There’s an old saying that the month of March comes in like a lion and goes out like a lamb, but here in north central Texas, it was the other way around. As I’m writing this, severe thunderstorms with straight-line winds of 80 mph and storm warning sirens going off at 3:00 a.m. made for an exciting night and damaged some homes, but they missed our house, and today is warm and sunny and beautiful.

On the security updates front, some vendors unleashed a tempest of patches that might have made some network admins want to run and take shelter. Apple seems to have fallen into a heavy/light/heavy alternating pattern and March belongs to the heavy side. Luckily, not all software companies dumped such a load on us.

If it’s any consolation, computer users aren’t the only ones who have to worry about security patches these days. Smart phones abound, and many who own them don’t seem to realize that they are, in fact, really just tiny computers. According to a report from a mobile security company, more than 70 percent of mobile devices are not up to date on patches. And with the proliferation of Internet of Things (IoT) devices, now even dishwashers are getting security updates.

It does no good for software vendors to rush to patch reported vulnerabilities, though, if those in charge of the systems don’t apply the updates. Of course, the flip side of that is that patches that are rushed to release sometimes cause more problems than they solve. IT departments need to test updates to ensure that they won’t introduce compatibility, reliability or performance issues before rolling them out to production machines – but that means leaving those systems at risk in the meantime.

Let’s take a look at the details of some of the updates that third-party vendors issued this month:

Apple

Apple released nine big updates in January, then only two in February. This month, the pendulum swings back the other way and the company has gifted us with 10 patches that address numerous vulnerabilities across their various operating systems and applications.

On March 21, the following two updates were released:

  • iTunes 12.6 for OS X Mavericks and later
  • iTunes 12.6 for Windows 7 and later

Both of these updates for Apple’s digital media store and player address 17 vulnerabilities in the SQLite and expat components. Apple provided very little information about the vulnerability types or impact. The update for Windows 7 and later also addresses a vulnerability in the APNs Server whereby a client certificate was sent in plaintext, multiple memory corruption issues in libxslt and WebKit, and a validation issue in element handling. The most serious could be exploited to accomplish arbitrary code execution.

On March 27, the following seven updates were released:

  • New versions of Pages, Numbers and Keynote (Apple’s iWork productivity applications) for both iOS and Mac. These updates address a vulnerability by which the contents of password-protected PDFs could be exposed.
  • Safari 10.1 for OS X Yosemite, El Capitan and macOS Sierra. This update to the Apple web browser addresses numerous vulnerabilities, most of them in the WebKit component, the most serious of which could be exploited to accomplish arbitrary code execution.
  • macOS Sierra 10.12.4 and Security Update 2017-001 for OS X El Capitan and Yosemite. This update to Apple’s currently supported desktop/laptop operating systems patches a whopping 128 vulnerabilities in a large number of components, ranging from keyboard software to the kernel. The most serious could be exploited to accomplish arbitrary code execution.
  • iOS 10.3 for iPhone 5 and later, iPad 4th gen and later, and iPod Touch 6th gen and later. This update to Apple’s mobile operating system patches 88 vulnerabilities in a large number of components, many of them in WebKit. The most serious could be exploited to accomplish arbitrary code execution.
  • watchOS 3.2 for all Apple watch models. This update to Apple’s watchOS operating system patches 35 vulnerabilities in a large number of components. The most serious could be exploited to accomplish arbitrary code execution.
  • tvOS 10.2 for Apple TV 4th generation. This update to Apple’s TV software patches 35 vulnerabilities in a large number of components. The most serious could be exploited to accomplish arbitrary code execution.
  • macOS Server 5.3 for macOS 10.12.4 and later. This update to Apple’s server software patches three vulnerabilities in the Profile Manager, Web server and Wiki server components, two of which could be exploited to cause a denial of service and one that could enable a remote attacker to enumerate users.

On March 28, the following update was released:

iCloud for Windows 6.2. This update to Apple’s cloud client software for Windows 7 and later patches five vulnerabilities in the APNs Server, libxslt and WebKit components. The most serious could be exploited to accomplish arbitrary code execution.

For more information about these and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released only two patches this month. Both were released on their regularly scheduled Patch Tuesday, March 14.

