Third Party Patch Roundup – January 2018

After the multiplicity of security issues – Equifax, Wannacry, and so many more – that we found ourselves dealing with in 2017, we’re all hoping that 2018 will be better, but the new year is barely off and running now and there have already been a few high profile data breaches, including a compromise of Aadhaar, a public database in India that contains information on a billion people.

Companies are also coming up fast this year against the deadline for compliance with the European General Data Protection Regulation (GDPR) that affects organizations all over the world, not just those based in the European Union.  That date is May 25, and many companies are still scrambling to meet the requirements.

Some may think that because more and more of our data and applications will be moving to the cloud this year, that means patching and patch management will soon be a thing of the past – at least for everyone except the cloud providers. Unfortunately, that’s not true.  Cloud security is a shared responsibility and customers still must shoulder a large part of that burden.

As long as you’re running operating systems and applications, whether on local devices that access the cloud or on virtual servers that “live” in a cloud datacenter somewhere, you must keep that software up to date and ensure that vulnerabilities are patched as quickly as possible to prevent your organization from being in the headlines as a victim of one of the breaches or scams that are sure to come down the pike in 2018.

For now, let’s take a look at the patches released by some of the main software players in this first month of this new year.

Apple

Perhaps you were thinking that because Apple put out 11 security updates last month, they would take a break this month. No such luck. As of January 29, we have 10 patches from Cupertino that reach across most of their products.

The first batch was released on January 8:

iOS 11.2.2 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation includes security improvements to Safari and WebKit to mitigate the effects of Spectre, the high profile processor vulnerability that affects most modern systems running Intel, AMD and ARM processors.

• Safari 11.02 for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6 includes security improvements to mitigate the effects of Spectre.
• macOS High Sierra 10.13.2 supplemental update includes security improvements to mitigate the effects of Spectre.
• The first of this month’s patches were released on January 23:
• tvOS 11.2.5 for apple TV 4K and Apple TV 4th generation fixes a total of 12 vulnerabilities in the Audio, Core Bluetooth, QuartzCore, WebKit and Security components of the operating system, as well as the OS kernel. The most serious can lead to arbitrary code execution.
• macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan fixes a total of 17 vulnerabilities in the same components mentioned above as well as wi-fi, the Sandbox, LinkPresentation, IOHIDFamily, and curl. The most serious can lead to arbitrary code execution.
• iOS 11.2.5 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation fixes a total of 13 vulnerabilities in many of the same components mentioned above. The most serious can lead to arbitrary code execution.
• watchOS 4.2.2 for all Apple watch models fixes a total of 12 vulnerabilities in many of the same components mentioned above. The most serious can lead to arbitrary code execution.
• Safari 11.0.3 for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.3 fixes a total of 3 memory corruption vulnerabilities in the WebKit component that may lead to arbitrary code execution.
• iCloud for Windows 7.3 for Windows 7 and later Windows operating systems fixes two memory corruption vulnerabilities in the WebKit component that may lead to arbitrary code execution.
• iTunes 12.7.3 for Windows for Windows 7 and later Windows operating systems fixes two memory corruption vulnerabilities in the WebKit component that may lead to arbitrary code execution.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe issued only one security update this month, which was released on their regular Patch Tuesday schedule, January 9:

• APSB18-01 – Security Updates for Adobe Flash Player for Google Chrome, Microsoft Edge, Internet Explorer 11, and the Desktop Runtime, running on Windows, Mac, Linux and Chrome OS. Priority rating is 2 and severity is important, and it addresses a single out-of-bounds read vulnerability.

For more information, see the security bulletin at https://helpx.adobe.com/security/products/flash-player/apsb18-01.html

Google

Google released Chrome 64 as a stable channel update on January 24. It includes 53 security fixes reported by external researchers, three of which are for high severity vulnerabilities, eight for low impact vulnerabilities, and the rest of them rated medium. Also included are various fixes contributed by the internal security team, and additional mitigations against speculative side-channel attacks.

For more information, see the Chrome releases blog: https://chromereleases.googleblog.com/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  A critical patch update was released on January 16, which includes fixes for the Spectre and Meltdown issues. In all, the update contains 238 new security fixes across Oracle product families. This Critical Patch Update contains 5 new security fixes for the Oracle Database Server.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

For more information, see: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Mozilla

Like most other vendors, Mozilla rushed to distribute a fix for the Spectre speculative execution side-channel attack vulnerability. This was released on January 4 as Firefox 57.0.4 and Firefox ESR 52.6. Two more updates were released in January, Firefox 58 on January 23 and Firefox 58.0.1 on January 29.

• Firefox 58 contains fixes for three critical vulnerabilities, which include memory corruption issues and a use-after-free vulnerability with DTMF timers.  Also fixed are 13 high impact vulnerabilities, another 13 of moderate impact, and three low impact issues.
• Firefox 58.0.1 contains a single fix for an arbitrary code execution through unsanitzed browser UI vulnerability that is rated critical. It does not affect Firefox for Android or Firefox 52 ESR. Here is more info about that one: https://www.ghacks.net/2018/01/29/mozilla-firefox-58-0-1-fix-for-white-pages-on-windows/

For more information about Firefox 58 vulnerabilities, see: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (January 29), Ubuntu has issued 51 separate security advisories. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. As with other software vendors this month, a number of these advisories are related to the Spectre and Meltdown processor vulnerabilities. Other commercial Linux vendors issued a similar number of advisories and updates.

