July: for those of us who live in the U.S., it conjures up images of red, white and blue banners, Independence Day parades and outdoor barbeque cookouts. The month was, of course, named after Julius Caesar, and in the northern hemisphere it’s usually one of the hottest months of the year. July is also designated, at least in the United States, as National Ice Cream Month, which makes sense as a way to relieve some of that summer heat.
I’m sure at least a few of the admins who are reading this would prefer to be floating in the pool and enjoying a tall cold drink, instead of stuck inside scrambling to make sure all of the software is up to date. Unfortunately, hackers don’t all lay down their keyboards for summer vacation, and the vulnerabilities – and patches to fix them – just keep on coming.
This month is no exception. With a hefty number of vulnerability fixes included in the latest versions of Apple’s software, more updates than usual from Adobe and the usual dozens of vulnerabilities patched by Linux vendors, there was no rest for the weary.
Apple
Last month, Apple waited until the very end of the month to release iOS 8.4 and OS X 10.10.4, so they missed the publication of our June Roundup. So far this month (as of July 29) there have been no further security updates. Let’s take a quick look at those June 30 releases, which contain fixes for a ton of vulnerabilities:
- iOS 8.4 addresses 33 vulnerabilities in the App Store, Certificate Trust Policy, CFNetwork HTTP Authentication, CoreGraphics, CoreText, coreTLS, DiskImages, FontParser, ImageIO, Mail, MobileInstallation, the Security framework code, SQLite, Telephony, WebKit, Wi-Fi connectivity, Safari and the OS kernel. Impacts range from preventing the launching of apps to interception of network traffic to arbitrary code execution by which an attacker could take over the system.
- OS X 10.10.4 (Yosemite) and Security Update 2015-005 address a whopping 76 vulnerabilities in the Admin Framework, the AFP server, Apache, AppleGraphicsControl, Apple FS Compression, Apple Thunderbolt EDM Service, ATS (Apple Type Services) font handling, Bluetooth, Certificate Trust Policy, CFNetwork HTTP Authentication, CoreText, coreTLS, DiskImages, Display Drivers, EFI flash memory handling, Font Parser, the Nvidia graphics driver, the Intel graphics driver, ImageIO, Install Framework Legacy, IOAcceleratorFamily, the FireWire driver, kext tools, Mail, NTFS, the authentication of NTP packets, OpenSSL, QuickTime, the Security Framework code, Spotlight, SQLite, System Stats, the TrueType scaler, handling of ZIP files, and the OS kernel. Many of these are memory corruption issues. Impacts range from unexpected application termination to arbitrary code execution by which an attacker could take over the system. The security content of Safari 8.0.7 is also included in OS X 10.10.4.
- Safari 8.0.7, 7.1.7 and 6.2.7 (for Yosemite, Mavericks and Mountain Lion) address an additional four vulnerabilities in WebKit itself, WebKit page loading, WebKit PDF and WebKit Storage, which include an issue in authorization checks for renaming WebSQL tables, an issue relating to preservation of the Origin request header for cross-origin redirects, an issue with PDF-embedded links that could execute JavaScript in a hosting web page’s context, and an insufficient comparison issue in the SQLite authorizer that could allow invocation of arbitrary SQL functions. Impacts range from cookie theft to unexpected application termination to arbitrary code execution by which an attacker could take control of the system.
- Mac EFI Security Update 2015-001 for OS X Mountain Lion and Mavericks addresses two vulnerabilities: an insufficient locking issue with EFI flash memory that could allow an attacker to modify the memory, and a disturbance error known as Rowhammer that could lead to memory corruption with some DDR3 RAM.
- iTunes 12.2 addresses 39 vulnerabilities in Apple’s iTunes application for Windows 7 and 8 that stem from multiple memory corruption issues that could allow for impact ranging from unexpected application termination to arbitrary execution of code.
- QuickTime 7.7.7 addresses nine vulnerabilities in Apple’s QuickTime Media Foundation running on Windows Vista and Windows 7 that stem from multiple memory corruption issues that could allow for impact ranging from unexpected application termination to arbitrary execution of code.
For more information about these updates, see Apple’s web site at https://support.apple.com/en-us/HT201222
Adobe
Adobe usually releases a couple of updates per month. This time, they came out with two advisories and four updates, two for Flash Player, one for Shockwave and one for Acrobat/Reader.
- On July 7, ahead of the usual Patch Tuesday release, a security advisory (APSA15-03) for Flash Player was issued in response to the Hacking Team zero day critical vulnerability that I wrote about here. This is a critical vulnerability and there were reports that it was already being exploited in the wild. Adobe recommended upgrading Flash Player to the latest version.
- On July 8, Adobe released an update, APSB15-16, for Flash Player running on Windows, Macintosh and Linux. It addresses 37 vulnerabilities, including buffer overflows, memory corruption issues, security bypass, use-after-free, type confusion, null pointer dereference issues and same-origin-policy bypass, and also adds memory address randomization of the Flash heap as a mitigation. The most serious of these could allow for arbitrary execution of code by which an attacker could take control of the system, so the update is rated critical, with a priority rating of 1 for Windows and Macintosh systems and a priority rating of 3 for most Linux systems.
- On July 8, Adobe released an update, APSB15-15, for Acrobat and Reader that addresses 46 vulnerabilities, including buffer overflows, memory corruption issues, security bypass, use-after-free vulnerabilities and more. The most serious of these could allow for arbitrary execution of code by which an attacker could take control of the system, so the update is rated critical, with a priority rating of 2 for Windows and Macintosh systems. Linux systems are not affected.
- On July 10, Adobe issued another security advisory (APSA15-04) for Flash Player, this time in response to reports of exploits in the wild of two critical vulnerabilities that affect Windows, Mac and Linux systems and could allow an attacker to take control of the system if exploited. Adobe recommended that users update their Flash Players to the latest version.
- On July 14, Adobe’s usual monthly patch release day, they released APSB15-18, an update for the two critical vulnerabilities that included a use-after-free vulnerability and a memory corruption vulnerability. This update has a priority rating of 1 for all Flash Players on Windows and Mac and for Flash Player for Chrome on Linux.
- Also on July 14, Adobe issued a security update for Shockwave Player (APSB15-17), for two critical memory corruption vulnerabilities in Windows and Macintosh that could allow an attacker to take control of the system. It has a priority rating of 1 for all affected systems.
For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html
Google
The most recent version of Google Chrome with the latest security updates, released on July 28, is stable channel update 44.0.2403.125 for Windows, Mac and Linux.
For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com/
Oracle
Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. On July 14, Oracle released a critical patch update that addresses 193 security vulnerabilities across multiple Oracle products, including Fusion middleware, Enterprise Manager, Oracle Supply Chain products, PeopleSoft, Siebel apps, Oracle Commerce, Communications, Java SE, Oracle and Sun Systems Product Suite, Oracle Linux and Virtualization, Oracle MySQL and Berkeley DB.
For more information about Oracle security updates and a list of previously released patches, see http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Mozilla
On July 2, Mozilla released Firefox 39.0 to release channel users. It includes 13 security fixes: four for critical vulnerabilities, two of high severity and six of moderate severity, plus one of low severity. The critical vulnerabilities include vulnerabilities found through code inspection, use-after-free issues, and miscellaneous memory safety hazards.
The two high severity fixes include patches for privilege escalation and type confusion vulnerabilities. The six moderate severity patches fix two NSS-related vulnerabilities, a key pinning problem, incorrect handling of some signatures by ECDSA signature validation, an out-of-bounds read vulnerability, and an issue with local files or privileged URLs in pages that can be opened into new tabs. The low severity fix pertains to OS X crash reports that may contain entered key press information.
For more information about these fixes, see the Mozilla Security Advisories web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox39
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Ubuntu has issued 38 security advisories, many of which address multiple vulnerabilities. Other commercial Linux vendors issued similar advisories.
USN-2695-1: HTML Tidy vulnerabilities – July 29
Fernando Muñoz discovered that HTML Tidy incorrectly handled memory. If a user or automated system were tricked into processing specially crafted data, applications linked against HTML Tidy could be made to crash, leading to a denial of service, or possibly execute arbitrary code.
USN-2694-1: PCRE vulnerabilities – July 29
Michele Spagnuolo discovered that PCRE incorrectly handled certain regular expressions. A remote attacker could use this issue to cause applications using PCRE to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
USN-2693-1: Bind vulnerabilities – July 28
Jonathan Foote discovered that Bind incorrectly handled certain TKEY queries. A remote attacker could use this issue with a specially crafted packet to cause Bind to crash, resulting in a denial of service. (CVE-2015-5477) Pories Ediansyah discovered that Bind incorrectly handled certain configurations involving DNS64.
USN-2692-1: QEMU vulnerabilities – July 28
Matt Tait discovered that QEMU incorrectly handled PIT emulation. In a non-default configuration, a malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation.
USN-2691-1: Linux kernel vulnerabilities – July 28
Andy Lutomirski discovered a flaw in the Linux kernel’s handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges.
USN-2690-1: Linux kernel (Vivid HWE) vulnerabilities – July 28
Andy Lutomirski discovered a flaw in the Linux kernel’s handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges.
USN-2689-1: Linux kernel (Utopic HWE) vulnerabilities – July 28
Andy Lutomirski discovered a flaw in the Linux kernel’s handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges.
USN-2688-1: Linux kernel vulnerabilities – July 28
Andy Lutomirski discovered a flaw in the Linux kernel’s handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges.
USN-2687-1: Linux kernel (Trusty HWE) vulnerabilities – July 28
Andy Lutomirski discovered a flaw in the Linux kernel’s handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-3290)
USN-2686-1: Apache HTTP Server vulnerabilities – July 27
It was discovered that the Apache HTTP Server incorrectly parsed chunk headers. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that the Apache HTTP Server incorrectly handled the ap_some_auth_required API.
USN-2684-1: Linux kernel vulnerabilities – July 23
A flaw was discovered in the kvm (kernel virtual machine) subsystem’s kvm_apic_has_events function. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692) Daniel Borkmann reported a kernel crash in the Linux kernel’s BPF filter JIT optimization.
USN-2683-1: Linux kernel (Vivid HWE) vulnerabilities – July 23
A flaw was discovered in the kvm (kernel virtual machine) subsystem’s kvm_apic_has_events function. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692) Daniel Borkmann reported a kernel crash in the Linux kernel’s BPF filter JIT optimization.
USN-2682-1: Linux kernel (Utopic HWE) vulnerabilities – July 23
A flaw was discovered in the kvm (kernel virtual machine) subsystem’s kvm_apic_has_events function. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692) A flaw was discovered in how the Linux kernel handles invalid UDP checksums.
USN-2681-1: Linux kernel vulnerabilities – July 23
A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-1805)
USN-2680-1: Linux kernel (Trusty HWE) vulnerabilities – July 23
A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-1805) A flaw was discovered in the kvm (kernel virtual machine).
USN-2679-1: Linux kernel (OMAP4) vulnerabilities – July 23
A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-1805)
USN-2678-1: Linux kernel vulnerabilities – July 23
A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges.
USN-2676-1: NBD vulnerabilities – July 22
It was discovered that NBD incorrectly handled IP address matching. A remote attacker could use this issue with an IP address that has a partial match and bypass access restrictions. This issue only affected Ubuntu 12.04 LTS.
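An access list that compares only the leading characters of an address lets any client whose address starts with an authorized entry through: an entry of 10.0.0.1 also admits 10.0.0.10 through 10.0.0.19 and 10.0.0.100. The example below, added here in Python and not taken from nbd-server, reproduces that bug class beside a matcher that parses both sides with the standard library's ipaddress module and tests network membership instead. The access list is constructed for the example.

```python
import ipaddress
from typing import Iterable

# Constructed access list (not a real nbd-server authfile): bare addresses and
# CIDR networks, IPv4 and IPv6.
AUTHORIZED = ["10.0.0.1", "192.168.1.0/24", "2001:db8::10"]


def permissive_match(client_ip: str, allowed: Iterable[str]) -> bool:
    """The bug class described in the advisory, reproduced for illustration.

    Comparing only the first len(entry) characters means a client whose address
    merely begins with an authorized entry is accepted.
    """
    return any(client_ip[: len(entry)] == entry for entry in allowed)


def strict_match(client_ip: str, allowed: Iterable[str]) -> bool:
    """Parse the client address and every entry; grant access only on membership.

    Anything that does not parse grants nothing (fail closed), and the address
    family must agree so an IPv4 client never matches an IPv6 network.
    """
    try:
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for entry in allowed:
        try:
            # strict=False tolerates host bits in an entry like 10.0.0.1/24;
            # a bare address becomes a /32 or /128 network
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # unparsable entry: skip it rather than guess
        if client.version == network.version and client in network:
            return True
    return False


def compare_matchers(client_ip: str, allowed: Iterable[str]) -> dict:
    """Run both matchers on one client address so the divergence is visible."""
    allowed = list(allowed)
    return {
        "client": client_ip,
        "permissive": permissive_match(client_ip, allowed),
        "strict": strict_match(client_ip, allowed),
    }


if __name__ == "__main__":
    for ip in ["10.0.0.1", "10.0.0.12", "192.168.1.77", "2001:db8::100", "not-an-ip"]:
        print(compare_matchers(ip, AUTHORIZED))
```

Exact-string comparison would also fix the bare-address case, but parsing is what makes the entries mean what an administrator expects when CIDR ranges, leading zeros or IPv6 abbreviations appear in the list.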
USN-2675-1: LXC vulnerabilities – July 22
Roman Fiedler discovered that LXC had a directory traversal flaw when creating lock files. A local attacker could exploit this flaw to create an arbitrary file as the root user. (CVE-2015-1331) Roman Fiedler discovered that LXC incorrectly trusted the container’s proc filesystem to set up AppArmor profile changes and SELinux.
USN-2674-1: MySQL vulnerabilities – July 21
Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.44 in Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10. Ubuntu 15.04 has been updated to MySQL 5.6.25.
USN-2673-1: Thunderbird vulnerabilities – July 20
Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property.
USN-2656-2: Firefox vulnerabilities – July 15
USN-2656-1 fixed vulnerabilities in Firefox for Ubuntu 14.04 LTS and later releases. This update provides the corresponding update for Ubuntu 12.04 LTS. Original advisory details: Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack.
USN-2656-1: Firefox vulnerabilities – July 9
Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. (CVE-2015-2721) Looben Yan discovered two use-after-free issues when using XMLHttpRequest.
USN-2672-1: NSS vulnerabilities – July 9
Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property.
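The NSS flaw cited in the Thunderbird, Firefox and NSS advisories above is a state-machine problem: a client that accepts ServerHelloDone without first having seen a ServerKeyExchange, even though the negotiated suite is ephemeral (EC)DHE, can be steered into using the server's long-term RSA key for key transport, which is exactly the property forward secrecy is meant to avoid. The following is an added example in Python, written for this roundup rather than taken from NSS, of a deliberately simplified checker for the server's first handshake flight (RFC 5246 section 7.3). It models only RSA, DHE and ECDHE suites and only the message names, and it shows a lenient order-only check beside one that also enforces which messages the key exchange requires.

```python
from enum import Enum, auto
from typing import Iterable


class Kx(Enum):
    """Key exchange families modelled by this example (a deliberate subset)."""
    RSA = auto()    # key transport under the certificate key: no ServerKeyExchange
    DHE = auto()    # ephemeral DH share carried in ServerKeyExchange
    ECDHE = auto()  # ephemeral ECDH share carried in ServerKeyExchange


# Ephemeral suites must send ServerKeyExchange; RSA key transport must not.
REQUIRES_SKE = {Kx.DHE, Kx.ECDHE}

# Server flight order from RFC 5246 section 7.3; bracketed messages are optional:
#   ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone
ORDER = ["ServerHello", "Certificate", "ServerKeyExchange",
         "CertificateRequest", "ServerHelloDone"]


class HandshakeError(Exception):
    """The server flight violated the expected state machine."""


def key_exchange_of(suite: str) -> Kx:
    """Derive the key exchange from an IANA-style suite name such as
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (example parser, not a full registry)."""
    parts = suite.split("_")
    if len(parts) < 3 or parts[0] != "TLS":
        raise ValueError(f"not a TLS suite name: {suite}")
    kx = {"RSA": Kx.RSA, "DHE": Kx.DHE, "ECDHE": Kx.ECDHE}.get(parts[1])
    if kx is None:
        raise ValueError(f"unsupported key exchange in {suite}")
    return kx


def check_order(messages: Iterable[str]) -> set:
    """Accept only known messages in strictly increasing ORDER; return those seen."""
    seen = set()
    last = -1
    for msg in messages:
        if msg not in ORDER:
            raise HandshakeError(f"unexpected handshake message {msg}")
        idx = ORDER.index(msg)
        if idx <= last:
            raise HandshakeError(f"{msg} out of order or repeated")
        last = idx
        seen.add(msg)
    if "ServerHello" not in seen or "ServerHelloDone" not in seen:
        raise HandshakeError("flight must run from ServerHello to ServerHelloDone")
    return seen


def lenient_flight_accepts(kx: Kx, messages: Iterable[str]) -> bool:
    """Order-only validation: the shape of check that lets a dropped
    ServerKeyExchange pass, because it never asks what kx requires."""
    try:
        check_order(messages)
    except HandshakeError:
        return False
    return True


def validate_server_flight(kx: Kx, messages: Iterable[str]) -> None:
    """Order validation plus the per-key-exchange presence rules."""
    seen = check_order(messages)
    if "Certificate" not in seen:
        raise HandshakeError("Certificate required for the modelled suites")
    if kx in REQUIRES_SKE and "ServerKeyExchange" not in seen:
        # The missing check: without it a MITM can drop the ephemeral share.
        raise HandshakeError("ServerKeyExchange required for ephemeral key exchange")
    if kx not in REQUIRES_SKE and "ServerKeyExchange" in seen:
        raise HandshakeError("ServerKeyExchange not permitted for RSA key transport")


def flight_is_valid(kx: Kx, messages: Iterable[str]) -> bool:
    """Boolean wrapper around validate_server_flight()."""
    try:
        validate_server_flight(kx, list(messages))
    except HandshakeError:
        return False
    return True
```

Real implementations carry far more state (renegotiation, session resumption, TLS 1.3's different flight structure), but the defensive rule is the same: every transition must be checked against what the negotiated parameters require, not merely against the previous message.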
USN-2671-1: Django vulnerabilities – July 9
Eric Peterson and Lin Hua Cheng discovered that Django incorrectly handled session records. A remote attacker could use this issue to cause a denial of service. (CVE-2015-5143) Sjoerd Job Postmus discovered that Django incorrectly handled newline characters when performing validation.
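A validator that lets a trailing newline through is a common root cause for this class of bug, and the one Django's release notes gave for its fix: in Python regular expressions `$` matches not only at the end of the string but also just before a final `\n`, whereas `\Z` matches only at the true end. The example below is added here in Python for illustration and is not Django's validator code; the slug character class is a constructed stand-in. It shows the lenient and strict anchors side by side, a defence-in-depth check at the point where the value is consumed, and a small heuristic for auditing existing patterns.

```python
import re

# Constructed example character class for a URL slug (not Django's regex).
SLUG = r"[-a-zA-Z0-9_]+"

# '$' is satisfied immediately before a trailing '\n', so "hello\n" passes.
lenient_slug = re.compile(r"^" + SLUG + r"$")

# '\A' and '\Z' anchor to the real start and end of the string, nothing else.
strict_slug = re.compile(r"\A" + SLUG + r"\Z")


def is_valid_slug_lenient(value: str) -> bool:
    """The bug class: a trailing newline survives validation."""
    return lenient_slug.match(value) is not None


def is_valid_slug(value: str) -> bool:
    """Strict form: the whole string, and only the string, must match."""
    return strict_slug.match(value) is not None


def build_header(name: str, value: str) -> str:
    """Stand-in for code that emits a validated value as a header line.

    Even with a fixed validator, the consumer should refuse CR/LF so a value
    that reached it by another path cannot start a new header or split the
    message.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return f"{name}: {value}"


def pattern_ends_with_dollar(pattern: str) -> bool:
    """Heuristic audit: flag patterns anchored with a bare '$' at the end.

    A '$' preceded by a backslash is a literal dollar sign and is not flagged;
    this is a lint aid, not a parser, and may miss unusual escapes.
    """
    return pattern.endswith("$") and not pattern.endswith("\\$")


def header_from_slug(name: str, value: str) -> str:
    """Validate strictly, then emit; raises ValueError on any rejected value."""
    if not is_valid_slug(value):
        raise ValueError("invalid slug")
    return build_header(name, value)
```

`re.fullmatch(SLUG, value)` is an equivalent strict form and avoids the anchor question entirely; whichever is used, the point is that the validator and the code that trusts its result must agree about what "the whole value" means.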
USN-2670-1: libwmf vulnerabilities – July 8
Fernando Muñoz and Stefan Cornelius discovered that libwmf incorrectly handled certain malformed images. If a user or automated system were tricked into opening a crafted image file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program.
USN-2669-1: Bind vulnerability – July 7
Breno Silveira Soares discovered that Bind incorrectly handled certain zone data when configured to perform DNSSEC validation. A remote attacker could use this issue with specially crafted zone data to cause Bind to crash, resulting in a denial of service.
USN-2668-1: HAProxy vulnerability – July 7
It was discovered that HAProxy incorrectly handled certain buffers. A remote attacker could possibly use this issue to obtain sensitive information belonging to previous requests.
USN-2667-1: Linux kernel vulnerabilities – July 7
A race condition was discovered in the Linux kernel’s file_handle size verification. A local user could exploit this flaw to read potentially sensitive memory locations. (CVE-2015-1420) An underflow error was discovered in the Linux kernel’s Ozmo Devices USB over WiFi host controller driver.
USN-2666-1: Linux kernel vulnerabilities – July 7
A race condition was discovered in the Linux kernel’s file_handle size verification. A local user could exploit this flaw to read potentially sensitive memory locations. (CVE-2015-1420) An underflow error was discovered in the Linux kernel’s Ozmo Devices USB over WiFi host controller driver.
USN-2665-1: Linux kernel (Vivid HWE) vulnerabilities – July 7
A race condition was discovered in the Linux kernel’s file_handle size verification. A local user could exploit this flaw to read potentially sensitive memory locations. (CVE-2015-1420) An underflow error was discovered in the Linux kernel’s Ozmo Devices USB over WiFi host controller driver.
USN-2664-1: Linux kernel (Utopic HWE) vulnerabilities – July 7
A race condition was discovered in the Linux kernel’s file_handle size verification. A local user could exploit this flaw to read potentially sensitive memory locations. (CVE-2015-1420) An underflow error was discovered in the Linux kernel’s Ozmo Devices USB over WiFi host controller driver.
USN-2663-1: Linux kernel vulnerabilities – July 7
Alexandre Oliva reported a race condition flaw in the btrfs file system’s handling of extended attributes (xattrs). A local attacker could exploit this flaw to bypass ACLs and potentially escalate privileges. (CVE-2014-9710) A race condition was discovered in the Linux kernel’s file_handle size verification.
USN-2662-1: Linux kernel (Trusty HWE) vulnerabilities – July 7
Alexandre Oliva reported a race condition flaw in the btrfs file system’s handling of extended attributes (xattrs). A local attacker could exploit this flaw to bypass ACLs and potentially escalate privileges. (CVE-2014-9710) A race condition was discovered in the Linux kernel’s file_handle size verification.
USN-2661-1: Linux kernel (OMAP4) vulnerability – July 7
A race condition was discovered in the Linux kernel’s file_handle size verification. A local user could exploit this flaw to read potentially sensitive memory locations.
USN-2660-1: Linux kernel vulnerability – July 7
A race condition was discovered in the Linux kernel’s file_handle size verification. A local user could exploit this flaw to read potentially sensitive memory locations.
USN-2658-1: PHP vulnerabilities – July 6
Neal Poole and Tomas Hoger discovered that PHP incorrectly handled NULL bytes in file paths. A remote attacker could possibly use this issue to bypass intended restrictions and create or obtain access to sensitive files.
USN-2659-1: cups-filters vulnerabilities – July 6
Petr Sklenar discovered that the cups-filters texttopdf filter incorrectly handled line sizes. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code as the lp user.