  • APSB17-07 for Adobe Flash Player. This update applies to Flash Player running on Windows, Mac, Linux and ChromeOS and addresses seven vulnerabilities that include buffer overflow, memory corruption, random number generator and use-after-free issues. The random number generator flaw is an information disclosure vulnerability; the remaining issues could be exploited to accomplish code execution. The update is rated critical with a Priority rating of 1 for all but Flash Player Desktop Runtime for Linux, which has a Priority rating of 3.
  • APSB17-08 for Adobe Shockwave Player. This update applies to Shockwave Player running on Windows and addresses a single vulnerability that could lead to escalation of privilege. Its severity rating is important and it has a Priority rating of 2.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html or look up the individual bulletins referenced in each bullet point above.

Google

On March 9, Google released a stable channel update for the Chrome browser on the desktop, version 57.0.2987.98 for Windows, Mac and Linux, which includes 36 security fixes. These address memory corruption, use-after-free, out-of-bounds write, integer overflow, incorrect security UI, information disclosure, address spoofing, bypass of Content Security Policy in Blink, incorrect handling of cookies, and heap overflow issues, along with various fixes from internal audits, fuzzing and other initiatives.

For more information, see the Chrome releases blog at https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. In January, the company released a collection of patches (a Critical Patch Update) that addressed 270 security issues across a wide range of product families. The next regularly scheduled Critical Patch Update is due on April 18.

For more information about previously released patches, see Oracle’s Critical Patch Updates and Security Alerts page at https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

Advisory 2017-05 for Firefox was released by Mozilla on March 7. It covers the security issues fixed in Firefox 52: 29 vulnerabilities in all, including eight critical issues, four of high severity, eleven rated moderate, and six that are low impact.

Advisory 2017-08 for Firefox was released by Mozilla on March 17. It addresses a single security issue fixed in Firefox v. 52.0.1, which is an integer overflow issue that was reported through the Pwn2Own contest. It is rated critical.

For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox52.0.1

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing, the afternoon of March 29, Ubuntu has issued 52 security notices this month, which is somewhat more than usual. Many of these address multiple vulnerabilities, and in some cases there are multiple advisories for the same vulnerabilities (the -2 and -3 notices below typically carry a fix over to a Hardware Enablement kernel or to another release, or repair a regression in an earlier fix). Here are Ubuntu’s security advisories for March:

