exploited to execute arbitrary code with kernel privileges.
  • On August 25, Apple released iOS version 9.3.5, which addresses three separate vulnerabilities that include a validation issue that could allow disclosure of kernel memory, a memory corruption issue that could be used to execute arbitrary code with kernel privileges, and a memory corruption issue in the WebKit component that could lead to arbitrary code execution.

For more information about this and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe had an average month in July, with the issuance of three security updates. For August, they have released only one update.

  • APSB16-27 was released on August 9 in keeping with Adobe’s standard Patch Tuesday schedule, containing hotfixes for four vulnerabilities in Adobe Experience Manager. These include two input validation issues that could be used for cross-scripting attacks, an information disclosure vulnerability in backup functionality, and a vulnerability that could result in disclosure of audit log events to unprivileged users. These affect Windows, UNIX, Linux and OS X, are all rated important, and have a priority rating of 2.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

Google’s August Security Bulletin for Android contains security patch level 2016-08-01 that addresses twenty-two vulnerabilities, one critical, four high-severity and the rest moderate, along with patch level 2016-08-05, which addresses an additional eighty-one vulnerabilities. These include remote code execution, elevation of privilege, information disclosure and denial of service issues. For more information about the details, see the bulletin at https://source.android.com/security/bulletin/2016-08-01.html

Google also released a stable channel update for Chrome OS on August 3, which contains a fix for a heap overflow vulnerability of high severity. Also on August 3, Google released a stable channel update for the Chrome desktop browser for Windows, Mac and Linux that includes ten security fixes, four of which are of high severity. For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October, so the next regularly scheduled patch release will occur on October 18.

Mozilla

Mozilla released no security updates for Firefox last month, but they made up for it this month, with twenty-three security patches in Firefox v. 48, which was released on August 2.

  • 2016-84 Information disclosure through Resource Timing API during page navigation
  • 2016-83 Spoofing attack through text injection into internal error pages
  • 2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
  • 2016-81 Information disclosure and local file manipulation through drag and drop
  • 2016-80 Same-origin policy violation using local HTML file and saved shortcut file
  • 2016-79 Use-after-free when applying SVG effects
  • 2016-78 Type confusion in display transformation>
  • 2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
  • 2016-76 Scripts on marquee tag can execute in sandboxed iframes
  • 2016-75 Integer overflow in WebSockets during data buffering
  • 2016-74 Form input type change from password to text can store plain text password in session restore file
  • 2016-73 Use-after-free in service workers with nested sync events
  • 2016-72 Use-after-free in DTLS during WebRTC session shutdown
  • 2016-71 Crash in incremental garbage collection in JavaScript
  • 2016-70 Use-after-free when using alt key and toplevel menus
  • 2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
  • 2016-68 Out-of-bounds read during XML parsing in Expat library
  • 2016-67 Stack underflow during 2D graphics rendering
  • 2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
  • 2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
  • 2016-64 Buffer overflow rendering SVG with bidirectional content
  • 2016-63 Favicon network connection can persist when page is closed
  • 2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)

For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (August 29), Ubuntu has issued 32 security notices this month. Many of these address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates. Here are the Ubuntu Security Notices (USNs) for August:

