3rd Party Patch Roundup

July, in my part of the world, is a month that’s sometimes a little too hot to handle. Software vendors are certainly feeling the heat as security researchers discover more vulnerabilities that need to be fixed before hackers and attackers – who never seem to take a summer vacation – can start exploiting them in the wild.

This month we have a fairly heavy patch load from third party vendors, especially Apple. This was also the month for Oracle’s quarterly update, so those admins who have a number of different platforms running on and connecting to their networks have been kept busy – right at the time when most of us are most inclined to take time off to kick back and enjoy the beach before summer slips away again.

Unfortunately, an IT pro’s work is never done, but thank goodness there are companies like GFI that focus on offering products and services that make patch management a little easier. Now let’s take a look at the details of some of this month’s patches from major third party security vendors.

Apple

Apple seems to be following a one on/one off schedule, with no security updates issued in April, then seven large updates in May, none in June, and now – not unexpectedly – a heavy slate of patches in July.

Apple issued eight updates this month, all of them released on July 19th. These include new versions of their desktop, mobile, wearable device and TV operating systems, their web browser, their Boot Camp multi-boot utility, and the iCloud and iTunes applications for Windows. A large number of these vulnerabilities are in the WebKit component of each operating system or application.

    • macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite. This update to supported desktop operating systems for Mac includes security fixes for 37 vulnerabilities that include memory corruption, buffer overflow, validation issues, and more. The most serious could potentially be exploited to accomplish arbitrary code execution.
    • iOS 10.3.3. This update to Apple’s mobile operating system includes security fixes for 47 vulnerabilities that include memory corruption, memory initialization, a logic issue, a state management issue, an inconsistent user interface issue, a lock screen issue, out-of-bounds read issues, a resource exhaustion issue, buffer overflow, and more. The most serious could potentially be exploited to accomplish arbitrary code execution.
    • watchOS 3.2.3. This update to Apple’s wearable device operating system includes security fixes for 16 vulnerabilities that include memory corruption, buffer overflow, out-of-bounds read, and validation issues. The most serious could potentially be exploited to accomplish arbitrary code execution.
    • tvOS 10.2.2. This update to Apple’s TV operating system includes security fixes for 38 vulnerabilities that include memory corruption, logic issues, cross-origin, buffer overflow, out-of-bounds read, and validation issues. The most serious could potentially be exploited to accomplish arbitrary code execution.
    • Safari 10.1.2. This update to Apple’s web browser includes security fixes for 25 vulnerabilities that include memory corruption, memory initialization, logic issues, state management, cross-origin, and print dialog issues. The most serious could potentially be exploited to accomplish arbitrary code execution.
    • iCloud for Windows 6.2.2. This update to Apple’s cloud application for Windows 7 and above includes security fixes for 22 vulnerabilities that include memory corruption, memory initialization, and out-of-bounds read issues. The most serious could potentially be exploited to accomplish arbitrary code execution.
    • iTunes 12.6.2 for Windows. This update to Apple’s music and media download and management application for Windows 7 and above includes security fixes for 38 vulnerabilities that include memory corruption, logic issues, cross-origin, buffer overflow, out-of-bounds read, and validation issues. The most serious could potentially be exploited to accomplish arbitrary code execution.
    • Wi-Fi Update for Boot Camp 6.1. This update to Apple’s Boot Camp software includes a security fix for a memory corruption vulnerability that could potentially be exploited to accomplish arbitrary code execution on the Wi-Fi chip.

For more information about the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe came out with only two new security bulletins this month, providing updates for Adobe Flash Player and Adobe Connect. Both were originally issued on Adobe’s traditional Patch Tuesday and one was updated later in the month.

On July 11 (Patch Tuesday), Adobe issued the following:

  • APSB17-21 is an update for Flash Player running on Windows, Linux, Mac and Chrome OS. It addresses a critical memory corruption issue that could be exploited to accomplish remote code execution along with an important security bypass issue. It is rated critical and assigned priority level 1 for all platforms except the Flash Player Desktop Runtime for Linux, which has priority rating 3.
  • APSB17-22 is an update for Adobe Connect running on Windows. This update resolves two input validation vulnerabilities that could be used in reflected and stored cross-site scripting attacks, and a mitigation to protect users from UI redressing (or clickjacking) attacks. The vulnerabilities are categorized as important and moderate, and the update has a priority rating of 3.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

The Google Chrome web browser stable channel update for Windows, Mac and Linux was announced on July 25 and contains 40 security fixes, which include use-after-free, UI spoofing, type confusion, out-of-bounds writes and reads, user information leak, uninitialized use, pointer disclosure, and URL spoofing.

For more information, see the Google Chrome Releases blog at https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html

Android security bulletins for July were published by Google on July 1. Patches were issued addressing vulnerabilities in Runtime, Framework, Libraries, Media Framework, and system UI, as well as Kernel, Broadcom, HTC, MediaTek, NVIDIA, Qualcomm, and other components. The most severe could potentially be exploited to accomplish arbitrary code execution.

For more information, see the bulletin at https://source.android.com/security/bulletin/2017-07-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. This month’s patches were released on July 17th and include 308 new security fixes across the Oracle product families: Oracle Database, Fusion Middleware, PeopleSoft, Java SE, Oracle and Sun Systems products suite, Oracle Linux and Virtualization, Oracle MySQL and many more.

For more detailed information, see the Oracle Critical Patch Update Advisory for July 2017 at http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Mozilla

Mozilla released Firefox 54 with 24 security fixes in June, and Firefox 55 will ship on August 8. For more information, see https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (July 31), Ubuntu has issued 43 security advisories, which is about average and less than last month, which saw 50 updates. Many of them address multiple vulnerabilities and in some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-3374-1: RabbitMQ vulnerability – 31st July 2017. It was discovered that RabbitMQ incorrectly handled MQTT (MQ Telemetry Transport) authentication. A remote attacker could use this issue to authenticate successfully with an existing username by omitting the password.
  • USN-3363-2: ImageMagick regression – 31st July 2017. USN-3363-1 fixed vulnerabilities in ImageMagick. The update caused a regression for certain users when processing images. The problematic patch has been reverted pending further investigation. We apologize for the inconvenience. Original advisory details: It was discovered that ImageMagick incorrectly handled certain malformed image files.
  • USN-3373-1: Apache HTTP Server vulnerabilities – 31st July 2017. Emmanuel Dreyfus discovered that third-party modules using the ap_get_basic_auth_pw() function outside of the authentication phase may lead to authentication requirements being bypassed. This update adds a new ap_get_basic_auth_components() function for use by third-party modules.
  • USN-3372-1: NSS vulnerability – 31st July 2017. It was discovered that NSS incorrectly handled certain empty SSLv2 messages. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. (CVE-2017-7502) Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks.
  • USN-3371-1: Linux kernel (HWE) kernel vulnerabilities – 28th July 2017. It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900) Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel.
  • USN-3370-1: Apache HTTP Server vulnerability – 27th July 2017. Robert Święcki discovered that the Apache HTTP Server mod_auth_digest module incorrectly cleared values when processing certain requests. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly obtain sensitive information.
  • USN-3369-1: FreeRADIUS vulnerabilities – 27th July 2017. Guido Vranken discovered that FreeRADIUS incorrectly handled memory when decoding packets. A remote attacker could use this issue to cause FreeRADIUS to crash or hang, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3366-1: OpenJDK 8 vulnerabilities – 26th July 2017. It was discovered that the JPEGImageReader class in OpenJDK would incorrectly read unused image data. An attacker could use this to specially construct a jpeg image file that when opened by a Java application would cause a denial of service.
  • USN-3368-1: libiberty vulnerabilities – 26th July 2017. It was discovered that libiberty incorrectly handled certain string operations. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause libiberty to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3367-1: gdb vulnerabilities – 26th July 2017. Hanno Böck discovered that gdb incorrectly handled certain malformed AOUT headers in PE executables. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause gdb to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3364-3: Linux kernel (AWS, GKE) vulnerabilities – 25th July 2017. It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900) It was discovered that the Linux kernel did not properly restrict access to /proc/iomem.
  • USN-3365-1: Ruby vulnerabilities – 25th July 2017. It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147) Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching.
  • USN-3364-2: Linux kernel (Xenial HWE) vulnerabilities – 24th July 2017. USN-3364-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure.
  • USN-3364-1: Linux kernel vulnerabilities – 24th July 2017. It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900) It was discovered that the Linux kernel did not properly restrict access to /proc/iomem.
  • USN-3357-2: MySQL vulnerabilities – 24th July 2017. USN-3357-1 fixed several vulnerabilities in MySQL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.57 in Ubuntu 12.04 ESM.
  • USN-3353-4: Samba vulnerability – 24th July 2017. USN-3353-1 fixed a vulnerability in Heimdal. This update provides the corresponding update for Samba. Original advisory details: Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams discovered that Samba clients incorrectly trusted unauthenticated portions of Kerberos tickets. A remote attacker could use this to impersonate trusted network services or perform other attacks.
  • USN-3363-1: ImageMagick vulnerabilities – 24th July 2017. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user.
  • USN-3362-1: X.Org X server vulnerabilities – 24th July 2017. It was discovered that the X.Org X server incorrectly handled endianness conversion of certain X events. An attacker able to connect to an X server, either locally or remotely, could use this issue to crash the server, or possibly execute arbitrary code as an administrator.
  • USN-3353-3: Heimdal vulnerability – 24th July 2017. USN-3353-1 fixed a vulnerability in Heimdal. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams discovered that Heimdal clients incorrectly trusted unauthenticated portions of Kerberos tickets. A remote attacker could use this to impersonate trusted network services.
  • USN-3360-2: Linux kernel (Trusty HWE) vulnerabilities – 21st July 2017. USN-3360-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure.
  • USN-3361-1: Linux kernel (HWE) vulnerabilities – 21st July 2017. USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.
  • USN-3360-1: Linux kernel vulnerabilities – 21st July 2017. It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900) It was discovered that the Linux kernel did not properly restrict access to /proc/iomem.
  • USN-3359-1: Linux kernel vulnerabilities – 20th July 2017. It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory).
  • USN-3358-1: Linux kernel vulnerabilities – 20th July 2017. It was discovered that the Linux kernel did not properly initialize a Wake-on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900) Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel.
  • USN-3357-1: MySQL vulnerabilities – 20th July 2017. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.57 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and Ubuntu 17.04 have been updated to MySQL 5.7.19.
  • USN-3356-2: Expat vulnerability – 19th July 2017. USN-3356-1 fixed a vulnerability in Expat. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Expat incorrectly handled certain external entities. A remote attacker could possibly use this issue to cause Expat to hang, resulting in a denial of service.
  • USN-3356-1: Expat vulnerability – 19th July 2017. It was discovered that Expat incorrectly handled certain external entities. A remote attacker could possibly use this issue to cause Expat to hang, resulting in a denial of service.
  • USN-3212-3: LibTIFF vulnerabilities – 19th July 2017. USN-3212-1 and USN-3212-2 fixed vulnerabilities in LibTIFF. This update provides a subset of the corresponding updates for Ubuntu 12.04 ESM. Original advisory details: It was discovered that LibTIFF incorrectly handled certain malformed images.
  • USN-3355-1: Spice vulnerability – 19th July 2017. Frediano Ziglio discovered that Spice incorrectly handled certain invalid monitor configurations. A remote attacker could use this issue to cause Spice to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3307-2: OpenLDAP vulnerability – 19th July 2017. USN-3307-1 fixed a vulnerability in OpenLDAP. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Karsten Heymann discovered that OpenLDAP incorrectly handled certain search requests. A remote attacker could use this issue to cause slapd to crash, resulting in a denial of service.
  • USN-3309-2: Libtasn1 vulnerability – 18th July 2017. Jakub Jirasek discovered that GnuTLS incorrectly handled certain assignments files. If a user were tricked into processing a specially crafted assignments file, a remote attacker could possibly execute arbitrary code.
  • USN-3354-1: Apport vulnerability – 18th July 2017. Felix Wilhelm discovered a path traversal vulnerability in Apport when handling the ExecutablePath field in crash files. An attacker could trick a user into opening a specially crafted crash file and execute arbitrary code with the user’s privileges.
  • USN-3274-2: ICU vulnerabilities – 18th July 2017. USN-3274-1 fixed a vulnerability in ICU. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash.
  • USN-3347-2: Libgcrypt vulnerability – 17th July 2017. USN-3347-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding update for Ubuntu 12.04 ESM.
  • USN-3353-2: Samba vulnerability – 14th July 2017. USN-3353-1 fixed a vulnerability in Heimdal. This update provides the corresponding update for Samba. Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams discovered that Samba clients incorrectly trusted unauthenticated portions of Kerberos tickets. A remote attacker could use this to impersonate trusted network servers or perform other attacks.
  • USN-3353-1: Heimdal vulnerability – 14th July 2017. Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams discovered that Heimdal clients incorrectly trusted unauthenticated portions of Kerberos tickets. A remote attacker could use this to impersonate trusted network services or perform other attacks.
  • USN-3352-1: nginx vulnerability – 13th July 2017. It was discovered that an integer overflow existed in the range filter feature of nginx. A remote attacker could use this to expose sensitive information.
  • USN-3351-1: Evince vulnerability – 13th July 2017. Felix Wilhelm discovered that Evince did not safely invoke tar when handling tar comic book (cbt) files. An attacker could use this to construct a malicious cbt comic book format file that, when opened in Evince, executes arbitrary code.
  • USN-3350-1: poppler vulnerabilities – 7th July 2017. Aleksandar Nikolic discovered that poppler incorrectly handled JPEG 2000 images. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or possibly execute arbitrary code with privileges of the user invoking the program.
  • USN-3321-1: Thunderbird vulnerabilities – 5th July 2017. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information or execute arbitrary code.
  • USN-3349-1: NTP vulnerabilities – 5th July 2017. Yihan Lian discovered that NTP incorrectly handled certain large request data values. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS.
  • USN-3348-1: Samba vulnerability – 5th July 2017. It was discovered that Samba incorrectly handled dangling symlinks. A remote attacker could possibly use this issue to cause Samba to hang, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
  • USN-3347-1: Libgcrypt vulnerabilities – 3rd July 2017. Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover RSA private keys.
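The Ruby item in the list above (USN-3365-1) mentions that the Ruby OpenSSL extension handled hostname wildcard matching incorrectly. The following is an added example, not code from the advisory or from Ruby's own OpenSSL extension, showing the strict rules a TLS client should apply when comparing a certificate name against the host it meant to reach: case-insensitive comparison, at most one wildcard, only in the left-most label, never spanning a dot, and never in an IDNA label. The module name and the policy of requiring at least two labels after the wildcard are my own choices, not something the advisory specifies.

```ruby
# Added illustration, not code from the advisory or from Ruby's OpenSSL
# extension: a strict matcher for TLS certificate host names that honours a
# wildcard only in the left-most DNS label (RFC 6125, section 6.4.3), with
# the extra policy choices noted in the comments.
module StrictHostnameMatch
  module_function

  # True if +hostname+ is matched by the certificate name +pattern+
  # (a dNSName SAN or CN value). Both are compared case-insensitively.
  def match?(hostname, pattern)
    host_labels = labels(hostname)
    pat_labels  = labels(pattern)
    return false if host_labels.empty? || pat_labels.empty?
    return false if (host_labels + pat_labels).any?(&:empty?)
    # A wildcard never spans a dot: label counts must agree exactly,
    # so "*.example.com" does not match "a.b.example.com".
    return false unless host_labels.length == pat_labels.length
    # A wildcard anywhere but the left-most label is rejected outright.
    return false if pat_labels.drop(1).any? { |l| l.include?("*") }

    first_ok = leftmost_match?(host_labels.first, pat_labels.first, pat_labels.length)
    first_ok && host_labels.drop(1) == pat_labels.drop(1)
  end

  # Lower-case, drop one trailing dot, split into DNS labels.
  def labels(name)
    name.to_s.downcase.sub(/\.\z/, "").split(".", -1)
  end

  # Matching rule for the left-most label, the only place a '*' may appear.
  def leftmost_match?(host_label, pat_label, label_count)
    return host_label == pat_label unless pat_label.include?("*")
    # Policy: one '*' per label; at least two labels must follow it, so
    # "*.com" and a bare "*" match nothing; no wildcards in IDNA (xn--) labels.
    return false if pat_label.count("*") > 1
    return false if label_count < 3
    return false if pat_label.start_with?("xn--") || host_label.start_with?("xn--")
    prefix, suffix = pat_label.split("*", -1)
    # The '*' must stand for at least one character of the host label.
    host_label.length > prefix.length + suffix.length &&
      host_label.start_with?(prefix) && host_label.end_with?(suffix)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample pairs: the first matches, the other three must not.
  [["www.example.com", "*.example.com"],
   ["a.b.example.com", "*.example.com"],
   ["www.example.com", "www.*.com"],
   ["example.com", "*.com"]].each do |host, pat|
    puts "#{pat.ljust(16)} vs #{host.ljust(18)} => #{StrictHostnameMatch.match?(host, pat)}"
  end
end
```

A client that accepts `*.example.com` for `a.b.example.com`, or a wildcard in a non-leading label, lets a certificate issued for one name vouch for hosts it was never meant to cover; the label-count check and the "left-most label only" rule are what close that gap.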