Third Party Patch Roundup – January 2019

The first month of this new year is ending with an arctic blast in many parts of the United States. Here in Texas, it’s our usual winter: lows in the 30s, highs in the 50s and 60s. Some parts of the country, though, are almost completely shut down due to extreme temperatures way below the norm.

As I write this, some IT departments may be operating with skeleton crews, but with more people than usual working from home, the network has to stay up and running. And that means keeping systems patched and protected from attackers who, unfortunately, often do their dirty work from halfway around the world and don’t let a little cold weather deter them.

Apple security has been in the news, and not in a good way, as users learned that a bug in its FaceTime app was transmitting audio and even video to callers before the recipient answers the call. The company disabled the feature that enabled this scenario.

Meanwhile, the Department of Homeland Security (DHS) issued a “rare emergency directive” this month requiring that federal agencies audit the DNS security for their domains, after multiple agencies were targeted for DNS hijacking attacks.

Securonix warned of an increase in the number of multi-vector and multi-platform automated attacks against cloud infrastructure, many of which combine cryptomining, ransomware and botnet malware, while a study by the Singapore-based Cyber Risk Management (CyRiM) project reported that a major global ransomware attack could cost organizations an estimated $193 billion. Overall, most security experts seem to agree that the upward trend in data breaches and leaks – many of them accomplished by hackers exploiting software vulnerabilities – is likely to continue in 2019 and beyond.

Let’s take a look at some of the fixes released this month by the major software vendors.

Apple

Apple released new versions of its mobile, desktop, watch, and TV operating systems that contain vulnerability fixes, as well as a new version of the Safari web browser and both the iCloud and iTunes apps for Windows. These include:

  • iTunes 12.9.3 for Windows (Windows 7 and later), released on Jan 24.

The following were released on Jan 22nd:

  • iCloud for Windows 7.10 for Windows 7 and later
  • Safari 12.0.3 for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.3
  • watchOS 5.1.3 for Apple Watch Series 1 and later
  • tvOS 12.1.2 for Apple TV 4K and Apple TV (4th generation)
  • macOS Mojave 10.14.3, Security Update 2019-001 for High Sierra, for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.2
  • iOS 12.1.3 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

These updates include fixes for a wide variety of security issues in AppleKeyStore, Bluetooth, Core Media, CoreAnimation, IOKit, the kernel, WebKit, and other components. Many of these are remote code execution vulnerabilities.

They also include an update to FaceTime that addresses a buffer overflow issue through improved memory handling, preventing a remote attacker from initiating a FaceTime call that causes arbitrary code execution.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe has released updates to many of its software products this month, including the standard fixes for Flash Player, Reader and Acrobat. These include three updates issued on the regular Patch Tuesday date (January 8) and two more (both for Experience Manager) that were issued out of band on January 22nd. Only one of the updates, for Adobe Acrobat and Reader, addresses critical vulnerabilities.

  • APSB19-09 Security update available for Adobe Experience Manager – priority 2, fixes two cross-site scripting vulnerabilities.
  • APSB19-03 Security updates available for Adobe Experience Manager Forms – priority 2, fixes one cross-site scripting vulnerability.
  • APSB19-05 Security update available for Adobe Connect – priority 3, fixes an important session token exposure vulnerability.
  • APSB19-04 Security update available for Adobe Digital Editions – priority 3, fixes an important information disclosure vulnerability.
  • APSB19-01 Security updates available for Adobe Flash Player – priority 3, fixes performance bugs (despite its name, does not address any security vulnerabilities).
  • APSB19-02 Security updates available for Adobe Acrobat and Reader – priority 2, addresses two critical vulnerabilities: a use-after-free issue that can result in arbitrary code execution, and a security bypass that can be exploited to escalate privileges.

For more information, see the security bulletin summary at https://helpx.adobe.com/security.html

Google

On January 29th, Google released Chrome 72.0.3626.81, the latest version of Chrome 72 for Windows, Linux, and Mac, which fixes 58 security vulnerabilities. One was rated critical and 17 were rated high impact. The rest are considered medium or low severity. The vulnerabilities include use-after-free issues, insufficient policy enforcement, buffer overflow issues, inappropriate implementation, type confusion, and more.

For more information about this update and the vulnerabilities it addresses, see the Chrome Releases blog at https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html

On January 7th, the Android security bulletin detailing the past month’s vulnerability fixes was published to summarize the issues addressed by the patch level. Vulnerabilities were patched in Framework, System, Kernel components, NVIDIA components, and Qualcomm components. The most severe is a critical security vulnerability in System that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2018-11-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. This month Oracle released a Critical Patch Update that contains 284 security fixes across its product families.

Oracle customers can read more about this update in the executive summary on the Oracle Support site at https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html.

