Another month is at an end, and you know what that means: another roundup of the patches issued in June (excluding Microsoft Patch Tuesday updates). For those of us in the northern hemisphere, we’re well into summer, and here in Texas, we’ve already seen a few days with temperatures over 100° F – and more to come in July and August.

Even in the sweltering heat, though, the hackers, attackers and malware purveyors continue to ply their malicious trade. Organizations large and small continue to experience data breaches due to negligence or mistakes, such as the one that left data aggregator Exactis with 340 million records exposed, and deliberate attacks brought some online services to a standstill. ProtonMail, a Swiss secure email service, reported that a Russian group had hit its network with a sustained denial-of-service attack, causing mail to be delayed. The company said there was no data breach involved.

Meanwhile, a full month after GDPR enforcement went into effect, many organizations are still struggling to ensure that they’re in compliance and fine-tuning their security strategies to meet requirements.

A recent survey shows that IT pros believe ransomware and other malware to be the biggest security threat they face in the second half of this year. Of course, one of the first steps in preventing malware is to keep systems and applications updated so that the malicious programs can’t take advantage of vulnerabilities.

And that’s the aim of software vendors as they tirelessly work on patches to fix those vulnerabilities. Let’s take a look now at the patches that have been released in June by some of the major OS makers.

Note that at the time this article is being written and submitted (morning of June 29), there is one more day left in the month. If additional updates are released later today or tomorrow, we will cover them in next month’s Roundup.

Apple

Timing is everything. At the time the May roundup was written, Apple had released only one security update, which was for their Swift programming language running on Ubuntu. Later on the day the article was submitted, they turned around and came out with four more patches:

  • iOS 11.4 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, containing fixes for 36 vulnerabilities in a wide range of components, the most serious of which include arbitrary code execution issues.
  • watchOS 4.3.1 for all Apple Watch models, containing fixes for 20 vulnerabilities, many of them the same as those found in the iOS patch.
  • iTunes 12.7.5 for Windows 7 and later, containing fixes for 17 vulnerabilities, most of them in the WebKit component.
  • tvOS 11.4 for Apple TV 4K and Apple TV (4th generation), containing fixes for 24 vulnerabilities, including the same WebKit issues.

Then in June, Apple issued five more updates for various software products:

  • iCloud for Windows 7.5 for Windows 7 and later was released on June 1, containing the same 17 fixes as those in the iTunes patch released a few days before.
  • Safari 11.1.1 for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 was also released on June 1, containing 13 fixes, most of them for the same WebKit issues fixed in other patches referenced above.
  • macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, and Security Update 2018-003 El Capitan were released on June 1 as well, containing fixes for 33 vulnerabilities in many different OS components, a number of which are critical arbitrary code execution issues.
  • Xcode 9.4.1 for macOS High Sierra 10.13.2 or later was released on June 13 and fixes two issues, including arbitrary code execution.
  • SwiftNIO 1.8.0 for macOS Sierra 10.12 and later, Ubuntu 14.04 and later was released on June 27, to fix a single buffer overflow issue by which an attacker could overwrite arbitrary memory.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

After a heavy patch month in May, Adobe has issued only one security update thus far in June. It was an out-of-band patch that didn’t wait for the usual Patch Tuesday scheduled release date.

  • APSB18-19 security update for Adobe Flash Player for Windows, macOS, Linux and Chrome was issued on June 7, 2018 to fix 2 critical arbitrary code execution vulnerabilities, one of which was a type confusion issue and the other a stack-based buffer overflow. Also fixed were two important vulnerabilities that could lead to information disclosure: an integer overflow issue and an out-of-bounds read vulnerability.

This update was released early because of reports that CVE-2018-5002, the stack-based buffer overflow vulnerability, was already being used in the wild.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html.

Google

  • The desktop version of the Chrome browser for Windows, Mac, and Linux was updated to v67.0.3396.99 on June 25.
  • Chrome OS received its latest stable channel update to v67.0.3396.101 on June 26 that contains a number of security updates along with bug fixes.
  • A security bulletin for Android was issued on June 4, addressing updates for vulnerabilities in the framework, media framework, and system. These include one that could enable a local malicious application to bypass user interaction requirements to gain access to additional permissions and multiple issues that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Another reminder that Google is expected to release Chrome 68 in July, which will make a major change to the way HTTP non-encrypted sites are displayed. With that version, the browser will start marking such sites as “Not Secure” with a prominent warning. Most top sites now use HTTPS (secure HTTP) by default.