• USN-3549-1: Linux kernel (KVM) vulnerabilities – 29th January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.
• USN-3548-2: Linux kernel (HWE) vulnerability – 26th January 2018. USN-3548-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. Jay Vosburgh discovered a logic error in the x86-64 syscall entry implementation in the Linux kernel.
• USN-3548-1: Linux kernel vulnerability – 26th January 2018. Jay Vosburgh discovered a logic error in the x86-64 syscall entry implementation in the Linux kernel, introduced as part of the mitigations for the Spectre vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
• USN-3547-1: Libtasn1 vulnerabilities – 25th January 2018. It was discovered that Libtasn1 incorrectly handled certain files. If a user were tricked into opening a crafted file, an attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
• USN-3537-2: MySQL vulnerabilities – 25th January 2018.  USN-3537-1 fixed vulnerabilities in MySQL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.59 in Ubuntu 12.04 ESM LTS.
• USN-3544-1: Firefox vulnerabilities – 24th January 2018. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, spoof the origin in audio capture prompts, trick the user in to providing HTTP credentials.
• USN-3546-1: gcab vulnerability – 24th January 2018. Richard Hughes discovered that gcab incorrectly handled certain malformed cabinet files. If a user or automated system were tricked into opening a specially crafted cabinet file, a remote attacker could use this issue to cause gcab to crash, resulting in a denial of service, or possibly execute arbitrary code.
• USN-3543-2: rsync vulnerabilities – 23rd January 2018. USN-3543-1 fixed vulnerabilities in rsync. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that rsync incorrectly handled certain data input. An attacker could possibly use this to cause a denial of service or execute arbitrary code.
• USN-3543-1: rsync vulnerabilities – 23rd January 2018. It was discovered that rsync incorrectly handled certain data input. An attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2017-16548) It was discovered that rsync incorrectly parsed certain arguments. An attacker could possibly use this to bypass arguments and execute arbitrary code.
• USN-3542-2: Linux kernel (Trusty HWE) vulnerabilities – 22nd January 2018. USN-3542-1 addressed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.
• USN-3541-2: Linux kernel (HWE) vulnerabilities – 22nd January 2018. USN-3541-1 addressed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks.
• USN-3542-1: Linux kernel vulnerabilities – 22nd January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory. This update provides mitigations for the i386 (CVE-2017-5753 only) and amd64 architectures.
• USN-3540-2: Linux kernel (Xenial HWE) vulnerabilities – 22nd January 2018. USN-3540-1 addressed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
• USN-3541-1: Linux kernel vulnerabilities – 22nd January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory. This update provides mitigations.
• USN-3540-1: Linux kernel vulnerabilities – 22nd January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory. This update provides mitigations.
• USN-3539-1: GIMP vulnerabilities – 22nd January 2018. It was discovered that GIMP incorrectly handled certain images. If a user were tricked into opening a specially crafted image, an attacker could possibly use this to execute arbitrary code.
• USN-3538-1: OpenSSH vulnerabilities – 22nd January 2018. Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
• USN-3537-1: MySQL vulnerabilities – 22nd January 2018. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.59 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, and Ubuntu 17.10 have been updated to MySQL 5.7.21.
• USN-3531-2: Intel Microcode regression – 22nd January 2018. USN-3531-1 updated Intel microcode to the 20180108 release. Regressions were discovered in the microcode updates which could cause system instability on certain hardware platforms. At the request of Intel, we have reverted to the previous packaged microcode version, the 20170707 release.
• USN-3535-2: Bind vulnerability – 17th January 2018. USN-3535-1 fixed a vulnerability in Bind. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Jayachandran Palanisamy discovered that the Bind resolver incorrectly handled fetch cleanup sequencing. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
• USN-3536-1: GNU C Library vulnerability – 17th January 2018. It was discovered that the GNU C library did not properly handle all of the possible return values from the kernel getcwd(2) syscall. A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain administrative privileges.
• USN-3534-1: GNU C Library vulnerabilities – 17th January 2018. It was discovered that the GNU C library did not properly handle all of the possible return values from the kernel getcwd(2) syscall. A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain administrative privileges. (CVE-2018-1000001) A memory leak was discovered in the _dl_init_paths()
• USN-3535-1: Bind vulnerability – 17th January 2018. Jayachandran Palanisamy discovered that the Bind resolver incorrectly handled fetch cleanup sequencing. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
• USN-3533-1: Transmission vulnerability – 16th January 2018. It was discovered that Transmission incorrectly handled certain POST requests to the RPC server and allowed DNS rebinding attack. An attacker could possibly use this issue to execute arbitrary code.
• USN-3532-1: GDK-PixBuf vulnerabilities – 15th January 2018. It was discoreved that GDK-PixBuf incorrectly handled certain gif images. An attacker could use this to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-1000422) Ariel Zelivansky discovered that GDK-PixBuf incorrectly handled certain images.