  • USN-3072-2: Linux kernel (OMAP4) vulnerabilities – 29th August 2016. Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory.
  • USN-3072-1: Linux kernel vulnerabilities – 29th August 2016. Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory.
  • USN-3071-2: Linux kernel (Trusty HWE) vulnerabilities – 29th August 2016. USN-3071-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.
  • USN-3071-1: Linux kernel vulnerabilities – 29th August 2016. Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory.
  • USN-3070-1: Linux kernel vulnerabilities – 29th August 2016. A missing permission check when settings ACLs was discovered in nfsd. A local user could exploit this flaw to gain access to any file by setting an ACL.
  • USN-3069-1: Eye of GNOME vulnerability – 25th August 2016. It was discovered that Eye of GNOME incorrectly handled certain invalid UTF-8 strings. If a user were tricked into opening a specially-crafted image, a remote attacker could use this issue to cause Eye of GNOME to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3067-1: HarfBuzz vulnerabilities – 24th August 2016. Kostya Serebryany discovered that HarfBuzz incorrectly handled memory. A remote attacker could use this issue to cause HarfBuzz to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8947) It was discovered that HarfBuzz incorrectly handled certain length checks.
  • USN-3068-1: Libidn vulnerabilities – 24th August 2016. Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos discovered that Libidn incorrectly handled invalid UTF-8 characters. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service, or possibly disclose sensitive memory.
  • USN-3066-1: PostgreSQL vulnerabilities – 18th August 2016. Heikki Linnakangas discovered that PostgreSQL incorrectly handled certain nested CASE/WHEN expressions. A remote attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service. (CVE-2016-5423) Nathan Bossart discovered that PostgreSQL incorrectly handled special characters in database and role names.
  • USN-3065-1: Libgcrypt vulnerability – 18th August 2016. Felix Dörre and Vladimir Klebanov discovered that Libgcrypt incorrectly handled mixing functions in the random number generator. An attacker able to obtain 4640 bits from the RNG can trivially predict the next 160 bits of output.
  • USN-3064-1: GnuPG vulnerability – 18th August 2016. Felix Dörre and Vladimir Klebanov discovered that GnuPG incorrectly handled mixing functions in the random number generator. An attacker able to obtain 4640 bits from the RNG can trivially predict the next 160 bits of output.
  • USN-3063-1: Fontconfig vulnerability – 17th August 2016. Tobias Stoeckmann discovered that Fontconfig incorrectly handled cache files. A local attacker could possibly use this issue with a specially crafted cache file to elevate privileges.
  • USN-3062-1: OpenJDK 7 vulnerabilities – 16th August 2016. Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.
  • USN-3061-1: OpenSSH vulnerabilities – 15th August 2016. Eddie Harari discovered that OpenSSH incorrectly handled password hashing when authenticating non-existing users. A remote attacker could perform a timing attack and enumerate valid users.
  • USN-3047-2: QEMU regression – 12th August 2016. USN-3047-1 fixed vulnerabilities in QEMU. The patch to fix CVE-2016-5403 caused a regression which resulted in save/restore failures when virtio memory balloon statistics are enabled. This update temporarily reverts the security fix for CVE-2016-5403 pending further investigation. We apologize for the inconvenience.
  • USN-3060-1: GD library vulnerabilities – 10th August 2016. It was discovered that the GD library incorrectly handled certain malformed TGA images. If a user or automated system were tricked into processing a specially crafted TGA image, an attacker could cause a denial of service.
  • USN-3059-1: xmlrpc-epi vulnerability – 10th August 2016. It was discovered that xmlrpc-epi incorrectly handled lengths in the simplestring_addn function. A remote attacker could use this issue to cause applications using xmlrpc-epi such as PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3057-1: Linux kernel (Qualcomm Snapdragon) vulnerabilities – 10th August 2016. Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.
  • USN-3056-1: Linux kernel (Raspberry Pi 2) vulnerabilities – 10th August 2016. Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.
  • USN-3055-1: Linux kernel vulnerabilities – 10th August 2016. Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.
  • USN-3054-1: Linux kernel (Xenial HWE) vulnerabilities – 10th August 2016. Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.
  • USN-3053-1: Linux kernel (Vivid HWE) vulnerabilities – 10th August 2016. A missing permission check when settings ACLs was discovered in nfsd. A local user could exploit this flaw to gain access to any file by setting an ACL.
  • USN-3052-1: Linux kernel vulnerabilities – 10th August 2016. It was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash).
  • USN-3051-1: Linux kernel (Trusty HWE) vulnerabilities – 10th August 2016. It was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash).
  • USN-3050-1: Linux kernel (OMAP4) vulnerabilities – 10th August 2016. Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.
  • USN-3049-1: Linux kernel vulnerabilities – 10th August 2016. Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.
  • USN-3048-1: curl vulnerabilities – 8th August 2016. Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. (CVE-2016-5419) It was discovered that curl incorrectly handled client certificates when reusing TLS connections. (CVE-2016-5420) Marcelo Echeverria and Fernando Muñoz discovered that curl incorrectly reused a connection struct, contrary to expectations.
  • USN-3041-1: Oxide vulnerabilities – 5th August 2016. Multiple security issues were discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service (application crash) or execute arbitrary code.
  • USN-3044-1: Firefox vulnerabilities – 5th August 2016. Gustavo Grieco discovered an out-of-bounds read during XML parsing in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or obtain sensitive information.
  • USN-3047-1: QEMU vulnerabilities – 4th August 2016. Li Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host.
  • USN-3046-1: LibreOffice vulnerability – 4th August 2016. Yves Younan and Richard Johnson discovered that LibreOffice incorrectly handled presentation files. If a user were tricked into opening a specially crafted presentation file, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code.
  • USN-3045-1: PHP vulnerabilities – 2nd August 2016. It was discovered that PHP incorrectly handled certain SplMinHeap::compare operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

For more information about these, see the Ubuntu web site at http://www.ubuntu.com/usn/