The first month of this new year is almost over, but it has already started out as a big one for security patches. Although Microsoft issued only eight updates this month, Apple and Linux systems both saw fixes for more vulnerabilities than usual, Oracle released its regular quarterly critical update, and Adobe found itself having to get out not just one but two out-of-band updates.
Apple waited until almost the end of the month to release any updates, and then put out four of them on January 27, affecting their desktop and mobile operating systems, web browser and Apple TV devices.
- iOS 8.1.3 is the latest update for Apple’s phone and tablet operating system. This update is for the iPhone 4 and later, the 5th generation iPod Touch, and the iPad 2 and later. It addresses twenty separate issues encompassing more than thirty vulnerabilities. These include vulnerabilities in Apple File Conduit (AFC), Core Graphics, the dyld API, Font Parser, the XML parser, IOAcceleratorFamily, IOHIDFamily, the iTunes store, the iOS kernel, libnetcore, MobileInstallation, Springboard, and 16 vulnerabilities in WebKit. For more information, see Apple’s web site at http://support.apple.com/en-us/HT204245
- OS X Yosemite 10.10.2 security update 2015-001 addresses more than fifty separate vulnerabilities in OS X components including AFP server, bash, Bluetooth, CFNetwork Cache, CoreGraphics, CPU software, CommerceKit Framework, CoreSymbolication, FontParser, Foundation (XML parser), Intel Graphics Driver, IOAcceleratorFamily, IOHIDFamily, IOKit, IOUSBFamily, the OS X kernel, LaunchServices, libnetcore, LoginWindow, lukemftp, OpenSSL, Sandbox, SceneKit, security_taskgate, Spotlight, SpotlightIndex, sysmond and UserAccountUpdater. For more information and specifics about each of the vulnerabilities, see Apple’s web site at http://support.apple.com/en-us/HT204244
- Safari 8.0.3, 7.1.3 and 6.2.3 updates for OS X Yosemite, Mavericks and Mountain Lion address four vulnerabilities in WebKit related to multiple memory issues that could allow a maliciously crafted website to cause application termination or arbitrary code execution. For more information, see the Apple web site at http://support.apple.com/en-us/HT204243
- AppleTV 7.0.3 update contains security fixes for twenty-nine vulnerabilities in various components, including multiple memory corruption issues in WebKit that could allow a maliciously crafted website to arbitrarily execute code or terminate the application. For more information about the rest of these vulnerabilities, see the Apple web site at http://support.apple.com/en-us/HT204246
The new year didn’t get off to a very good start for Adobe. They released only one patch on their regular Patch Tuesday schedule, but then had to come back with out-of-band advisories and updates later in the month, which we covered in depth in separate blog posts:
Exploit Kit strikes again: Attackers taking advantage of unpatched Flash vulnerability
Adobe fixes second vulnerability in Flash
- On January 13 (Patch Tuesday), Adobe released APSB15-01, an update to Flash Player running on Windows, Mac OS X and Linux, that addressed seven vulnerabilities, which could potentially allow an attacker to take control of the system. These include improper file validation, information disclosure, memory corruption, heap-based buffer overflow, type confusion, an out-of-bounds read vulnerability and a use-after-free vulnerability. Priority rating is 1 for Windows and Mac, 3 for Linux. For more information about this update, see Adobe’s web site at http://helpx.adobe.com/security/products/flash-player/apsb15-01.html
- On January 22, Adobe released APSB15-02, another update to Flash Player for Windows, Mac OS X and Linux, to address a memory leak vulnerability that could be used to circumvent memory randomization mitigations and that was already being exploited in the wild. Priority rating is 2 for Windows and Mac, 3 for Linux. For more information about this vulnerability, see Adobe’s web site at http://helpx.adobe.com/security/products/flash-player/apsb15-02.html
- On January 27, Adobe released APSB15-03, yet another update for Flash Player on Windows, Mac OS X and Linux. It addressed two vulnerabilities that could potentially allow an attacker to take control of the system, one of which was being actively exploited in the wild. Priority rating is 1 on Windows and Mac, 3 on Linux. For more information about these vulnerabilities, see the Adobe web site at http://helpx.adobe.com/security/products/flash-player/apsb15-03.html
On January 26, Google released a stable channel update for the Chrome web browser, version 40.0.2214.93 for Windows, Mac OS X and Linux, that contains the latest security updates.
Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. On January 20, Oracle released a critical patch update containing 169 new security fixes across their family of products. Affected products include Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel CRM, Oracle iLearning, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.
Several of the eight vulnerabilities in Oracle Database are severe, but none can be exploited without authentication. For more information about these vulnerabilities, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
On January 13, Mozilla released nine security advisories (the same number as in December), including the following:
- MSFA-2015-09 XrayWrapper bypass through DOM objects
- MSFA-2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
- MSFA-2015-07 Gecko Media Plugin sandbox escape
- MSFA-2015-06 Read-after-free in WebRTC
- MSFA-2015-05 Read of uninitialized memory in Web Audio
- MSFA-2015-04 Cookie injection through Proxy Authenticate responses
- MSFA-2015-03 sendBeacon requests lack an Origin header
- MSFA-2015-02 Uninitialized memory use during bitmap rendering
- MSFA-2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
The current version of Mozilla Firefox as of January 26, 2015 is v35.0.1. It contains security, performance and reliability fixes.
Popular Linux distros, as usual, have already seen a number of security advisories and updates this month. Ubuntu has issued forty-two security advisories during the time frame of January 1 through January 28 and may issue more this month. Other commercial Linux vendors issued similar advisories.