3rd Party Patch Roundup

Here we go again. Yes, it’s already the end of another month and time to round up the patches that have been issued in July by various software vendors.

There have been a number of new, revived or heightened security threats in the news this month, including potential supply chain attacks, a new NetSpectre class attack, and Android malware that targets banking apps. As always, the first step in protecting against cyber attacks is to make sure that all the systems (including Internet of Things devices) connected to your network have the latest security updates. Unfortunately, a new study from Trend Micro indicates that two fifths of IT decision makers across several countries and continents consider IoT security an afterthought, and only about half of them believe IoT attacks pose a threat to their organizations.

Meanwhile, as Adobe Flash continues to be one of the top software products targeted by hackers and the object of frequent security patches that we cover here each month, a U.S. senator is hoping to convince federal agencies to transition away from the use of Flash, which Adobe has said will reach its end of life at the end of 2020.  

But we all know this won’t stop the bad guys, who will just look for vulnerabilities that they can exploit in other products and services. Staying half a step ahead of them is a never-ending battle for software vendors, IT pros, and users.

The good news is that researchers are diligently discovering security holes before the attackers get wind of them, vendors are working hard to create, test, and release patches for those vulnerabilities as quickly as possible after they find out about them, and organizations and individuals are more aware than ever of the importance of updating and have more tools than ever before at their disposal to help make the process easier.

So now let’s take a look at some of the security updates released in July. Note that at the time this article is being written and submitted (morning of July 30th), there is one more day left in the month. If additional updates are released later today or tomorrow, we will cover them in next month’s Roundup.

Apple

Apple released eight updates in July for various products, including their mobile and desktop operating systems. These include one patch released on July 5, a Wi-Fi Update for Boot Camp v6.4.0 for MacBook (Late 2009 and later), MacBook Pro (Mid 2010 and later), MacBook Air (Late 2010 and later), Mac mini (Mid 2010 and later), iMac (Late 2009 and later), and Mac Pro (Mid 2010 and later). It fixes three vulnerabilities, all of which have to do with logic issues.

On July 9, the company released seven more patches:

  • iTunes 12.8 for Windows, for Windows 7 and later, to address fourteen vulnerabilities, all but one of which are in the WebKit component. Some of these are memory corruption issues that could be exploited to achieve arbitrary code execution.
  • iCloud for Windows 7.6, for Windows 7 and later, to address the same issues mentioned above for iTunes.
  • Safari 11.1.2 for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.6 to address sixteen vulnerabilities, including the WebKit issues included in the patches above.
  • macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, and Security Update 2018-004 El Capitan, for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.5, to address twelve vulnerabilities in various operating system components, including the kernel. Impacts include address bar spoofing, unauthorized reading of restricted memory, privilege elevation, information disclosure, sandbox breach, interception of Bluetooth traffic, gaining root privileges, and more.
  • watchOS 4.3.2 for all Apple Watch models, to address vulnerabilities in CFNetwork, Emoji, the kernel, libxpc, LinkPresentation, and WebKit. The most serious impacts include arbitrary code execution, denial of service, and elevation of privileges.
  • tvOS 11.4.1 for Apple TV 4K and Apple TV (4th generation), to address many of the same vulnerabilities that are patched by the updates above.
  • iOS 11.4.1 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, to address many of the same vulnerabilities mentioned above as well as others. In all, this patch fixes twenty-two vulnerabilities in the mobile operating system.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

It was an average month for Adobe in terms of the number of updates, with four patches that were all released on July 19, which is Adobe’s standard Patch Tuesday.

  • APSB18-24 Security updates available for Adobe Flash Player. This is a critical update rated priority 2 for Windows, macOS, Linux and Chrome OS, the Chrome browser and Microsoft Edge and IE 11. It is rated priority 3 for the Desktop Runtime on Linux. It addresses two vulnerabilities, an out-of-bounds read and a type confusion issue; the former could lead to information disclosure and the latter to arbitrary code execution.
  • APSB18-23 Security update available for Adobe Experience Manager. This is an important update rated priority 2 on all platforms that addresses three server-side request forgery issues that could result in sensitive information disclosure.
  • APSB18-22 Security update available for Adobe Connect. This is an important update rated priority 2 that addresses three vulnerabilities: two authentication bypass issues and insecure library loading, the impacts of which include sensitive information disclosure, session hijacking, and privilege escalation.
  • APSB18-21 Security updates available for Adobe Acrobat and Reader. This is a critical update to address a whole slew of vulnerabilities – 104 in all – and is rated priority 2 on Windows and macOS. These include double free, heap overflow, use-after-free, out-of-bounds write and read, security bypass, buffer errors, type confusion, and untrusted pointer dereference issues that can lead to information disclosure, privilege escalation, and arbitrary code execution.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

On July 24, Google released the stable channel update Chrome v68 for the Desktop (Windows, Mac, and Linux) along with Chrome 68 for Android. This new version of the web browser contains forty-two security fixes that include stack buffer overflow, heap buffer overflow, use-after-free, type confusion, same origin policy bypass, and URL spoof as well as others.

