Third party patches

February is the shortest month of the year, and in keeping with that, fewer patches were issued by third parties overall than in a typical month. That doesn’t mean there wasn’t plenty of security-related news over the last month, though. In fact, the month began with a new zero-day Flash vulnerability, reports of DNS hijacking in D-Link routers, and a new wave of ransomware.

Meanwhile, software vendors scrambled to keep up, and given the smaller than usual slate of updates this month, it wouldn’t be surprising if March proves to be a busy month for patching.

Apple

As of this writing (February 26), Apple has released no security updates this month. The most recent updates were released on January 27, so there is a possibility that updates will come out in the remaining two days of the month, in which case we will include them in next month’s roundup.

Meanwhile, Apple security was very much in the news, thanks to the report from GFI showing that OS X is the most vulnerable operating system of those currently in popular use, with Apple’s mobile iOS platform ranking second.

Adobe

Adobe issued two security bulletins this month, both of them for Adobe Flash Player, which continues to be one of the most-patched software products on the market.

  • On February 2, Adobe released security advisory APSA15-02, addressing a critical vulnerability in Flash Player versions 16.0.0.296 and earlier running on Windows and Mac OS X, excluding Flash Player v11.x. This is a zero-day vulnerability that was already being exploited in the wild. It could allow an attacker to crash the system and/or take control of the system. Trend Micro issued a report indicating that the exploit might have been launched via the Angler exploit kit, but later analysis indicated it was a different exploit kit, Hanjuan. For more information about this vulnerability, see Adobe’s web site at
    https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
  • Three days later, on February 5, Adobe released an update almost a week ahead of its usual schedule (which corresponds to Microsoft’s Patch Tuesday releases). The update applies to all platforms – Windows, Mac and Linux – and addresses nineteen separate vulnerabilities, including CVE-2015-0313, which was the subject of the advisory discussed above. The update was given a priority rating of 1 for Flash Player on Windows and Mac as well as Flash Player for Google Chrome on Windows, Mac and Linux. Flash Player on Linux had a priority rating of 3. The vulnerabilities include use-after-free issues, memory corruption issues and type confusion vulnerabilities, all of which could allow an attacker to execute code, as well as null pointer dereference issues.

Google

This month’s most high-profile news about Google security updates has to do with the one that isn’t. A ransomware application called CTB-Locker was found to be representing itself as a Chrome security update.

Meanwhile, the latest stable channel update for Chrome is version 40.0.2214.115 for Windows, Mac and Linux.

Also of note, Google updated Chrome to add a new warning when the browser is about to visit a web site that encourages downloading of harmful or unwanted software.

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. Oracle released one update in January and the next expected update release will be April 14.

Mozilla

Mozilla has released eighteen security advisories this month, as of February 26. One, MFSA-2015-10, was released on February 5 and the rest were released on February 24. Four are rated critical, six are rated of high importance and the rest are rated moderate except for MFSA-2015-15, which is rated low.

The current updated version of Firefox is v36, which patches sixteen vulnerabilities, three of them critical.

Linux

Popular Linux distros, as usual, have already seen a number of security advisories and updates this month. Ubuntu has issued thirty-four security advisories during the time frame of February 1 through February 26 and may issue more in the last two days of this month. Other commercial Linux vendors issued similar advisories.

  • USN-2520-1: CUPS vulnerability – 26th February 2015. Peter De Wachter discovered that CUPS incorrectly handled certain malformed compressed raster files. A remote attacker could use this issue to cause CUPS to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-2519-1: GNU C Library vulnerabilities – 26th February 2015. Arnaud Le Blanc discovered that the GNU C Library incorrectly handled file descriptors when resolving DNS queries under high load. This may cause a denial of service in other applications, or an information leak. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

  • USN-2518-1: Linux kernel vulnerabilities – 26th February 2015. A flaw was discovered in the Kernel Virtual Machine’s (KVM) emulation of the SYSENTER instruction when the guest OS does not initialize the SYSENTER MSRs.

