Here we are again in February, the shortest month of the year. What that means to most of us in the IT world is that we have two fewer days to get the same amount of work done. No, February is not my favorite month.

Given that we ended 2017 with many still reeling from the effect of the Equifax data breach, and started 2018 with the spectre of a meltdown from processor vulnerabilities that potentially impacted almost everyone who uses a modern computing device, keeping systems updated is a top priority in most organizations’ IT security strategy now if it wasn’t already.

To add to the pressure, those in regulated industries also have compliance issues to worry about, and patching is a key element in demonstrating compliance with requirements to take steps to protect data. Even if you aren’t in healthcare, financial services, or other sectors that have traditionally been the subject of government and industry regulation, in only a few months all organizations that collect, store, process or transfer personal data belonging to residents of the European Union – whether or not those orgs have a presence in the EU – will fall under the General Data Protection Regulation (GDPR), which mandates protection of the privacy of that data and imposes hefty fines on those that fail to comply.

With all this going on, we can’t overemphasize the importance of applying security patches as quickly as is feasible. So now we’ll take a look at the patches released by some of the main software players in this second month of this new year.  

The good news is that we do have, overall, a smaller number of updates to deal with than the average.

Apple

After the 10 security updates that were released by Apple in January, February feels like a light month with only four, and it turns out that each of these addresses the same single vulnerability. All four were issued on February 19, and all are operating system updates. There are no patches this time for application software such as iTunes, iCloud, and Safari. Here are the updates we’re looking at:

  • macOS High Sierra 10.13.3 Supplemental Update – This update addresses a single vulnerability in the CoreText component, which is a memory corruption issue that could lead to heap corruption when processing a maliciously crafted string. The fix involves improvements to the input validation process.
  • iOS 11.2.6 is the latest version of the mobile OS for iPhone 5s and above, iPad Air and above, and iPod Touch gen 6. It contains the same security fix described above in High Sierra 10.13.3.
  • watchOS 4.2.3 applies the fix for the same memory corruption vulnerability to all models of the Apple Watch.
  • tvOS 11.2.6 also addresses – you guessed it – the memory corruption/heap corruption vulnerability referenced above.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe issued only one security update last month. This time, they issued four security bulletins, only one of which was released on their regular Patch Tuesday schedule.

  • APSB18-01 Security Advisory for Adobe Flash Player was released on February 1 to advise users of a vulnerability, rated critical, that affects Flash Player v28.0.0.137 and prior, which at the time had already been found to be exploited in targeted attacks in the wild. This affects Flash Player running on Windows, Mac, Linux and Chrome OS. The exploit was using Office documents that had embedded Flash content to accomplish remote code execution through a use-after-free vulnerability. The bulletin contains mitigations.
  • APSB18-03 Security Updates for Flash Player pertain to the fix for the vulnerabilities referenced in APSB18-01 above. The updates were released on February 6, an out-of-band release that addresses a pair of critical use-after-free vulnerabilities. The updates are assigned a priority rating of 1 for Windows, Mac, Linux and Chrome OS, with the exception of the Desktop Runtime running on Linux, which has a priority rating of 3.
  • APSB18-02 Security updates for Adobe Acrobat and Reader was originally posted on February 8, to address five vulnerability categories that include security mitigation bypass, heap overflow, use-after-free, and both out-of-bounds write and out-of-bounds read vulnerabilities. A large number of individual vulnerabilities are addressed, with sixteen rated critical and the rest important. The priority rating for Windows and Mac is set at 2.
  • APSB18-04 Security updates for Adobe Experience Manager was released on the normal Patch Tuesday date of February 13 for v6.0, 6.1, 6.2 and 6.3. The updates have a priority rating of 3 and address a reflected cross-site scripting vulnerability rated moderate, and a cross-site scripting vulnerability rated important, both of which could be exploited to accomplish information disclosure.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

Google released a stable channel update for the desktop version of Chrome, 64.0.3282.186 for Mac, Linux, and Windows, on February 22. Google also released a stable channel update for Chrome OS on February 23, which contains a number of security fixes. This is version 64.0.3282.167 / 64.0.3282.169 (Platform version: 10176.72.0 / 10176.73.0) for most Chrome OS devices.

For more information, see the Chrome Releases blog at https://chromereleases.googleblog.com/

Google’s Android security bulletin for this month addresses seven vulnerabilities for the 2018-02-01 patch level, two rated critical. Five are of high severity and one moderate. The most severe are remote code execution issues; others include elevation of privilege, information disclosure and denial of service.

Patch level 2018-02-05 addresses nineteen vulnerabilities, only two of which are critical. Most of these are issues in Qualcomm components, including the two critical remote code execution vulnerabilities in the WLAN component.

