A new year brings new opportunities and new challenges for all of us, and for IT professionals it also brings brand new security vulnerabilities and brand new patches. As we reported in our monthly Patch Tuesday article earlier this month, Microsoft kicked off 2016 with nine updates. In January’s Third Party Patch Roundup we cover Apple’s five updates, Adobe’s one, Google’s Android and Chrome updates, Oracle’s quarterly Critical Patch Update and Mozilla’s official release of Firefox 44, while Ubuntu issued 36 security advisories.
Apple
Apple had a heavy update month in December, gifting us with eight updates that addressed a very large number of vulnerabilities across their product lineup. This month is slightly tamer, with five updates released, comprising OS patches for their mobile and desktop operating systems along with updates for Safari, QuickTime and Apple TV. For more information, see Apple’s security updates page at https://support.apple.com/en-us/HT201222
On January 7, Apple released a single update:
- QuickTime 7.7.9 for Windows Vista and Windows 7 (it does not apply to later versions of Windows). This update patches nine memory corruption vulnerabilities in QuickTime that could allow an attacker to execute arbitrary code or terminate the application if a maliciously crafted movie file is viewed in QuickTime.
On January 19, Apple released three updates:
- iOS 9.2.1 for iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later. This update addresses 13 vulnerabilities in various components, including Disk Images, IOHIDFamily, IOKit, the kernel, libxslt, syslog, WebKit, WebKit CSS and WebSheet. Impacts range from access to a user’s cookies and disclosure of which links a user has visited to arbitrary code execution, making this patch critical for iOS users.
- OS X El Capitan 10.11.3 and Security Update 2016-001, which applies to El Capitan, Yosemite and Mavericks. Together these updates address nine vulnerabilities in AppleGraphicsPowerManagement, Disk Images, IOAcceleratorFamily, IOHIDFamily, IOKit, the kernel, libxslt, OSA Scripts and syslog: seven memory corruption issues, a type confusion issue, and an issue in which a quarantined application could override OSA script libraries installed by the user. Impacts include arbitrary code execution, making this patch critical for OS X users.
- Safari 9.0.3 for OS X Mavericks, Yosemite and El Capitan. This update addresses six vulnerabilities: five memory corruption issues in WebKit itself and one privacy issue in WebKit CSS whereby a web site may determine whether a user has visited a link. The memory corruption vulnerabilities allow arbitrary code execution if a maliciously crafted web site is visited, making this patch critical for OS X users.
On January 25, Apple released one update:
- tvOS 9.1.1 for Apple TV (4th generation). This update addresses eight vulnerabilities in the TV streaming device, in some of the same components affected by the iOS and OS X updates: Disk Images, IOHIDFamily, IOKit, the kernel, libxslt, syslog and WebKit. As with the same vulnerabilities in the other operating systems, most are memory corruption issues that an attacker can use to achieve arbitrary code execution, making this patch critical for Apple TV users.
Adobe
Adobe released only one patch in January:
- APSB16-02, released on January 12, is a security update for Adobe Acrobat and Reader. This update addresses 17 vulnerabilities in these products running on Windows and Mac OS X. Vulnerability types include use-after-free, double-free and other memory corruption issues, an insecure directory search path, and a bypass of the restrictions on JavaScript API execution; several of them allow arbitrary code execution. The vulnerabilities are rated critical and the update carries Adobe’s priority rating 2 on all affected platforms (install soon, for example within 30 days).
For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html
Google
On January 4, Google released a security patch for Android that is delivered over the air to Nexus devices (devices sold by other manufacturers and wireless providers receive the fixes when those partners ship them). The update addresses 12 vulnerabilities, five of which are rated critical, two high and five moderate. Most are elevation of privilege issues; the rest are information disclosure issues, denial of service issues, a remote code execution vulnerability and an attack surface reduction for Nexus kernels. For more information about these updates, see the Android security bulletin at http://source.android.com/security/bulletin/2016-01-01.html
On January 27, Google released stable channel update 48.0.2564.97 for Chrome on Windows, Mac OS X and Linux, containing the latest security fixes. The day before, January 26, Google released stable channel update 48.0.2564.92 for Chrome OS, which fixes a kernel keyring reference count leak (the same kernel issue covered by the Ubuntu kernel advisories below). For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com
Oracle
Oracle normally releases security updates quarterly, on the Tuesday closest to the 17th of January, April, July and October. On January 19, Oracle released its Critical Patch Update containing fixes for multiple security vulnerabilities across the product line. Fifty-one different products are affected, including Oracle Database, Java SE, Fusion applications, Enterprise Manager, the E-Business Suite, PeopleSoft Enterprise, the Communications Applications suite, the Retail Applications suite, Oracle Linux, the virtualization products and MySQL. For more information about specific products, see the Oracle security bulletin at http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
For a more detailed summary of vulnerabilities and fixes, see the Oracle security blog at https://blogs.oracle.com/security/
Mozilla
Mozilla officially released Firefox 44 on January 26, with 12 security advisories: three rated critical, two high, six moderate and one low.
The critical vulnerabilities that are patched in this update include:
- An unsafe memory manipulation issue
- A buffer overflow in WebGL after out-of-memory allocation
- Miscellaneous memory safety hazards
The high severity vulnerabilities include:
- Addressbar spoofing
- Errors in the mp_div and mp_exptmod cryptographic functions in NSS
The moderate severity vulnerabilities include:
- Application Reputation service disabled in Firefox 43
- Delay following click events in file download dialog too short on OS X
- Missing delay following user click events in protocol handler dialog
- Addressbar spoofing through stored data URL shortcuts on Android
- Firefox allows for control characters to be set in cookie names
- Out of memory crash when parsing GIF format images
The low severity vulnerabilities include:
- Lightweight themes on Android do not verify a secure connection
For more information about all of these vulnerabilities and fixes, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (January 28), Ubuntu has issued the 36 security advisories listed below, which is pretty typical. Many of them address multiple vulnerabilities, and in several cases the same vulnerability gets one advisory per supported kernel flavour. Other major Linux distributions issued a similar number of updates.
USN-2883-1: OpenSSL vulnerability – 28th January 2016. Antonio Sanso discovered that OpenSSL reused the same private DH exponent for the life of a server process when configured with a X9.42 style parameter file. This could allow a remote attacker to possibly discover the server’s private DH exponent when being used with non-safe primes.
USN-2882-1: curl vulnerability – 27th January 2016. Isaac Boukris discovered that curl could incorrectly re-use NTLM proxy credentials when subsequently connecting to the same host.
USN-2877-1: Oxide vulnerabilities – 27th January 2016. A bad cast was discovered in V8. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process.
USN-2880-1: Firefox vulnerabilities – 27th January 2016. Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman, Carsten Book, Randell Jesup, Nicolas Pierron, Eric Rescorla, Tyson Smith, and Gabor Krizsanits discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these.
USN-2881-1: MySQL vulnerabilities – 26th January 2016. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.47 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 15.04 and Ubuntu 15.10 have been updated to MySQL 5.6.28.
USN-2879-1: rsync vulnerability – 21st January 2016. It was discovered that rsync incorrectly handled invalid filenames. A malicious server could use this issue to write files outside of the intended destination directory.
USN-2878-1: Perl vulnerability – 21st January 2016. David Golden discovered that the canonpath function in the Perl File::Spec module did not properly preserve the taint attribute. An attacker could possibly use this issue to bypass the taint protection mechanism.
USN-2876-1: eCryptfs vulnerability – 20th January 2016. Jann Horn discovered that mount.ecryptfs_private would mount over certain directories in the proc filesystem. A local attacker could use this to escalate their privileges.
USN-2875-1: libxml2 vulnerabilities – 19th January 2016. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.
USN-2874-1: Bind vulnerability – 19th January 2016. It was discovered that Bind incorrectly handled certain APL data. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
USN-2870-1, USN-2870-2 (Trusty HWE), USN-2871-1, USN-2871-2 (Vivid HWE), USN-2872-1, USN-2872-2 (Wily HWE), USN-2872-3 (Raspberry Pi 2) and USN-2873-1 (Utopic HWE): Linux kernel vulnerability – 19th January 2016. Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring (CVE-2016-0728). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. The same fix was issued once per supported kernel flavour, hence the eight advisories.
USN-2869-1: OpenSSH vulnerabilities – 14th January 2016. It was discovered that the OpenSSH client’s experimental support for resuming connections (roaming) contained multiple security issues. A malicious server could use these issues to leak client memory to the server, including the user’s private keys. Upstream’s fix in OpenSSH 7.1p2 disables the roaming code entirely; on clients that cannot be updated immediately, adding UseRoaming no to ssh_config or ~/.ssh/config switches it off.
USN-2859-1: Thunderbird vulnerabilities – 13th January 2016. Andrei Vaida, Jesse Ruderman and Bob Clary discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.
USN-2868-1: DHCP vulnerability – 13th January 2016. Sebastian Poehn discovered that the DHCP server, client, and relay incorrectly handled certain malformed UDP packets. A remote attacker could use this issue to cause the DHCP server, client, or relay to stop responding, resulting in a denial of service.
USN-2867-1: libvirt vulnerabilities – 12th January 2016. It was discovered that libvirt incorrectly handled the firewall rules on bridge networks when the daemon was restarted. This could result in an unintended firewall configuration. This issue only applied to Ubuntu 12.04 LTS. (CVE-2011-4600) Peter Krempa discovered that libvirt incorrectly handled locking when certain ACL checks failed.
USN-2860-1: Oxide vulnerabilities – 11th January 2016. A race condition was discovered in the MutationObserver implementation in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process.
USN-2863-1 (OpenSSL) and USN-2864-1 (NSS) – 7th January 2016; USN-2865-1 (GnuTLS) and USN-2866-1 (Firefox, which bundles its own copy of NSS) – 8th January 2016. Karthikeyan Bhargavan and Gaetan Leurent discovered that each of these TLS implementations incorrectly allowed MD5 to be used for TLS 1.2 connections (the SLOTH attack). If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.
USN-2862-1: Pygments vulnerability – 7th January 2016. It was discovered that Pygments incorrectly sanitized strings used to search system fonts. An attacker could possibly use this issue to execute arbitrary code.
USN-2861-1: libpng vulnerabilities – 6th January 2016. It was discovered that libpng incorrectly handled certain small bit-depth values. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program.
USN-2857-1, USN-2857-2 (Vivid HWE), USN-2858-1, USN-2858-2 (Wily HWE) and USN-2858-3 (Raspberry Pi 2): Linux kernel vulnerability – 5th January 2016. Nathan Williams discovered that overlayfs in the Linux kernel incorrectly handled setattr operations (CVE-2015-8660). A local unprivileged attacker could use this to create files with administrative permission attributes and execute arbitrary code with elevated privileges. As with the keyring advisories above, one fix was issued per supported kernel flavour.
USN-2856-1: ldb vulnerabilities – 5th January 2016. Thilo Uttendorfer discovered that ldb incorrectly handled certain zero values. A remote attacker could use this issue to cause applications using ldb, such as Samba, to stop responding, resulting in a denial of service. (CVE-2015-3223) Douglas Bagnall discovered that ldb incorrectly handled certain string lengths.
USN-2855-1: Samba vulnerabilities – 5th January 2016. Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled certain packets. A remote attacker could use this issue to cause the LDAP server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10.
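The rsync issue in USN-2879-1 above is a destination-confinement failure: a client that trusts the file names a server sends can be made to write outside the target directory. The check below is an added Python example (not rsync’s own code) of the kind of validation a transfer client must apply to every server-supplied name. It assumes a POSIX local filesystem and treats wire-format names as '/'-separated; the triage() helper and the sample names are constructed for the example.

```python
"""Confining server-supplied file names to the destination directory.

Added example (not rsync's code) of the check a transfer client must apply to
every name a remote peer sends. Assumes a POSIX local filesystem; wire-format
names are '/'-separated whatever the local OS.
"""
import os
import posixpath


class UnsafePath(ValueError):
    """Raised for any server-supplied name that must not be written."""


def confine_to_destination(dest_root, remote_name):
    """Return the absolute local path for remote_name, or raise UnsafePath.

    Rejects empty names, NUL bytes, absolute names, any '..' component (the
    conservative choice: 'a/../b' is harmless but an honest peer never needs
    it), and anything that does not resolve beneath dest_root once symlinks
    already present under dest_root are followed.
    """
    if not remote_name or "\x00" in remote_name:
        raise UnsafePath("empty or NUL-containing name")
    if posixpath.isabs(remote_name):
        raise UnsafePath("absolute name: %r" % remote_name)
    parts = [p for p in remote_name.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafePath("name resolves to the destination root itself")
    if ".." in parts:
        raise UnsafePath("parent-directory component: %r" % remote_name)
    root = os.path.realpath(dest_root)
    # realpath follows symlinks the peer may have planted earlier in the same
    # transfer, so a link under dest_root that points outside is caught here.
    target = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:
        raise UnsafePath("escapes destination via symlink: %r" % remote_name)
    return target


def triage(dest_root, remote_names):
    """Classify a batch of names: {name: 'ok' or 'rejected: <reason>'}."""
    verdicts = {}
    for name in remote_names:
        try:
            confine_to_destination(dest_root, name)
            verdicts[name] = "ok"
        except UnsafePath as exc:
            verdicts[name] = "rejected: %s" % exc
    return verdicts


if __name__ == "__main__":
    # Constructed sample of names a malicious server might send.
    sample = ["docs/readme.txt", "./a/b", "../.ssh/authorized_keys",
              "/etc/passwd", "a/../../x", "", "a/./../..", "."]
    for name, verdict in triage("/tmp/dest", sample).items():
        print("%-28r %s" % (name, verdict))
```

Rejecting every '..' component rather than trying to normalise it is the conservative choice, and realpath() catches a symlink the peer planted earlier in the transfer. What this check cannot close on its own is the window between the check and the open(); create the file with O_NOFOLLOW, or through openat() relative to a descriptor for the destination directory, so that a link appearing in between is not followed.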
Other
ISC DHCP. A patch for a denial of service vulnerability in most versions of ISC DHCP (the issue Ubuntu addressed in USN-2868-1 above) was issued on January 12 by the Internet Systems Consortium (ISC). It affects IPv4 DHCP clients, relays and servers. It does not affect those that are designed to process only unicast packets. ISC urges network admins to upgrade their DHCP implementations to version 4.1-ESV-R12-P1 or version 4.3.3-P1.
Cisco Firewall. A critical vulnerability in Cisco’s RV220W Wireless Network Security Firewall allows an unauthenticated remote attacker to bypass authentication on the device’s web management interface and gain administrative access. Cisco released a fix on January 27 and urged users to install it as soon as possible. For more information, see this article on the SC Magazine web site:
http://www.scmagazine.com/cisco-advises-firewall-users-to-patch-critical-vulnerability/article/469184/
OpenSSL. The OpenSSL Project patched two vulnerabilities in its cryptographic library on January 28, in versions 1.0.2f and 1.0.1r. One is a high-severity issue (CVE-2016-0701, the same flaw covered by USN-2883-1 above): a server that uses X9.42-style Diffie-Hellman parameters with a non-safe prime and reuses its private exponent across connections lets a client recover that exponent through a small-subgroup attack. The fix makes SSL_OP_SINGLE_DH_USE the default so that a fresh exponent is generated for every connection; administrators who cannot upgrade immediately should set that option themselves or use safe primes. The other is a low-severity issue (CVE-2015-3197) in which a client could negotiate SSLv2 cipher suites that had been disabled. OpenSSL also noted that support for version 1.0.1 ends at the end of this year (0.9.8 and 1.0.0 are already out of support), so all OpenSSL users should plan to move to version 1.0.2. For more information about this patch, see this article on the InfoWorld site: http://www.infoworld.com/article/3027557/security/openssl-patches-two-vulnerabilities-in-cryptographic-library.html
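As an added illustration of the mechanism behind the high-severity OpenSSL issue above and USN-2883-1 in the Ubuntu list (this is example code, not OpenSSL’s), here is a Python model of a server that reuses its DH exponent, a client that confines its public value to small subgroups to learn that exponent a few bits at a time, and the safe-prime check an administrator can run on the prime from a dhparam file. The numbers are toy-sized so the arithmetic is visible; the two primes, the Miller-Rabin bases and the bound of 64 on what counts as a "small" factor are choices made for the example.

```python
"""Toy model of the small-subgroup attack behind the OpenSSL DH fix (USN-2883-1).
Added example with toy-sized numbers, not OpenSSL code: a server reusing one DH
private exponent x, with a prime p whose p-1 has small factors, lets a client
learn x mod h for each small factor h in h handshakes. With a safe prime the only
small factor is 2 and at most one bit leaks."""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases: exact below 3.3e24, probabilistic above."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """p = 2q + 1 with q prime. Run this on the prime from a dhparam file: if it
    fails, exponent reuse with that prime is exactly what the fix protects against."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def small_prime_factors(n, bound):
    """Distinct prime factors of n that are <= bound, by trial division."""
    factors, f = [], 2
    while f <= bound and f * f <= n:
        if n % f == 0:
            factors.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if 1 < n <= bound:
        factors.append(n)
    return factors

class ReusingDhServer:
    """Vulnerable behaviour: one exponent for the process lifetime, and no check
    that the client's public value lies in the prime-order subgroup."""
    def __init__(self, p, g, rng):
        self.p, self.g = p, g
        self.x = rng.randrange(2, p - 1)          # long-lived private exponent
        self.public = pow(g, self.x, p)

    def handshake(self, client_public, client_premaster):
        """True when the client's premaster secret matches the server's, i.e. the
        handshake completes. That success/failure signal is the attacker's oracle."""
        return pow(client_public, self.x, self.p) == client_premaster

def element_of_order(p, h, rng):
    """A y != 1 with y**h == 1 (mod p); h must be a prime factor of p - 1."""
    e = (p - 1) // h
    while True:
        y = pow(rng.randrange(2, p - 1), e, p)
        if y != 1:
            return y

def crt_combine(residues):
    """Chinese remainder theorem for [(r_i, m_i)] with pairwise coprime m_i."""
    x, m = 0, 1
    for r, mod in residues:
        x += m * (((r - x) * pow(m, -1, mod)) % mod)
        m *= mod
    return x % m, m

def recover_exponent(server, rng, bound=64):
    """Attacker: for each small prime factor h of p-1, send a public value of order
    h and try every guess of x mod h; only the right guess completes the handshake.
    Returns (x mod m, m, handshakes used); m == p-1 means x is fully recovered."""
    residues, handshakes = [], 0
    for h in small_prime_factors(server.p - 1, bound):
        y = element_of_order(server.p, h, rng)
        for k in range(h):
            handshakes += 1
            if server.handshake(y, pow(y, k, server.p)):
                residues.append((k, h))
                break
    x_mod_m, m = crt_combine(residues)
    return x_mod_m, m, handshakes

if __name__ == "__main__":
    rng = random.Random(2016)
    for p in (2311, 2039):   # 2310 = 2*3*5*7*11 (non-safe); 2039 = 2*1019 + 1 (safe)
        srv = ReusingDhServer(p, 2, rng)
        x_mod_m, m, n = recover_exponent(srv, rng)
        print(f"p={p} safe={is_safe_prime(p)}: learned x mod {m} = {x_mod_m} "
              f"in {n} handshakes (true x = {srv.x})")
```

With p = 2311 (p-1 = 2*3*5*7*11) the whole exponent comes back in at most 28 handshakes instead of up to 2310 guesses; with the safe prime 2039 the only small subgroup has order 2, so the attacker learns nothing beyond the parity of x. Generating a fresh exponent per connection (SSL_OP_SINGLE_DH_USE, now the default) defeats the attack whatever the prime, because each handshake then answers a question about a different x and the residues can no longer be combined.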