This year continues to whiz by and now we find ourselves already at the end of May, quickly approaching the half-way mark. According to a report from a threat intelligence research company, the number of vulnerabilities is steadily increasing, with thirty percent more CVEs registered in the National Vulnerability Database in the first quarter of 2017 than over the same time period a year before. As if that weren’t bad enough, there are many vulnerabilities out there that aren’t entered in the NVD and given CVE numbers, which means the problem is actually bigger than it seems.

The good news is that almost three-fourths of the identified vulnerabilities have patches, workarounds and/or new patched versions of the software that can prevent exploitation; of course the big caveat is that you have to apply them – and even in today’s high threat environment, far too many systems go unpatched, putting them at risk. And the same study found that over a third of the reported vulnerabilities had already been exploited or exploits are readily available.

Interestingly, according to the CVE Details web site, the top five software products with the largest number of distinct vulnerabilities over the last five months are, in descending order, the Linux kernel (326), Android (255), iOS (207), an application called Imagemagick (173), and Mac OS X (148).

Let’s take a look at what vendors have been doing about it over this past month and the patches that they’ve issued.

Apple

Apple’s usual pattern for patch release is light/heavy/light/heavy, and that is borne out again by the May release of seven comprehensive updates, following only two in April, which came after ten in March. This time, we get major fixes for the desktop, mobile, watch and TV operating systems as well as the Safari web browser, iTunes music/download software and iCloud client.

All of the following patches were released on May 15:

  • iOS 10.3.2 for iPhone 5 and above, iPad 4th gen and above, and iPod Touch 6th gen and above addresses 52 separate vulnerabilities in various components, with many in WebKit, SQLite, AVEVideoEncoder, and the OS kernel. The most serious of these can be exploited to accomplish remote code execution.
  • macOS Sierra 10.12.5 and Security Update 2017-002 for OS X El Capitan and Yosemite, for Mac desktop and laptop systems, address 42 vulnerabilities in various components, with the largest number in the OS kernel and SQLite. These include memory corruption issues, certificate validation issues, sandbox escape, and the potential for arbitrary code execution.
  • watchOS 3.2.2 for all models of Apple Watch addresses 20 vulnerabilities in various components, most of which are the same vulnerabilities addressed in the mobile and desktop operating systems as discussed above.
  • tvOS 10.2.1 for 4th gen Apple TV addresses 31 vulnerabilities in various components, with the largest number in WebKit, SQLite, and AVEVideoEncoder. Many are the same vulnerabilities mentioned above for iOS.
  • Safari 10.1.1 for OS X Yosemite and El Capitan, and macOS Sierra desktop operating systems addresses 26 vulnerabilities, most of which are in the WebKit component. These include cross-site scripting, logic issues, memory corruption issues and more.
  • iTunes 12.6.1 for Windows 7 and above addresses a single memory corruption vulnerability in the WebKit component that could be exploited to accomplish arbitrary code execution.
  • iCloud for Windows 6.2.1 for Windows 7 and above addresses the same memory corruption vulnerability in the WebKit component as is addressed by the iTunes for Windows update.

For more information about these and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe’s pattern is almost the opposite of Apple’s; Adobe released six security updates in April, with only two for May. Both of this month’s updates were released on May 9, in keeping with Adobe’s regular Patch Tuesday schedule:

  • APSB17-15 for Adobe Flash Player addresses seven vulnerabilities in the Flash Player software for Windows, Mac, Linux and Chrome OS, which include a use-after-free issue and multiple memory corruption vulnerabilities, all of which could be exploited to accomplish code execution, thus making this update critical. It is assigned a priority rating of 1 for all platforms with the exception of the Flash Player Desktop Runtime for Linux, which is rated 3.
  • APSB17-16 for Adobe Experience Manager Forms addresses a single information disclosure vulnerability in versions 6.0, 6.1, and 6.2 on Windows, Linux, Solaris, and AIX that results from abuse of the pre-population service in AEM Forms. It has a priority rating of 2 on all platforms and is rated important.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html or see the individual bulletins linked in each bullet point above.

Google

On May 2, Google released a new version of the Chrome browser for Windows, Mac and Linux desktop operating systems, v58.0.3029.96, which includes a security fix for a high severity vulnerability related to a race condition in WebRTC.

On May 9, another stable channel update was released for the Chrome browser, v58.0.3029.110 for Windows, Mac and Linux, which automatically migrates users who have 32 bit versions of Chrome installed on 64 bit Windows to a 64 bit version of Chrome for security, performance and stability reasons.

On May 18, a stable channel update for the Chrome OS was released, v58.0.3029.140, which contains multiple security fixes.

This month’s security bulletin for Android provides patches for Nexus and Pixel devices that are distributed in an over-the-air update and can also be downloaded from Google’s developer web site. Google also revealed that Nexus 6 and 9 won’t be assured of receiving updates after October of this year. Pixel devices are supported until October 2019.

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. Patches were released last month and the next regular update release is scheduled for July 18th.

For more information about these patches, see Oracle’s Update Advisory at https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

On May 5, Mozilla released Firefox v53.0.2, which contains the fix for a high severity use-after-free vulnerability in ANGLE that can be used to create an exploitable crash. This affects the ANGLE graphics library on the Windows operating system only; Firefox on other operating systems is not affected.

