Summer is almost at an end, and the months ahead are sure to be hectic as always as we sail toward the holiday season and the end of yet another year. Because those holidays also serve as a prime time for spammers, scammers, and attackers, it’s important to get ahead of the game and start ramping up security now to help prevent the delivery of any unexpected and undesirable “gifts” to your network in the coming months.

Of course, security is a multi-faceted thing, but patching vulnerabilities is an important element in keeping systems and the network safe from intrusion and attack. From new variants of the well-known Intel processor vulnerabilities to infiltration of networks through exploits targeting HP printers to a critical remote code execution issue in Apache Struts, it’s been a good month for the bad guys, and a busy one for IT security pros and network admins scrambling to keep up.

So now let’s take a look at some of the security updates released in July. Note that at the time this article is being written and submitted (morning of July 30th), there is one more day left in the month. If additional updates are released later today or tomorrow, we will cover them in next month’s Roundup.

Apple

Apple released eight updates in July for various products, but as of the date of this writing (afternoon of August 28), there have been no security patches released this month. That usually means we can expect either a last-minute release in the next few days (which I’ll cover in next month’s roundup) or a larger-than-usual number of patches in September.

Meanwhile, Apple was in the news – and not in a good way – when it was discovered that a security flaw in the Apple Store exposed the PIN codes of tens of millions of T-Mobile customers along with an unknown number of AT&T users.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

If it was a slow month for Apple updates, the same wasn’t true of Adobe. The company released six patches this month, slightly more than average. Four were released on their regular Patch Tuesday schedule (August 14):

  • APSB18-29 Security updates available for Adobe Acrobat and Reader. This is a priority 2 update that addresses two critical vulnerabilities, one out-of-bounds write issue and one untrusted pointer dereference vulnerability, both of which can be exploited to accomplish remote code execution.
  • APSB18-26 Security update available for Adobe Experience Manager. This is a priority 2 update that addresses three information disclosure and modification vulnerabilities and is rated moderate in severity.
  • APSB18-25 Security updates available for Adobe Flash Player. This is a priority 2 update for Flash Player on Windows, macOS, Linux and Chrome OS that addresses five important vulnerabilities, which include information disclosure, security mitigation bypass, and privilege escalation issues.
  • APSB18-20 Security update available for the Adobe Creative Cloud Desktop Application for Windows. This is a priority 3 update that addresses one important escalation of privilege vulnerability caused by insecure library loading (DLL hijacking).

For more information, see the security bulletin summary at https://helpx.adobe.com/security.html

Google

On August 8, Google released a stable channel update for the Chrome desktop browser for Windows, Mac, and Linux.

On August 23, Google released a new stable channel update for the Chrome OS that includes security updates as well as bug fixes and feature enhancements.

The August security update for Android contains fixes for forty-two issues. The most severe of these issues is a critical vulnerability that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. Google reported that they have had no reports of active customer exploitation or abuse of these newly reported issues.

For more information, see https://chromereleases.googleblog.com/

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2018-08-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The most recent update was released on July 17th and contained 334 security fixes across the broad range of Oracle products and services. The next regular update is scheduled for October 16th.

Oracle customers can read more about previous patches in the executive summary on the Oracle Support site at https://login.oracle.com/mysso/signon.jsp

