As I write this, the month of May is coming to an end and summer is just around the corner. Here in Texas, with temperatures already in the 80s, we feel as if it’s already arrived. I’m headed, next week, to Alaska for a week of cruising the Inside Passage and enjoying the weather and wildlife as that big, lumbering bear of a 49th state awakens from its winter sleep to welcome back its regular visitors like me.

Meanwhile, it’s time to make sure all my computers and devices are up to date before I sail into the northern (very late) sunset. There have been a few interesting update glitches this month, on the heels of the heavy load of patches released by Microsoft on the second Tuesday, so it hasn’t been an easy four weeks for IT admins.

We covered those Microsoft security patches in our separate Patch Tuesday Roundup article, but the company also released a huge set of non-security updates for Windows 7 this month, in the form of KB 3125574, which was part of the company’s announced shift to monthly rollup updates for Windows 7 and 8.1. The release also stirred up some controversy over a rather vaguely described update labeled KB 3123862, which is being called a “mystery patch.”

Also generating much animated discussion is Microsoft’s not-so-subtle push to move Windows 7 and 8.1 users to Windows 10 before the July deadline for the free installation of the new OS, with many accusing the company of outright tricking users into accepting the upgrade offer.

Meanwhile, Apple – which issued no patches in April – is back with a vengeance, unleashing seven new updates this month. Adobe put out five security bulletins, which is more than usual. Google is reportedly pressuring device OEMs and wireless carriers to speed up the installation of Android updates and security patches. Only Mozilla gave us some breathing space, not releasing a new version of Firefox this month after ten security fixes in v46 last month.

Now let’s take a look at the details of some of this month’s patches from major third party security vendors.

Apple

Last month, I wrote, “Apple has released no updates this month. Does that mean we’ll get slammed with another large slate of updates in May?” Yep, that’s pretty much what it meant. This time we have new versions of iTunes, Safari, OS X El Capitan, watchOS, iOS, tvOS and Xcode.

  • Xcode v7.3.1 was released on May 3 for OS X El Capitan v10.11 and above to address a buffer overflow issue.

Six updates were released on May 16:

  • tvOS v9.2.1 for fourth generation Apple TV addresses 33 vulnerabilities that include information leaks, arbitrary code execution with kernel privileges due to memory corruption issues, denial of service, unexpected application termination, and disclosure of data from another web site. Some of these issues are critical.
  • iOS v9.3.2 for iPhone 4s and above, iPod Touch 5th generation and above and iPad 2 and above, addresses 39 vulnerabilities in various components of the operating system, including Accessibility, CommonCrypto, Disk Images, the kernel, OpenGL, Safari, Siri, WebKit and more. These consist of buffer overflow, information leak, and arbitrary code execution with kernel privileges due to memory corruption issues, a denial of service issue and some information disclosure issues. Some of these issues are critical.
  • watchOS v2.2.1 for Apple Watch, all editions, addresses 26 vulnerabilities in some of the same components named in the patch descriptions above, including the critical arbitrary code execution issues.
  • OS X El Capitan v10.11.5 and security update 2016-003 address a whopping 69 vulnerabilities in many different components of the operating system, including many of the same ones mentioned in the patch descriptions above along with security issues in Tcl, ScreenLock, SceneKit, QuickTime, MultiTouch, Messages, various graphics drivers, Audio, ATS, AMD and Apache.
  • Safari v9.1.1 for OS X Mavericks, Yosemite and El Capitan addresses 7 vulnerabilities in the browser itself, WebKit, and WebKit Canvas. These include multiple memory corruption issues that could lead to arbitrary code execution, data disclosure, and inability to delete browsing history.
  • iTunes v12.4 for Windows 7 and above addresses a single vulnerability by which running the iTunes installer in an untrusted directory can result in arbitrary code execution.

For more information about the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Unlike Apple, Adobe didn’t take a break last month. They issued five new security bulletins with four actual updates in April and they’re back with five bulletins and four updates again this time. Three of them were issued on Adobe’s traditional Patch Tuesday. Along with the almost obligatory Flash Player update, we got patches for several other Adobe products and components.

On May 10, one advisory and one update came out:

  • Security Advisory APSA16-02 was issued for Adobe Flash Player regarding a critical vulnerability that could be exploited to crash the system and allow an attacker to take control.
  • Security Update APSB16-16 was issued for ColdFusion, consisting of hotfixes to address three vulnerabilities involving a host name verification problem. This update has a priority rating of 2.

On May 19, two updates were issued:

  • Security Update APSB16-15 addresses the Flash Player vulnerabilities that were the subject of the May 10 advisory, and covers 27 vulnerabilities in Flash running on Windows, Mac OS X, Linux and Google Chrome OS. These include type confusion, use-after-free, heap buffer overflow, buffer overflow, directory search path and multiple memory corruption issues. Priority rating is 1 on affected operating systems and 3 on AIR SDK, Desktop Runtime and Compiler.
  • Security Update APSB16-14 is an update for Adobe Acrobat and Reader that addresses an astounding 93 different vulnerabilities in those products running on Windows and Mac OS X. Many of these are critical issues but interestingly, the priority rating is only a 2 on both products on both operating systems. Vulnerability types include multiple use-after-free, buffer overflow, memory corruption and memory leak issues, as well as integer overflow, information disclosure, directory search path and JavaScript API execution restrictions bypass vulnerabilities.

The following update was released on May 23:

  • Security Update APSB16-17 for Adobe Connect running on Windows addresses a single vulnerability related to an untrusted search path in the Connect add-in installer. It is assigned a priority rating of 3.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

Google issued a security bulletin for Android on May 2, along with an update for Nexus devices. This bulletin addresses 40 vulnerabilities, most of which are elevation of privilege issues. Twelve of these are rated critical, with another 19 that are listed as high severity. The rest are moderate or low severity.

For more information, see the Android.com web site at https://source.android.com/security/bulletin/2016-05-01.html

Google also released Chrome 51 as a stable channel update, with 42 security fixes that include a number of high severity cross-origin bypass and heap use-after-free and overflow issues.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The next scheduled release will be on July 19. Last month they issued regularly scheduled updates for a broad span of their products that addressed 136 vulnerabilities. For more detailed information about those previous updates, see the Oracle Critical Patch Update Advisory for April 2016 at http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Mozilla

Last month Mozilla released the latest version of its web browser, Firefox 46, which included 10 security fixes. At the time of this writing (May 26), v46 is the latest version of the browser.

For more information about all of these vulnerabilities and fixes, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (May 26) Ubuntu has issued 49 security advisories, which is fairly typical. Many of them address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2985-2: GNU C Library regression – 26th May 2016

USN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for CVE-2014-9761 introduced a regression which affected applications that use the libm library but were not fully restarted after the upgrade. This update removes the fix for CVE-2014-9761 and a future update will be provided to address this issue.

USN-2985-1: GNU C Library vulnerabilities – 25th May 2016

Martin Carpenter discovered that pt_chown in the GNU C Library did not properly check permissions for tty files. A local attacker could use this to gain administrative privileges or expose sensitive information.

USN-2950-5: Samba regression – 25th May 2016

USN-2950-1 fixed vulnerabilities in Samba. USN-2950-3 updated Samba to version 4.3.9, which introduced a regression when using the ntlm_auth tool. This update fixes the problem. Original advisory details: Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation.

USN-2984-1: PHP vulnerabilities – 24th May 2016

It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.

USN-2936-3: Firefox regression – 18th May 2016

USN-2936-1 fixed vulnerabilities in Firefox. The update caused an issue where a device update POST request was sent every time about:preferences#sync was shown. This update fixes the problem. We apologize for the inconvenience.

USN-2973-1: Thunderbird vulnerabilities – 18th May 2016

Christian Holler, Tyson Smith, and Phil Ringalda discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.

USN-2960-1: Oxide vulnerabilities – 18th May 2016

An out of bounds write was discovered in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code.

USN-2950-4: Samba regressions – 18th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The backported fixes introduced in Ubuntu 12.04 LTS caused interoperability issues. This update fixes compatibility with certain NAS devices, and allows connecting to Samba 3.6 servers by relaxing the “client ipc signing” parameter to “auto”. We apologize for the inconvenience.

USN-2983-1: Expat vulnerability – 18th May 2016

Gustavo Grieco discovered that Expat incorrectly handled malformed XML data. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service, or possibly execute arbitrary code.

USN-2982-1: Libksba vulnerabilities – 17th May 2016

Hanno Böck discovered that Libksba incorrectly handled decoding certain BER data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

USN-2981-1: libarchive vulnerabilities – 17th May 2016

It was discovered that libarchive incorrectly handled certain entry-size values in ZIP archives. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.

USN-2980-1: libndp vulnerability – 17th May 2016

Julien Bernard discovered that libndp incorrectly performed origin checks when receiving Neighbor Discovery Protocol (NDP) messages. A remote attacker outside of the local network could use this issue to advertise a node as a router, causing a denial of service, or possibly to act as a man in the middle.

USN-2979-4: Linux kernel (Qualcomm Snapdragon) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel’s ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2979-3: Linux kernel (Raspberry Pi 2) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel’s ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2979-2: Linux kernel (Xenial HWE) vulnerabilities – 16th May 2016

USN-2979-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-2979-1: Linux kernel vulnerabilities – 16th May 2016

David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host.

USN-2978-3: Linux kernel (Raspberry Pi 2) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel’s ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2978-2: Linux kernel (Wily HWE) vulnerabilities – 16th May 2016

USN-2978-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

USN-2978-1: Linux kernel vulnerabilities – 16th May 2016

David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host.

USN-2977-1: Linux kernel (Vivid HWE) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel’s ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2976-1: Linux kernel (Utopic HWE) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel’s ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2975-2: Linux kernel (Trusty HWE) vulnerability – 16th May 2016

USN-2975-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Philip Pettersson discovered that the Linux kernel’s ASN.1 DER decoder did not properly process certificate files.

USN-2975-1: Linux kernel vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel’s ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2974-1: QEMU vulnerabilities – 12th May 2016

Zuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-2391) Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation support.

USN-2972-1: OpenJDK 6 vulnerabilities – 10th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2971-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2971-2: Linux kernel (Wily HWE) vulnerabilities – 9th May 2016

USN-2971-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

USN-2971-1: Linux kernel vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2970-1: Linux kernel (Vivid HWE) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2969-1: Linux kernel (Utopic HWE) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2968-2: Linux kernel (Trusty HWE) vulnerabilities – 9th May 2016

USN-2968-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.

USN-2968-1: Linux kernel vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2967-2: Linux kernel (OMAP4) vulnerabilities – 9th May 2016

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service.

USN-2967-1: Linux kernel vulnerabilities – 9th May 2016

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service.

USN-2966-1: OpenSSH vulnerabilities – 9th May 2016

Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. (CVE-2015-8325) Ben Hawkes discovered that OpenSSH incorrectly handled certain network traffic.

USN-2965-4: Linux kernel (Qualcomm Snapdragon) vulnerability – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2965-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2965-2: Linux kernel (Xenial HWE) vulnerabilities – 6th May 2016

USN-2965-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-2965-1: Linux kernel vulnerabilities – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2964-1: OpenJDK 7 vulnerabilities – 4th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2963-1: OpenJDK 8 vulnerabilities – 4th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2961-1: Little CMS vulnerability – 4th May 2016

It was discovered that a double free() could occur when the intent handling code in the Little CMS library detected an error. An attacker could use this to specially craft a file that caused an application using the Little CMS library to crash or possibly execute arbitrary code.

USN-2950-3: Samba regressions – 4th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues. This update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.

USN-2950-2: libsoup update – 4th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages introduced a compatibility issue with NTLM authentication in libsoup. This update fixes the problem. We apologize for the inconvenience.

USN-2959-1: OpenSSL vulnerabilities – 3rd May 2016

Huzaifa Sidhpurwala, Hanno Böck, and David Benjamin discovered that OpenSSL incorrectly handled memory when decoding ASN.1 structures. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2936-2: Oxygen-GTK3 update – 2nd May 2016

USN-2936-1 fixed vulnerabilities in Firefox. The update caused Firefox to crash on startup with the Oxygen GTK theme due to a pre-existing bug in the Oxygen-GTK3 theme engine. This update fixes the problem. We apologize for the inconvenience.

USN-2957-2: Libtasn1 vulnerability – 2nd May 2016

USN-2957-1 fixed a vulnerability in Libtasn1. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates.

USN-2958-1: poppler vulnerabilities – 2nd May 2016

It was discovered that the poppler pdfseparate tool incorrectly handled certain filenames. A local attacker could use this issue to cause the tool to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS.

USN-2957-1: Libtasn1 vulnerability – 2nd May 2016

Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates. A remote attacker could possibly use this issue to cause applications using Libtasn1 to hang, resulting in a denial of service.
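The kernel advisories above (USN-2975 through USN-2979) all come down to a decoder accepting the BER indefinite-length form, which DER forbids, and the Libtasn1 and OpenSSL advisories describe the same family of malformed-DER handling. As an added illustration of what a strict decoder should do (not code from the kernel, Libtasn1 or OpenSSL), here is a small Python DER header parser that rejects the indefinite-length form, non-minimal lengths and lengths that overrun the buffer; the sample inputs are constructed for this example.

```python
"""Strict DER tag/length parser. Added example, not code from any project in this roundup."""


class DerError(ValueError):
    """Raised for any encoding that DER forbids or that would read out of bounds."""


def parse_der_header(buf: bytes, pos: int = 0):
    """Parse one tag and length at buf[pos:]; return (tag_byte, length, content_offset)."""
    n = len(buf)
    if pos >= n:
        raise DerError("truncated: no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        # High tag number form never appears in X.509 certificates; not handled here.
        raise DerError("high tag number form not handled in this example")
    if pos >= n:
        raise DerError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                      # short form, 0..127
    elif first == 0x80:
        # BER indefinite length (contents terminated by 00 00). DER forbids it, and this is
        # the form the advisories above describe the kernel decoder mishandling: reject it.
        raise DerError("indefinite length is not valid DER")
    else:
        nbytes = first & 0x7F               # long form: number of length octets that follow
        if nbytes == 0x7F:
            raise DerError("reserved length octet 0xFF")
        if nbytes > 4:
            raise DerError("length field too long")   # sanity cap chosen for this example
        if pos + nbytes > n:
            raise DerError("truncated length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        # DER requires the minimal encoding: no leading zero octets, and values
        # below 128 must use the short form.
        if buf[pos - nbytes] == 0:
            raise DerError("non-minimal length (leading zero octet)")
        if length < 0x80:
            raise DerError("non-minimal length (short form required)")
    if pos + length > n:
        raise DerError("length exceeds buffer")
    return tag, length, pos


def walk(buf: bytes, pos: int = 0, end=None, depth: int = 0):
    """Enumerate (depth, tag, length) for every element, descending into constructed ones."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        tag, length, start = parse_der_header(buf, pos)
        if start + length > end:
            raise DerError("element overruns its parent")
        out.append((depth, tag, length))
        if tag & 0x20:                      # constructed bit set: parse the contents too
            out.extend(walk(buf, start, start + length, depth + 1))
        pos = start + length
    return out


def is_strict_der(buf: bytes) -> bool:
    """True if the whole blob is well-formed DER, False on any rejected encoding."""
    try:
        walk(buf)
        return True
    except DerError:
        return False


# Constructed samples: SEQUENCE { INTEGER 1, INTEGER 2 } encoded four ways.
GOOD = bytes.fromhex("3006020101020102")          # valid DER
INDEFINITE = bytes.fromhex("30800201010201020000")  # BER indefinite length, rejected
NON_MINIMAL = bytes.fromhex("308106020101020102")   # long form for a length < 128, rejected
TRUNCATED = bytes.fromhex("3010020101")            # declared length overruns the data
```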