June is the month of weddings, graduations, Father’s Day and the summer solstice. In many places, it’s when the weather heats up in earnest. The end of June marks the halfway point in the year. For IT pros, June often means being short-staffed as everyone flees to the beach or the mountains on summer vacation.

But no matter how hot the weather gets, vulnerabilities keep rearing their ugly heads and security updates keep on coming, and it’s up to us to see that our servers don’t melt down in a way that has nothing to do with the high temperatures.

In keeping with the vacation mentality, this month has been a relatively slow one for patches from most vendors. Microsoft released only eight updates, and some third-party vendors have, at the time of this writing (June 29), skipped this month altogether. Adobe, however, is an exception. Let’s take a look at what did come down the pike.

Apple

Last month, Apple put out only two patches, one for Safari and one for the Apple Watch OS. This month, there have been no security updates at all from Cupertino.

That’s not to say that all is necessarily well on the security front for users of Apple products. On June 17, Forbes published an article detailing how researchers at Indiana University, Peking University and the Georgia Institute of Technology showed how cybercriminals can get malware into the App Store and how rogue software on OS X and iOS can steal sensitive data from other apps.

But there is also some good news: Apple built in better support for two-factor authentication in iOS 9 and OS X 10.11.

Adobe

Adobe started out light this month, issuing only one patch – containing multiple updates for Flash Player – on its regular Patch Tuesday. However, the company ended up putting out not one, not two, but three out-of-band patches before the month was done, including another for Flash Player.

  • On June 9, Adobe issued APSB15-11, a security update for Flash Player that addresses 13 vulnerabilities, including critical ones that could allow an attacker to take control of the affected system. They include a same-origin policy bypass that could lead to information disclosure, a stack overflow that could lead to code execution, a permission issue that could lead to privilege escalation, a memory corruption vulnerability that could lead to code execution, use-after-free vulnerabilities that could lead to code execution, and a memory leak that could be used to bypass ASLR. The update also improves memory address randomization on 64-bit Windows 7. It carries a priority rating of 1 for Windows, Mac and Linux on Chrome, for the desktop runtime, and for Flash in IE 10 and 11; the rating is 3 for Flash on Linux and AIR.
  • On June 16, Adobe released APSB15-12, an update for Adobe Photoshop running on Windows and Mac OS X, which addresses four critical vulnerabilities, all of which could allow code execution. These include an integer overflow vulnerability, a heap overflow vulnerability and two memory corruption vulnerabilities. The update has a priority rating of 3 on both platforms, because historically this product has not been a target for attackers.
  • Also on June 16, Adobe released APSB15-13, an update for Adobe Bridge CC running on Windows and Mac OS X, which addresses three critical vulnerabilities, all of which could allow code execution. These are the same vulnerabilities listed above for Adobe Photoshop. Adobe Bridge is software for viewing, searching and managing files in Adobe Creative Cloud and Adobe Creative Suite. The priority rating is 3 since this product, like Photoshop, has historically not been targeted by attackers.
  • On June 23, Adobe released APSB15-14, another update for Flash Player running on Windows, Mac OS X and Linux, which addresses one critical vulnerability that was being actively exploited in the wild. The vulnerability is a heap overflow issue that can lead to code execution. The update has a priority rating of 1 on Windows and Mac, and for Flash in Chrome on Linux; the priority rating for Flash on Linux is otherwise 3.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

On June 22, Google released version 43.0.2357.130 of the Chrome browser for Windows, Mac OS X and Linux, which addresses at least four security vulnerabilities that were reported by third-party researchers. Two of these are rated high severity and two medium severity. They include a scheme validation error in WebUI, two cross-origin bypasses and a normalization error in the HSTS/HPKP preload list.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The next regular patch release is scheduled for July 14. No out-of-band patches have been released this month.

For more information about Oracle security updates and a list of previously released patches, see http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

As of this writing, Mozilla has not issued any security updates for Firefox this month. The latest version is 38.0.5, first offered to Release channel users on June 2, which included a handful of bug fixes but no security patches.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Ubuntu has issued 38 security advisories, many of which address multiple vulnerabilities. Other commercial Linux vendors issued similar advisories.

USN-2655-1: Tomcat vulnerabilities – June 25

It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service.

USN-2654-1: Tomcat vulnerabilities – June 25

It was discovered that the Tomcat XML parser incorrectly handled XML External Entities (XXE). A remote attacker could possibly use this issue to read arbitrary files. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0119). It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding.

USN-2653-1: Python vulnerabilities – June 25

It was discovered that multiple Python protocol libraries incorrectly limited certain data when connecting to servers. A malicious ftp, http, imap, nntp, pop or smtp server could use this issue to cause a denial of service.

USN-2651-1: GNU patch vulnerabilities – June 25

Jakub Wilk discovered that GNU patch did not correctly handle file paths in patch files. An attacker could specially craft a patch file that could overwrite arbitrary files with the privileges of the user invoking the program. This issue only affected Ubuntu 12.04 LTS.

USN-2646-2: Linux kernel regression – June 21

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s overlayfs file system. The removal of a directory that only exists on the lower layer results in a kernel panic.

USN-2644-2: Linux kernel (Utopic HWE) regression – June 21

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s overlayfs file system. The removal of a directory that only exists on the lower layer results in a kernel panic.

USN-2643-2: Linux kernel regression – June 21

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s overlayfs file system. The removal of a directory that only exists on the lower layer results in a kernel panic.

USN-2642-2: Linux kernel (Trusty HWE) regression – June 21

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s overlayfs file system. The removal of a directory that only exists on the lower layer results in a kernel panic.

USN-2641-2: Linux kernel (OMAP4) regression – June 21

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s overlayfs file system. The removal of a directory that only exists on the lower layer results in a kernel panic.

USN-2640-2: Linux kernel regression – June 21

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s overlayfs file system. The removal of a directory that only exists on the lower layer results in a kernel panic.

USN-2650-1: wpa_supplicant and hostapd vulnerabilities – June 16

Kostya Kortchinsky discovered multiple flaws in wpa_supplicant and hostapd. A remote attacker could use these issues to cause wpa_supplicant or hostapd to crash, resulting in a denial of service.

USN-2649-1: devscripts vulnerability – June 16

It was discovered that the uupdate tool incorrectly handled symlinks. If a user or automated system were tricked into processing specially crafted files, a remote attacker could possibly replace arbitrary files, leading to a privilege escalation.

USN-2648-1: Aptdaemon vulnerability – June 16

Tavis Ormandy discovered that Aptdaemon incorrectly handled the simulate dbus method. A local attacker could use this issue to possibly expose sensitive information, or perform other file access as the root user.

USN-2647-1: Linux kernel vulnerability – June 15

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

USN-2646-1: Linux kernel vulnerability – June 15

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

USN-2645-1: Linux kernel (Vivid HWE) vulnerability – June 15

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

USN-2644-1: Linux kernel (Utopic HWE) vulnerability – June 15

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

USN-2643-1: Linux kernel vulnerability – June 15

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

USN-2642-1: Linux kernel (Trusty HWE) vulnerability – June 15

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

USN-2641-1: Linux kernel (OMAP4) vulnerability – June 15

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

USN-2640-1: Linux kernel vulnerability – June 15

Philip Pettersson discovered a privilege escalation when using overlayfs mounts inside of user namespaces. A local user could exploit this flaw to gain administrative privileges on the system.

USN-2639-1: OpenSSL vulnerabilities – June 11

Praveen Kariyanahalli, Ivan Fratric and Felix Groebert discovered that OpenSSL incorrectly handled memory when buffering DTLS data. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2638-1: Linux kernel vulnerabilities – June 10

Xiong Zhou discovered a bug in the way the EXT4 filesystem handles fallocate zero range functionality when the page size is greater than the block size. A local attacker could exploit this flaw to cause a denial of service (system crash).

USN-2637-1: Linux kernel vulnerabilities – June 10

Xiong Zhou discovered a bug in the way the EXT4 filesystem handles fallocate zero range functionality when the page size is greater than the block size. A local attacker could exploit this flaw to cause a denial of service (system crash).

USN-2636-1: Linux kernel (Vivid HWE) vulnerabilities – June 10

Xiong Zhou discovered a bug in the way the EXT4 filesystem handles fallocate zero range functionality when the page size is greater than the block size. A local attacker could exploit this flaw to cause a denial of service (system crash).

USN-2635-1: Linux kernel (Utopic HWE) vulnerabilities – June 10

Xiong Zhou discovered a bug in the way the EXT4 filesystem handles fallocate zero range functionality when the page size is greater than the block size. A local attacker could exploit this flaw to cause a denial of service (system crash).

USN-2634-1: Linux kernel vulnerabilities – June 10

Wen Xu discovered a use-after-free flaw in the Linux kernel’s ipv4 ping support. A local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges on the system.

USN-2633-1: Linux kernel (Trusty HWE) vulnerabilities – June 10

Wen Xu discovered a use-after-free flaw in the Linux kernel’s ipv4 ping support. A local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges on the system.

USN-2632-1: Linux kernel (OMAP4) vulnerabilities – June 10

Jan Beulich discovered the Xen virtual machine subsystem of the Linux kernel did not properly restrict access to PCI command registers. A local guest user could exploit this flaw to cause a denial of service (host crash).

USN-2631-1: Linux kernel vulnerabilities – June 10

Jan Beulich discovered the Xen virtual machine subsystem of the Linux kernel did not properly restrict access to PCI command registers. A local guest user could exploit this flaw to cause a denial of service (host crash).

USN-2630-1: QEMU vulnerabilities – June 10

Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers.

USN-2629-1: CUPS vulnerabilities – June 10

It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code.

USN-2628-1: strongSwan vulnerability – June 8

Alexander E. Patrakov discovered that strongSwan incorrectly handled certain IKEv2 setups. A malicious server could possibly use this issue to obtain user credentials.

USN-2627-1: t1utils vulnerability – June 3

Jakub Wilk discovered that t1utils incorrectly handled certain malformed fonts. If a user or automated system were tricked into opening a specially crafted font, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

USN-2626-1: Qt vulnerabilities – June 3

Wolfgang Schenk discovered that Qt incorrectly handled certain malformed GIF images. If a user or automated system were tricked into opening a specially crafted GIF image, a remote attacker could use this issue to cause Qt to crash, resulting in a denial of service. This issue only applied to Ubuntu.

USN-2625-1: Apache HTTP Server update – June 2

As a security improvement, this update makes the following changes to the Apache package in Ubuntu 12.04 LTS: Added support for ECC keys and ECDH ciphers. The SSLProtocol configuration directive now allows specifying the TLSv1.1 and TLSv1.2 protocols.

USN-2624-1: OpenSSL update – June 1

As a security improvement, this update removes the export cipher suites from the default cipher list to prevent their use in possible downgrade attacks.
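As an added example (not Ubuntu's or Apache's own code), here is a small Python audit of the two settings these advisories touch: it applies mod_ssl's SSLProtocol token rules to see whether TLSv1.2 is actually enabled after USN-2625-1, and checks that a vhost's SSLCipherSuite hard-excludes the export suites that USN-2624-1 dropped from the library default. The two vhost blocks are constructed samples, and the cipher check is lexical, not a full OpenSSL cipher-string resolver.

```python
import re

# Constructed sample vhosts (not taken from the advisories): a pre-update style
# Ubuntu 12.04 configuration beside one that uses the backported TLSv1.1/TLSv1.2
# support from USN-2625-1 and hard-excludes the export suites dropped by USN-2624-1.
WEAK_VHOST = """<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!aNULL
</VirtualHost>"""

HARDENED_VHOST = """<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!EXPORT
    SSLHonorCipherOrder on
</VirtualHost>"""

# Protocol names mod_ssl 2.2 accepts; "all" is shorthand for every one of them.
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def directives(vhost):
    """Return {directive: value} for the SSL* directives in one vhost block."""
    return dict(re.findall(r"^\s*(SSL\w+)\s+(.+?)\s*$", vhost, re.M))

def enabled_protocols(value):
    """Apply mod_ssl's SSLProtocol rules: a bare name replaces the set, '+' adds, '-' removes."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        chosen = PROTOCOLS if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)
    return enabled

def audit(vhost):
    """Return the findings a reviewer would raise against the vhost (empty list = clean)."""
    conf = directives(vhost)
    protos = enabled_protocols(conf.get("SSLProtocol", "all"))  # mod_ssl's default is "all"
    findings = [f"{p} enabled" for p in ("SSLv2", "SSLv3") if p in protos]
    if "TLSv1.2" not in protos:
        findings.append("TLSv1.2 not enabled")
    # Lexical check only: unless EXPORT/EXP is hard-excluded with '!', an ALL-style
    # list (or a missing directive) can still reach the export suites on old builds.
    ciphers = conf.get("SSLCipherSuite", "").split(":")
    if not {"!EXPORT", "!EXP"} & set(ciphers):
        findings.append("export cipher suites not explicitly excluded")
    return findings
```

Running `audit()` over a real vhost file section by section gives a quick pre-deployment check that the backported protocol support is actually in use rather than just installed.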

USN-2623-1: ipsec-tools vulnerability – June 1

It was discovered that racoon, the ipsec-tools IKE daemon, incorrectly handled certain UDP packets. A remote attacker could use this issue to cause racoon to crash, resulting in a denial of service.