August is over, and that always comes with a bittersweet aura. In Texas, we’re happy to see the intense heat take its leave and make way for the crisp coolness of fall – but it also signals the impending end of summer fun and the hectic holiday months ahead.

August may be a “lazy” month for many, who seize the opportunity to take vacations before schools resume sessions and the weather turns cold, but it wasn’t a lazy one for hackers and attackers. We saw targeted ransomware attacks against dental offices, the hacking of Twitter CEO Jack Dorsey’s account made headlines, accused Capital One data thief Paige Thompson was indicted, and it was discovered that a popular mobile PDF creator that has been downloaded from Google Play more than 100 million times contains a malicious dropper component.

Data breaches abound. In August alone, Presbyterian Healthcare Services revealed that 183,000 patients and health plan members may have had their personal data compromised due to a phishing scam. Internet domain registrar Hostinger reported a breach that exposed data belonging to roughly 14 million users. Massachusetts General Hospital had a data breach that exposed private data, including genetic information, of 9,900 people.

As if all this weren’t enough, the month ended with a prediction from Juniper Research that the annual cost of worldwide data breaches will go over $5 trillion (that’s $5,000,000,000,000) by 2024—which, when you think about it, isn’t all that far in the future.

The good guys scored a few, though. The French National Gendarmerie’s Cybercrime Fighting Center and the FBI teamed up to rescue around 850,000 machines that had been infected with Retadup malware, and the U.S. launched a secret cyberattack that took out an Iranian database used by Islamic Revolutionary Guards Corps to plan attacks against oil tankers in the Persian Gulf.

And the major software companies continue to work hard to patch up the vulnerabilities that enable some of the attacks and breaches. Let’s take a look at what came our way from them this month.

Apple

Apple released a total of six updates for various products this month. These included one update released on August 1:

  • iCloud for Windows 10.6.1 for Windows 10 and later via the Microsoft Store

Another update was released on August 13:

  • SwiftNIO HTTP/2 1.5.0 for SwiftNIO HTTP/2 1.0.0 through 1.4.0 on macOS Sierra 10.12 and later and Ubuntu 14.04 and later

And finally, four updates were released on August 26:

  • watchOS 5.3.1 for Apple Watch Series 1 and later
  • iOS 12.4.1 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later. Addresses a single vulnerability in the kernel that could be exploited to accomplish arbitrary code execution.
  • macOS Mojave 10.14.6 Supplemental Update for macOS Mojave 10.14.6. Addresses a single vulnerability in the kernel that could be exploited to accomplish arbitrary code execution.
  • tvOS 12.4.1 for Apple TV 4K and Apple TV HD. Addresses a single vulnerability in the kernel that could be exploited to accomplish arbitrary code execution.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released a whopping eight patches this month, which is more than average. All were released on their regular Patch Tuesday schedule (August 13):

  • APSB19-44 Security update available for Adobe Photoshop CC. These updates resolve multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
  • APSB19-42 Security update available for Adobe Experience Manager. These updates resolve a critical authentication bypass vulnerability in the Security Assertion Markup Language (SAML) handler in AEM versions 6.4 and 6.5. Successful exploitation could result in unauthorized access to the AEM environment.
  • APSB19-41 Security update available for Adobe Acrobat and Reader. These updates address important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
  • APSB19-39 Security update available for Adobe Creative Cloud Desktop Application. This update resolves critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
  • APSB19-35 Security update available for Adobe Prelude CC. This update resolves an insecure library loading vulnerability that could lead to privilege escalation.
  • APSB19-33 Security update available for Adobe Premiere Pro CC. This update resolves an insecure library loading vulnerability that could lead to privilege escalation.
  • APSB19-32 Security update available for Adobe Character Animator CC. This update resolves an insecure library loading vulnerability that could lead to privilege escalation.
  • APSB19-31 Security update available for Adobe After Effects CC. This update resolves an insecure library loading vulnerability that could lead to privilege escalation.

Vulnerabilities addressed include heap overflow issues, type confusion, buffer overflow, out of bounds read, out of bounds write, use after free, double free, internal IP disclosure, untrusted pointer dereference, and command injection.

Interestingly, no update was released for Flash Player this month.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

Chrome browser for the desktop has been updated to 76.0.3809.132 for Windows, Mac, and Linux, and started rolling out on August 26. This update includes 3 security fixes, including a high-severity use-after-free issue in Blink.

Chrome 76 for Android was also released on August 26.

Chrome OS v76.0.3809.102 for most Chrome OS devices was released on August 12. This build contains a number of bug fixes and security updates.

For more information, see https://chromereleases.googleblog.com/

Android updates for August include a fix for a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process. Vulnerabilities addressed include issues in Android runtime, Framework, Media Framework, System, Broadcom and Qualcomm components.

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2018-08-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The most recent update was released in July. The next scheduled release will be in October.

Oracle customers can read more about previous patches in the executive summary on the Oracle Support site at https://login.oracle.com/mysso/signon.jsp

Mozilla

Mozilla released the following security advisory in August:

Security Advisory 2019-24 for Firefox. Stored passwords in ‘Saved Logins’ can be copied without master password entry.

Firefox 68 was released in July and the next full version, Firefox 69, will be released in September.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (September 1), Ubuntu has issued the following forty-four security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-4113-1: Apache HTTP Server vulnerabilities. Stefan Eissing discovered that the HTTP/2 implementation in Apache did not properly handle upgrade requests from HTTP/1.1 to HTTP/2 in some situations. A remote attacker could use this to cause a denial of service (daemon crash).
  • USN-4112-1: Ceph vulnerability. Abhishek Lekshmanan discovered that the RADOS gateway implementation in Ceph did not handle client disconnects properly in some situations. A remote attacker could use this to cause a denial of service.
  • USN-4111-1: Ghostscript vulnerabilities. Hiroki Matsukuma discovered that the PDF interpreter in Ghostscript did not properly restrict privileged calls when ‘-dSAFER’ restrictions were in effect. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files.
  • USN-4110-4: Dovecot regression. USN-4110-1 fixed a vulnerability in Dovecot. The update introduced a regression causing a wrong check. This update fixes the problem for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. We apologize for the inconvenience. Original advisory details: Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data.
  • USN-4110-3: Dovecot regression. USN-4110-1 fixed a vulnerability in Dovecot. The update introduced a regression causing a wrong check. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service.
  • USN-4110-2: Dovecot vulnerability. USN-4110-1 fixed a vulnerability in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
  • USN-4110-1: Dovecot vulnerability. Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
  • USN-4109-1: OpenJPEG vulnerabilities. It was discovered that OpenJPEG incorrectly handled certain PGX files. An attacker could possibly use this issue to cause a denial of service or possibly remote code execution. (CVE-2017-17480) It was discovered that OpenJPEG incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-4108-1: Zstandard vulnerability. It was discovered that Zstandard incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
  • USN-4107-1: GIFLIB vulnerabilities. It was discovered that GIFLIB incorrectly handled certain GIF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2016-3977) It was discovered that GIFLIB incorrectly handled certain GIF files. An attacker could possibly use this issue to cause a denial of service.
  • USN-4106-1: NLTK vulnerability. Mike Salvatore discovered that NLTK mishandled crafted ZIP archives during extraction. A remote attacker could use this vulnerability to write arbitrary files to the file system.
  • USN-4105-1: CUPS vulnerabilities. Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic.
  • USN-4104-1: Nova vulnerability. Donny Davis discovered that the Nova Compute service could return configuration or other information in response to a failed API request in some situations. A remote attacker could use this to expose sensitive information.
  • USN-4103-2: Docker vulnerability. Jasiel Spelman discovered that a double free existed in the docker-credential-helpers dependency of Docker. A local attacker could use this to cause a denial of service (crash) or possibly execute arbitrary code. Original advisory details: Jasiel Spelman discovered that a double free existed in docker-credential-helpers.
  • USN-4103-1: docker-credential-helpers vulnerability. Jasiel Spelman discovered that a double free existed in docker-credential-helpers. A local attacker could use this to cause a denial of service (crash) or possibly execute arbitrary code.
  • USN-4078-2: OpenLDAP vulnerabilities. USN-4078-1 fixed several vulnerabilities in openldap. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that OpenLDAP incorrectly handled rootDN delegation.
  • USN-4102-1: LibreOffice vulnerabilities. It was discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code.
  • USN-4100-1: KConfig and KDE libraries vulnerabilities. It was discovered that KConfig and KDE libraries have a vulnerability where an attacker could hide malicious code under desktop and configuration files. (CVE-2019-14744) It was discovered that KConfig allows remote attackers to write to arbitrary files via a ../ in a filename in an archive file.
  • USN-4101-1: Firefox vulnerability. It was discovered that passwords could be copied to the clipboard from the “Saved Logins” dialog without entering the master password, even when a master password has been set. A local attacker could potentially exploit this to obtain saved passwords.
  • USN-4099-1: nginx vulnerabilities. Jonathan Looney discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to consume resources, leading to a denial of service.
  • USN-4098-1: wpa_supplicant and hostapd vulnerability. It was discovered that wpa_supplicant and hostapd were vulnerable to a side channel attack against EAP-pwd. A remote attacker could possibly use this issue to recover certain passwords.
  • USN-4097-1 fixed several vulnerabilities in php5. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that PHP incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
  • USN-4097-1: PHP vulnerabilities. It was discovered that PHP incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
  • USN-4095-2: Linux kernel (Xenial HWE) vulnerabilities. USN-4095-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve.
  • USN-4096-1: Linux kernel (AWS) vulnerability. Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors incorrectly handle SWAPGS instructions during speculative execution. A local attacker could use this to expose sensitive information (kernel memory).
  • USN-4095-1: Linux kernel vulnerabilities. Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information.
  • USN-4094-1: Linux kernel vulnerabilities. It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations.
  • USN-4093-1: Linux kernel vulnerabilities. It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-4070-3: MariaDB vulnerabilities. USN-4070-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2758, CVE-2019-2805, CVE-2019-2628, CVE-2019-2627, CVE-2019-2614 in MariaDB 10.3.
  • USN-4070-2: MariaDB vulnerabilities. USN-4070-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2805 in MariaDB 10.1. Ubuntu 18.04 LTS has been updated to MariaDB 10.1.41.
  • USN-4092-1: Ghostscript vulnerability. Netanel Fisher discovered that the font handler in Ghostscript did not properly restrict privileged calls when ‘-dSAFER’ restrictions were in effect. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files.
  • USN-4091-1: poppler vulnerability. It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service.
  • USN-4090-1: PostgreSQL vulnerabilities. Tom Lane discovered that PostgreSQL did not properly restrict functions declared as “SECURITY DEFINER”. An attacker could use this to execute arbitrary SQL with the permissions of the function owner. (CVE-2019-10208) Andreas Seltenreich discovered that PostgreSQL did not properly handle user-defined hash equality operators.
  • USN-4089-1: Rack vulnerability. It was discovered that Rack incorrectly handled carefully crafted requests. A remote attacker could use this issue to execute a cross-site scripting (XSS) attack.
  • USN-4088-1: PHP vulnerability. It was discovered that PHP incorrectly handled certain regular expressions. An attacker could possibly use this issue to expose sensitive information, cause a denial of service or execute arbitrary code.
  • USN-4087-1: BWA vulnerability. It was discovered that Burrows-Wheeler Aligner (BWA) mishandled certain crafted .alt files. An attacker could use this vulnerability to cause a denial of service (crash) or possibly execute arbitrary code.
  • USN-4086-1: Mercurial vulnerability. It was discovered that Mercurial mishandled symlinks in subrepositories. An attacker could use this vulnerability to write arbitrary files to the target’s filesystem.
  • USN-4049-4: GLib regression. USN-4049-1 fixed a vulnerability in GLib. The update introduced a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that GLib created directories and files without properly restricting permissions.
  • USN-4049-3: GLib regression. USN-4049-1 fixed a vulnerability in GLib. The update introduced a regression in Ubuntu 16.04 LTS causing a possible memory leak. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that GLib created directories and files without properly restricting permissions.
  • USN-4058-2: Bash vulnerability. USN-4058-1 fixed a vulnerability in bash. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that Bash incorrectly handled the restricted shell. An attacker could possibly use this issue to escape restrictions and execute any command.
  • USN-4079-2: SoX vulnerabilities. USN-4079-1 fixed vulnerabilities in SoX. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 19.04. Original advisory details: It was discovered that SoX incorrectly handled certain MP3 files. An attacker could possibly use this issue to cause a denial of service.
  • USN-4085-1: Sigil vulnerability. Mike Salvatore discovered that Sigil mishandled certain malformed EPUB files. An attacker could use this vulnerability to write arbitrary files to the filesystem.
  • USN-4084-1: Django vulnerabilities. It was discovered that Django incorrectly handled the Truncator function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2019-14232) It was discovered that Django incorrectly handled the strip_tags function.
  • USN-4069-2: Linux kernel (HWE) vulnerabilities. USN-4069-1 fixed vulnerabilities in the Linux kernel for Ubuntu 19.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 19.04 for Ubuntu 18.04 LTS. It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issue.
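Several of the advisories above (NLTK, KConfig, Sigil, and Mercurial) are the same bug class: an archive or repository entry whose name or symlink target points outside the directory it is being unpacked into, so that extraction writes to an arbitrary location. The check that prevents this is small and worth having in any code that unpacks untrusted archives. The following is an added example written for this roundup, not code from any of those projects: it classifies each ZIP member as safe, absolute-path, traversal, or symlink, extracts only the safe ones, and reports the verdicts. The archive it unpacks is constructed in memory for the demonstration; the entry names in it are made up.

```python
"""Defensive ZIP extraction: refuse members that would escape the destination.

Added example for the archive-traversal advisories in this roundup; it is not
code from NLTK, KConfig, Sigil or Mercurial. The demo archive is constructed
inline and its entry names are invented for illustration.
"""
import io
import stat
import tempfile
import zipfile
from pathlib import Path


def classify_entry(info: zipfile.ZipInfo, dest: Path) -> str:
    """Return 'ok', 'symlink', 'absolute' or 'traversal' for one archive member.

    The Unix mode lives in the high 16 bits of external_attr; a symlink entry
    is refused outright because its target is evaluated on the victim's disk,
    after extraction, where later members could be written through it.
    """
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symlink"
    name = info.filename
    if name.startswith(("/", "\\")) or Path(name).is_absolute():
        return "absolute"
    # Resolve the would-be target and insist that it lies strictly under dest.
    dest_r = dest.resolve()
    target = (dest_r / name).resolve()
    if target != dest_r and dest_r not in target.parents:
        return "traversal"
    return "ok"


def safe_extract(data: bytes, dest: Path) -> dict:
    """Extract only the members classified 'ok'; return {member name: verdict}."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = classify_entry(info, dest)
            verdicts[info.filename] = verdict
            if verdict == "ok":
                zf.extract(info, str(dest))
    return verdicts


def build_demo_archive() -> bytes:
    """Constructed sample: one harmless file plus three hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content\n")
        zf.writestr("../../evil.txt", "would land outside dest\n")   # traversal
        zf.writestr("/etc/passwd_overwrite", "absolute path\n")      # absolute
        link = zipfile.ZipInfo("escape_link")                        # symlink
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../")
    return buf.getvalue()


def demo() -> dict:
    """Unpack the constructed archive into a scratch directory and report."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out"
        dest.mkdir()
        verdicts = safe_extract(build_demo_archive(), dest)
        extracted = sorted(
            str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file()
        )
    return {"verdicts": verdicts, "extracted": extracted}


if __name__ == "__main__":
    for name, verdict in demo()["verdicts"].items():
        print(f"{verdict:10s} {name}")
```

Two design points. First, the symlink test comes before the path test: the link's own name may look perfectly safe, and the damage comes from a later member being written through it. Second, the function returns a verdict per member rather than silently dropping bad ones; CPython's own `ZipFile.extract` already strips `..` and leading slashes from member names, but a quietly renamed entry leaves no trace that the archive was hostile, whereas a recorded `traversal` or `symlink` verdict is something a defender can alert on.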