Mozilla

The most recent version of the Firefox web browser, version 61, was released on June 26. It fixed the nineteen vulnerabilities that we described in the June Third Party Patch Roundup.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (July 30th), Ubuntu has issued the following forty-six security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-3756-1: Intel Microcode vulnerabilities. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information.
  • USN-3755-1: GD vulnerabilities. It was discovered that GD incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-1000222) It was discovered that GD incorrectly handled certain GIF files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3753-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access.
  • USN-3752-2: Linux kernel (HWE) vulnerabilities. USN-3752-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.
  • USN-3754-1: Linux kernel vulnerabilities. Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash).
  • USN-3753-1: Linux kernel vulnerabilities. It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges.
  • USN-3752-1: Linux kernel vulnerabilities. It was discovered that, when attempting to handle an out-of-memory situation, a null pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash).
  • USN-3751-1: Spice vulnerability. It was discovered that Spice incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service.
  • USN-3750-1: Pango vulnerability. Jeffrey M. discovered that Pango incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3749-1: Spidermonkey vulnerabilities. Multiple memory safety issues were fixed in Spidermonkey. An attacker could potentially exploit these to cause a denial of service, or execute arbitrary code.
  • USN-3748-1: base-files vulnerability. Sander Bos discovered that the MOTD update script incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled.
  • USN-3747-1: OpenJDK 10 vulnerabilities. It was discovered that OpenJDK did not properly validate types in some situations. An attacker could use this to construct a Java class that could possibly bypass sandbox restrictions. (CVE-2018-2825, CVE-2018-2826) It was discovered that the PatternSyntaxException class in OpenJDK did not properly validate arguments passed to it.
  • USN-3742-3: Linux kernel (Trusty HWE) regressions. USN-3742-2 introduced mitigations in the Linux Hardware Enablement (HWE) kernel for Ubuntu 12.04 ESM to address L1 Terminal Fault (L1TF) vulnerabilities (CVE-2018-3620, CVE-2018-3646). Unfortunately, the update introduced regressions that caused kernel panics when booting in some environments as well as preventing Java applications from starting.
  • USN-3746-1: APT vulnerability. It was discovered that APT incorrectly handled the mirror method (mirror://). If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages in environments configured to use mirror:// entries.
  • USN-3745-1: wpa_supplicant and hostapd vulnerability. It was discovered that wpa_supplicant and hostapd incorrectly handled certain messages. An attacker could possibly use this to access sensitive information.
  • USN-3741-3: Linux kernel regressions. USN-3741-1 introduced mitigations in the Linux kernel for Ubuntu 14.04 LTS to address L1 Terminal Fault (L1TF) vulnerabilities (CVE-2018-3620, CVE-2018-3646). Unfortunately, the update introduced regressions that caused kernel panics when booting in some environments as well as preventing Java applications from starting.
  • USN-3658-3: procps-ng vulnerabilities. USN-3658-1 fixed a vulnerability in procps. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that the procps-ng top utility incorrectly read its configuration file from the current working directory. A local attacker could possibly use this issue to escalate privileges.
  • USN-3744-1: PostgreSQL vulnerabilities. Andrew Krasichkov discovered that the PostgreSQL client library incorrectly reset its internal state between connections. A remote attacker could possibly use this issue to bypass certain client-side connection security features. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
  • USN-3743-1: WebKitGTK+ vulnerabilities. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
  • USN-3733-2: GnuPG vulnerability. USN-3733-1 fixed a vulnerability in GnuPG. This update provides the corresponding update for Ubuntu 12.04 ESM.
  • USN-3742-2: Linux kernel (Trusty HWE) vulnerabilities. USN-3742-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 for Ubuntu 12.04 ESM.
  • USN-3741-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3741-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
  • USN-3742-1: Linux kernel vulnerabilities. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS).
  • USN-3741-1: Linux kernel vulnerabilities. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS).
  • USN-3740-1: Linux kernel vulnerabilities. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS).
  • USN-3740-2: Linux kernel (HWE) vulnerabilities. USN-3740-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing.
  • USN-3739-2: libxml2 vulnerabilities. USN-3739-1 fixed a vulnerability in libxml2. This update provides the corresponding update for Ubuntu 12.04. Original advisory details: Matias Brutti discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information.
  • USN-3739-1: libxml2 vulnerabilities. Matias Brutti discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information. (CVE-2016-9318) It was discovered that libxml2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3738-1: Samba vulnerabilities. Svyatoslav Phirsov discovered that the Samba libsmbclient library incorrectly handled extra long filenames. A malicious server could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-10858) Volker Mauel discovered that Samba incorrectly handled database output.
  • USN-3737-1: GDM vulnerability. A use-after-free was discovered in GDM. A local user could exploit this to cause a denial of service, or potentially execute arbitrary code as the administrator.
  • USN-3736-1: libarchive vulnerabilities. It was discovered that libarchive incorrectly handled certain archive files. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
  • USN-3735-1: OpenJDK 7 vulnerability. It was discovered that the PatternSyntaxException class in OpenJDK did not properly validate arguments passed to it. An attacker could use this to potentially construct a class that caused a denial of service (excessive memory consumption).
  • USN-3734-1: OpenJDK 8 vulnerability. It was discovered that the PatternSyntaxException class in OpenJDK did not properly validate arguments passed to it. An attacker could use this to possibly construct a class that caused a denial of service (excessive memory consumption).
  • USN-3733-1: GnuPG vulnerability. Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and Yuval Yarom discovered that GnuPG is vulnerable to a cache side-channel attack. A local attacker could use this attack to recover RSA private keys.
  • USN-3732-1: Linux kernel vulnerability. Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packets. A remote attacker could use this to cause a denial of service.
  • USN-3732-2: Linux kernel (HWE) vulnerability. USN-3732-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.
  • USN-3731-2: LFTP vulnerability. USN-3731-1 fixed a vulnerability in LFTP. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that LFTP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3731-1: LFTP vulnerability. It was discovered that LFTP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3730-1: LXC vulnerability. Matthias Gerstner discovered that LXC incorrectly handled the lxc-user-nic utility. A local attacker could possibly use this issue to open arbitrary files.
  • USN-3729-1: libxcursor vulnerability. It was discovered that libxcursor incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3728-3: ClamAV vulnerabilities. USN-3728-2 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Hanno Böck discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3728-2: ClamAV vulnerabilities. USN-3728-1 fixed several vulnerabilities in libmspack. In Ubuntu 14.04 libmspack is included into ClamAV. This update provides the corresponding update for Ubuntu 14.04 LTS. Original advisory details: Hanno Böck discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3728-1: libmspack vulnerabilities. Hanno Böck discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-14679, CVE-2018-14680) Jakub Wilk discovered that libmspack incorrectly handled certain KWAJ files. An attacker could possibly use this issue to execute arbitrary code.
  • USN-3727-1: Bouncy Castle vulnerabilities. It was discovered that Bouncy Castle incorrectly handled certain crypto algorithms. A remote attacker could possibly use these issues to obtain sensitive information, including private keys.
  • USN-3726-1: Django vulnerability. Andreas Hug discovered that Django contained an open redirect in CommonMiddleware. A remote attacker could possibly use this issue to perform phishing attacks.
  • USN-3725-2: MySQL vulnerabilities. USN-3725-1 fixed several vulnerabilities in MySQL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.