For more information, see https://chromereleases.googleblog.com/

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2018-06-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July, and October. The April 2018 update was released on April 18. The next update is scheduled to be released on July 17th.

Oracle customers can read more about previous patches in the executive summary on the Oracle Support site at https://login.oracle.com/mysso/signon.jsp

Mozilla

On June 26, Mozilla released Firefox version 61, which fixes the following vulnerabilities:

Critical Severity:

  • CVE-2018-12359: Buffer overflow using a computed size of a canvas element. A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash.
  • CVE-2018-12360: Use-after-free when using focus(). A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.
  • CVE-2018-12361: Integer overflow in SwizzleData. An integer overflow can occur in the SwizzleData code while calculating buffer sizes. The overflowed value is used for subsequent graphics computations when their inputs are not sanitized which results in a potentially exploitable crash.
  • CVE-2018-5186: Memory safety bugs fixed in Firefox 61. Mozilla developers and community members Christian Holler, Jason Kratzer, Jon Coppeard, Randell Jesup, Ronald Crane, and Boris Zbarsky reported memory safety bugs present in Firefox 60. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort that some of these could be exploited to run arbitrary code.
  • CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1. Mozilla developers and community members Christian Holler, Sebastian Hengst, Nils Ohlmeier, Jon Coppeard, Randell Jesup, Ted Campbell, Gary Kwong, and Jean-Yves Avenard reported memory safety bugs present in Firefox 60 and Firefox ESR 60. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort that some of these could be exploited to run arbitrary code.
  • CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9. Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort that some of these could be exploited to run arbitrary code.

High Severity:

  • CVE-2018-12358: Same-origin bypass using service worker and redirection. Service workers can use redirection to avoid the tainting of cross-origin resources in some instances,
  • CVE-2018-12362: Integer overflow in SSSE3 scaler. An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash.
  • CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture. A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash.
  • CVE-2018-12363: Use-after-free when appending DOM nodes. A use-after-free vulnerability can occur when a script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash.
  • CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins. NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks.

Moderate Severity:

  • CVE-2018-12365: Compromised IPC child process can list local filenames. A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in the exposure of private local files.
  • CVE-2018-12371: Integer overflow in Skia library during edge builder allocation. An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash.
  • CVE-2018-12366: Invalid data handling during QCMS transformations. An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output.
  • CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming. In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work, PerformanceNavigationTiming was not adjusted, but it was found that it could be used as a precision timer.
  • CVE-2018-12368: No warning when opening executable SettingContent-ms files. Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the “Mark of the Web.” Without warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. Note: this issue only affects Windows operating systems. Other operating systems are unaffected.
  • CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments. WebExtensions bundled with embedded experiments were not correctly checked for proper authorization. This allowed a malicious WebExtension to gain full browser permissions.

Low Severity:

  • CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View. In Reader View, SameSite cookie protections are not checked on exit. This allows for a payload to be triggered when Reader View is exited if loaded by a malicious site while Reader mode is active, bypassing CSRF protections.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (June 29th), Ubuntu has issued the following forty-six security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of advisories and updates.

