I write this on New Year’s Eve; 2015 is drawing to a close, and what a year it’s been. On a personal note, for me it was a very good year with a not-so-good ending, as the town where I live was devastated by a tornado on the day after Christmas. My home was spared; we only suffered a three-day power outage, but I look out my window and see a whole row of houses across the lake from me that were demolished.

My takeaway from this experience as it applies to the IT security landscape is that it’s important to be prepared for anything. Disaster can strike from out of the blue – and that includes attacks on our networks that can suddenly destroy everything: our data, our ability to do business, and our organizations’ reputations.

Some of the tornado victims had shelters and safe rooms and had planned for what to do if this happened; others didn’t. We made it through the 72 hours without heat and lights more easily than some because we had plenty of flashlights, a large cache of batteries, candles, a DC inverter for charging devices from the car battery, a big emergency food supply, a gas cooktop and other such items. However, we weren’t as well prepared as some others, who had backup generators with automatic failover. On the other hand, some of those who lost their homes didn’t even have insurance.

Similarly, some organizations are more diligent than others about preparing for the possibility of a hack attack or malware infestation. Some put off applying patches because they’re afraid of the updates causing problems, and some keep putting it off even after others have reported no problems simply because they don’t want to take the time. Many suffer from the “It won’t happen to me” syndrome, which is usually true – until suddenly it isn’t.

If you’re one of those IT pros who doesn’t always get around to patching your machines, perhaps a good New Year’s resolution would be to reassess that strategy. Meanwhile, let’s look at the patches that were released for some of the popular other-than-Microsoft products in this last month of 2015.

Apple

Remember November, when Apple took the month off and didn’t release any security updates? Well, they made up for it in December, with eight version updates that cover many of their operating systems and applications.

Six of the updates came out on December 8:

  • iOS 9.2 for iPhone 4s and above, iPod Touch gen 5 and above and iPad 2 and above addresses more than fifty vulnerabilities in almost thirty different OS components, including WebKit, the Sandbox, Safari web browser, Siri, the Photos component, iBooks, LaunchServices, CoreGraphics and a number in the kernel. These include memory corruption issues, access control issues, input validation issues, XML issues, parsing issues, buffer overflows, path validation issues, problems with the handling of SSL handshakes, issues with validation of ACLs for the keychain, and more. Many of these could be exploited to accomplish arbitrary code execution and thus are critical vulnerabilities. Other impacts include denial of service, unauthorized access to data, bypass of ASLR, application termination, information disclosure, and bypass of HSTS.
  • OS X 10.11.2 El Capitan, Security Update 2015-005 Yosemite and Security Update 2015-008 Mavericks were released as a single update for the respective versions of the Apple desktop/laptop client operating system. This update includes fixes for 54 vulnerabilities. Many of these are the same as listed for iOS 9.2 above, and in addition there are issues related to Apache web service, Bluetooth, compression, configuration profiles, and the hypervisor. In addition to the same types of vulnerabilities mentioned above, there are use-after-free issues with VM objects. Impacts are similar and again, many of the vulnerabilities allow for arbitrary code execution and are rated critical.
  • Safari 9.0.2 for OS X Mavericks, Yosemite and El Capitan addresses 12 vulnerabilities, all of which are related to the WebKit component. Of these, 11 are memory corruption issues that could be exploited to accomplish arbitrary code execution and one is an insufficient input validation issue in content blocking that could reveal a user’s browsing history. The update is critical.
  • WatchOS 2.1 for all editions of Apple Watch addresses 30 vulnerabilities in the watch operating system, including many of the same components as were fixed in iOS and OS X. These are memory corruption, hard link handling, segment validation, null pointer dereference, and buffer overflow issues, with arbitrary code execution being the most serious impact, causing the update to be critical.
  • tvOS 9.1 for Apple TV 4th generation addresses 43 vulnerabilities, most of which are the same issues in the same components listed for the operating systems above, with similar impact potential.
  • Xcode 7.2 for OS X Yosemite 10.10.5 or later addresses four vulnerabilities in Git, IDE SCM and otools. These include multiple memory corruption issues and the failure of the previous version of Xcode to honor the .gitignore directive, allowing intentionally untracked files to be uploaded to repositories. Arbitrary code execution could result from the memory corruption issues that exist in the processing of mach-o files.

Apple released two more security updates on December 11:

  • iTunes 12.3.2 for Windows 7 or above addresses 12 vulnerabilities in the WebKit component. These are the same as the twelve issues fixed in Safari 9.0.2 described above.
  • Security Update 2015-006 for OS X Yosemite includes the content of Security Update 2015-005 that was released on December 8 and discussed above.

For more information about December’s updates and to keep an eye out for new ones, see Apple’s web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released two patches in December, both of which are for Adobe Flash Player and the first of which is a big one:

  • APSB15-32 was released on December 8 and contains fixes for a whopping 79 vulnerabilities. It applies to Flash Player on Windows, Mac, Linux and ChromeOS, including the Flash Player builds embedded in Edge, Internet Explorer 10 and 11 and Chrome (version 19.0.0.245 and earlier), as well as AIR Desktop Runtime, AIR SDK & Compiler and AIR for Android. The priority rating is 1 for all except Flash Player for Linux and AIR, which are priority 3. The vulnerabilities include memory corruption, security bypass, heap buffer overflow, stack overflow, type confusion, integer overflow and a very large number of use-after-free issues. The update is designated as critical because many of these could be exploited to allow an attacker to take control of the system.
  • APSB16-01 was released on December 28 but numbered as the first update of the new year. It addresses 19 vulnerabilities in Flash Player for Windows, Mac, Linux and ChromeOS, the Flash Player builds embedded in the Chrome, Edge and IE 10 and 11 web browsers, AIR Desktop Runtime, AIR SDK & Compiler and AIR for Android. There are reports that one of the vulnerabilities has been exploited in limited targeted attacks. These vulnerabilities include type confusion, integer overflow, use-after-free and memory corruption issues. The priority rating is 1 (3 for Flash for Linux and AIR) and the severity rating is critical.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

On December 15, Google released Chrome version 47.0.2526.106, which addressed multiple security vulnerabilities in the browser running on Windows, Linux and Mac OS X. The most severe of the vulnerabilities could be exploited to allow a remote attacker to take control of the system. The update fixes two issues; see the US-CERT notice for details:

https://www.us-cert.gov/ncas/current-activity/2015/12/15/Google-Releases-Security-Update-Chrome

Then on December 18, Google announced that the next version of Chrome, v. 48, to be released in early January, will no longer support SHA-1 certificates due to the risk of collision attacks: https://threatpost.com/google-announces-sha-1-deprecation-timeline/115681/
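The practical follow-up to that announcement is an inventory check: which of your own certificates still carry a SHA-1 signature? The Python below is an added example (not part of the original roundup or of any vendor's tooling) that reads just enough DER to reach a certificate's outer signatureAlgorithm and flags SHA-1-based OIDs; the certificates it parses are constructed stand-ins built inline, since no real certificate appears on this page.

```python
"""Find certificates still signed with SHA-1 by reading the outer
signatureAlgorithm of a DER-encoded X.509 certificate (stdlib only)."""

# Standard signature-algorithm OIDs -> (name, relies on SHA-1?)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content octets to dotted form (first arc 0, 1 or 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def certificate_signature_algorithm(cert_der):
    """Return (name, uses_sha1); unknown OIDs come back dotted, flagged False."""
    tag, cert, _ = der_read(cert_der)       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = der_read(cert)           # skip tbsCertificate
    tag, alg_id, _ = der_read(cert, pos)    # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_bytes, _ = der_read(alg_id)    # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    return SIGNATURE_OIDS.get(oid, (oid, False))

def der_tlv(tag, body):
    """Encode one DER TLV, using long-form length above 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    """Encode a dotted OID to DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_certificate(sig_oid):
    """Constructed stand-in, not a real certificate: placeholder tbsCertificate,
    real-shaped AlgorithmIdentifier {OID, NULL}, 200-byte dummy signature."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" + b"\xaa" * 200)   # forces long-form lengths
    return der_tlv(0x30, tbs + alg + sig)
```

On a real certificate, feed `certificate_signature_algorithm` the DER bytes (for a PEM file, base64-decode the body between the BEGIN/END lines first); a `True` second element means Chrome 48 will treat that certificate as untrusted.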

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. Last month they released an October update that patched a very large number of vulnerabilities. The next regularly scheduled update will be on January 19, 2016.

For a more detailed summary of previous vulnerabilities and fixes, see the Oracle security blog at https://blogs.oracle.com/security/

Mozilla

Mozilla officially released Firefox v.43 on December 15, which contains 16 security fixes. These include four that are rated critical, seven of high severity, three that are moderate and two of low impact.

The critical vulnerabilities include:

  • A cross-site reading issue
  • Privilege escalation vulnerabilities in WebExtension APIs
  • Use-after-free issue in WebRTC
  • Miscellaneous memory safety issues

The high severity vulnerabilities include:

  • Integer underflow and buffer overflow in libstagefright
  • Integer overflow in MP4 playback (64 bit versions)
  • Underflow through code inspection
  • Cross-origin information leak through web workers error events
  • Integer overflow allocating extremely large textures
  • Same origin policy violation
  • Crash with JavaScript variable assignment with unboxed objects

The moderate severity vulnerabilities include:

  • Buffer overflows found through code inspection
  • Linux file chooser crash on malformed images
  • Control characters allowed to be set in cookies

The low severity vulnerabilities include:

  • Denial of service due to malformed frames in HTTP/2
  • Hash in data URI incorrectly parsed

For more information about all of these vulnerabilities and fixes, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox43

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (December 31), Ubuntu has issued 41 security advisories, which is slightly higher than the past few months. Many of them address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-2854-1: Linux kernel (Vivid HWE) vulnerabilities – 20th December 2015. Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host.
  • USN-2853-1: Linux kernel (Wily HWE) vulnerabilities – 20th December 2015. Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host.
  • USN-2852-1: Linux kernel (Raspberry Pi 2) vulnerability – 19th December 2015. Jann Horn discovered a ptrace issue with user namespaces in the Linux kernel. The namespace owner could potentially exploit this flaw by ptracing a root owned process entering the user namespace to elevate its privileges and potentially gain access outside of the namespace. (http://bugs.launchpad.net/bugs/1527374)
  • USN-2851-1: Linux kernel vulnerabilities – 19th December 2015. Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host.
  • USN-2850-1: Linux kernel vulnerabilities – 19th December 2015. Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host.
  • USN-2849-1: Linux kernel (Utopic HWE) vulnerabilities – 19th December 2015. Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host.
  • USN-2848-1: Linux kernel vulnerabilities – 19th December 2015. Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host.
  • USN-2847-1: Linux kernel (Trusty HWE) vulnerabilities – 19th December 2015. Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host.
  • USN-2846-1: Linux kernel vulnerabilities – 19th December 2015. Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host.
  • USN-2845-1: SoS vulnerabilities – 17th December 2015. Dolev Farhi discovered an information disclosure issue in SoS. If the /etc/fstab file contained passwords, the passwords were included in the SoS report. This issue only affected Ubuntu 14.04 LTS.
  • USN-2840-2: Linux kernel (OMAP4) vulnerability – 17th December 2015. Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash).
  • USN-2843-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 17th December 2015. 郭永刚 discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash).
  • USN-2843-2: Linux kernel (Wily HWE) vulnerabilities – 17th December 2015. Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
  • USN-2844-1: Linux kernel (Utopic HWE) vulnerabilities – 17th December 2015. Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
  • USN-2843-1: Linux kernel vulnerabilities – 17th December 2015. Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
  • USN-2842-2: Linux kernel (Vivid HWE) vulnerabilities – 17th December 2015. Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
  • USN-2842-1: Linux kernel vulnerabilities – 17th December 2015. Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
  • USN-2841-2: Linux kernel (Trusty HWE) vulnerabilities – 17th December 2015. Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
  • USN-2841-1: Linux kernel vulnerabilities – 17th December 2015. Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
  • USN-2840-1: Linux kernel vulnerabilities – 17th December 2015. Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash).
  • USN-2839-1: CUPS update – 16th December 2015. As a security improvement against the POODLE attack, this update disables SSLv3 support in the CUPS web interface. For legacy environments where SSLv3 support is still required, it can be re-enabled by adding “SSLOptions AllowSSL3” to /etc/cups/cupsd.conf.
  • USN-2838-2: foomatic-filters vulnerability – 16th December 2015. Adam Chester discovered that the foomatic-filters foomatic-rip filter incorrectly stripped shell escape characters. A remote attacker could possibly use this issue to execute arbitrary code as the lp user.
  • USN-2838-1: cups-filters vulnerability – 16th December 2015. Adam Chester discovered that the cups-filters foomatic-rip filter incorrectly stripped shell escape characters. A remote attacker could possibly use this issue to execute arbitrary code as the lp user.
  • USN-2833-1: Firefox vulnerabilities – 15th December 2015. Andrei Vaida, Jesse Ruderman, Bob Clary, Christian Holler, Jesse Ruderman, Eric Rahm, Robert Kaiser, Harald Kirschner, and Michael Henretty discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service.
  • USN-2837-1: Bind vulnerability – 15th December 2015. It was discovered that Bind incorrectly handled responses with malformed class attributes. A remote attacker could use this issue to cause Bind to crash, resulting in a denial of service.
  • USN-2836-1: GRUB vulnerability – 15th December 2015. Hector Marco and Ismael Ripoll discovered that GRUB incorrectly handled the backspace key when configured to use authentication. A local attacker could use this issue to bypass GRUB password protection.
  • USN-2835-1: Git vulnerability – 15th December 2015. Blake Burkhart discovered that the Git git-remote-ext helper incorrectly handled recursive clones of git repositories. A remote attacker could possibly use this issue to execute arbitrary code by injecting commands via crafted URLs.
  • USN-2834-1: libxml2 vulnerabilities – 14th December 2015. Kostya Serebryany discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.
  • USN-2825-1: Oxide vulnerabilities – 10th December 2015. Multiple use-after-free bugs were discovered in the application cache implementation in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user.
  • USN-2832-1: libsndfile vulnerabilities – 7th December 2015. It was discovered that libsndfile incorrectly handled memory when parsing malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
  • USN-2831-2: foomatic-filters vulnerability – 7th December 2015. Michal Kowalczyk discovered that the foomatic-filters foomatic-rip filter incorrectly stripped shell escape characters. A remote attacker could possibly use this issue to execute arbitrary code as the lp user.
  • USN-2831-1: cups-filters vulnerability – 7th December 2015. Michal Kowalczyk discovered that the cups-filters foomatic-rip filter incorrectly stripped shell escape characters. A remote attacker could possibly use this issue to execute arbitrary code as the lp user.
  • USN-2830-1: OpenSSL vulnerabilities – 7th December 2015. Guy Leaver discovered that OpenSSL incorrectly handled a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10.
  • USN-2829-2: Linux kernel (Vivid HWE) vulnerabilities – 4th December 2015. It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash).
  • USN-2829-1: Linux kernel vulnerabilities – 4th December 2015. It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash).
  • USN-2828-1: QEMU vulnerabilities – 3rd December 2015. Jason Wang discovered that QEMU incorrectly handled the virtio-net device. A remote attacker could use this issue to cause guest network consumption, resulting in a denial of service.
  • USN-2827-1: OpenJDK 6 vulnerabilities – 3rd December 2015. Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network.
  • USN-2826-1: Linux kernel (Trusty HWE) vulnerabilities – 3rd December 2015. It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash).
  • USN-2824-1: Linux kernel (Utopic HWE) vulnerability – 1st December 2015. Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash).
  • USN-2823-1: Linux kernel vulnerabilities – 1st December 2015. It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash).
  • USN-2819-1: Thunderbird vulnerabilities – 1st December 2015. Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, and Gary Kwong discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service.