The month of March is one traditionally full of hope, activity and new beginnings. Whether you go by the meteorological or the astronomical date, the first day of spring falls in this month if you live in the northern hemisphere. Of course, if you’re “down under,” it marks the start of autumn. No matter which half of the world you inhabit, though, this March was a busy one for IT security professionals.

Vulnerabilities and exploits such as the DROWN SSL vulnerability and rumors of Badlock (supposedly to be disclosed on April 12) dominated tech news headlines. Apple issued their largest number of patches for the year. Oracle, which usually only issues security updates on a quarterly basis, with the next due in April, put out an out-of-band fix for Java.

And despite all the patches, data breaches continued to hit, affecting businesses, government agencies and individuals. The healthcare industry saw large and small breaches with a stolen laptop potentially exposing the data of 200,000 patients, a cancer center in Detroit losing a flash drive that contained patient info, and MedStar Health in Washington, D.C. shutting down due to ransomware in the wake of a similar ransomware attack on a Los Angeles hospital in February.  Meanwhile, the federal government is preparing to start “phase two” HIPAA compliance audits, putting added pressure on the healthcare sector to step up their security.  As for the government itself, a report was released showing more than 300 security incidents involving the “Obamacare” HealthCare.gov website.

Other types of businesses are being targeted, as well. Verizon suffered a breach affecting its business customers. American Express notified cardholders of a third party breach that might have exposed their data. While patching alone isn’t enough to ensure protection from hackers and attackers, it’s an important first step – and using an unpatched version of SSLv2 was a major factor in the proliferation of the DROWN exploit.

That said, let’s take a look at this month’s patches from major third party security vendors.

Apple

After releasing only a single update in February, Apple more than made up for it this month with a slate of eight patches, the largest number it’s issued since last December.

  • On March 9, Apple released Apple Software Update 2.2 for Windows 7 and later, which addresses a vulnerability caused by the contents of the updates window being retrieved from the network over an unprotected HTTP connection. The fix causes HTTPS to be used instead.

The following updates were all released on March 21:

  • iOS v9.3 for iPhone 4S and above, iPod Touch gen5 and iPad 2 and above addresses 39 separate vulnerabilities in the following components: AppleUSBNetworking, FontParser, HTTPProtocol, IOHIDFamily, LaunchServices, libxml2, Messages, Profiles, Security, TrueTypeScaler, WebKit, Wi-Fi and multiple vulnerabilities in the OS kernel. This is a critical update, with many of the vulnerabilities capable of being exploited to execute arbitrary code.
  • watchOS 2.2 for Apple Watch (all editions) addresses 34 vulnerabilities, many of the same ones that are fixed in iOS as noted above, in the same OS components. Many are memory corruption issues that can lead to arbitrary code execution, making this a critical update.
  • tvOS 9.2 for Apple TV gen4 addresses 23 vulnerabilities, many of the same ones that are fixed in iOS and watchOS as noted above, in the same components. Many are memory corruption issues that can lead to arbitrary code execution, making this a critical update.
  • Xcode 7.3 for OS X El Capitan and later addresses three critical vulnerabilities in the otool and subversion components of OS X v10.11 and later, which could be exploited to accomplish remote code execution.
  • OS X El Capitan v10.11.4 and Security Update 2016-002 for OS X Mavericks, Yosemite and El Capitan v10.11 through v10.11.3 address 59 vulnerabilities, some of which are the same as those addressed in iOS, watchOS and tvOS as noted above, along with additional vulnerabilities in Apache_mod_php, AppleRAID, Bluetooth, Carbon, the Intel Graphics Driver, IOFireWireFamily, IOGraphics, NVIDIA Graphics Drivers, OpenSSH, OpenSSL, Python, QuickTime, Reminder, Ruby and Tcl. Many of these are exploitable to accomplish arbitrary code execution, making this a critical update.
  • Safari 9.1 for OS X Mavericks, Yosemite, and El Capitan addresses 11 vulnerabilities in Apple’s web browser on its desktop operating systems, with impacts that include allowing web sites to track sensitive user information, user interface spoofing, Denial of Service (DoS), access to restricted ports, disclosure of a user’s current location, exfiltration of data cross-origin, unexpected browser crash, and most important, arbitrary code execution, making this a critical update.
  • OS X Server 5.1 for OS X El Capitan v10.11.4 addresses 4 vulnerabilities in the following components: Server App, Web Server, and Wiki Server, which could lead to leakage of sensitive information or allow an attacker to exploit weaknesses in the RC4 encryption algorithm.

For more information about each of these patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222.

Adobe

Adobe released three updates this month. One was released on March 8, Patch Tuesday (Adobe’s usual update release date) with another released prior to that and a third released after.

  • On March 3, Adobe released APSB16-09 for Adobe Acrobat and Reader software, running on Windows and Mac OS X. This applies to Acrobat DC and XI and Reader DC and XI, continuous, classic and desktop tracks. The update addresses two memory corruption vulnerabilities that could lead to code execution and one vulnerability in the directory search path that also could lead to code execution, so this is a critical update. The priority rating is 2 for all products on all operating systems.
  • On March 8, Adobe released APSB16-06 for Adobe Digital Editions (ADE) 4.5.0 and earlier. This is Adobe’s ebook reader software that runs on Windows, Mac OS X, iOS and Android. It addresses one memory corruption vulnerability that could be exploited to accomplish code execution and thus is rated critical; however, priority rating is 3 on all affected operating systems.
  • On March 10, Adobe released APSB16-08 for Adobe Flash Player running on Windows, Mac OS X, Linux, ChromeOS, iOS and Android. This update addresses 23 vulnerabilities that include critical vulnerabilities that can be exploited to execute code and take over control of a system. Vulnerability types include use-after-free, heap overflow and memory corruption. Priority is rated at 1 for Windows, Mac, Linux, and ChromeOS, including Windows 8.1 and 10. It’s rated 3 for AIR runtime and SDK on all operating systems.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

On March 8, Google released Chrome web browser version 49.0.2623.87, which includes three important security fixes: a type confusion vulnerability in Blink (the rendering engine), a use-after-free vulnerability, also in Blink, that causes a memory corruption issue which could be exploited to execute code remotely, and an out-of-bounds write issue in the PDF rendering engine. All three vulnerabilities were rated High severity.

On March 24, another update was released that fixed four more high severity vulnerabilities: an out-of-bounds read in V8, a use-after-free issue in Navigation, a use-after-free issue in Extensions and a buffer overflow in libANGLE. In addition, fixes were included for various security bugs and multiple vulnerabilities in V8.

The latest stable channel update is v49.0.2623.110 for Windows, Mac OS X and Linux, which includes these fixes.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  The next regular update cycle is scheduled for April 15. However, this month Oracle released an out-of-band patch for Java.

On March 24, the new version of Java v8 was released to address a single critical vulnerability that had been publicly disclosed earlier in the month. The vulnerability affects Java SE running in web browsers on desktop operating systems, including Windows, Mac OS X, Linux and Solaris and it is remotely exploitable without authentication. Oracle recommends that affected customers apply the update as soon as possible.

http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html

Mozilla

On March 8, Mozilla released Firefox v45, which includes 23 security fixes. Nine of the vulnerabilities are rated as critical (highest severity). Seven are rated high severity, six are moderate and the remaining one is considered low severity. The critical vulnerabilities include a couple of font vulnerabilities, several use-after-free types, a buffer overflow, an out-of-bounds read issue and miscellaneous memory safety hazards.

For more information about all of these vulnerabilities and fixes, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (March 29th), Ubuntu has issued 36 security advisories. Many of them address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2943-1: PCRE vulnerabilities – March 29

It was discovered that PCRE incorrectly handled certain regular expressions. A remote attacker could use this issue to cause applications using PCRE to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2942-1: OpenJDK 7 vulnerability – March 24

A vulnerability was discovered in the JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2941-1: Quagga vulnerabilities – March 24

Kostya Kortchinsky discovered that Quagga incorrectly handled certain route data when configured with BGP peers enabled for VPNv4. A remote attacker could use this issue to cause Quagga to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2939-1: LibTIFF vulnerabilities – March 23

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

USN-2938-1: Git vulnerabilities – March 21

Laël Cellier discovered that Git incorrectly handled path strings in crafted Git repositories. A remote attacker could use this issue to cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking Git. (CVE-2016-2315, CVE-2016-2324)

USN-2937-1: WebKitGTK+ vulnerabilities – March 21

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

USN-2935-3: PAM regression – March 17

USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. USN-2935-2 intended to fix the problem but was incomplete for Ubuntu 12.04 LTS. This update fixes the problem in Ubuntu 12.04 LTS. We apologize for the inconvenience.

USN-2935-2: PAM regression – March 16

USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords.

USN-2935-1: PAM vulnerabilities – March 16

It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

USN-2930-3: Linux kernel (Raspberry Pi 2) vulnerabilities – March 16

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2933-1: Exim vulnerabilities – March 15

It was discovered that Exim incorrectly filtered environment variables when used with the perl_startup configuration option. If the perl_startup option was enabled, a local attacker could use this issue to escalate their privileges to the root user. This issue has been fixed by having Exim clean the complete execution environment.

USN-2932-1: Linux kernel (Vivid HWE) vulnerabilities – March 14

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2929-1: Linux kernel vulnerabilities – March 14

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2929-2: Linux kernel (Trusty HWE) vulnerabilities – March 14

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2931-1: Linux kernel (Utopic HWE) vulnerabilities – March 14

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2930-2: Linux kernel (Wily HWE) vulnerabilities – March 14

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2930-1: Linux kernel vulnerabilities – March 14

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2928-2: Linux kernel (OMAP4) vulnerability – March 14

Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly performed a double-free. A local attacker with physical access could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2928-1: Linux kernel vulnerability – March 14

Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly performed a double-free. A local attacker with physical access could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2927-1: graphite2 vulnerabilities – March 14

It was discovered that graphite2 incorrectly handled certain malformed fonts. If a user or automated system were tricked into opening a specially crafted font file, a remote attacker could use this issue to cause graphite2 to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2920-1: Oxide vulnerabilities – March 10

It was discovered that the ContainerNode::parserRemoveChild function in Blink mishandled widget updates in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions.

USN-2926-1: OTR vulnerability – March 10

Markus Vervier discovered that OTR incorrectly handled large incoming messages. A remote attacker could use this issue to cause OTR to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2925-1: Bind vulnerabilities – March 9

It was discovered that Bind incorrectly handled input received by the rndc control channel. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2016-1285) It was discovered that Bind incorrectly parsed resource record signatures for DNAME resource records.

USN-2924-1: NSS vulnerability – March 9

Francis Gabriel discovered that NSS incorrectly handled decoding certain ASN.1 data. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2917-1: Firefox vulnerabilities – March 9

Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.

USN-2923-1: BeanShell vulnerability – March 8

Alvaro Muñoz and Christian Schneider discovered that BeanShell incorrectly handled deserialization. A remote attacker could possibly use this issue to execute arbitrary code.

USN-2922-1: Samba vulnerabilities – March 8

Jeremy Allison discovered that Samba incorrectly handled ACLs on symlink paths. A remote attacker could use this issue to overwrite the ownership of ACLs using symlinks. (CVE-2015-7560) Garming Sam and Douglas Bagnall discovered that the Samba internal DNS server incorrectly handled certain DNS TXT records.

USN-2904-1: Thunderbird vulnerabilities – March 8

Karthikeyan Bhargavan and Gaetan Leurent discovered that NSS incorrectly allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2015-7575) Yves Younan discovered that graphite2 incorrectly handled certain malformed fonts.

USN-2915-3: Django regression – March 7

USN-2915-1 fixed vulnerabilities in Django. The upstream fix for CVE-2016-2512 introduced a regression for certain applications. This update fixes the problem by applying the complete upstream regression fix. Original advisory details: Mark Striemer discovered that Django incorrectly handled user-supplied redirect URLs containing basic authentication credentials.

USN-2921-1: Squid vulnerabilities – March 7

Sebastian Krahmer discovered that Squid incorrectly handled certain SNMP requests. If SNMP is enabled, a remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-6270) Alex Rousskov discovered that Squid incorrectly handled certain malformed responses.

USN-2915-2: Django regression – March 7

USN-2915-1 fixed vulnerabilities in Django. The upstream fix for CVE-2016-2512 introduced a regression for certain applications. This update fixes the problem. Original advisory details: Mark Striemer discovered that Django incorrectly handled user-supplied redirect URLs containing basic authentication credentials.

USN-2919-1: JasPer vulnerabilities – March 3

Jacob Baines discovered that JasPer incorrectly handled ICC color profiles in JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash or possibly execute arbitrary code with user privileges.

USN-2918-1: pixman vulnerability – March 3

Vincent LE GARREC discovered an integer underflow in pixman. If a user were tricked into opening a specially crafted file, a remote attacker could cause pixman to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2916-1: Perl vulnerabilities – March 2

It was discovered that Perl incorrectly handled certain regular expressions with an invalid backreference. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2915-1: Django vulnerabilities – March 1

Mark Striemer discovered that Django incorrectly handled user-supplied redirect URLs containing basic authentication credentials. A remote attacker could possibly use this issue to perform a cross-site scripting attack or a malicious redirect. (CVE-2016-2512) Sjoerd Job Postmus discovered that Django incorrectly handled timing when doing password hashing operations.
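The Django issue summarised above (USN-2915-1 and its two regression follow-ups) turns on how a redirect-target check parses a URL that carries basic-auth credentials. The function below is an added example written for this roundup, not Django's own code: it validates a "redirect after login" target against one allowed host, refusing credentials, scheme-relative and control-character forms, and checking the URL both as written and with backslashes rewritten to slashes, because browser families disagree on whether a backslash ends the host. The host name mysite.example.com and the sample URLs are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def _safe_in_one_spelling(url: str, allowed_host: str) -> bool:
    """Check a single spelling of the URL, as one browser family would read it."""
    # Some browsers read any URL beginning with three slashes as absolute while
    # urlparse does not, so the two would disagree about the host. Refuse it.
    if url.startswith("///"):
        return False
    try:
        parts = urlparse(url)
    except ValueError:
        # e.g. a malformed IPv6 literal; an unparsable target is never safe
        return False
    # "http:///host" has a scheme but no authority for urlparse, yet browsers
    # still extract a host from it. Refuse the ambiguity.
    if parts.scheme and not parts.netloc:
        return False
    # Basic-auth credentials have no legitimate place in a redirect target, and
    # text before '@' is exactly what lets a foreign host pose as the expected one.
    if "@" in parts.netloc:
        return False
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Either a relative URL (no authority) or an absolute URL on exactly our host.
    # allowed_host must include the port if the site is served on one.
    return not parts.netloc or parts.netloc.lower() == allowed_host.lower()


def is_safe_redirect(url: Optional[str], allowed_host: str) -> bool:
    """Return True only if every browser parsing `url` would stay on allowed_host.

    The target must pass the check both as written and with backslashes turned
    into forward slashes. A check that looks at only one spelling accepts a
    URL that a differently-behaving browser sends elsewhere.
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Browsers drop some leading control characters and may then read the rest
    # as scheme-relative; refuse any control character anywhere in the target.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    return (_safe_in_one_spelling(url, allowed_host)
            and _safe_in_one_spelling(url.replace("\\", "/"), allowed_host))


if __name__ == "__main__":
    host = "mysite.example.com"  # constructed sample host
    for target in ("/accounts/profile/",
                   "https://mysite.example.com/next",
                   "http://user:pw@mysite.example.com/",
                   "http://mysite.example.com\\@other.example",
                   "//other.example/x"):
        print(f"{target!r:55} -> {is_safe_redirect(target, host)}")
```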

USN-2914-1: OpenSSL vulnerabilities – March 1

Yuval Yarom, Daniel Genkin, and Nadia Heninger discovered that OpenSSL was vulnerable to a side-channel attack on modular exponentiation. On certain CPUs, a local attacker could possibly use this issue to recover RSA keys. This flaw is known as CacheBleed.