December is a magical month, for children and adults alike. It’s the beginning of winter, when – in many places at least (not usually here in north central Texas) blankets of soft white snow cover the landscape and ordinary houses and trees take on a pristine, other-worldly look. It’s the time for holiday celebrations that involve visions of sugarplums, hard-working elves, and flying reindeers.

It’s a time (let’s admit it) when many slack off a bit at work, hit the eggnog as often as possible, and spend as much time as possible – when not out there frantically shopping for presents – curled up by a cozy fire with a good book or a movie on the big screen TV.

Unfortunately, it’s not a time when hackers and attackers suspend their efforts to infiltrate or bring down our networks and steal our data or hold it for ransom. And that means we, as IT pros, can’t take it easy this month either.

December brought us the news that security camera and smart device vendor Wyze Labs had suffered a data breach exposing almost two and a half million users’ records, that wealth management company Moss Adams reported unauthorized access to an undisclosed number of customer or employee records containing Social Security numbers, and that the Heritage Company, a telemarketing firm, was shut down due to ransomware. These are just a few examples of incidents that occurred in the last month of 2019.

We know that keeping systems patched with the latest security updates is one of the most basic steps in protecting against breaches and attacks, but it can be a challenge to keep up with so many software vendors, each trying to stay ahead of the vulnerabilities discovered in their products. They, too, got no rest in December as they scrambled to fix security flaws that attackers could exploit to ruin the holidays for unsuspecting businesses and individuals.

Let’s take a look at some of the fixes issued this past month.

Apple

After only two updates issued in November, it was almost inevitable that this would be a big patch month for Apple, and indeed it was. December 10th saw the release of eight patches, with three more coming out a day later. These include:

  • iCloud for Windows 10.9 for Windows 10 and later via the Microsoft Store
  • iCloud for Windows 7.16 (includes AAS 8.2) for Windows 7 and later
  • iTunes 12.10.3 for Windows for Windows 7 and later
  • Xcode 11.3 for macOS Mojave 10.14.4 and later
  • watchOS 5.3.4 for Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to a device with iOS 12 installed
  • watchOS 6.1.1 for Apple Watch Series 1 and later
  • tvOS 13.3 for Apple TV 4K and Apple TV HD
  • macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra for macOS Catalina 10.15, macOS Mojave 10.14.6, and macOS High Sierra 10.13.6
  • Safari 13.0.4 for macOS Mojave and macOS High Sierra, and included in macOS Catalina
  • iOS 12.4.4 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation.
  • iOS 13.3 and iPadOS 13.3 for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

The iCloud and iTunes updates for Windows fix five vulnerabilities that include elevation of privilege, information disclosure, multiple memory corruption issues, and a use-after-free issue. The most serious of these could allow for arbitrary code execution and should be considered critical.

The update for Xcode addresses a single out-of-bounds read vulnerability that could be exploited to achieve arbitrary code execution.

The watchOS 6.1.1 update fixes ten separate vulnerabilities in a number of different OS components, including multiple memory corruption issues (three of them in the kernel) that could lead to arbitrary code execution, a user information disclosure issue, a remote code execution vulnerability in FaceTime, an elevation of privilege issue in CFNetwork Proxies, and a vulnerability in Siri’s CallKit.

The tvOS update addresses the same vulnerabilities as those in watchOS.

The largest update is the one for macOS Catalina, Mojave, and High Sierra, which fixes fifty-two vulnerabilities, most of which are in the tcpdump component. A number of the vulnerabilities are of the arbitrary code execution type, with elevation of privilege and access to restricted memory and restricted files also listed as possible impacts.

The Safari update fixes three vulnerabilities in the WebKit component that could be exploited to accomplish arbitrary code execution.

The two iOS updates address fifteen vulnerabilities that include issues in CallKit, FaceTime, WebKit, the kernel, and other OS components. The most serious of these are arbitrary code execution vulnerabilities.

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released four updates again this month, the same number they issued in October and November. All four were released on their standard Patch Tuesday, December 10th.

  • APSB19-58 Security update available for Adobe ColdFusion – this update addresses a single escalation of privilege vulnerability on all platforms. It is rated important and has a priority rating of 2.
  • APSB19-57 Security update available for Brackets – this update applies to Brackets on Windows, macOS, and Linux and addresses a critical arbitrary code execution vulnerability. It has a priority rating of 3.
  • APSB19-56 Security update available for Adobe Photoshop CC – this update applies to Photoshop CC running on Windows and macOS and addresses multiple critical memory corruption vulnerabilities that could be exploited to accomplish arbitrary code execution. It has a priority rating of 3.
  • APSB19-55 – Security update available for Adobe Acrobat and Reader – this update applies to Acrobat and Reader running on Windows and macOS and addresses twenty-one vulnerabilities, with fourteen rated critical and seven rated important. These include out-of-bounds read and write vulnerabilities, use-after-free, heap overflow, untrusted pointer dereference and binary planting issues, buffer error and security bypass. The most serious of these could be exploited to accomplish arbitrary code execution. The update has a priority rating of 2 on both platforms.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

Google released the latest stable channel update for Chrome OS on December 18 (v. 79.0.3945.86, platform version 12607.58.0), which contains new features, bug fixes, and security updates.

The latest stable channel update for the Chrome browser on Windows, Mac, and Linux desktops was released on December 17. This is v. 79.0.3945.88, and it contains one security fix, for a high-severity use-after-free vulnerability in the media picker.

For more information, see https://chromereleases.googleblog.com/

Android

The December security update for Android fixes twenty vulnerabilities in the framework, media framework, system, Google Play, and kernel, along with fixes for vulnerabilities in Qualcomm components. These include six that are rated critical, the most severe of which are remote code execution and denial of service vulnerabilities.

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2019-12-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July, and October. The next regular release is scheduled for January 14th, 2020.

Oracle customers can read more about previous patches in the executive summary on the Oracle Support site at https://login.oracle.com/mysso/signon.jsp

Mozilla

On December 3rd, Mozilla released Firefox 71 with fixes for eleven vulnerabilities. Seven of these are rated high severity. None are rated critical. They include:

  • CVE-2019-11756: Use-after-free of SFTKSession object – Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service).
  • CVE-2019-17008: Use-after-free in worker destruction – When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash.
  • CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code – When setting a thread name on Windows in WebRTC, an incorrect number of arguments could have been supplied, leading to stack corruption and a potentially exploitable crash. This issue only occurs on Windows. Other operating systems are unaffected.
  • CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher – When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash.
  • CVE-2019-17014: Dragging and dropping a cross-origin resource, incorrectly loaded as an image, could result in information disclosure – If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak.
  • CVE-2019-17009: Updater temporary files accessible to unprivileged processes – When running, the updater service wrote status and log files to an unrestricted location; potentially allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater service. This attack requires local system access and only affects Windows. Other operating systems are not affected.
  • CVE-2019-17010: Use-after-free when performing device orientation checks – Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash.
  • CVE-2019-17005: Buffer overflow in plain text serializer – The plain text serializer used a fixed-size array for the number of elements it could process; however it was possible to overflow the static-sized array leading to memory corruption and a potentially exploitable crash.
  • CVE-2019-17011: Use-after-free when retrieving a document in antitracking – Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash.
  • CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 – Mozilla developers Christoph Diehl, Nathan Froyd, Jason Kratzer, Christian Holler, Karl Tomlinson, Tyson Smith reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2019-17013: Memory safety bugs fixed in Firefox 71 – Mozilla developers and community members Philipp, Diego Calleja, Mikhail Gavrilov, Jason Kratzer, Christian Holler, Markus Stange, Tyson Smith reported memory safety bugs present in Firefox 70. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of October 31, Ubuntu has issued the following twenty-nine security advisories (fewer than usual) since last month’s roundup. Some of these advisories each address a large number of vulnerabilities. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-4224-1: Django vulnerability – Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.
  • USN-4223-1: OpenJDK vulnerabilities – Jan Jancar, Petr Svenda, and Vladimir Sedlacek discovered that a side-channel vulnerability existed in the ECDSA implementation in OpenJDK. An attacker could use this to expose sensitive information.
  • USN-4222-1: GraphicsMagick vulnerabilities – It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
  • USN-4216-2: Firefox vulnerabilities – USN-4216-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service.
  • USN-4214-2: RabbitMQ vulnerability – USN-4214-1 fixed a vulnerability in RabbitMQ. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
  • USN-4217-2: Samba vulnerabilities – USN-4217-1 fixed several vulnerabilities in Samba. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: Andreas Oster discovered that the Samba DNS management server incorrectly handled certain records. An authenticated attacker could possibly use this issue to crash Samba, resulting in a denial of service.
  • USN-4221-1: libpcap vulnerability – It was discovered that libpcap did not properly validate PHB headers in some situations. An attacker could use this to cause a denial of service (memory exhaustion).
  • USN-4202-2: Thunderbird regression – USN-4202-1 fixed vulnerabilities in Thunderbird. After upgrading, Thunderbird created a new profile for some users. This update fixes the problem. We apologize for the inconvenience.
  • USN-4220-1: Git vulnerabilities – Joern Schneeweisz and Nicolas Joly discovered that Git contained various security flaws. An attacker could possibly use these issues to overwrite arbitrary paths, execute arbitrary code, and overwrite files in the .git directory.
  • USN-4219-1: libssh vulnerability – It was discovered that libssh incorrectly handled certain scp commands. If a user or automated system were tricked into using a specially-crafted scp command, a remote attacker could execute arbitrary commands on the server.
  • USN-4218-1: GNU C Library vulnerability – Jakub Wilk discovered that GNU C Library incorrectly handled certain memory alignments. An attacker could possibly use this issue to execute arbitrary code or cause a crash.
  • USN-4217-1: Samba vulnerabilities – Andreas Oster discovered that the Samba DNS management server incorrectly handled certain records. An authenticated attacker could possibly use this issue to crash Samba, resulting in a denial of service.
  • USN-4216-1: Firefox vulnerabilities – Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code.
  • USN-4215-1: NSS vulnerability – It was discovered that NSS incorrectly handled certain certificates. An attacker could possibly use this issue to cause a denial of service.
  • USN-4214-1: RabbitMQ vulnerability – It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
  • USN-4213-1: Squid vulnerabilities – Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote attacker could possibly use this issue to bypass access checks and access restricted servers. This issue was only addressed in Ubuntu 19.04 and Ubuntu 19.10.
  • USN-4212-1: HAProxy vulnerability – Tim Düsterhus discovered that HAProxy incorrectly handled certain HTTP/2 headers. An attacker could possibly use this issue to execute arbitrary code through CRLF injection.
  • USN-4182-4: Intel Microcode regression – USN-4182-2 provided updated Intel Processor Microcode. A regression was discovered that caused some Skylake processors to hang after a warm reboot. This update reverts the microcode for that specific processor family. We apologize for the inconvenience.
  • USN-4182-3: Intel Microcode regression – USN-4182-1 provided updated Intel Processor Microcode. A regression was discovered that caused some Skylake processors to hang after a warm reboot. This update reverts the microcode for that specific processor family. We apologize for the inconvenience.
  • USN-4194-2: postgresql-common vulnerability – USN-4194-1 fixed a vulnerability in postgresql-common. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: Rich Mirch discovered that the postgresql-common pg_ctlcluster script incorrectly handled directory creation. A local attacker could possibly use this issue to escalate privileges.
  • USN-4207-1: GraphicsMagick vulnerabilities – It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
  • USN-4211-2: Linux kernel (Xenial HWE) vulnerabilities – USN-4211-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. Zhipeng Xie discovered that an infinite loop could be triggered in the CFS Linux kernel process scheduler.
  • USN-4211-1: Linux kernel vulnerabilities – Zhipeng Xie discovered that an infinite loop could be triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) Nicolas Waisman discovered that the WiFi driver stack in the Linux kernel did not properly validate SSID lengths.
  • USN-4210-1: Linux kernel vulnerabilities – It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-4209-1: Linux kernel vulnerabilities – Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux kernel did not properly handle reference counting during memory mapping operations when used in conjunction with AUFS. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-4208-1: Linux kernel vulnerabilities – Jann Horn discovered that the OverlayFS and ShiftFS Drivers in the Linux kernel did not properly handle reference counting during memory mapping operations when used in conjunction with AUFS. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-4206-1: GraphicsMagick vulnerabilities – It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-10794, CVE-2017-10799, CVE-2017-11102, CVE-2017-11140, CVE-2017-11403, CVE-2017-11636, CVE-2017-11637, CVE-2017-13147, CVE-2017-14042, CVE-2017-6335)
  • USN-4205-1: SQLite vulnerabilities – It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 ESM. (CVE-2018-8740) It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service.
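The USN-4224-1 entry above describes a password-reset lookup that matched e-mail addresses with a Unicode case-insensitive query. The added Python example below (not Django's code; the user table is constructed) shows how a database-style UPPER() comparison collapses a dotless-i look-alike onto a real account, while the NFKC-plus-casefold comparison that Unicode Technical Report 36 recommends (the approach Django's fix adopted) rejects it yet still accepts ordinary case variants, and how to re-check a broad lookup before any token is sent.

```python
"""Why Unicode case-insensitive lookups are unsafe for account identifiers.

Added example, not Django's code. Database collations and SQL UPPER()/LOWER()
apply full Unicode case mapping, so visually distinct addresses can collapse
onto one stored account. The hardened comparison follows Unicode Technical
Report 36, section 2.11.2: NFKC-normalize, casefold, then compare exactly.
"""
import unicodedata

# Constructed sample user table: (stored e-mail, username)
USERS = [
    ("alice@example.org", "alice"),
    ("bob@example.org", "bob"),
]


def naive_ci_match(submitted: str, stored: str) -> bool:
    """Mimics a database that compares UPPER(submitted) = UPPER(stored).
    Python's str.upper() uses the same Unicode mapping, so U+0131 (dotless i)
    uppercases to plain 'I' and becomes indistinguishable from 'i'."""
    return submitted.upper() == stored.upper()


def utr36_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison per UTR #36 2.11.2(B)(2):
    normalize to NFKC, then casefold. Dotless i folds to itself, so it
    no longer matches an ASCII 'i'."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def find_users(submitted_email: str, compare) -> list:
    """Return usernames whose stored e-mail matches under `compare`."""
    return [name for email, name in USERS if compare(submitted_email, email)]


def resolve_reset_recipients(submitted_email: str) -> list:
    """Defensive reset flow: do the broad database-style lookup, re-check each
    candidate with the strict comparison, and return only STORED addresses
    (never the address the requester typed) as the places a token may go."""
    candidates = [(e, n) for e, n in USERS if naive_ci_match(submitted_email, e)]
    return [e for e, _ in candidates if utr36_ci_compare(submitted_email, e)]


if __name__ == "__main__":
    lookalike = "al\u0131ce@example.org"  # constructed: dotless i instead of i
    print("naive match :", find_users(lookalike, naive_ci_match))     # ['alice']
    print("UTR36 match :", find_users(lookalike, utr36_ci_compare))   # []
    print("recipients  :", resolve_reset_recipients("Alice@example.org"))
```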