  • USN-3251-2: Linux kernel (HWE) vulnerability – 29th March 2017. USN-3251-1 fixed a vulnerability in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data.
  • USN-3249-2: Linux kernel (Xenial HWE) vulnerability – 29th March 2017. USN-3249-1 fixed a vulnerability in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
  • USN-3250-2: Linux kernel (Trusty HWE) vulnerability – 29th March 2017. USN-3250-1 fixed a vulnerability in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.
  • USN-3251-1: Linux kernel vulnerability – 29th March 2017. It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
  • USN-3249-1: Linux kernel vulnerability – 29th March 2017. It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
  • USN-3248-1: Linux kernel vulnerability – 29th March 2017. It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
  • USN-3250-1: Linux kernel vulnerability – 29th March 2017. It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
  • USN-3236-1: Oxide vulnerabilities – 29th March 2017. Multiple vulnerabilities were discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to obtain sensitive information, spoof application UI by causing the security status API or webview URL to indicate the wrong values, bypass security restrictions, etc.
  • USN-3247-1: AppArmor vulnerability – 28th March 2017. Stéphane Graber discovered that AppArmor incorrectly unloaded some profiles when restarted or upgraded, contrary to expected behavior.
  • USN-3246-1: Eject vulnerability – 27th March 2017. Ilja Van Sprundel discovered that dmcrypt-get-device incorrectly checked setuid and setgid return values. A local attacker could use this issue to execute code as an administrator.
  • USN-3245-1: GStreamer Good Plugins vulnerabilities – 27th March 2017. Hanno Böck discovered that GStreamer Good Plugins did not correctly handle certain malformed media files. If a user were tricked into opening a crafted media file with a GStreamer application, an attacker could cause a denial of service via application crash.
  • USN-3244-1: GStreamer Base Plugins vulnerabilities – 27th March 2017. Hanno Böck discovered that GStreamer Base Plugins did not correctly handle certain malformed media files. If a user were tricked into opening a crafted media file with a GStreamer application, an attacker could cause a denial of service via application crash.
  • USN-3233-1: Thunderbird vulnerabilities – 24th March 2017. Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to bypass same origin restrictions, obtain sensitive information, cause a denial of service via application crash or hang, or execute arbitrary code.
  • USN-3239-3: GNU C Library regression – 24th March 2017. USN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately, the fix for CVE-2016-3706 introduced a regression that in some circumstances prevented IPv6 addresses from resolving. This update reverts the change in Ubuntu 12.04 LTS. We apologize for the error.
  • USN-3243-1: Git vulnerability – 23rd March 2017. It was discovered that Git incorrectly sanitized branch names in the PS1 variable when configured to display the repository status in the shell prompt. If a user were tricked into exploring a malicious repository, a remote attacker could use this issue to execute arbitrary code.
  • USN-3242-1: Samba vulnerability – 23rd March 2017. Jann Horn discovered that Samba incorrectly handled symlinks. An authenticated remote attacker could use this issue to access files on the server outside of the exported directories.
  • USN-3241-1: audiofile vulnerabilities – 22nd March 2017. Agostino Sarubbo discovered that audiofile incorrectly handled certain malformed audio files. If a user or automated system were tricked into processing a specially crafted audio file, a remote attacker could cause applications linked against audiofile to crash, leading to a denial of service, or possibly execute arbitrary code.
  • USN-3239-2: GNU C Library Regression – 21st March 2017. USN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately, the fix for CVE-2015-5180 introduced an internal ABI change within the resolver library. This update reverts the change. We apologize for the inconvenience.
  • USN-3239-1: GNU C Library vulnerabilities – 20th March 2017. It was discovered that the GNU C Library incorrectly handled the strxfrm() function. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
  • USN-3240-1: NVIDIA graphics vulnerability – 20th March 2017. It was discovered that the NVIDIA graphics drivers contained a flaw in the kernel mode layer. A local attacker could use this issue to cause a denial of service.
  • USN-3173-2: NVIDIA graphics drivers vulnerability – 20th March 2017. USN-3173-1 fixed a vulnerability in nvidia-graphics-drivers-304 and nvidia-graphics-drivers-340. This update provides the corresponding update for nvidia-graphics-drivers-375. Original advisory details: It was discovered that the NVIDIA graphics drivers contained a flaw in the kernel mode layer. A local attacker could use this issue to cause a denial of service.
  • USN-3238-1: Firefox vulnerability – 20th March 2017. An integer overflow was discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could exploit this to cause a denial of service via application crash or execute arbitrary code.
  • USN-3183-2: GnuTLS vulnerability – 20th March 2017. USN-3183-1 fixed CVE-2016-8610 in GnuTLS in Ubuntu 16.04 LTS and Ubuntu 16.10. This update provides the corresponding update for Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Original advisory details: Stefan Buehler discovered that GnuTLS incorrectly verified the serial length of OCSP responses.
  • USN-3237-1: FreeType vulnerability – 20th March 2017. It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3235-1: libxml2 vulnerabilities – 16th March 2017. It was discovered that libxml2 incorrectly handled format strings. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 16.04.
