As this year draws to a close, holiday schedules result in early deadlines, which means this month’s roundup may be incomplete. Some vendors may release patches during the last week of December that don’t make it into this post. In that case, I’ll add them to January’s roundup or, if there are a large number of such patches or some of them are especially important, I’ll cover them in an “out of band” article in early January.

Meanwhile, here’s wishing all of you happy holidays spent enjoying time with family and friends and not having to deal with vulnerabilities or patches for a few days.

The following are the patches that have been released up to the point of this writing.

Apple

Thus far this month, Apple has released three updates officially labeled security updates on its security/support web site, two of them for the Safari web browser and one for the iOS mobile operating system. Two of these, however, don’t add any new security content. For additional information, see the Apple Security Updates page on the Apple Support web site.

  • On December 3, Apple released Safari 8.0.1, 7.1.1 and 6.2.1 for the Mountain Lion, Mavericks and Yosemite versions of the OS X desktop operating system. Thirteen vulnerabilities (CVE IDs) are addressed by these updates. All of the vulnerabilities are in WebKit, which is the layout engine software that renders pages in Safari. They include a style sheet vulnerability that could load a CSS file cross-origin and allow data exfiltration, a UI spoofing vulnerability caused by the handling of scrollbar boundaries, and multiple memory corruption issues that could allow for arbitrary code execution when visiting a maliciously crafted web site.
  • On December 9, Apple released iOS 8.1.2 for the iPhone 4 and above, iPod Touch 5th generation and above, and iPad 2 and above. Although listed as a security update, this version includes the same security content as iOS 8.1.1, which was released in November and addressed nine vulnerabilities.
  • On December 11, Apple released Safari 8.0.2, 7.1.2, and 6.2.2 for the Mountain Lion, Mavericks and Yosemite versions of the OS X desktop operating system. The security content is the same as described above for Safari 8.0.1, 7.1.1 and 6.2.1.

Adobe

On its usual Patch Tuesday release schedule of December 9, Adobe put out three security updates: one for Flash Player, one for Reader and Acrobat, and one for ColdFusion. For additional information, see the Security Bulletins and Advisories page on the Adobe web site.

  • APSB14-27 addresses six vulnerabilities in Adobe Flash Player for Windows, Linux and Mac desktop operating systems. These include memory corruption vulnerabilities that can be exploited to allow arbitrary code execution, a use-after-free vulnerability that can also result in code execution, and a stack-based buffer overflow vulnerability that can be used to execute code. Also addressed are an information disclosure vulnerability and a vulnerability that an attacker could exploit to circumvent the same-origin policy.  This update has a priority rating of 1 on Chrome and IE, with a 3 rating on Linux v11.2.202.424 and earlier. It is rated critical. There have been reports of CVE-2014-9163 – the buffer overflow vulnerability – being exploited in the wild, so it’s important to apply this update to all systems running Flash Player.
  • APSB14-28 addresses a whopping twenty different vulnerabilities in Adobe Reader and Adobe Acrobat running on Windows and Macintosh operating systems. These vulnerabilities include use-after-free, heap-based buffer overflow, integer overflow, memory corruption, time-of-check time-of-use (TOCTOU), improper implementation of a JavaScript API, handling of XML external entities and circumvention of the same-origin policy. Several of these can be exploited to allow arbitrary code execution, three can lead to information disclosure, and one can be exploited to allow arbitrary write access to the file system. The update has a priority rating of 1 on all systems and is rated critical.
  • APSB14-29 is a hotfix for ColdFusion v11 and v10 (v9.x is not affected). It addresses one resource consumption vulnerability that could be exploited to create a denial of service. The update has a priority rating of 2 and severity rating of important on all platforms.

Google

On December 9, Google released its latest stable channel update for Chrome running on Windows, Mac and Linux operating systems, version 39.0.2171.95. It includes an update for Adobe Flash but lists no other security-related fixes. For more information, see the Chrome Releases blog which includes a link to the complete change log.

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The next patches are expected to be released on January 20, 2015.

Mozilla

On December 2, Mozilla released security advisories for nine vulnerabilities in Firefox, Firefox ESR, SeaMonkey and Thunderbird as follows:

The most recent version of Firefox is 34.0.5, released on December 1.  It includes fixes for the vulnerabilities listed above.

Linux

Popular Linux distros, as usual, have already seen a number of security advisories and updates this month. Ubuntu has issued twenty-five security advisories during the time frame of December 1 through 17 and will most likely issue more this month. Other commercial Linux vendors issued similar advisories.

