3rd party patch roundup May 2015May has been a very wet month here in Texas and there is more rain in the forecast.  As with security patches, sometimes it’s possible to get a little too much of a good thing, and now many areas are facing flooding.

On the update front this month, we’ve already dealt with 13 Microsoft patches and now we’ll take a look at what has been released by third party software vendors.

Apple

Last month, Apple put out six different patches and some of them were big ones, addressing well over a 100 different vulnerabilities across their OS X client, OS X server, iOS mobile and Apple TV operating systems.  This month is a bit lighter, with only two patches released as of May 28.

  • On May 6, Apple released an update for their Safari web browser v8.0.6, 7.1.6 and 6.2.6, running on OSX Mountain Lion, Mavericks and Yosemite. This patch fixes three vulnerabilities involving memory corruption that could allow arbitrary code execution or unexpected application termination, along with one vulnerability in WebKit History that could allow unprivileged origins to access contents on the file system and one in WebKit page loading that could be used for user interface spoofing if a malicious web site is visited.
  • On May 19, Apple released the first update for its new Apple Watch OS, v1.0.1. This patch contains a large number of fixes, including an update to the certificate trust policy, a fix for a Font Parser vulnerability that could be exploited to execute arbitrary code, an update to Foundation to fix an XML External Entity issue that could lead to information disclosure, and fixes for vulnerabilities in IOHIDFamily and IOAcceleratorFamily, both of which could allow a malicious application to determine kernel memory layout. There are also updates to fix eight kernel vulnerabilities and a vulnerability in SSL/TLS (the FREAK vulnerability).

For more information about each of these updates and the vulnerabilities they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe issued only two updates this month, the first of which was issued on May 7 ahead of the regular Patch Tuesday release. The second was released on Patch Tuesday, May 12. Both are likely to affect millions of users as they apply to two of Adobe’s most popular products, Reader and Flash Player.

  • APSB15-10 was originally posted on May 7 and then updated on May 12. It addresses 34 vulnerabilities in Adobe Reader and Adobe Acrobat running on Windows and Mac OS X. The priority rating is high for both operating systems and they are rated critical. The vulnerabilities include use-after-free, heap-based buffer overflow, memory corruption and memory leak, security bypass, and a null pointer dereference issue, as well as additional hardening to protect against exploit of a vulnerability in handling of XML external entities.
  • APSB15-09 was released on May 12, to address 18 vulnerabilities in Adobe’s Flash Player for Windows, Mac OS X and Linux operating systems. Priority rating is one for most operating systems; it is three for Linux v11.2.202.457 and earlier and for AIR Desktop Runtime, AIR SDK and AIR SDK and compiler. All vulnerabilities are rated critical.  The vulnerabilities include memory corruption, heap overflow, time-of-check time-of-use race condition, validation bypass, integer overflow, type confusion, use-after-free, memory leak and security bypass.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

The most recent stable channel update for the Chrome web browser running on Windows, Mac and Linux was released on May 25, v43.0.2357.81 and contains the latest security updates.

An updated version of Chrome for Android 4.1 Jelly Bean and higher was released on May 27 and contains the latest security updates and bug fixes.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  Oracle released on out-of-band security alert for CVE-2015-3456 in response to the VENOM vulnerability that can be exploited due to a buffer overflow in the virtual floppy disk controller.

For more information and the list of Oracle products that may be affected, see the Oracle Security blog:
https://blogs.oracle.com/security/

The next regular patch release is scheduled for July 14, 2015.

Mozilla

Mozilla released a new version of the Firefox web browser, v38, on May 12. It includes security fixes for a total of 13 security issues. These include five critical vulnerabilities, five rated high severity, two rated moderate and one rated low impact. The critical fixes include a buffer overflow when parsing compressed XML, use-after-free text processing with vertical text enabled, out-of-bounds read and write in asm.js validation, a buffer overflow with SVG content and CSS and miscellaneous memory safety hazards.

High severity vulnerabilities include one in which Mozilla Windows updater can be run outside of application directory, a privilege escalation through IPC channel messages, untrusted site hosting trusted page ability to intercept webchannel responses, and a buffer overflow and out-of-bounds read while parsing MP4 video metadata, as well as a buffer overflow parsing H.264 video with Linux Gstreamer. The two moderate impact vulnerabilities are a use-after-free and one in which sensitive URL encoded information is written to Android logcat. Finally, the low severity vulnerability involves referrer policy being ignored when links are opened by middle-click and context menu.