  • USN-2517-1: Linux kernel (Utopic HWE) vulnerabilities – 26th February 2015. A flaw was discovered in the Kernel Virtual Machine’s (KVM) emulation of the SYSENTER instruction when the guest OS does not initialize the SYSENTER MSRs.

  • USN-2516-1: Linux kernel vulnerabilities – 26th February 2015. A flaw was discovered in the Kernel Virtual Machine’s (KVM) emulation of the SYSENTER instruction when the guest OS does not initialize the SYSENTER MSRs.

  • USN-2515-1: Linux kernel (Trusty HWE) vulnerabilities – 26th February 2015. A flaw was discovered in the Kernel Virtual Machine’s (KVM) emulation of the SYSENTER instruction when the guest OS does not initialize the SYSENTER MSRs.

  • USN-2514-1: Linux kernel (OMAP4) vulnerabilities – 26th February 2015. A flaw was discovered in the Kernel Virtual Machine’s (KVM) emulation of the SYSENTER instruction when the guest OS does not initialize the SYSENTER MSRs.

  • USN-2513-1: Linux kernel vulnerabilities – 26th February 2015. A flaw was discovered in the Kernel Virtual Machine’s (KVM) emulation of the SYSENTER instruction when the guest OS does not initialize the SYSENTER MSRs.

  • USN-2512-1: Linux kernel (EC2) vulnerabilities – 26th February 2015. A race condition was discovered in the Linux kernel’s key ring. A local user could cause a denial of service (memory corruption or panic) or possibly have unspecified impact via the keyctl commands.

  • USN-2511-1: Linux kernel vulnerabilities – 26th February 2015. A race condition was discovered in the Linux kernel’s key ring. A local user could cause a denial of service (memory corruption or panic) or possibly have unspecified impact via the keyctl commands.

  • USN-2505-1: Firefox vulnerabilities – 25th February 2015. Matthew Noorenberghe discovered that whitelisted Mozilla domains could make UITour API calls from background tabs. If one of these domains were compromised and open in a background tab, an attacker could potentially exploit this to conduct clickjacking attacks.

  • USN-2510-1: FreeType vulnerabilities – 24th February 2015. Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.

  • USN-2509-1: ca-certificates update – 23rd February 2015. The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20141019 package.

  • USN-2508-1: Samba vulnerability – 23rd February 2015. Richard van Eeden discovered that the Samba smbd file services incorrectly handled memory. A remote attacker could use this issue to possibly execute arbitrary code with root privileges.

  • USN-2507-1: e2fsprogs vulnerabilities – 23rd February 2015. Jose Duart discovered that e2fsprogs incorrectly handled invalid block group descriptor data. A local attacker could use this issue with a crafted filesystem image to possibly execute arbitrary code.

  • USN-2504-1: NSS update – 19th February 2015. The NSS package contained outdated CA certificates. This update refreshes the NSS package to version 3.17.4 which includes the latest CA certificate bundle.

  • USN-2503-1: Bind vulnerability – 18th February 2015. Jan-Piet Mens discovered that Bind incorrectly handled Trust Anchor Management. A remote attacker could use this issue to cause bind to crash, resulting in a denial of service.

  • USN-2502-1: unzip vulnerabilities – 17th February 2015. William Robinet discovered that unzip incorrectly handled certain malformed zip archives. If a user or automated system were tricked into processing a specially crafted zip archive, an attacker could possibly execute arbitrary code.

  • USN-2501-1: PHP vulnerabilities – 17th February 2015. Stefan Esser discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-8142, CVE-2015-0231) Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. A local attacker could…

  • USN-2500-1: X.Org X server vulnerabilities – 17th February 2015. Olivier Fourdan discovered that the X.Org X server incorrectly handled XkbSetGeometry requests resulting in an information leak. An attacker able to connect to an X server, either locally or remotely, could use this issue to possibly obtain sensitive information.