Mozilla

On January 29th, Mozilla released fixes for Thunderbird 60.5, Firefox ESR 60.5, and Firefox 65. The update for Firefox contains fixes for seven vulnerabilities, three of which are rated critical. These include:

  • A use-after-free vulnerability (CVE-2018-18500) that can occur while parsing an HTML5 stream in concert with custom HTML elements.
  • Memory safety bugs (CVE-2018-18501 and CVE-2018-18502) that could possibly be exploited to run arbitrary code.

The remaining four vulnerabilities include three of high severity and one of moderate severity.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories//mfsa2018-26/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. During the month of November, Ubuntu issued the following security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-3875-1: OpenJDK vulnerability. It was discovered that a memory disclosure issue existed in the OpenJDK Library subsystem. An attacker could use this to expose sensitive information and possibly bypass Java sandbox restrictions.
  • USN-3874-1: Firefox vulnerabilities. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, gain additional privileges by escaping the sandbox, or execute arbitrary code.
  • USN-3873-1: Open vSwitch vulnerabilities. It was discovered that Open vSwitch incorrectly decoded certain packets. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2018-17204) It was discovered that Open vSwitch incorrectly handled processing certain flows.
  • USN-3872-1: Linux kernel (HWE) vulnerabilities. It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information (host machine kernel memory).
  • USN-3871-1: Linux kernel vulnerabilities. Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3870-1: Spice vulnerability. Christophe Fergeau discovered that Spice incorrectly handled memory. A remote attacker could use this to cause Spice to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3868-1: Thunderbird vulnerabilities. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass same-origin restrictions, or execute arbitrary code.
  • USN-3869-1: Subversion vulnerability. Ivan Zhakov discovered that Subversion incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service.
  • USN-3867-1: MySQL vulnerabilities. Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10 have been updated to MySQL 5.7.25. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
  • USN-3866-1: Ghostscript vulnerability. Tavis Ormandy discovered that Ghostscript incorrectly handled certain PostScript files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files, execute arbitrary code, or cause a denial of service.
  • USN-3707-2: NTP vulnerabilities. USN-3707-1 and USN-3349-1 fixed several vulnerabilities in NTP. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed addresses when performing rate limiting. A remote attacker could possibly use this issue to perform a denial of service.
  • USN-3865-1: poppler vulnerabilities. It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3864-1: LibTIFF vulnerabilities. It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
  • USN-3863-2: APT vulnerability. USN-3863-1 fixed a vulnerability in APT. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Max Justicz discovered that APT incorrectly handled certain parameters during redirects.
  • USN-3863-1: APT vulnerability. Max Justicz discovered that APT incorrectly handled certain parameters during redirects. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages.
  • USN-3862-1: Irssi vulnerability. It was discovered that Irssi incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service or to execute arbitrary code.
  • USN-3861-2: PolicyKit vulnerability. USN-3861-1 fixed a vulnerability in PolicyKit. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions.
  • USN-3861-1: PolicyKit vulnerability. It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions.
  • USN-3860-2: libcaca vulnerabilities. USN-3860-1 fixed a vulnerability in libcaca. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service.
  • USN-3860-1: libcaca vulnerabilities. It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20544) It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3858-1: HAProxy vulnerabilities. It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this to expose sensitive information. (CVE-2018-20102) It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service.
  • USN-3857-1: PEAR vulnerability. Fariskhi Vidyan discovered that PEAR Archive_Tar incorrectly handled certain archive paths. A remote attacker could possibly use this issue to execute arbitrary code.
  • USN-3856-1: GNOME Bluetooth vulnerability. Chris Marchesi discovered that BlueZ incorrectly handled disabling Bluetooth visibility. A remote attacker could possibly pair to devices, contrary to expectations. This update adds a workaround to GNOME Bluetooth to fix the issue.
  • USN-3855-1: systemd vulnerabilities. It was discovered that systemd-journald allocated variable-length buffers for certain message fields on the stack. A local attacker could potentially exploit this to cause a denial of service, or execute arbitrary code.
  • USN-3854-1: WebKitGTK+ vulnerabilities. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
  • USN-3853-1: GnuPG vulnerability. Ben Fuhrmannek discovered that GnuPG incorrectly handled Web Key Directory lookups. A remote attacker could possibly use this issue to cause a denial of service, or perform Cross-Site Request Forgery attacks.
  • USN-3852-1: Exiv2 vulnerabilities. It was discovered that Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3851-1: Django vulnerability. It was discovered that Django incorrectly handled the default 404 page. A remote attacker could use this issue to spoof content using a malicious URL.
  • USN-3850-1: NSS vulnerabilities. Keegan Ryan discovered that NSS incorrectly handled ECDSA key generation. A local attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. It was discovered that NSS incorrectly handled certain v2-compatible ClientHello messages.