For more information, see the bulletin at https://source.android.com/security/bulletin/2018-02-01  

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  The most recent critical patch update was released on January 16, and the next release is scheduled for April 17th.

For more information, see: https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

Mozilla did not release any security advisories in February. As of this writing (March 1), its most recent advisory, MFSA 2018-05, was released on January 29, and addressed a single critical issue in Firefox that could lead to remote code execution and was patched in Firefox 58.0.1.

For more information, see https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (March 1), Ubuntu has issued thirty-nine separate security advisories. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of advisories and updates.

  • USN-3579-2: LibreOffice regression – 28th February 2018. USN-3579-1 fixed a vulnerability in LibreOffice. After upgrading, it was no longer possible for LibreOffice to open documents from certain locations outside of the user’s home directory. This update fixes the problem. We apologize for the inconvenience. Original advisory details:
  • USN-3584-1: sensible-utils vulnerability – 26th February 2018. Gabriel Corona discovered that sensible-utils incorrectly validated strings when launching a browser with the sensible-browser tool. A remote attacker could possibly use this issue with a specially crafted URL to conduct an argument injection attack and execute arbitrary code.
  • USN-3583-2: Linux kernel (Trusty HWE) vulnerabilities – 23rd February 2018. USN-3583-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. It was discovered that an out-of-bounds write vulnerability existed in the Flash-Friendly File System (f2fs).
  • USN-3583-1: Linux kernel vulnerabilities – 23rd February 2018. It was discovered that an out-of-bounds write vulnerability existed in the Flash-Friendly File System (f2fs) in the Linux kernel. An attacker could construct a malicious file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3581-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 23rd February 2018. Mohamed Ghannam discovered that the IPv4 raw socket implementation in the Linux kernel contained a race condition leading to uninitialized pointer usage. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
  • USN-3582-2: Linux kernel (Xenial HWE) vulnerabilities – 22nd February 2018. USN-3582-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Mohamed Ghannam discovered that the IPv4 raw socket implementation in the Linux kernel contained a race condition.
  • USN-3582-1: Linux kernel vulnerabilities – 22nd February 2018. Mohamed Ghannam discovered that the IPv4 raw socket implementation in the Linux kernel contained a race condition leading to uninitialized pointer usage. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
  • USN-3581-2: Linux kernel (HWE) vulnerabilities – 22nd February 2018. USN-3581-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. Mohamed Ghannam discovered that the IPv4 raw socket implementation in the Linux kernel contained a race condition.
  • USN-3581-1: Linux kernel vulnerabilities – 22nd February 2018. Mohamed Ghannam discovered that the IPv4 raw socket implementation in the Linux kernel contained a race condition leading to uninitialized pointer usage. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
  • USN-3578-1: WavPack vulnerabilities – 21st February 2018. It was discovered that WavPack incorrectly handled certain DSDIFF files. An attacker could possibly use this to execute arbitrary code or cause a denial of service. (CVE-2018-7253) It was discovered that WavPack incorrectly handled certain CAF files. An attacker could possibly use this to cause a denial of service.
  • USN-3580-1: Linux kernel vulnerabilities – 21st February 2018. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.
  • USN-3579-1: LibreOffice vulnerability – 21st February 2018. It was discovered that =WEBSERVICE calls in a document could be used to read arbitrary files. If a user were tricked into opening a specially crafted document, a remote attacker could exploit this to obtain sensitive information.
  • USN-3577-1: CUPS vulnerability – 20th February 2018. Jann Horn discovered that CUPS permitted HTTP requests with the Host header set to “localhost.localdomain” from the loopback interface. If a user were tricked into opening a specially crafted website in their web browser, an attacker could potentially exploit this to obtain sensitive information or control printers.
  • USN-3576-1: libvirt vulnerabilities – 20th February 2018. Vivian Zhang and Christoph Anton Mitterer discovered that libvirt incorrectly disabled password authentication when the VNC password was set to an empty string. A remote attacker could possibly use this issue to bypass authentication, contrary to expectations. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
  • USN-3575-1: QEMU vulnerabilities – 20th February 2018. It was discovered that QEMU incorrectly handled guest RAM. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
  • USN-3574-1: Bind vulnerability – 19th February 2018. It was discovered that Bind incorrectly handled DNSSEC validation. An attacker could possibly use this to cause a denial of service.
  • USN-3573-1: Quagga vulnerabilities – 15th February 2018. It was discovered that a double-free vulnerability existed in the Quagga BGP daemon when processing certain forms of UPDATE message. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code.