• USN-3531-1: Intel Microcode update – 11th January 2018. It was discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.
• USN-3530-1: WebKitGTK+ vulnerabilities – 11th January 2018. It was discovered that speculative execution performed by modern CPUs could leak information through a timing side-channel attack, and that this could be exploited in web browser JavaScript engines. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this.
• USN-3522-4: Linux kernel (Xenial HWE) regression – 10th January 2018. USN-3522-2 fixed a vulnerability in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS to address Meltdown (CVE-2017-5754). Unfortunately, that update introduced a regression where a few systems failed to boot successfully. This update fixes the problem. We apologize for the inconvenience.
• USN-3522-3: Linux kernel regression – 10th January 2018. USN-3522-1 fixed a vulnerability in the Linux kernel to address Meltdown (CVE-2017-5754). Unfortunately, that update introduced a regression where a few systems failed to boot successfully. This update fixes the problem. We apologize for the inconvenience.
• USN-3528-1: Ruby vulnerabilities – 10th January 2018. It was discovered that Ruby incorrectly handled certain terminal emulator escape sequences. An attacker could use this to execute arbitrary code via a crafted user name. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.
• USN-3527-1: Irssi vulnerabilities – 10th January 2018. Joseph Bisch discovered that Irssi incorrectly handled incomplete escape codes. If a user were tricked into using malformed commands or opening malformed files, an attacker could use this issue to cause Irssi to crash, resulting in a denial of service.
• USN-3523-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 10th January 2018. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
• USN-3523-2: Linux kernel (HWE) vulnerabilities – 10th January 2018. USN-3523-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks.
• USN-3526-1: SSSD vulnerability – 10th January 2018. It was discovered that SSSD incorrectly handled certain inputs when querying its local cache. An attacker could use this to inject arbitrary code and expose sensitive information.
• USN-3525-1: Linux kernel vulnerability – 10th January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.
• USN-3524-2: Linux kernel (Trusty HWE) vulnerability – 9th January 2018. USN-3524-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads.
• USN-3524-1: Linux kernel vulnerability – 9th January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.
• USN-3522-1: Linux kernel vulnerability – 9th January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.
• USN-3523-1: Linux kernel vulnerabilities – 9th January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.
• USN-3522-2: Linux (Xenial HWE) vulnerability – 9th January 2018. USN-3522-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads.
• USN-3521-1: NVIDIA graphics drivers vulnerability – 9th January 2018. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory. This update provides mitigations to address the issue, along with compatibility fixes.
• USN-3520-1: PySAML2 vulnerability – 8th January 2018. It was discovered that PySAML2 incorrectly accepted any password when run with python optimizations enabled. An attacker could use this issue to authenticate as any user without a valid password.
• USN-3519-1: Tomcat vulnerabilities – 8th January 2018. It was discovered that Tomcat incorrectly handled certain pipelined requests when sendfile was used. A remote attacker could use this issue to obtain wrong responses possibly containing sensitive information. (CVE-2017-5647) It was discovered that Tomcat incorrectly used the appropriate facade object.
• USN-3518-1: AWStats vulnerability – 8th January 2018. It was discovered that AWStats incorrectly filtered certain parameters. A remote attacker could possibly use this issue to execute arbitrary code.
• USN-3517-1: poppler vulnerabilities – 8th January 2018. It was discovered that poppler incorrectly handled certain files. If a user or automated system were tricked into opening a crafted PDF file, an attacker could execute arbitrary. (CVE-2017-1000456) It was discovered that poppler incorrectly handled certain files.
• USN-3516-1: Firefox vulnerabilities – 5th January 2018. It was discovered that speculative execution performed by modern CPUs could leak information through a timing side-channel attack, and that this could be exploited in web browser JavaScript engines. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this.
• USN-3515-1: Ruby vulnerability – 4th January 2018. It was discovered that Ruby allows FTP command injection. An attacker could use this to cause arbitrary command execution.
• USN-3430-3: Dnsmasq regression – 4th January 2018. USN-3430-2 fixed several vulnerabilities. The update introduced a new regression that breaks DNS resolution. This update addresses the problem. We apologize for the inconvenience. Original advisory details: Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher discovered that Dnsmasq incorrectly handled DNS requests.
• USN-3480-3: Apport regression – 3rd January 2018. USN-3480-2 fixed regressions in Apport. The update introduced a new regression in the container support. This update addresses the problem. We apologize for the inconvenience. Original advisory details: Sander Bos discovered that Apport incorrectly handled core dumps for setuid binaries.
• USN-3514-1: WebKitGTK+ vulnerabilities – 3rd January 2018. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
• USN-3477-1 fixed vulnerabilities in Firefox. The update introduced a crash reporting issue where background tab crash reports were sent to Mozilla without user opt-in. This update fixes the problem.