Third Party Patch Roundup – February 2017

I have always had a bit of a love/hate relationship with February. Because it has only 28 (or occasionally 29) days, it means I have less time to get the same amount of work done. Here in Texas, it’s often the coldest time of the year; I can remember more than once when we were wearing shorts in December but slipping and sliding through an ice storm two months later. On the other hand, it’s also the month of my daughter’s birthday and that’s cause for celebration. In addition, for the last few years I’ve taken a Caribbean cruise sometime during February, so that’s something to look forward to.

When it comes to software patches, we always hope for a light load in February since our to-do list is cramped into a smaller space to begin with. Microsoft gifted us with a month off this time, postponing its normal Patch Tuesday updates until March (although they did sneak in a patch for Adobe Flash Player). Apple didn’t go that far, but released only two security updates (as of early the morning of February 28) and neither of them is an operating system update. Adobe had an average update month, Google had several fixes, and Mozilla’s latest release of Firefox had the fewest security fixes of any release in recent memory.

Let’s take a look at the details of some of the updates that third party vendors issued in this shortest month of 2017:

Apple

Apple released nine big updates in January, so this month’s slate of just a pair of new ones is a bit of a relief.

On February 13, GarageBand got an update (v. 10.1.6) for the software running on OS X Yosemite and later, that addresses a single vulnerability by which opening a malicious project file could allow an attack to accomplish arbitrary code execution due to a memory corruption issue.

On February 17, Logic Pro running on OS X El Capitan and later got an update for the same problem described above (v. 10.3.1). Logic Pro is is a digital audio workstation and MIDI sequencer software application for the Mac OS platform that can open GarageBand project files.

For more information about these and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe served up three patches in January, and they released the same number this month. Two were released on their regularly scheduled Patch Tuesday, and another was issued a few days later, on February 17.

APSB17-04, released on Patch Tuesday, is this month’s update to Adobe Flash Player running on Windows, Mac OS, Linux, and Chrome OS, and addresses thirteen security issues. These include type confusion, integer overflow, use-after-free, heap buffer overflow and memory corruption vulnerabilities. The most serious could be exploited to accomplish code execution; thus the update has a severity rating of critical and a priority rating of 1.

APSB17-06 for Adobe Campaign also came out on Patch Tuesday and addresses two vulnerabilities in Campaign running on Windows and Linux. One vulnerability is a security bypass in the client console that could be exploited to gain read and write access to the system and the other is an input validation issue that could be exploited to accomplish cross-site scripting attacks. Both have a severity rating of moderate and a priority rating of 3. Adobe Campaign is a marketing management and automation solution.

APSB17-05 for Adobe Digital Editions running on Windows, Mac OS, iOS and Android was released on February 17. It addresses nine vulnerabilities. These include buffer overflow issues that could lead to a memory leak and one heap buffer overflow that could be exploited to accomplish code execution. The latter is rated critical, but the priority rating for all operating systems is 3.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html or see the individual bulletins linked in each bullet point above.

Google

On February 6, Google released an update for Android that contains a whopping 58 security fixes, with eight of the vulnerabilities rated critical. These include memory corruption and elevation of privilege issues. The most serious are vulnerabilities  that can be exploited to accomplish remote code execution. Read more here:
http://www.eweek.com/security/google-patches-58-android-vulnerabilities-in-february-security-update.html

The February stable channel release of the Chrome browser on the desktop, v. 56.0.2924.87 for Windows, Mac, and Linux, aims to fix a Gmail phishing scam problem by displaying a warning in the address bar when you encounter a web page that uses this phishing tactic. Read more about that here:
http://fortune.com/2017/02/27/google-gmail-chrome-fix-phishing/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  Last month they released a collection of patches (Critical Patch Update) that addressed 270 security issues across a wide range of product families. The next regularly scheduled update is scheduled to take place on April 18.

For more information about previously released patches, see Oracle’s Update Advisory at https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

Advisory 2017-04 for Firefox was released by Mozilla on February 9. It addresses a single critical vulnerability on an Android-only release of Firefox, related to the cache directory on the local file system, which is set to be world writable. Firefox defaults to extracting libraries from this cache. This allows for the possibility of an installed malicious application or tools with write access to the file system to replace files used by Firefox with their own versions.