As a new security feature, Chrome 68 now displays a “not secure” warning on all HTTP web pages as Google continues to encourage web sites to use HTTPS encryption.

For more information, see https://chromereleases.googleblog.com/

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2018-06-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. This month’s update was released on July 17 and contains 334 security fixes across the broad range of Oracle products and services. Many of the issues that are addressed

Oracle customers can read more about previous patches in the executive summary on the Oracle Support site at https://login.oracle.com/mysso/signon.jsp

Mozilla

The most recent version of the Firefox web browser, version 61, was released on June 26 and fixed the nineteen vulnerabilities that we described in the June Third Party Patch Roundup.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (July 30th), Ubuntu has issued the following forty-eight security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of advisories and updates.

  • USN-3725-2: MySQL vulnerabilities. USN-3725-1 fixed several vulnerabilities in MySQL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.61 in Ubuntu 12.04 ESM.
  • USN-3725-1: MySQL vulnerabilities. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.61 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.23.
  • USN-3722-4: ClamAV regression. USN-3722-1 fixed vulnerabilities in ClamAV. The updated ClamAV version removed some configuration options which caused the daemon to fail to start in environments where the ClamAV configuration file was manually edited. This update fixes the problem.
  • USN-3722-3: ClamAV regression. USN-3722-1 fixed vulnerabilities in ClamAV. The updated ClamAV version removed some configuration options which caused the daemon to fail to start in environments where the ClamAV configuration file was manually edited. This update fixes the problem.
  • USN-3724-1: Evolution Data Server vulnerability. Jon Kristensen discovered that Evolution Data Server would automatically downgrade a connection to an IMAP server if the IMAP server did not support SSL. This would result in the user’s password being unexpectedly sent in clear text, even though the user had requested to use SSL.
  • USN-3723-1: Tomcat vulnerabilities. It was discovered that Tomcat incorrectly handled decoding certain UTF-8 strings. A remote attacker could possibly use this issue to cause Tomcat to crash, resulting in a denial of service. (CVE-2018-1336) It was discovered that the Tomcat WebSocket client incorrectly performed hostname verification.
  • USN-3722-2: ClamAV vulnerabilities. USN-3722-1 fixed a vulnerability in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled parsing certain HWP files. A remote attacker could use this issue to cause ClamAV to hang, resulting in a denial of service.
  • USN-3721-1: Apache Ant vulnerability. Danny Grander discovered that Apache Ant incorrectly handled certain compressed files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could use this issue to overwrite arbitrary files.
  • USN-3722-1: ClamAV vulnerabilities. It was discovered that ClamAV incorrectly handled parsing certain HWP files. A remote attacker could use this issue to cause ClamAV to hang, resulting in a denial of service. (CVE-2018-0360) It was discovered that ClamAV incorrectly handled parsing certain PDF files. A remote attacker could use this issue to cause ClamAV to hang.
  • USN-3720-1: python-cryptography vulnerability. It was discovered that python-cryptography incorrectly handled certain inputs. An attacker could possibly use this to get access to sensitive information.
  • USN-3719-2: Mutt vulnerabilities. USN-3719-1 fixed a vulnerability in Mutt. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this to execute arbitrary code.
  • USN-3719-1: Mutt vulnerabilities. It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this to execute arbitrary code. (CVE-2018-14350, CVE-2018-14352, CVE-2018-14354, CVE-2018-14359, CVE-2018-14358, CVE-2018-14353, CVE-2018-14357) It was discovered that Mutt incorrectly handled certain inputs.
  • USN-3718-2: Linux kernel (HWE) regression. USN-3695-2 fixed vulnerabilities in the Linux Hardware Enablement (HWE) kernel for Ubuntu 16.04 LTS. Unfortunately, the fix for CVE-2018-1108 introduced a regression where insufficient early entropy prevented services from starting, leading in some situations to a failure to boot. This update addresses the issue.
  • USN-3718-1: Linux kernel regression. USN-3695-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. Unfortunately, the fix for CVE-2018-1108 introduced a regression where insufficient early entropy prevented services from starting, leading in some situations to a failure to boot. This update addresses the issue. We apologize for the inconvenience.
  • USN-3717-2: PolicyKit vulnerabilities. USN-3717-1 fixed a vulnerability in PolicyKit. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that PolicyKit incorrectly handled certain duplicate action IDs. A local attacker could use this issue to cause PolicyKit to crash, resulting in a denial of service.
  • USN-3717-1: PolicyKit vulnerabilities. Tavis Ormandy discovered that PolicyKit incorrectly handled certain invalid object paths. A local attacker could possibly use this issue to cause PolicyKit to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-3218) It was discovered that PolicyKit incorrectly handled certain duplicate action IDs.
  • USN-3714-1: Thunderbird vulnerabilities. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass CORS restrictions, obtain sensitive information, or execute arbitrary code.
  • USN-3716-1: Dnsmasq update. This update adds the latest DNSSEC validation trust anchor required for the upcoming Root Zone KSK Rollover.
  • USN-3715-1: dns-root-data update. This update adds the latest DNSSEC validation trust anchor required for the upcoming Root Zone KSK Rollover and refreshes the list of root hints.
  • USN-3713-1: CUPS vulnerabilities. It was discovered that CUPS incorrectly handled certain print jobs with invalid usernames. A remote attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 17.10 and Ubuntu 18.04 LTS.