  • USN-2448-1: Linux kernel vulnerabilities – 12th December 2014. An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests.
  • USN-2447-1: Linux kernel (Utopic HWE) vulnerabilities – 12th December 2014. An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests.
  • USN-2446-1: Linux kernel vulnerabilities – 12th December 2014. An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests.
  • USN-2445-1: Linux kernel (Trusty HWE) vulnerabilities – 12th December 2014. An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests.
  • USN-2444-1: Linux kernel (OMAP4) vulnerabilities – 12th December 2014. An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests.
  • USN-2443-1: Linux kernel vulnerabilities – 12th December 2014. An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests.
  • USN-2442-1: Linux kernel (EC2) vulnerabilities – 12th December 2014. An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests.
  • USN-2441-1: Linux kernel vulnerabilities – 12th December 2014. An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests.
  • USN-2440-1: Mutt vulnerability – 11th December 2014. Jakub Wilk discovered that the write_one_header function in mutt did not properly handle newline characters at the beginning of a header. An attacker could specially craft an email to cause mutt to crash, resulting in a denial of service.
  • USN-2439-1: QEMU vulnerabilities – 11th December 2014. Michael S. Tsirkin discovered that QEMU incorrectly handled certain parameters during ram load while performing a migration. An attacker able to manipulate savevm data could use this issue to possibly execute arbitrary code on the host.
  • USN-2438-1: NVIDIA graphics drivers vulnerabilities – 10th December 2014. It was discovered that the NVIDIA graphics drivers incorrectly handled GLX indirect rendering support. An attacker able to connect to an X server, either locally or remotely, could use these issues to cause the X server to crash or execute arbitrary code resulting in possible privilege escalation.
  • USN-2436-2: X.Org X server vulnerabilities – 9th December 2014. USN-2436-1 fixed vulnerabilities in the X.Org X server. Since publication, additional fixes have been made available for these issues. This update adds the additional fixes. Original advisory details: Ilja van Sprundel discovered a multitude of security issues in the X.Org X server.
  • USN-2437-1: Bind vulnerability – 9th December 2014. Florian Maury discovered that Bind incorrectly handled delegation. A remote attacker could possibly use this issue to cause Bind to consume resources and crash, resulting in a denial of service.
  • USN-2436-1: X.Org X server vulnerabilities – 9th December 2014. Ilja van Sprundel discovered a multitude of security issues in the X.Org X server. An attacker able to connect to an X server, either locally or remotely, could use these issues to cause the X server to crash or execute arbitrary code resulting in possible privilege escalation.
  • USN-2435-1: Graphviz vulnerability – 8th December 2014. It was discovered that graphviz incorrectly handled parsing errors. An attacker could use this issue to cause graphviz to crash or possibly execute arbitrary code.
  • USN-2434-2: Ghostscript vulnerability – 8th December 2014. USN-2434-1 fixed a vulnerability in JasPer. This update provides the corresponding fix for the JasPer library embedded in the Ghostscript package. Original advisory details: Jose Duart discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files.
  • USN-2434-1: JasPer vulnerability – 8th December 2014. Jose Duart discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash or possibly execute arbitrary code with user privileges.
  • USN-2431-2: MAAS regression – 4th December 2014. USN-2431-1 fixed vulnerabilities in mod_wsgi. The security update exposed an issue in the MAAS package, causing a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights.
  • USN-2433-1: tcpdump vulnerabilities – 4th December 2014. Steffen Bauch discovered that tcpdump incorrectly handled printing OLSR packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-8767) Steffen Bauch discovered that tcpdump incorrectly handled printing GeoNet packets.
  • USN-2432-1: GNU C Library vulnerabilities – 3rd December 2014. Siddhesh Poyarekar discovered that the GNU C Library incorrectly handled certain multibyte characters when using the iconv function. An attacker could possibly use this issue to cause applications to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
  • USN-2428-1: Thunderbird vulnerabilities – 3rd December 2014. Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max Jonas Werner discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash.
  • USN-2431-1: mod_wsgi vulnerability – 3rd December 2014. It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights. A malicious application could possibly use this issue to cause a local privilege escalation when using daemon mode.
  • USN-2424-1: Firefox vulnerabilities – 2nd December 2014. Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, Max Jonas Werner, Christian Holler, Jon Coppeard, Eric Rahm, Byron Campen, Eric Rescorla, and Xidorn Quan discovered multiple memory safety issues in Firefox.
  • USN-2430-1: OpenVPN vulnerability – 2nd December 2014. Dragana Damjanovic discovered that OpenVPN incorrectly handled certain control channel packets. An authenticated attacker could use this issue to cause an OpenVPN server to crash, resulting in a denial of service.
  • USN-2429-1: ppp vulnerability – 1st December 2014. It was discovered that ppp incorrectly handled certain options files. A local attacker could possibly use this issue to escalate privileges.