For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla’s web site at https://www.mozilla.org/en-US/security/advisories/mfsa2017-04/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing, the morning of February 28, Ubuntu has issued 42 security notices this month, which is somewhat more than usual. Many of these address multiple vulnerabilities and in some cases, there are multiple advisories for the same vulnerabilities. Here are Ubuntu’s security advisories for February:

• USN-3212-1: LibTIFF vulnerabilities – 27th February 2017. It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
• USN-3211-1: PHP vulnerabilities – 23rd February 2017. It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
• USN-3210-1: LibreOffice vulnerability – 23rd February 2017. Ben Hayak discovered that it was possible to make LibreOffice Calc and Writer disclose arbitrary files to an attacker if a user opened a specially crafted file with embedded links.
• USN-3142-2: ImageMagick regression – 22nd February 2017. USN-3142-1 fixed vulnerabilities in ImageMagick. The security fixes introduced a regression with text labels and a regression with the text coder. This update fixes the problem. Original advisory details: It was discovered that ImageMagick incorrectly handled certain malformed image files.
• USN-3209-1: Linux kernel vulnerabilities – 22nd February 2017. It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
• USN-3208-2: Linux kernel (Xenial HWE) vulnerabilities – 22nd February 2017. USN-3208-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
• USN-3208-1: Linux kernel vulnerabilities – 22nd February 2017. It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
• USN-3207-2: Linux kernel (Trusty HWE) vulnerabilities – 21st February 2017. USN-3207-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. It was discovered that a use-after-free vulnerability existed in the block device layer of the Linux kernel.
• USN-3207-1: Linux kernel vulnerabilities – 21st February 2017. It was discovered that a use-after-free vulnerability existed in the block device layer of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
• USN-3206-1: Linux kernel vulnerabilities – 21st February 2017. It was discovered that a use-after-free vulnerability existed in the block device layer of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
• USN-3205-1: tcpdump vulnerabilities – 21st February 2017. It was discovered that tcpdump incorrectly handled certain packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the tcpdump AppArmor profile.
• USN-3204-1: Tomcat vulnerability – 20th February 2017. It was discovered that Tomcat incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to cause Tomcat to consume resources, resulting in a denial of service.
• USN-3203-1: gtk-vnc vulnerabilities – 20th February 2017. It was discovered that gtk-vnc incorrectly validated certain data. A malicious server could use this issue to cause gtk-vnc to crash, resulting in a denial of service, or possibly execute arbitrary code.
• USN-3202-1: Spice vulnerabilities – 20th February 2017. Frediano Ziglio discovered that Spice incorrectly handled certain client messages. A remote attacker could use this issue to cause Spice to crash, resulting in a denial of service, or possibly execute arbitrary code.
• USN-3199-2: Python Crypto regression – 17th February 2017. USN-3199-1 fixed a vulnerability in the Python Cryptography Toolkit. Unfortunately, various programs depended on the original behavior of the Python Cryptography Toolkit which was altered when fixing the vulnerability. This update retains the fix for the vulnerability but issues a warning rather than throwing an exception.
• USN-3199-1: Python Crypto vulnerability – 16th February 2017. It was discovered that the ALGnew function in block_templace.c in the Python Cryptography Toolkit contained a heap-based buffer overflow vulnerability. A remote attacker could use this flaw to execute arbitrary code by using a crafted initialization vector parameter.
• USN-3201-1: Bind vulnerabilities – 16th February 2017. It was discovered that Bind incorrectly handled rewriting certain query responses when using both DNS64 and RPZ. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
• USN-3200-1: WebKitGTK+ vulnerabilities – 16th February 2017. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
• USN-3198-1: OpenJDK 6 vulnerabilities – 15th February 2017. Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves those algorithms to the legacy algorithm set.  
• USN-3197-1: libgc vulnerability – 15th February 2017. Kuang-che Wu discovered that multiple integer overflow vulnerabilities existed in libgc. An attacker could use these to cause a denial of service (application crash) or possibly execute arbitrary code.
• USN-3196-1: PHP vulnerabilities – 14th February 2017. It was discovered that PHP incorrectly handled certain arguments to the locale_get_display_name function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
• USN-3195-1: Nova-LXD vulnerability – 9th February 2017. James Page discovered that Nova-LXD incorrectly set up virtual network devices when creating LXD instances. This could result in an unintended firewall configuration.
• USN-3190-2: Linux kernel (Raspberry Pi 2) vulnerabilities – 9th February 2017. Mikulas Patocka discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. A local attacker could use this to cause a denial of service (system crash).