Linux

Popular Linux distros, as usual, have already seen a number of security advisories and updates this month. Ubuntu has issued 38 security advisories, many of which address multiple vulnerabilities. Other commercial Linux vendors issued similar advisories.

  • USN-2617-3: NTFS-3G vulnerability – May 27 2015. USN-2617-1 fixed a vulnerability in NTFS-3G. The original patch did not completely address the issue. This update fixes the problem. Original advisory details: Tavis Ormandy discovered that FUSE incorrectly filtered environment variables. A local attacker could use this issue to gain administrative privileges.
  • USN-2622-1: OpenLDAP vulnerabilities – May 26 2015. It was discovered that OpenLDAP incorrectly handled certain search queries that returned empty attributes. A remote attacker could use this issue to cause OpenLDAP to assert, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS.
  • USN-2621-1: PostgreSQL vulnerabilities – May 25 2015. Benkocs Norbert Attila discovered that PostgreSQL incorrectly handled authentication timeouts. A remote attacker could use this flaw to cause the unauthenticated session to crash, possibly leading to a security issue. (CVE-2015-3165) Noah Misch discovered that PostgreSQL incorrectly handled certain standard library function return values, possibly leading to security issues.
  • USN-2620-1: Linux kernel vulnerability – May 23 2015. A flaw was discovered in the Linux kernel’s IPv4 networking when using TCP fast open to initiate a connection. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).
  • USN-2619-1: Linux kernel (Trusty HWE) vulnerability – May 23 2015. A flaw was discovered in the Linux kernel’s IPv4 networking when using TCP fast open to initiate a connection. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).
  • USN-2617-2: NTFS-3G vulnerability – May 22 2015. USN-2617-1 fixed a vulnerability in FUSE. This update provides the corresponding fix for the embedded FUSE copy in NTFS-3G. Original advisory details: Tavis Ormandy discovered that FUSE incorrectly filtered environment variables. A local attacker could use this issue to gain administrative privileges.
  • USN-2618-1: python-dbusmock vulnerability – May 21 2015. It was discovered that python-dbusmock incorrectly handled template loading from shared directories. A local attacker could possibly use this issue to execute arbitrary code.
  • USN-2609-1: Apport vulnerabilities – May 21 2015. Sander Bos discovered that Apport incorrectly handled permissions when the system was configured to generate core dumps for setuid binaries. A local attacker could use this issue to gain elevated privileges.
  • USN-2617-1: FUSE vulnerability – May 21 2015. Tavis Ormandy discovered that FUSE incorrectly filtered environment variables. A local attacker could use this issue to gain administrative privileges.
  • USN-2610-1: Oxide vulnerabilities – May 21 2015. Several security issues were discovered in the DOM implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass Same Origin Policy restrictions.
  • USN-2616-1: Linux kernel vulnerabilities – May 20 2015.  Alexandre Oliva reported a race condition flaw in the btrfs file system’s handling of extended attributes (xattrs). A local attacker could exploit this flaw to bypass ACLs and potentially escalate privileges.
  • USN-2615-1: Linux kernel (Utopic HWE) vulnerabilities – May 20 2015.  Alexandre Oliva reported a race condition flaw in the btrfs file system’s handling of extended attributes (xattrs). A local attacker could exploit this flaw to bypass ACLs and potentially escalate privileges.
  • USN-2614-1: Linux kernel vulnerabilities – May 20 2015. Vincent Tondellier discovered an integer overflow in the Linux kernel’s netfilter connection tracking accounting of loaded extensions. An attacker on the local area network (LAN) could potential exploit this flaw to cause a denial of service (system crash of targeted system).
  • USN-2613-1: Linux kernel (Trusty HWE) vulnerabilities – May 20 2015. Vincent Tondellier discovered an integer overflow in the Linux kernel’s netfilter connection tracking accounting of loaded extensions. An attacker on the local area network (LAN) could potential exploit this flaw to cause a denial of service (system crash of targeted system).
  • USN-2612-1: Linux kernel (OMAP4) vulnerabilities – May 20 2015. A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid-user-binary to gain administrative privileges. (CVE-2015-3339) Vincent Tondellier discovered an integer overflow in the Linux kernel’s netfilter connection tracking accounting of loaded extensions.
  • USN-2611-1: Linux kernel vulnerability – May 20 2015. Vincent Tondellier discovered an integer overflow in the Linux kernel’s netfilter connection tracking accounting of loaded extensions. An attacker on the local area network (LAN) could potential exploit this flaw to cause a denial of service (system crash of targeted system).
  • USN-2603-1: Thunderbird vulnerabilities – May 18 2015. Jesse Ruderman, Mats Palmgren, Byron Campen, and Steve Fink discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.