  • USN-3686-2: file vulnerabilities. USN-3686-1 fixed a vulnerability in file. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that file incorrectly handled certain magic files. An attacker could use this issue with a specially crafted magic file to cause a denial of service, or possibly execute arbitrary code. 28 June 2018
  • USN-3694-1: NASM vulnerabilities. It was discovered that NASM incorrectly handled certain source files. If a user or automated system were tricked into processing a specially crafted source file, a remote attacker could use these issues to cause NASM to crash, resulting in a denial of service, or possibly execute arbitrary code. 28 June 2018
  • USN-3693-1: JasPer vulnerabilities. It was discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files. If a user or automated system using JasPer were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. 27 June 2018
  • USN-3692-2: OpenSSL vulnerabilities. USN-3692-1 fixed a vulnerability in OpenSSL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key generation. An attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys.
  • USN-3692-1: OpenSSL vulnerabilities. Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key generation. An attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. (CVE-2018-0495) Guido Vranken discovered that OpenSSL incorrectly handled very large prime values during a key agreement. 26 June 2018
  • USN-3691-1: OpenJDK 7 vulnerabilities. It was discovered that the Security component of OpenJDK did not correctly perform merging of multiple sections for the same file listed in JAR archive file manifests. An attacker could possibly use this to modify attributes in a manifest without invalidating the signature. 21 June 2018
  • USN-3690-1: AMD Microcode update. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction might allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory. 20 June 2018
  • USN-3689-2: Libgcrypt vulnerability. USN-3689-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Keegan Ryan discovered that Libgcrypt was susceptible to a side-channel attack. A local attacker could possibly use this attack to recover ECDSA private keys. 19 June 2018
  • USN-3688-1: Spidermonkey vulnerabilities. Multiple memory safety issues were fixed in Spidermonkey. An attacker could potentially exploit these to cause a denial of service or execute arbitrary code. 19 June 2018
  • USN-3689-1: Libgcrypt vulnerability. Keegan Ryan discovered that Libgcrypt was susceptible to a side-channel attack. A local attacker could possibly use this attack to recover ECDSA private keys. 19 June 2018
  • USN-3675-3: GnuPG vulnerability. USN-3675-1 fixed a vulnerability in GnuPG. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. 18 June 2018
  • USN-3687-1: WebKitGTK+ vulnerabilities. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. 18 June 2018
  • USN-3678-4: Linux kernel (Raspberry Pi 2) vulnerabilities. Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted metadata in some situations. An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted. 15 June 2018
  • USN-3675-2: GnuPG 2 vulnerability. USN-3675-1 fixed a vulnerability in GnuPG 2 for Ubuntu 18.04 LTS and Ubuntu 17.10. This update provides the corresponding update for GnuPG 2 in Ubuntu 16.04 LTS and Ubuntu 14.04 LTS. 15 June 2018
  • USN-3686-1: file vulnerabilities. Alexander Cherepanov discovered that file incorrectly handled a large number of notes. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9620) Alexander Cherepanov discovered that file incorrectly handled certain long strings. 14 June 2018
  • USN-3685-1: Ruby vulnerabilities. Some of the CVEs were already addressed in previous USNs: 3439-1, 3553-1, 3528-1. Here we address them for the remaining releases. It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898) It was discovered that Ruby incorrectly handled certain files. 13 June 2018
  • USN-3684-2: Perl vulnerability. USN-3684-1 fixed a vulnerability in Perl. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Perl incorrectly handled certain archive files. An attacker could possibly use this to overwrite arbitrary files. 13 June 2018
  • USN-3684-1: Perl vulnerability. It was discovered that Perl incorrectly handled certain archive files. An attacker could possibly use this to overwrite arbitrary files. 13 June 2018
  • USN-3683-1: Bind vulnerability. Andrew Skalski discovered that Bind could incorrectly enable recursion when the “allow-recursion” setting wasn’t specified. This issue could improperly permit recursion to all clients, contrary to expectations. 13 June 2018
  • USN-3682-1: Firefox vulnerability. A heap buffer overflow was discovered in Skia. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service or execute arbitrary code. 12 June 2018
  • USN-3678-3: Linux kernel (Azure) vulnerabilities. Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted metadata in some situations. An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted. (CVE-2018-1092) 12 June 2018
  • USN-3681-1: ImageMagick vulnerabilities. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. 12 June 2018
  • USN-3680-1: libvirt vulnerability and update. Ken Johnson and Jann Horn independently discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via side-channel attacks. An attacker in the guest could use this to expose sensitive guest information, including kernel memory. 12 June 2018
