March came in like a lion, with fourteen security updates from Microsoft. After no updates last month, Apple let loose with six big ones, but Adobe came in with only one and other vendors issued average numbers of patches. All in all, this has been a fairly heavy patching month; IT pros will undoubtedly be hoping for a little relief. Will we get it? Well, you know what they say about April showers, so let’s hope we don’t find ourselves caught in a downpour.
Meanwhile, let’s take a look at the major fixes that were released in March.
Apple
Apple took the month off in February when it came to security updates, issuing none during that entire month. They’ve made up for it this month though, with six patches that encompass both their desktop and mobile operating systems as well as Apple TV. As of the date of this writing (March 29), Apple has released the following updates:
- On March 9, Apple released iOS 8.2 for the iPhone 4s and later, the fifth generation of iPod Touch and above, and the iPad 2 and up. This update addresses six different vulnerabilities in the following technologies: CoreTelephony, iCloud Keychain, IOSurface, MobileStorageMounter, Secure Transport (FREAK) and Springboard. Exploit impacts include remotely causing a device to restart unexpectedly, creation of folders in trusted locations in the file system, interception of SSL/TLS communications, viewing of the home screen even if the device is not activated, and execution of arbitrary code.
- On March 9, Apple released Apple TV 7.1 for the third generation and later of Apple TV. This update addresses three vulnerabilities in the Apple TV software that include the FREAK vulnerability that can allow interception of SSL/TLS communications via man-in-the-middle attacks, a problem with IOSurface’s handling of serialized objects that can result in arbitrary code execution, and an issue in the developer disk mounting logic that results in invalid disk image folders not being deleted.
- On March 9, Apple released Security Update 2015-002 for OS X Mountain Lion, Mavericks and Yosemite, which addresses four vulnerabilities in the desktop operating system. These include the FREAK vulnerability that may allow interception of SSL/TLS communications, the IOSurface problem with handling of serialized objects, an issue in IOAcceleratorFamily by which a malicious application might be able to execute arbitrary code with system privileges, and a kernel vulnerability by which maliciously crafted or compromised applications might be able to determine addresses in the kernel and aid in bypassing Address Space Layout Randomization (ASLR) security protections.
- On March 9, Apple also released Xcode 6.2 for OS X Mavericks 10.9.4 or later, which addresses five vulnerabilities. Four of the vulnerabilities are in Apache Subversion, and the patch updates Apache Subversion to version 1.7.19. The most serious of the vulnerabilities could allow an attacker with privileged position to spoof SSL servers with a crafted certificate. The fifth vulnerability is in Git, by which syncing with a malicious git repository could allow unexpected files to be added to the .git folder.
- On March 17, Apple released updates for Safari in OS X Mountain Lion, Mavericks and Yosemite, which address 17 vulnerabilities in the Apple desktop web browser. Sixteen of these are WebKit memory corruption issues by which visiting a maliciously crafted website could result in unexpected application termination or arbitrary code execution.
- On March 19, Apple released Security update 2015-003 for OS X Yosemite, which addresses one vulnerability each in iCloud Keychain and IOSurface, both of which could result in arbitrary code execution. The first is due to multiple buffer overflows in the handling of data during iCloud Keychain recovery and the second deals with a type confusion issue in IOSurface’s handling of serialized objects.
For more information about each of these updates and the vulnerabilities they address, see the Apple Support website at https://support.apple.com/en-us/HT1222
Adobe
Adobe issued only one security advisory and update thus far in March. APSB15-05 is an update for Adobe Flash Player that was released on March 12. It addresses eleven vulnerabilities in the Flash Player software for Windows, Macintosh and Linux.
This update has a priority rating of 1 for the Flash Player desktop runtime on Windows and Mac, for the Flash Player bundled with Google Chrome on Windows, Mac and Linux, and for the Flash Player bundled with Internet Explorer 10 and 11 on Windows 8 and 8.1, whilst the priority rating is 3 for Flash Player v11.2.202.442 and earlier on Linux. The severity rating is critical.
The vulnerabilities include memory corruption and type confusion vulnerabilities that could lead to code execution, an integer overflow vulnerability and use-after-free vulnerabilities that also could result in code execution, a vulnerability that could lead to a cross-domain policy bypass, and a vulnerability that could lead to a file upload restriction bypass.
Google
The most recent stable channel update for Chrome OS was released on March 24 and is version 41.0.2272.102 (Platform version 6680.78.0). It contains an update for Adobe Flash that includes security updates.
The most recent stable channel update for the Chrome web browser for Windows, Mac and Linux was released on March 19.
Chrome v41, released March 5, fixed 51 security vulnerabilities, 12 of which were rated as high impact.
Oracle
Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. Oracle released one update in January and the next expected update release will be April 14.
Mozilla
Mozilla released two security advisories this month, on March 20:
- MFSA 2015-29 addresses a code execution vulnerability, fixed in Firefox 36.0.3, Firefox ESR 31.5.2 and SeaMonkey 2.33.1, that stems from a flaw in the implementation of typed array bounds checking in JavaScript just-in-time (JIT) compilation. An attacker could exploit the flaw to read and write arbitrary memory and execute code.
- MFSA 2015-28 addresses a privilege escalation vulnerability, fixed in Firefox 36.0.4, Firefox ESR 31.5.3 and SeaMonkey 2.33.1, that can be exploited to run arbitrary scripts in a privileged context and bypass same-origin policy protections through a flaw in the processing of SVG format content navigation.
Linux
Popular Linux distros, as usual, have already seen a number of security advisories and updates this month. Ubuntu has issued 35 updates as of March 29, many of which address multiple vulnerabilities. Other commercial Linux vendors issued similar advisories.
USN-2549-1: libarchive vulnerabilities – 25th March 2015
It was discovered that the libarchive bsdcpio utility extracted absolute paths by default without requiring the --insecure flag, contrary to expectations. If a user or automated system were tricked into extracting cpio archives containing absolute paths, a remote attacker may be able to write to arbitrary files.
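The check that bsdcpio's fix amounts to, as an added example that is not libarchive's code: refusing archive entry names that are absolute or that climb out of the destination directory before anything is written, in Python over a constructed archive. tarfile stands in for cpio because the standard library has no cpio writer; the rule on entry names is the same for both formats. The entry names and contents are made up for the illustration.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def is_safe_member_name(name: str) -> bool:
    """True only for relative names that cannot leave the extraction directory."""
    if not name or name.startswith(("/", "\\")):
        return False                      # absolute path, e.g. /etc/cron.d/evil
    if len(name) > 1 and name[1] == ":":
        return False                      # drive-letter path, e.g. C:\...
    parts = posixpath.normpath(name).split("/")
    return ".." not in parts              # traversal, e.g. ../../etc/passwd


def build_archive(entries):
    """Constructed test archive; names are written verbatim, as a hostile tool would."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest: str):
    """Extract regular files, refusing (not rewriting) entries with unsafe names."""
    extracted, rejected = [], []
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not is_safe_member_name(member.name):
                rejected.append(member.name)
                continue
            target = os.path.realpath(os.path.join(root, member.name))
            if not target.startswith(root + os.sep):
                rejected.append(member.name)   # second check after path resolution
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(member.name)
    return extracted, rejected


def demo():
    """Run a hostile archive through safe_extract in a scratch directory."""
    archive = build_archive([
        ("good/a.txt", b"harmless"),
        ("/etc/cron.d/evil", b"* * * * * root /tmp/x"),   # absolute path
        ("../escape.txt", b"outside"),                     # parent traversal
    ])
    dest = tempfile.mkdtemp()
    extracted, rejected = safe_extract(archive, dest)
    with open(os.path.join(dest, "good", "a.txt"), "rb") as fh:
        content = fh.read()
    return extracted, rejected, content
```

Rejecting rather than stripping the leading slash is deliberate: an archive that names /etc/cron.d/evil is hostile, and silently relocating the entry under the destination hides that from whoever is running the automated system.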
USN-2548-1: Batik vulnerability – 25th March 2015
Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption.
USN-2547-1: Mono vulnerabilities – 24th March 2015
It was discovered that the Mono TLS implementation was vulnerable to the SKIP-TLS vulnerability. A remote attacker could possibly use this issue to perform client impersonation attacks. (CVE-2015-2318) It was discovered that the Mono TLS implementation was vulnerable to the FREAK vulnerability.
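What skipping a handshake message buys an attacker, as an added example that is not Mono's code: a toy server-side TLS handshake receiver in Python, once as a dispatch-on-message-type handler and once as an explicit state machine. The server has asked for client authentication; an attacker who replays alice's public certificate and omits CertificateVerify (which needs alice's private key) is accepted as alice by the first and rejected by the second. Message names follow TLS 1.2; the transcript, key material and HMAC-based signature stand-in are constructed for the demo, and with a real signature scheme the server would hold only alice's public key.

```python
import hashlib
import hmac
from enum import Enum, auto


class Msg(Enum):
    CERTIFICATE = auto()
    CLIENT_KEY_EXCHANGE = auto()
    CERTIFICATE_VERIFY = auto()
    CHANGE_CIPHER_SPEC = auto()
    FINISHED = auto()


class HandshakeError(Exception):
    pass


TRANSCRIPT = b"handshake-messages-so-far"            # constructed stand-in
TRUSTED_KEYS = {"alice": b"alice-signing-key"}      # stand-in for alice's key (HMAC, not RSA)
ALICE_CERT = {"subject": "alice"}                     # public; anyone can send it


def sign_certificate_verify(signing_key: bytes) -> bytes:
    """What a legitimate client does with its private key."""
    return hmac.new(signing_key, TRANSCRIPT, hashlib.sha256).digest()


def verify_certificate_verify(cert, signature) -> bool:
    if cert is None or signature is None:
        return False
    expected = sign_certificate_verify(TRUSTED_KEYS[cert["subject"]])
    return hmac.compare_digest(expected, signature)


class VulnerableServer:
    """Dispatches on message type alone; never checks what came before."""
    def __init__(self):
        self.client_cert = None
        self.authenticated_as = None

    def receive(self, msg, payload=None):
        if msg is Msg.CERTIFICATE:
            self.client_cert = payload
        elif msg is Msg.CERTIFICATE_VERIFY:
            if not verify_certificate_verify(self.client_cert, payload):
                raise HandshakeError("bad CertificateVerify")
        elif msg is Msg.FINISHED:
            # Flaw: a presented certificate is taken as proof of identity,
            # whether or not a valid CertificateVerify was ever received.
            if self.client_cert is not None:
                self.authenticated_as = self.client_cert["subject"]


class StrictServer:
    """Accepts a message only if it is the one the state machine expects next."""
    EXPECTED = {
        "wait_cert": {Msg.CERTIFICATE},
        "wait_cke": {Msg.CLIENT_KEY_EXCHANGE},
        "wait_cv": {Msg.CERTIFICATE_VERIFY},
        "wait_ccs": {Msg.CHANGE_CIPHER_SPEC},
        "wait_fin": {Msg.FINISHED},
        "done": set(),
    }

    def __init__(self):
        self.state = "wait_cert"
        self.client_cert = None
        self.authenticated_as = None

    def receive(self, msg, payload=None):
        if msg not in self.EXPECTED[self.state]:
            raise HandshakeError(f"unexpected {msg.name} in state {self.state}")
        if msg is Msg.CERTIFICATE:
            self.client_cert = payload
            self.state = "wait_cke"
        elif msg is Msg.CLIENT_KEY_EXCHANGE:
            # CertificateVerify is mandatory exactly when a certificate was sent.
            self.state = "wait_cv" if self.client_cert else "wait_ccs"
        elif msg is Msg.CERTIFICATE_VERIFY:
            if not verify_certificate_verify(self.client_cert, payload):
                raise HandshakeError("bad CertificateVerify")
            self.state = "wait_ccs"
        elif msg is Msg.CHANGE_CIPHER_SPEC:
            self.state = "wait_fin"
        elif msg is Msg.FINISHED:
            self.authenticated_as = self.client_cert["subject"] if self.client_cert else "anonymous"
            self.state = "done"


def run_handshake(server, flow):
    """Feed a message sequence; return (authenticated_as, error text or None)."""
    for msg, payload in flow:
        try:
            server.receive(msg, payload)
        except HandshakeError as exc:
            return server.authenticated_as, str(exc)
    return server.authenticated_as, None


# Attacker: alice's public certificate, no CertificateVerify (cannot be forged).
SKIP_FLOW = [
    (Msg.CERTIFICATE, ALICE_CERT),
    (Msg.CLIENT_KEY_EXCHANGE, None),
    (Msg.CHANGE_CIPHER_SPEC, None),
    (Msg.FINISHED, None),
]

# Legitimate alice: the same messages with CertificateVerify in its place.
HONEST_FLOW = [
    (Msg.CERTIFICATE, ALICE_CERT),
    (Msg.CLIENT_KEY_EXCHANGE, None),
    (Msg.CERTIFICATE_VERIFY, sign_certificate_verify(TRUSTED_KEYS["alice"])),
    (Msg.CHANGE_CIPHER_SPEC, None),
    (Msg.FINISHED, None),
]
```

The Finished MAC does not help the vulnerable server here: with RSA key exchange the client chooses the premaster secret, so the attacker can compute a valid Finished; only CertificateVerify ties the handshake to the certificate's private key, which is why the strict server refuses to move past wait_cv without it.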
USN-2546-1: Linux kernel vulnerabilities – 24th March 2015
A flaw was discovered in the automatic loading of modules in the crypto subsystem of the Linux kernel. A local user could exploit this flaw to load installed kernel modules, increasing the attack surface and potentially using this to gain administrative privileges.
USN-2545-1: Linux kernel (Utopic HWE) vulnerabilities – 24th March 2015
A flaw was discovered in the automatic loading of modules in the crypto subsystem of the Linux kernel. A local user could exploit this flaw to load installed kernel modules, increasing the attack surface and potentially using this to gain administrative privileges.
USN-2544-1: Linux kernel vulnerabilities – 24th March 2015
Eric Windisch discovered a flaw in how the Linux kernel's XFS file system replaces remote attributes. A local attacker with access to an XFS file system could exploit this flaw to escalate their privileges.
USN-2543-1: Linux kernel (Trusty HWE) vulnerabilities – 24th March 2015
Eric Windisch discovered a flaw in how the Linux kernel's XFS file system replaces remote attributes. A local attacker with access to an XFS file system could exploit this flaw to escalate their privileges.
USN-2542-1: Linux kernel (OMAP4) vulnerabilities – 24th March 2015
The Linux kernel’s splice system call did not correctly validate its parameters. A local, unprivileged user could exploit this flaw to cause a denial of service (system crash).
USN-2541-1: Linux kernel vulnerabilities – 24th March 2015
The Linux kernel’s splice system call did not correctly validate its parameters. A local, unprivileged user could exploit this flaw to cause a denial of service (system crash).
USN-2540-1: GnuTLS vulnerabilities – 23rd March 2015
It was discovered that GnuTLS did not perform date and time checks on CA certificates, contrary to expectations. This issue only affected Ubuntu 10.04 LTS.
USN-2539-1: Django vulnerabilities – 23rd March 2015
Andrey Babak discovered that Django incorrectly handled strip_tags. A remote attacker could possibly use this issue to cause Django to enter an infinite loop, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
USN-2538-1: Firefox vulnerabilities – 22nd March 2015
A flaw was discovered in the implementation of typed array bounds checking in the JavaScript just-in-time compilation. If a user were tricked into opening a specially crafted website, an attacker could exploit this to execute arbitrary code with the privileges of the user invoking Firefox.
USN-2537-1: OpenSSL vulnerabilities – 19th March 2015
It was discovered that OpenSSL incorrectly handled malformed EC private key files. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code.
USN-2536-1: libXfont vulnerabilities – 18th March 2015
Ilja van Sprundel, Alan Coopersmith, and William Robinet discovered that libXfont incorrectly handled malformed bdf fonts. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges.
USN-2535-1: PHP vulnerabilities – 18th March 2015
Thomas Jarosch discovered that PHP incorrectly limited recursion in the fileinfo extension. A remote attacker could possibly use this issue to cause PHP to consume resources or crash, resulting in a denial of service.
USN-2534-1: Libav vulnerabilities – 17th March 2015
It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.
USN-2532-1: cups-filters vulnerability – 16th March 2015
It was discovered that cups-browsed incorrectly filtered remote printer names and strings. A remote attacker could use this issue to possibly execute arbitrary commands.
USN-2533-1: Sudo vulnerability – 16th March 2015
Jakub Wilk and Stephane Chazelas discovered that Sudo incorrectly handled the TZ environment variable. An attacker with Sudo access could possibly use this issue to open arbitrary files, bypassing intended permissions.
USN-2531-1: Requests vulnerability – 16th March 2015
Matthew Daley discovered that Requests incorrectly handled cookies without host values when being redirected. A remote attacker could possibly use this issue to perform session fixation or cookie stealing attacks.
USN-2530-1: Linux kernel vulnerability – 12th March 2015
It was discovered that the Linux kernel’s Infiniband subsystem did not properly sanitize its input parameters while registering memory regions from userspace. A local user could exploit this flaw to cause a denial of service (system crash) or to potentially gain administrative privileges.
USN-2529-1: Linux kernel (Utopic HWE) vulnerability – 12th March 2015
It was discovered that the Linux kernel’s Infiniband subsystem did not properly sanitize its input parameters while registering memory regions from userspace. A local user could exploit this flaw to cause a denial of service (system crash) or to potentially gain administrative privileges.
USN-2528-1: Linux kernel vulnerability – 12th March 2015
It was discovered that the Linux kernel’s Infiniband subsystem did not properly sanitize its input parameters while registering memory regions from userspace. A local user could exploit this flaw to cause a denial of service (system crash) or to potentially gain administrative privileges.
USN-2527-1: Linux kernel (Trusty HWE) vulnerability – 12th March 2015
It was discovered that the Linux kernel’s Infiniband subsystem did not properly sanitize its input parameters while registering memory regions from userspace. A local user could exploit this flaw to cause a denial of service (system crash) or to potentially gain administrative privileges.
USN-2526-1: Linux kernel vulnerability – 12th March 2015
It was discovered that the Linux kernel’s Infiniband subsystem did not properly sanitize its input parameters while registering memory regions from userspace. A local user could exploit this flaw to cause a denial of service (system crash) or to potentially gain administrative privileges.
USN-2525-1: Linux kernel vulnerability – 12th March 2015
It was discovered that the Linux kernel’s Infiniband subsystem did not properly sanitize its input parameters while registering memory regions from userspace. A local user could exploit this flaw to cause a denial of service (system crash) or to potentially gain administrative privileges.
USN-2524-1: eCryptfs vulnerability – 10th March 2015
Sylvain Pelissier discovered that eCryptfs did not generate a random salt when encrypting the mount passphrase with the login password. An attacker could use this issue to discover the login password used to protect the mount passphrase and gain unintended access to the encrypted files.
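Why a constant salt matters here, as an added example that is not ecryptfs-utils code: a simplified model in Python of wrapping a mount passphrase under a login password, with the pre-fix fixed salt beside the post-fix random salt, and the precomputed table that the fixed salt lets an attacker build once and reuse against every stolen wrapped-passphrase file. The KDF, wrap and key signature are stand-ins (PBKDF2-HMAC-SHA512, XOR, truncated SHA-256) for what eCryptfs actually does; the salt constant, wordlist and round count are constructed for the demo.

```python
import hashlib
import secrets

# Simplified model, not eCryptfs's file format or KDF. The on-disk blob is
# salt || signature(kek) || (passphrase XOR kek); the signature lets the
# unwrap routine recognise the right password, and it is also what an
# attacker with the file can test guesses against.
FIXED_SALT = b"\x00\x11\x22\x33\x44\x55\x66\x77"   # illustrative constant
ROUNDS = 2000                                     # low for the demo
SALT_LEN, SIG_LEN = 8, 8


def derive_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ROUNDS, dklen=32)


def key_signature(kek: bytes) -> bytes:
    return hashlib.sha256(kek).digest()[:SIG_LEN]


def wrap(mount_passphrase: bytes, password: str, salt: bytes) -> bytes:
    if len(mount_passphrase) != 32 or len(salt) != SALT_LEN:
        raise ValueError("32-byte passphrase and 8-byte salt expected")
    kek = derive_kek(password, salt)
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, kek))
    return salt + key_signature(kek) + ct


def unwrap(blob: bytes, password: str) -> bytes:
    salt = blob[:SALT_LEN]
    sig = blob[SALT_LEN:SALT_LEN + SIG_LEN]
    ct = blob[SALT_LEN + SIG_LEN:]
    kek = derive_kek(password, salt)
    if key_signature(kek) != sig:
        raise ValueError("wrong login password")
    return bytes(a ^ b for a, b in zip(ct, kek))


def wrap_fixed_salt(mount_passphrase: bytes, password: str) -> bytes:
    """Pre-fix behaviour: every user's file is salted identically."""
    return wrap(mount_passphrase, password, FIXED_SALT)


def wrap_random_salt(mount_passphrase: bytes, password: str) -> bytes:
    """Post-fix behaviour: a fresh salt per file, stored alongside the blob."""
    return wrap(mount_passphrase, password, secrets.token_bytes(SALT_LEN))


def precompute_table(wordlist, salt: bytes) -> dict:
    """Attacker's one-off work for a known salt: signature -> password."""
    return {key_signature(derive_kek(pw, salt)): pw for pw in wordlist}


def lookup_password(blob: bytes, table: dict):
    """Recover the login password from a stolen blob with no further hashing."""
    return table.get(blob[SALT_LEN:SALT_LEN + SIG_LEN])


def wrong_password_rejected(blob: bytes, password: str) -> bool:
    try:
        unwrap(blob, password)
    except ValueError:
        return True
    return False


WORDLIST = ["letmein", "hunter2", "correct horse", "Tr0ub4dor&3"]   # constructed


def demo() -> dict:
    mount_passphrase = secrets.token_bytes(32)
    table = precompute_table(WORDLIST, FIXED_SALT)   # built once, reused on any victim
    fixed = wrap_fixed_salt(mount_passphrase, "hunter2")
    salted = wrap_random_salt(mount_passphrase, "hunter2")
    return {
        "fixed_salt_recovered": lookup_password(fixed, table),
        "random_salt_recovered": lookup_password(salted, table),
        "roundtrip_ok": unwrap(salted, "hunter2") == mount_passphrase,
    }
```

With the fixed salt the per-guess cost is paid once for all victims, so the login password falls to a table lookup; with a random salt the attacker must redo the full key derivation for every guess against every file, which is the whole point of salting a password-derived key.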
USN-2522-3: ICU vulnerabilities – 10th March 2015
USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font patches caused a regression when using LibreOffice Calc. The patches have now been updated to fix the regression. We apologize for the inconvenience.
USN-2521-1: Oxide vulnerabilities – 10th March 2015
Several out-of-bounds write bugs were discovered in Skia. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program.
USN-2523-1: Apache HTTP Server vulnerabilities – 10th March 2015
Martin Holst Swende discovered that the mod_headers module allowed HTTP trailers to replace HTTP headers during request processing. A remote attacker could possibly use this issue to bypass RequestHeaders directives.
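How a trailer slips past a header filter, as an added example that is not from the Ubuntu or Apache advisory: a minimal chunked-request parser in Python over a constructed request, with the equivalent of a RequestHeader unset applied to the header block as mod_headers does, and then the headers the application sees under the two behaviours. The request, hostname and X-Admin header are made up for the illustration; the hardened case corresponds to the fixed Apache's MergeTrailers directive in its default off setting, which keeps trailers out of the request header table.

```python
# Constructed request: the client declares a trailer and sends X-Admin after the
# last chunk, after a filter that ran on the header block has already finished.
RAW_REQUEST = (
    b"POST /admin/action HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Admin\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Admin: true\r\n"
    b"\r\n"
)


def parse_header_block(block: bytes) -> dict:
    """Header lines -> {lowercased name: value}; a later duplicate wins, as in a merge."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line.strip():
            continue
        name, _, value = line.partition(b":")
        headers[name.decode("ascii").strip().lower()] = value.decode("ascii").strip()
    return headers


def parse_chunked_request(raw: bytes):
    """Return (request line, headers, decoded body, trailers) for a chunked request."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_header_block(header_block)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        raise ValueError("only chunked bodies are handled here")
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # chunk-size, ignoring extensions
        if size == 0:
            break                                  # last-chunk; trailers follow
        body += rest[:size]
        rest = rest[size + 2:]                     # skip chunk-data and its CRLF
    trailer_block, _, _ = rest.partition(b"\r\n\r\n")
    return request_line.decode("ascii"), headers, body, parse_header_block(trailer_block)


def request_header_unset(headers: dict, name: str) -> dict:
    """Equivalent of 'RequestHeader unset <name>', applied to the header block only."""
    headers.pop(name.lower(), None)
    return headers


def effective_headers(raw: bytes, merge_trailers: bool) -> dict:
    """Headers the application sees. merge_trailers=True reproduces the pre-fix
    behaviour; False keeps trailers separate, as the fixed server does by default."""
    _, headers, _, trailers = parse_chunked_request(raw)
    request_header_unset(headers, "X-Admin")   # the filter runs before trailers arrive
    if merge_trailers:
        headers.update(trailers)               # the trailer silently re-injects X-Admin
    return headers
```

The bypass needs no malformed input: the request is well-formed HTTP/1.1, and the only mistake is merging two header blocks that were subject to different checks. If an application must read trailers, it should read them from a separate structure and apply its own policy to them.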
USN-2505-2: Firefox regression – 9th March 2015
USN-2505-1 fixed vulnerabilities in Firefox. That update removed the deprecated "-remote" command-line switch that some older software still depends on. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Matthew Noorenberghe discovered that whitelisted Mozilla domains could make UITour API calls from background tabs.
USN-2522-2: ICU regression – 6th March 2015
USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font patches caused a regression when using LibreOffice Calc. The patches have been temporarily backed out until the regression is investigated. We apologize for the inconvenience.
USN-2522-1: ICU vulnerabilities – 5th March 2015
It was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 12.04 LTS.
USN-2516-3: Linux kernel vulnerabilities regression – 4th March 2015
USN-2516-1 fixed vulnerabilities in the Linux kernel, and the fix in USN-2516-2 was incomplete. There was an unrelated regression in the use of the virtual counter (CNTVCT) on arm64 architectures. This update fixes the problem. We apologize for the inconvenience.
USN-2515-2: Linux kernel (Trusty HWE) vulnerabilities regression – 4th March 2015
USN-2515-1 fixed vulnerabilities in the Linux kernel. There was an unrelated regression in the use of the virtual counter (CNTVCT) on arm64 architectures. This update fixes the problem. We apologize for the inconvenience.
USN-2506-1: Thunderbird vulnerabilities – 3rd March 2015
Armin Razmdjou discovered that contents of locally readable files could be made available via manipulation of form autocomplete in some circumstances. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to obtain sensitive information.