  • USN-3234-2: Linux kernel (Xenial HWE) vulnerabilities – 15th March 2017. USN-3234-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups.
  • USN-3234-1: Linux kernel vulnerabilities – 15th March 2017. Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash).
  • USN-3232-1: ImageMagick vulnerabilities – 14th March 2017. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user.
  • USN-3231-1: Pidgin vulnerability – 14th March 2017. Joseph Bisch discovered that Pidgin incorrectly handled certain xml messages. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3230-1: Pillow vulnerabilities – 13th March 2017. It was discovered that Pillow incorrectly handled certain compressed text chunks in PNG images. A remote attacker could possibly use this issue to cause Pillow to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS.
  • USN-3229-1: Python Imaging Library vulnerabilities – 13th March 2017. It was discovered that the Python Imaging Library incorrectly handled certain compressed text chunks in PNG images. A remote attacker could possibly use this issue to cause the Python Imaging Library to crash, resulting in a denial of service.
  • USN-3228-1: libevent vulnerabilities – 13th March 2017. Guido Vranken discovered that libevent incorrectly handled memory when processing certain data. A remote attacker could possibly use this issue with an application that uses libevent to cause a denial of service, or possibly execute arbitrary code.
  • USN-3227-1: ICU vulnerabilities – 13th March 2017. It was discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.
  • USN-3226-1: icoutils vulnerabilities – 13th March 2017. Jerzy Kramarz discovered that icoutils incorrectly handled memory when processing certain files. If a user or automated system were tricked into opening a specially crafted file, an attacker could cause icoutils to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3225-1: libarchive vulnerabilities – 9th March 2017. It was discovered that libarchive incorrectly handled hardlink entries when extracting archives. A remote attacker could possibly use this issue to overwrite arbitrary files. (CVE-2016-5418) Christian Wressnegger, Alwin Maier, and Fabian Yamaguchi discovered that libarchive incorrectly handled filename lengths when writing ISO9660 archives.
  • USN-3224-1: LXC vulnerability – 9th March 2017. Jann Horn discovered that LXC incorrectly verified permissions when creating virtual network interfaces. A local attacker could possibly use this issue to create virtual network interfaces in network namespaces that they do not own.
  • USN-3223-1: KDE-Libs vulnerability – 9th March 2017. Itzik Kotler, Yonatan Fridburg, and Amit Klein discovered that KDE-Libs incorrectly handled certain PAC files. A remote attacker could possibly use this issue to obtain sensitive information.
  • USN-3220-3: Linux kernel (AWS) vulnerability – 8th March 2017. USN-3220-1 fixed a vulnerability in the Linux kernel. This update provides the corresponding updates for the Linux kernel for Amazon Web Services (AWS). Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service.
  • USN-3222-1: ImageMagick vulnerabilities – 8th March 2017. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user.
  • USN-3221-2: Linux kernel (HWE) vulnerability – 7th March 2017. USN-3221-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability.
  • USN-3221-1: Linux kernel vulnerability – 7th March 2017. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
  • USN-3220-1: Linux kernel vulnerability – 7th March 2017. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
  • USN-3220-2: Linux kernel (Xenial HWE) vulnerability – 7th March 2017. USN-3220-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability.
  • USN-3219-2: Linux kernel (Trusty HWE) vulnerability – 7th March 2017. USN-3219-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability.
  • USN-3216-1: Firefox vulnerabilities – 7th March 2017. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass same origin restrictions, obtain sensitive information, spoof the addressbar, spoof the print dialog, cause a denial of service via application crash or hang.
  • USN-3219-1: Linux kernel vulnerability – 7th March 2017. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
  • USN-3218-1: Linux kernel vulnerability – 7th March 2017. Alexander Popov discovered that the N_HDLC line discipline implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
  • USN-3217-1: network-manager-applet vulnerability – 7th March 2017. Frederic Bardy and Quentin Biguenet discovered that network-manager-applet incorrectly checked permissions when connecting to certain wireless networks. A local attacker could use this issue at the login screen to access local files.
  • USN-3215-2: Munin regression – 3rd March 2017. USN-3215-1 fixed a vulnerability in Munin. The upstream patch caused a regression leading to errors being appended to the log file. This update fixes the problem. Original advisory details: It was discovered that Munin incorrectly handled CGI graphs. A remote attacker could use this issue to overwrite arbitrary files.
  • USN-3215-1: Munin vulnerability – 2nd March 2017. It was discovered that Munin incorrectly handled CGI graphs. A remote attacker could use this issue to overwrite arbitrary files as the www-data user.
  • USN-3214-1: w3m vulnerabilities – 2nd March 2017. A large number of security issues were discovered in the w3m browser. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
  • USN-3211-2: PHP regression – 2nd March 2017. USN-3211-1 fixed vulnerabilities in PHP by updating to the new 7.0.15 upstream release. PHP 7.0.15 introduced a regression when using MySQL with large blobs. This update fixes the problem with a backported fix. Original advisory details: It was discovered that PHP incorrectly handled certain invalid objects when unserializing data.