• USN-3187-2: Linux kernel (OMAP4) vulnerabilities – 9th February 2017. Andrey Konovalov discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. A remote attacker could use this to cause a denial of service (system crash). (CVE-2016-9555) It was discovered that multiple memory leaks existed in the XFS implementation in the Linux kernel.
• USN-3194-1: OpenJDK 7 vulnerabilities – 8th February 2017. Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions.
• USN-3180-1: Oxide vulnerabilities – 8th February 2017. Multiple vulnerabilities were discovered in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks, read uninitialized memory, obtain sensitive information, spoof the webview URL or other UI components, bypass same origin restrictions.
• USN-3175-2: Firefox regression – 6th February 2017. USN-3175-1 fixed vulnerabilities in Firefox. The update caused a regression on systems where the AppArmor profile for Firefox is set to enforce mode. This update fixes the problem. Original advisory details: Multiple memory safety issues were discovered in Firefox.
• USN-3193-1: Nettle vulnerability – 6th February 2017. It was discovered that Nettle incorrectly mitigated certain timing side-channel attacks. A remote attacker could possibly use this flaw to recover private keys.
• USN-3192-1: Squid vulnerabilities – 6th February 2017. Saulius Lapinskas discovered that Squid incorrectly handled processing HTTP conditional requests. A remote attacker could possibly use this issue to obtain sensitive information related to other clients’ browsing sessions. (CVE-2016-10002) Felix Hassert discovered that Squid incorrectly handled certain HTTP Request headers when using the Collapsed Forwarding feature.
• USN-3191-1: WebKitGTK+ vulnerabilities – 6th February 2017. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
• USN-3190-1: Linux kernel vulnerabilities – 3rd February 2017. Mikulas Patocka discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. A local attacker could use this to cause a denial of service (system crash).
• USN-3189-2: Linux kernel (Xenial HWE) vulnerabilities – 3rd February 2017. USN-3189-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
• USN-3189-1: Linux kernel vulnerabilities – 3rd February 2017. Mikulas Patocka discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. A local attacker could use this to cause a denial of service (system crash).
• USN-3188-2: Linux kernel (Trusty HWE) vulnerability – 3rd February 2017. USN-3188-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Andrey Konovalov discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data.
• USN-3188-1: Linux kernel vulnerability – 3rd February 2017. Andrey Konovalov discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. A remote attacker could use this to cause a denial of service (system crash).
• USN-3187-1: Linux kernel vulnerabilities – 3rd February 2017. Andrey Konovalov discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. A remote attacker could use this to cause a denial of service (system crash). (CVE-2016-9555) It was discovered that multiple memory leaks existed in the XFS implementation in the Linux kernel.
• USN-3177-2: Tomcat regression – 2nd February 2017. USN-3177-1 fixed vulnerabilities in Tomcat. The update introduced a regression in environments where Tomcat is started with a security manager. This update fixes the problem. Original advisory details: It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn’t exist.
• USN-3186-1: iucode-tool vulnerability – 1st February 2017. It was discovered that iucode-tool incorrectly handled certain microcodes when using the -tr loader. If a user were tricked into processing a specially crafted microcode, a remote attacker could use this issue to cause iucode-tool to crash, resulting in a denial of service, or possibly execute arbitrary code.
• USN-3185-1: libXpm vulnerability – 1st February 2017. It was discovered that libXpm incorrectly handled certain XPM files. If a user or automated system were tricked into opening a specially crafted XPM file, a remote attacker could use this issue to cause libXpm to crash, resulting in a denial of service, or possibly execute arbitrary code.
• USN-3184-1: Irssi vulnerabilities – 1st February 2017. It was discovered that the Irssi buf.pl script set incorrect permissions. A local attacker could use this issue to retrieve another user’s window contents. (CVE-2016-7553) Joseph Bisch discovered that Irssi incorrectly handled comparing nicks. A remote attacker could use this issue to cause Irssi to crash, resulting in a denial of service.
• USN-3183-1: GnuTLS vulnerabilities – 1st February 2017. Stefan Buehler discovered that GnuTLS incorrectly verified the serial length of OCSP responses. A remote attacker could possibly use this issue to bypass certain certificate validation measures. This issue only applied to Ubuntu 16.04 LTS. (CVE-2016-7444) Shi Lei discovered that GnuTLS incorrectly handled certain warning alerts.
• USN-3182-1: NTFS-3G vulnerability – 1st February 2017. Jann Horn discovered that NTFS-3G incorrectly filtered environment variables when using the modprobe utility. A local attacker could possibly use this issue to load arbitrary kernel modules.