Another year has come to an end, and it’s traditionally a time – both in the IT industry and in other aspects of our lives – to do two things: 1) look back at the past twelve months and all that has happened over their course, and 2) look ahead to the coming new year and make plans (or resolutions) regarding what we hope to accomplish.

In the cybersecurity space, a recap of 2017 includes some major data breaches – exposure of millions of personal data records of customers of Verizon, Arby’s, America’s JobLink, InterContinental Hotels Group, payday loan company Wonga, eBay, a number of healthcare-related organizations, several universities, and most far-reaching of all, Equifax – and that’s only a few of the many databases that were breached.

According to DarkReading.com, by the end of September the year had already broken the record for the number of vulnerabilities reported, with more than 16,000 having been disclosed with 40% of those rated as severe.

Staying two steps ahead of the bad guys is an impossible challenge, especially when you throw BYOD and IoT into the mix, but the good news is that software vendors have gotten better over the years at responding to the discovery of security vulnerabilities. The other good news is that everyone from individual computer users to small businesses to large corporations seems to be taking security more seriously these days.

As the ball falls on 2017 and we venture into the unknown territory of 2018, we need to maintain vigilance and never let our guards down. That means doing our best to keep our devices and applications updated – and not just those from the popular vendors we cover here, but also all of those “things” out there on the IoT that are running custom operating systems and proprietary applications. Those, however, are beyond the scope of this roundup, as is a summary of the entire year’s security updates.

For now, let’s just take a look at the patches released by the “usual suspects” in December. With the exception of Apple, the update load was relatively light this month. Even Ubuntu, which often gives us forty or more security notices, has issued only twenty-four this month.

Apple

Apple didn’t skimp when it came to filling our stockings with patches this month. They put out eleven security updates that covered most of their products. Specifically:

  • On December 2, Apple released iOS 11.2, which addressed 23 vulnerabilities in various OS components such as IOKit, IOMobileFrameBuffer, IOSurface, the kernel, Mail, Mail Drafts and Mail Message Framework, WebKit and Wi-Fi. The most serious could be exploited to execute arbitrary code.
  • On December 4, Apple released tvOS 11.2, which addressed many of the same vulnerabilities.
  • On December 5, Apple released watchOS 4.2, which addressed 11 vulnerabilities.
  • On December 6, Apple released Safari 11.0.2 for OS X El Capitan, macOS Sierra and High Sierra, which addressed six memory corruption vulnerabilities that could lead to arbitrary code execution.
  • On December 6, Apple released macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan, which addressed 26 vulnerabilities in various OS components, including vulnerabilities that could be exploited to accomplish arbitrary code execution.
  • On December 6, Apple released iTunes 12.7.2 for Windows 7 and above, which addressed seven vulnerabilities including six memory corruption issues that could lead to arbitrary code execution.
  • On December 12, Apple released two patches for AirPort Base Station firmware: 7.6.9 and 7.7.9, which addressed four vulnerabilities including a remote code execution vulnerability.
  • On December 13, Apple released iOS 11.2.1 for iPhone 5s and above, iPad Air and above, and iPod Touch 6th generation, which addressed one vulnerability in the HomeKit component.
  • On December 13, Apple released tvOS 11.2.1 for Apple TV 4K and Apple TV 4th generation, which addressed the same HomeKit vulnerability.
  • On December 13, Apple released iCloud for Windows 7.2 for Windows 7 and above, which addressed seven vulnerabilities, including six memory corruption issues that could lead to arbitrary code execution.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support website at https://support.apple.com/en-us/HT201222

Adobe

Adobe issued nine patches last month, so I guess they decided to let us take a rest during this holiday month. They came out with only one security bulletin, which was released on their regular Patch Tuesday schedule, December 12:

  • APSB17-42 – Security Updates for Adobe Flash Player for Google Chrome, Microsoft Edge, Internet Explorer 11, and the Desktop Runtime, running on Windows, Mac, Linux and Chrome OS. Priority rating is 2 and severity is moderate, and it addresses a single business logic error vulnerability.

For more information, see the security bulletin at https://helpx.adobe.com/security/products/flash-player/apsb17-42.html

Google

  • On December 14, Google announced a stable channel update for the desktop version of the Chrome browser running on Windows, Mac, and Linux, version 63.0.3239.108. This update includes 2 security fixes.
  • On December 15, Google announced a stable channel update for Chrome OS, version 63.0.3239.86 (Platform version: 10032.71.1) for most Chrome OS devices. This build contains a number of bug fixes and security updates.

For more information, see the Chrome releases blog: https://chromereleases.googleblog.com/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The October update contained 252 new security fixes across Oracle product families. The latest version of the October updates is Rev. 5, released November 20th. The next scheduled updates will be released on January 16, 2018.

For more information, see: https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

On November 14, Mozilla released Firefox Quantum (version 57), a major overhaul of the browser that included major security improvements. They then released fixes for two vulnerabilities on November 29 (version 57.0.1).

This month, on December 7, they issued one security update (version 57.0.2), which addresses a buffer overflow that occurs when drawing and validating elements using Direct3D 9 with the ANGLE graphics library, used for WebGL content. Only Windows operating systems were affected.

For more information, see: https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (December 29), Ubuntu has issued twenty-four separate security advisories. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-3382-2: PHP vulnerabilities – 18th December 2017. USN-3382-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that the PHP URL parser incorrectly handled certain URI components. A remote attacker could possibly use this issue to bypass hostname-specific URL checks.
  • USN-3509-4: Linux kernel (Xenial HWE) regression – 15th December 2017. USN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem. We apologize for the inconvenience.
  • USN-3509-3: Linux kernel regression – 15th December 2017. USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem. We apologize for the inconvenience.
  • USN-3513-2: libxml2 vulnerability – 13th December 2017. USN-3513-1 fixed a vulnerability in libxml2. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that libxml2 incorrectly handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
  • USN-3513-1: libxml2 vulnerability – 13th December 2017. It was discovered that libxml2 incorrectly handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
  • USN-3512-1: OpenSSL vulnerabilities – 11th December 2017. David Benjamin discovered that OpenSSL did not correctly prevent buggy applications that ignore handshake errors from subsequently calling certain functions. (CVE-2017-3737) It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery multiplication procedure. While unlikely, a remote attacker could possibly use this issue to recover private keys.
  • USN-3507-2: Linux kernel (GCP) vulnerabilities – 7th December 2017. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3511-1: Linux kernel (Azure) vulnerabilities – 7th December 2017. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3510-2: Linux kernel (Trusty HWE) vulnerabilities – 7th December 2017. USN-3510-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel.
  • USN-3510-1: Linux kernel vulnerabilities – 7th December 2017. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3509-2: Linux kernel (Xenial HWE) vulnerabilities – 7th December 2017. USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel.
  • USN-3509-1: Linux kernel vulnerabilities – 7th December 2017. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3508-2: Linux kernel (HWE) vulnerabilities – 7th December 2017. USN-3508-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel.
  • USN-3508-1: Linux kernel vulnerabilities – 7th December 2017. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3507-1: Linux kernel vulnerabilities – 7th December 2017. Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3506-2: rsync vulnerabilities – 7th December 2017. USN-3506-1 fixed two vulnerabilities in rsync. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that rsync proceeds with certain file metadata updates before checking for a filename. An attacker could use this to bypass access restrictions.
  • USN-3506-1: rsync vulnerabilities – 7th December 2017. It was discovered that rsync proceeds with certain file metadata updates before checking for a filename. An attacker could use this to bypass access restrictions. (CVE-2017-17433) It was discovered that rsync does not check for fnamecmp filenames and also does not apply the sanitize_paths protection mechanism to pathnames.
  • USN-3505-1: Linux firmware vulnerabilities – 6th December 2017. Mathy Vanhoef discovered that the firmware for several Intel WLAN devices incorrectly handled WPA2 in relation to Wake on WLAN. A remote attacker could use this issue with key reinstallation attacks to obtain sensitive information.
  • USN-3504-2: libxml2 vulnerability – 5th December 2017. USN-3504-1 fixed a vulnerability in libxml2. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Wei Lei discovered that libxml2 incorrectly handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
  • USN-3504-1: libxml2 vulnerability – 5th December 2017. Wei Lei discovered that libxml2 incorrectly handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
  • USN-3498-2: curl vulnerability – 4th December 2017. USN-3498-1 fixed a vulnerability in curl. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that curl incorrectly handled FTP wildcard matching. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service.
  • USN-3503-1: Evince vulnerability – 4th December 2017. It was discovered that Evince incorrectly handled printing certain DVI files. If a user were tricked into opening and printing a specially-named DVI file, an attacker could use this issue to execute arbitrary code.
  • USN-3477-3: Firefox regressions – 1st December 2017. USN-3477-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these.
  • USN-3490-1: Thunderbird vulnerabilities – 1st December 2017. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing-like context, an attacker could potentially exploit these to bypass same-origin restrictions, cause a denial of service via application crash, or execute arbitrary code.
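As noted above, several of the month's Ubuntu notices cover the same vulnerabilities: the -2, -3 and -4 suffixes are ESM/HWE backports or regression fixes for an earlier -1 notice, so the raw count of twenty-four overstates the number of distinct issues. The following script is an added example (not part of the original roundup or of Ubuntu's tooling) that parses the one-line summary format used in the list above, groups notices by their base USN number, and labels each as the original fix, a follow-up, or a regression fix. The sample input is a constructed, abbreviated copy of the December entries above; the regular expression and the labelling heuristic are assumptions about that summary format.

```python
"""Group Ubuntu Security Notices (USNs) by base advisory number.

Ubuntu numbers follow-up notices USN-NNNN-2, -3, ... when the same set of
vulnerabilities is backported (ESM/HWE kernels) or a regression is fixed.
Grouping by the base number shows how many distinct issues a month's list
actually contains and which notices are derivative.
"""
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of the December 2017 lines in the roundup.
SAMPLE_LINES = """\
USN-3382-2: PHP vulnerabilities – 18th December 2017. USN-3382-1 fixed several vulnerabilities in PHP.
USN-3509-4: Linux kernel (Xenial HWE) regression – 15th December 2017. USN-3509-2 fixed vulnerabilities.
USN-3509-3: Linux kernel regression – 15th December 2017. USN-3509-1 fixed vulnerabilities.
USN-3513-2: libxml2 vulnerability – 13th December 2017. USN-3513-1 fixed a vulnerability in libxml2.
USN-3513-1: libxml2 vulnerability – 13th December 2017. It was discovered that libxml2 incorrectly handled certain files.
USN-3512-1: OpenSSL vulnerabilities – 11th December 2017. David Benjamin discovered an issue in OpenSSL.
USN-3509-2: Linux kernel (Xenial HWE) vulnerabilities – 7th December 2017. USN-3509-1 fixed vulnerabilities.
USN-3509-1: Linux kernel vulnerabilities – 7th December 2017. Mohamed Ghannam discovered a use-after-free.
"""

# Assumed summary format: "USN-<base>-<rev>: <title> – <day><suffix> <Month> <year>. <details>"
LINE_RE = re.compile(
    r"^USN-(?P<base>\d{4})-(?P<rev>\d+):\s*(?P<title>.+?)\s+–\s+"
    r"(?P<date>\d{1,2}(?:st|nd|rd|th)\s+\w+\s+\d{4})\."
)


def parse_usn_lines(text):
    """Return one dict per recognised USN line; lines that do not match are skipped."""
    notices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        notices.append({
            "id": f"USN-{m['base']}-{m['rev']}",
            "base": m["base"],
            "rev": int(m["rev"]),
            "title": m["title"],
            "date": m["date"],
        })
    return notices


def classify(notice):
    """Heuristic label: a title containing 'regression' is a regression fix,
    revision 1 is the original fix, anything else is a backport/follow-up."""
    if "regression" in notice["title"].lower():
        return "regression"
    if notice["rev"] == 1:
        return "original"
    return "follow-up"


def group_by_base(notices):
    """Map base USN number -> notices for that number, ordered by revision."""
    groups = defaultdict(list)
    for n in notices:
        groups[n["base"]].append(n)
    return {base: sorted(ns, key=lambda n: n["rev"]) for base, ns in groups.items()}


def summarize(text):
    """Return {base: [(usn_id, label), ...]} for the summary lines in text."""
    groups = group_by_base(parse_usn_lines(text))
    return {base: [(n["id"], classify(n)) for n in ns] for base, ns in groups.items()}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    print(f"{len(parse_usn_lines(SAMPLE_LINES))} notices, {len(summary)} distinct base USNs")
    for base, entries in sorted(summary.items()):
        print(f"USN-{base}: " + ", ".join(f"{usn} ({label})" for usn, label in entries))
```

On the sample, USN-3509 resolves to four notices (the original kernel fix, its Xenial HWE backport, and a regression fix for each), while USN-3382-2 appears without its -1 because the original PHP notice predates December. A base number whose only entry is a follow-up is a useful prompt to confirm the original notice was already applied.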