  • USN-2488-2: ClamAV vulnerability – 12th February 2015. USN-2488-1 fixed a vulnerability in ClamAV for Ubuntu 14.10, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. This update provides the corresponding update for Ubuntu 10.04 LTS. Original advisory details: Sebastian Andrzej Siewior discovered that ClamAV incorrectly handled certain upack packer files.

  • USN-2499-1: PostgreSQL vulnerabilities – 11th February 2015. Stephen Frost discovered that PostgreSQL incorrectly displayed certain values in error messages. An authenticated user could gain access to seeing certain values, contrary to expected permissions.

  • USN-2498-1: Kerberos vulnerabilities – 10th February 2015. It was discovered that Kerberos incorrectly sent old keys in response to a -randkey -keepold request. An authenticated remote attacker could use this issue to forge tickets by leveraging administrative access. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

  • USN-2495-1: Oxide vulnerabilities – 10th February 2015. A use-after-free bug was discovered in the DOM implementation in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process.

  • USN-2496-1: GNU binutils vulnerabilities – 9th February 2015. Michal Zalewski discovered that the setup_group function in libbfd in GNU binutils did not properly check group headers in ELF files. An attacker could use this to craft input that could cause a denial of service (application crash) or possibly execute arbitrary code.

  • USN-2497-1: NTP vulnerabilities – 9th February 2015. Stephen Roettger, Sebastian Krahmer, and Harlan Stenn discovered that NTP incorrectly handled the length value in extension fields. A remote attacker could use this issue to possibly obtain leaked information, or cause the NTP daemon to crash, resulting in a denial of service.

  • USN-2469-2: Django regression – 4th February 2015. USN-2469-1 fixed vulnerabilities in Django. The security fix for CVE-2015-0221 introduced a regression on Ubuntu 10.04 LTS and Ubuntu 12.04 LTS when serving static content through GZipMiddleware. This update fixes the problem. We apologize for the inconvenience.

  • USN-2494-1: file vulnerabilities – 4th February 2015. Francisco Alonso discovered that file incorrectly handled certain ELF files. An attacker could use this issue to cause file to crash, resulting in a denial of service. (CVE-2014-3710) Thomas Jarosch discovered that file incorrectly handled certain ELF files. An attacker could use this issue to cause file to hang.

  • USN-2493-1: Linux kernel (OMAP4) vulnerabilities – 3rd February 2015. Andy Lutomirski discovered an information leak in the Linux kernel’s Thread Local Storage (TLS) implementation allowing users to bypass the espfix to obtain information that could be used to bypass the Address Space Layout Randomization (ASLR) protection mechanism.

  • USN-2492-1: Linux kernel vulnerabilities – 3rd February 2015. Andy Lutomirski discovered an information leak in the Linux kernel’s Thread Local Storage (TLS) implementation allowing users to bypass the espfix to obtain information that could be used to bypass the Address Space Layout Randomization (ASLR) protection mechanism.

  • USN-2491-1: Linux kernel (EC2) vulnerabilities – 3rd February 2015. Andy Lutomirski discovered that the Linux kernel does not properly handle faults associated with the Stack Segment (SS) register in the x86 architecture. A local attacker could exploit this flaw to gain administrative privileges.

  • USN-2490-1: Linux kernel vulnerabilities – 3rd February 2015. Andy Lutomirski discovered an information leak in the Linux kernel’s Thread Local Storage (TLS) implementation allowing users to bypass the espfix to obtain information that could be used to bypass the Address Space Layout Randomization (ASLR) protection mechanism.

  • USN-2489-1: unzip vulnerability – 3rd February 2015. Michal Zalewski discovered that unzip incorrectly handled certain malformed zip archives. If a user or automated system were tricked into processing a specially crafted zip archive, an attacker could possibly execute arbitrary code.

  • USN-2488-1: ClamAV vulnerability – 2nd February 2015. Sebastian Andrzej Siewior discovered that ClamAV incorrectly handled certain upack packer files. An attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code.