  • USN-3712-2: libpng vulnerability. USN-3712-1 fixed a vulnerability in libpng. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Patrick Keshishian discovered that libpng incorrectly handled certain PNG files. An attacker could possibly use this to cause a denial of service.
  • USN-3712-1: libpng vulnerabilities. Patrick Keshishian discovered that libpng incorrectly handled certain PNG files. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10087) Thuan Pham discovered that libpng incorrectly handled certain PNG files.
  • USN-3711-1: ImageMagick vulnerabilities. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.
  • USN-3710-1: curl vulnerability. Peter Wu discovered that curl incorrectly handled certain SMTP buffers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3705-2: Firefox regressions. USN-3705-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox.
  • USN-3709-1: Xapian-core vulnerability. It was discovered that Xapian-core incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code.
  • USN-3706-2: libjpeg-turbo vulnerabilities. USN-3706-1 fixed a vulnerability in libjpeg-turbo. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that libjpeg-turbo incorrectly handled certain malformed JPEG images.
  • USN-3708-1: OpenSLP vulnerabilities. It was discovered that OpenSLP incorrectly handled certain memory operations. A remote attacker could use this issue to cause OpenSLP to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3707-1: NTP vulnerabilities. Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6 packets. A remote attacker could possibly use this issue to cause ntpd to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182) Michael Macnair discovered that NTP incorrectly handled certain responses.
  • USN-3706-1: libjpeg-turbo vulnerabilities. It was discovered that libjpeg-turbo incorrectly handled certain malformed JPEG images. If a user or automated system were tricked into opening a specially crafted JPEG image, a remote attacker could cause libjpeg-turbo to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3690-2: AMD Microcode regression. USN-3690-1 provided updated microcode for AMD processors to address CVE-2017-5715 (aka Spectre). Unfortunately, the update caused some systems to fail to boot. This update reverts the update for Ubuntu 14.04 LTS. We apologize for the inconvenience.
  • USN-3705-1: Firefox vulnerabilities. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, bypass same-origin restrictions, bypass CORS restrictions, bypass CSRF protections, obtain sensitive information.
  • USN-3704-1: devscripts vulnerability. It was discovered that devscripts incorrectly handled certain YAML files. An attacker could possibly use this to execute arbitrary code.
  • USN-3702-2: PHP vulnerability. USN-3702-1 fixed a vulnerability in PHP. PHP 7.2.7 did not actually include the fix for CVE-2018-12882. This update adds a backported patch to correct the issue. We apologize for the inconvenience. Original advisory details: It was discovered that PHP incorrectly handled exif tags in certain images.
  • USN-3703-2: Archive Zip vulnerability. USN-3703-1 fixed a vulnerability in the Archive Zip module. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that the Archive Zip module incorrectly handled certain inputs. An attacker could possibly use this to access sensitive information.
  • USN-3703-1: Archive Zip. It was discovered that the Archive Zip module incorrectly handled certain inputs. An attacker could possibly use this to access sensitive information.
  • USN-3702-1: PHP vulnerability. It was discovered that PHP incorrectly handled exif tags in certain images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3701-1: libsoup vulnerability. It was discovered that libsoup incorrectly handled certain cookie requests. An attacker could possibly use this to cause a denial of service.
  • USN-3700-1: Exiv2 vulnerabilities. It was discovered that Exiv2 incorrectly handled certain files. An attacker could possibly use this to cause a denial of service. (CVE-2018-10958, CVE-2018-10998) It was discovered that Exiv2 incorrectly handled certain PNG files. An attacker could possibly use this to access sensitive information.
  • USN-3699-1: zziplib vulnerabilities. It was discovered that zziplib incorrectly handled certain malformed ZIP files. If a user or automated system were tricked into opening a specially crafted ZIP file, a remote attacker could cause zziplib to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3698-2: Linux kernel (Trusty HWE) vulnerabilities. USN-3698-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.
  • USN-3698-1: Linux kernel vulnerabilities. It was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash).
  • USN-3697-2: Linux kernel (OEM) vulnerabilities. It was discovered that a null pointer dereference vulnerability existed in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1130) Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize.
  • USN-3697-1: Linux kernel vulnerabilities. It was discovered that a null pointer dereference vulnerability existed in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1130) Jann Horn discovered that the 32 bit adjtimex() syscall implementation for 64 bit Linux kernels did not properly initialize.
  • USN-3696-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3696-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel.
  • USN-3696-1: Linux kernel vulnerabilities. It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255) Wei Fang discovered an integer overflow in the F2FS filesystem implementation in the Linux kernel. A local attacker could use this to cause a denial of service.
  • USN-3695-1: Linux kernel vulnerabilities. Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1094) It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check.
  • USN-3695-2: Linux kernel (HWE) vulnerabilities. USN-3695-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. Wen Xu discovered that the ext4 file system implementation in the Linux kernel did not properly initialize the crc32c checksum driver.