  • USN-3572-1: FreeType vulnerability – 14th February 2018. It was discovered that FreeType incorrectly handled certain files. An attacker could possibly use this to cause a denial of service.
  • USN-3571-1: Erlang vulnerabilities – 14th February 2018. It was discovered that the Erlang FTP module incorrectly handled certain CRLF sequences. A remote attacker could possibly use this issue to inject arbitrary FTP commands. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-1693) It was discovered that Erlang incorrectly checked CBC padding bytes.
  • USN-3570-1: AdvanceCOMP vulnerability – 14th February 2018. Joonun Jang discovered that AdvanceCOMP incorrectly handled certain malformed zip files. If a user or automated system were tricked into processing a specially crafted zip file, a remote attacker could cause AdvanceCOMP to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3569-1: libvorbis vulnerabilities – 13th February 2018. It was discovered that libvorbis incorrectly handled certain sound files. An attacker could possibly use this to execute arbitrary code. (CVE-2017-14632) It was discovered that libvorbis incorrectly handled certain sound files. An attacker could use this to cause a denial of service.
  • USN-3544-2: Firefox regressions – 12th February 2018. USN-3544-1 fixed vulnerabilities in Firefox. The update caused a web compatibility regression and a tab crash during printing in some circumstances. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox.
  • USN-3568-1: WavPack vulnerabilities – 12th February 2018. Hanno Böck discovered that WavPack incorrectly handled certain WV files. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10169) Joonun Jang discovered that WavPack incorrectly handled certain RF64 files.
  • USN-3567-1: Puppet vulnerability – 12th February 2018. It was discovered that Puppet incorrectly handled permissions when unpacking certain tarballs. A local user could possibly use this issue to execute arbitrary code.
  • USN-3566-1: PHP vulnerabilities – 12th February 2018. It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2018-5712) It was discovered that PHP incorrectly handled memory when unserializing certain data.
  • USN-3565-1: Exim vulnerability – 12th February 2018. Meh Chang discovered that Exim incorrectly handled memory in certain decoding operations. A remote attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3564-1: PostgreSQL vulnerability – 9th February 2018. It was discovered that PostgreSQL incorrectly handled certain temp files. An attacker could possibly use this to access sensitive information.
  • USN-3563-1: Mailman vulnerability – 8th February 2018. It was discovered that Mailman incorrectly handled certain web scripts. An attacker could possibly use this to inject arbitrary code.
  • USN-3562-1: MiniUPnP vulnerabilities – 7th February 2018. It was discovered that MiniUPnP incorrectly handled memory. A remote attacker could use this issue to cause a denial of service or possibly execute arbitrary code with privileges of the user running an application that uses the MiniUPnP library.
  • USN-3561-1: libvirt update – 7th February 2018. It was discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. An attacker in the guest could use this to expose sensitive guest information, including kernel memory.
  • USN-3560-1: QEMU update – 7th February 2018. It was discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. An attacker in the guest could use this to expose sensitive guest information, including kernel memory.
  • USN-3559-1: Django vulnerabilities – 7th February 2018. It was discovered that Django incorrectly handled certain requests. An attacker could possibly use this to access sensitive information.
  • USN-3558-1: systemd vulnerabilities – 5th February 2018. Karim Hossen & Thomas Imbert and Nelson William Gamazo Sanchez independently discovered that systemd-resolved incorrectly handled certain DNS responses. A remote attacker could possibly use this issue to cause systemd to temporarily stop responding, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS.
  • USN-3557-1: Squid vulnerabilities – 5th February 2018. Mathias Fischer discovered that Squid incorrectly handled certain long strings in headers. A malicious remote server could possibly cause Squid to crash, resulting in a denial of service. This issue was only addressed in Ubuntu 16.04 LTS.
  • USN-3550-2: ClamAV vulnerabilities – 5th February 2018. USN-3550-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled parsing certain mail messages. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service.
  • USN-3556-2: Dovecot vulnerabilities – 1st February 2018. USN-3556-1 fixed vulnerabilities in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that Dovecot incorrectly handled certain authentications. An attacker could possibly use this to bypass authentication and access sensitive information.
  • USN-3556-1: Dovecot vulnerability – 1st February 2018. It was discovered that Dovecot incorrectly handled certain authentications. An attacker could possibly use this to cause a denial of service.
  • USN-3555-2: w3m vulnerabilities – 1st February 2018. USN-3555-2 fixed vulnerabilities in w3m. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that w3m incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service. (CVE-2018-6196, CVE-2018-6197) It was discovered that w3m incorrectly handled temporary files.
  • USN-3555-1: w3m vulnerabilities – 1st February 2018. It was discovered that w3m incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service. (CVE-2018-6196, CVE-2018-6197) It was discovered that w3m incorrectly handled temporary files. An attacker could possibly use this to overwrite arbitrary files.