  • USN-2602-1: Firefox vulnerabilities – May 13 2015. Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Gary Kwong, Andrew McCreight, Christian Holler, Jon Coppeard, and Milan Sreckovic discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service.
  • USN-2608-1: QEMU vulnerabilities – May 13 2015. Jason Geffner discovered that QEMU incorrectly handled the virtual floppy driver. This issue is known as VENOM. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process.
  • USN-2607-1: Module::Signature vulnerabilities – May 12 2015. John Lightsey discovered that Module::Signature incorrectly handled PGP signature boundaries. A remote attacker could use this issue to trick Module::Signature into parsing the unsigned portion of the SIGNATURE file as the signed portion. (CVE-2015-3406) John Lightsey discovered that Module::Signature incorrectly handled files that were not listed in the SIGNATURE file.
  • USN-2606-1: OpenSSL update – May 12 2015. For compatibility reasons, Ubuntu 12.04 LTS shipped OpenSSL with TLSv1.2 disabled when being used as a client. This update re-enables TLSv1.2 by default now that the majority of problematic sites have been updated to fix compatibility issues.
  • USN-2605-1: ICU vulnerabilities – May 11 2015. Pedro Ribeiro discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.
  • USN-2604-1: Libtasn1 vulnerability – May 11 2015. Hanno Böck discovered that Libtasn1 incorrectly handled certain ASN.1 data. A remote attacker could possibly exploit this with specially crafted ASN.1 data and cause applications using Libtasn1 to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2600-2: Linux kernel regression – May 8 2015. USN-2600-1 fixed vulnerabilities in the Linux kernel, however an unrelated regression in the auditing of some path names was introduced. Due to the regression the system could crash under certain conditions. This update fixes the problem.
  • USN-2599-2: Linux kernel (Utopic HWE) vulnerability – May 8 2015. USN-2599-1 fixed vulnerabilities in the Linux kernel, however an unrelated regression in the auditing of some path names was introduced. Due to the regression the system could crash under certain conditions. This update fixes the problem.
  • USN-2598-2: Linux kernel regression – May 8 2015. USN-2598-1 fixed vulnerabilities in the Linux kernel, however an unrelated regression in the auditing of some path names was introduced. Due to the regression the system could crash under certain conditions. This update fixes the problem.
  • USN-2597-2: Linux kernel (Trusty HWE) regression – May 8 2015. USN-2597-1 fixed vulnerabilities in the Linux kernel, however an unrelated regression in the auditing of some path names was introduced. Due to the regression the system could crash under certain conditions. This update fixes the problem.
  • USN-2582-1: Oxide vulnerabilities – May 6 2015. A use-after-free was discovered in the DOM implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process.
  • USN-2601-1: Linux kernel vulnerability – May 5 2015. A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid-user-binary to gain administrative privileges.
  • USN-2600-1: Linux kernel vulnerability – May 5 2015. A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid-user-binary to gain administrative privileges.
  • USN-2599-1: Linux kernel (Utopic HWE) vulnerability – May 5 2015. A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid-user-binary to gain administrative privileges.
  • USN-2598-1: Linux kernel vulnerability – May 5 2015. A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid-user-binary to gain administrative privileges.
  • USN-2597-1: Linux kernel (Trusty HWE) vulnerability – May 5 2015. A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid-user-binary to gain administrative privileges.
  • USN-2596-1: Linux kernel vulnerability – May 5 2015. A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid-user-binary to gain administrative privileges.
  • USN-2595-1: ppp vulnerability – May 5 2015. It was discovered that ppp incorrectly handled large PIDs. When pppd is used with a RADIUS server, a remote attacker could use this issue to cause it to crash, resulting in a denial of service.
  • USN-2594-1: ClamAV vulnerabilities – May 5 2015. It was discovered that ClamAV incorrectly handled certain malformed files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the ClamAV AppArmor profile.
  • USN-2593-1: Dnsmasq vulnerability – May 4 2015. Nick Sampanis discovered that Dnsmasq incorrectly handled certain malformed DNS requests. A remote attacker could use this issue to cause Dnsmasq to crash, resulting in a denial of service, or possibly obtain sensitive information.
  • USN-2592-1: XML::LibXML vulnerability – May 4 2015. Tilmann Haak discovered that XML::LibXML incorrectly handled the expand_entities parameter in certain situations. A remote attacker could possibly use this issue to access sensitive information.