  • USN-3679-1: QEMU update. Ken Johnson and Jann Horn independently discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via side-channel attacks. An attacker in the guest could use this to expose sensitive guest information, including kernel memory. 12 June 2018
  • USN-3678-2: Linux kernel (Azure) vulnerabilities. Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted metadata in some situations. An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted. 12 June 2018
  • USN-3678-1: Linux kernel vulnerabilities. Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted metadata in some situations. An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted. 12 June 2018
  • USN-3677-2: Linux kernel (HWE) vulnerabilities. USN-3677-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. It was discovered that the Netfilter subsystem of the Linux kernel did not properly validate ebtables offsets. 12 June 2018
  • USN-3676-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3676-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. 11 June 2018
  • USN-3677-1: Linux kernel vulnerabilities. It was discovered that the Netfilter subsystem of the Linux kernel did not properly validate ebtables offsets. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. 11 June 2018
  • USN-3676-1: Linux kernel vulnerabilities. Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted metadata in some situations. An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted. 11 June 2018
  • USN-3675-1: GnuPG vulnerabilities. Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the status of the cryptographic operation. 11 June 2018
  • USN-3674-2: Linux kernel (Trusty HWE) vulnerabilities. USN-3674-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. It was discovered that the netfilter subsystem of the Linux kernel did not properly validate ebtables offsets. 11 June 2018
  • USN-3674-1: Linux kernel vulnerabilities. It was discovered that the netfilter subsystem of the Linux kernel did not properly validate ebtables offsets. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. 11 June 2018
  • USN-3673-1: Unbound vulnerability. Ralph Dolmans and Karst Koymans discovered that Unbound did not properly handle certain NSEC records. An attacker could use this to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick Unbound into accepting a NODATA proof. 7 June 2018
  • USN-3672-1: Liblouis vulnerabilities. Henri Salo discovered that Liblouis incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code. 6 June 2018
  • USN-3671-1: Git vulnerabilities. Etienne Stalmans discovered that git did not properly validate git submodules files. A remote attacker could possibly use this to craft a git repo that causes arbitrary code execution when “git clone --recurse-submodules” is used. 5 June 2018
  • USN-3670-1: elfutils vulnerabilities. Agostino Sarubbo discovered that elfutils incorrectly handled certain malformed ELF files. If a user or automated system were tricked into processing a specially crafted ELF file, elfutils could be made to crash or consume resources, resulting in a denial of service. 5 June 2018
  • USN-3658-2: procps-ng vulnerabilities. USN-3658-1 fixed a vulnerability in procps-ng. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that libprocps incorrectly handled the file2strvec() function. A local attacker could possibly use this to execute arbitrary code. 5 June 2018
  • USN-3669-1: Liblouis vulnerabilities. It was discovered that Liblouis incorrectly handled certain files. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-11410) It was discovered that Liblouis incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code. 4 June 2018
  • USN-3664-2: Apport vulnerability. USN-3664-1 fixed a vulnerability in Apport. Sander Bos reported that Ubuntu 14.04 LTS was also vulnerable to this issue, but was incorrectly omitted from the previous updates. This update provides the corresponding update for Ubuntu 14.04 LTS. 4 June 2018
  • USN-3668-1: Exempi vulnerabilities. It was discovered that Exempi incorrectly handled certain media files. If a user or automated system were tricked into opening a specially crafted file, a remote attacker could cause Exempi to hang or crash, resulting in a denial of service, or possibly execute arbitrary code. 4 June 2018
  • USN-3667-1: libytnef vulnerabilities. It was discovered that libytnef incorrectly handled certain files. An attacker could possibly use this to cause a denial of service. (CVE-2017-12141, CVE-2017-9146, CVE-2017-9471, CVE-2017-9473) It was discovered that libytnef incorrectly handled certain files. An attacker could possibly use this to access sensitive information. 31 May 2018
  • USN-3666-1: Oslo middleware vulnerability. Divya K Konoor discovered Oslo middleware was vulnerable to an information disclosure. A local attacker could exploit this flaw to obtain sensitive information from OpenStack component error logs. 31 May 2018
  • USN-3665-1: Tomcat vulnerabilities. It was discovered that Tomcat incorrectly handled being configured with HTTP PUTs enabled. A remote attacker could use this issue to upload a JSP file to the server and execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. 30 May 2018
  • USN-3664-1: Apport vulnerability. Sander Bos discovered that Apport incorrectly handled core dumps when certain files are missing from /proc. A local attacker could possibly use this issue to cause a denial of service, gain root privileges, or escape from containers. 30 May 2018
  • USN-3663-1: HAProxy vulnerability. It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this to expose sensitive information. 30 May 2018