For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox53.0.2

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Ubuntu issued forty-four security notices in May, which is a big increase over last month’s 27 but fairly average over the course of the past year. Many of these address multiple vulnerabilities and in some cases, there are multiple advisories for the same vulnerabilities. Here are Ubuntu’s security advisories for May, as of 05/30:

  • USN-3304-1: Sudo vulnerability – 30th May 2017. It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the filesystem, bypassing intended permissions.

  • USN-3212-2: LibTIFF regression – 30th May 2017. USN-3212-1 fixed vulnerabilities in LibTIFF. Unfortunately, some of the security patches were misapplied, which caused a regression when processing certain images. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that LibTIFF incorrectly handled certain malformed images.

  • USN-3303-1: WebKitGTK+ vulnerabilities – 30th May 2017. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

  • USN-3302-1: ImageMagick vulnerabilities – 30th May 2017. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user.

  • USN-3301-1: strongSwan vulnerabilities – 30th May 2017. It was discovered that the strongSwan gmp plugin incorrectly validated RSA public keys. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service. (CVE-2017-9022) It was discovered that strongSwan incorrectly parsed ASN.1 CHOICE types.

  • USN-3300-1: juju-core vulnerability – 26th May 2017. Ryan Beisner discovered juju did not set permissions on a Unix domain socket. A local attacker could use this flaw to gain administrative privileges.

  • USN-3299-1: Firefox update – 25th May 2017. Some security information preloaded in Firefox was due to expire before the next scheduled release. This update bumps the expiration times.

  • USN-3296-2: Samba vulnerability – 24th May 2017. USN-3296-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Samba incorrectly handled shared libraries. A remote attacker could use this flaw to upload a shared library to a writable share and execute arbitrary code.

  • USN-3298-2: MiniUPnP vulnerability – 24th May 2017. USN-3298-1 fixed a vulnerability in MiniUPnP. This update provides the corresponding update for Ubuntu 17.04. Original advisory details: It was discovered that MiniUPnP incorrectly handled memory. A remote attacker could use this issue to cause a denial of service or possibly execute arbitrary code with privileges of the user.

  • USN-3298-1: MiniUPnP vulnerability – 24th May 2017. It was discovered that MiniUPnP incorrectly handled memory. A remote attacker could use this issue to cause a denial of service or possibly execute arbitrary code with privileges of the user running an application that uses the MiniUPnP library.

  • USN-3297-1: jbig2dec vulnerabilities – 24th May 2017. Bingchang Liu discovered that jbig2dec incorrectly handled memory when decoding malformed image files. If a user or automated system were tricked into processing a specially crafted JBIG2 image file, a remote attacker could cause jbig2dec to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3296-1: Samba vulnerability – 24th May 2017. It was discovered that Samba incorrectly handled shared libraries. A remote attacker could use this flaw to upload a shared library to a writable share and execute arbitrary code.

  • USN-3283-2: rtmpdump vulnerabilities – 23rd May 2017. Dave McDaniel discovered that rtmpdump incorrectly handled certain malformed streams. If a user were tricked into processing a specially crafted stream, a remote attacker could cause rtmpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3275-3: OpenJDK 7 regression – 18th May 2017. USN-3275-2 fixed vulnerabilities in OpenJDK 7. Unfortunately, the update introduced a regression when handling TLS handshakes. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that OpenJDK improperly re-used cached NTLM connections in some situations.

  • USN-3295-1: JasPer vulnerabilities – 18th May 2017. It was discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files. If a user or automated system using JasPer were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user.

  • USN-3291-3: Linux kernel (Xenial HWE) vulnerabilities – 17th May 2017. USN-3291-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow.

  • USN-3291-2: Linux kernel vulnerabilities – 17th May 2017. USN-3291-1 fixed vulnerabilities in the generic Linux kernel. This update provides the corresponding updates for the Linux kernel built for specific processors and cloud environments. Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow.

  • USN-3294-1: Bash vulnerabilities – 17th May 2017. Bernd Dietzel discovered that Bash incorrectly expanded the hostname when displaying the prompt. If a remote attacker were able to modify a hostname, this flaw could be exploited to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.

  • USN-3282-2: FreeType vulnerabilities – 16th May 2017. It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3276-2: shadow regression – 16th May 2017. USN-3276-1 intended to fix a vulnerability in su. The solution introduced a regression in su signal handling. This update modifies the security fix. We apologize for the inconvenience. Original advisory details: Sebastian Krahmer discovered integer overflows in shadow utilities.

  • USN-3293-1: Linux kernel vulnerabilities – 16th May 2017. Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS.

  • USN-3292-2: Linux kernel (HWE) vulnerability – 16th May 2017. USN-3292-1 fixed a vulnerability in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. Jason Donenfeld discovered a heap overflow in the MACsec module in the Linux kernel.

  • USN-3292-1: Linux kernel vulnerability – 16th May 2017. Jason Donenfeld discovered a heap overflow in the MACsec module in the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

  • USN-3291-1: Linux kernel vulnerabilities – 16th May 2017. Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

  • USN-3290-1: Linux kernel vulnerability – 16th May 2017. Marco Grassi discovered that the TCP implementation in the Linux kernel mishandles socket buffer (skb) truncation. A local attacker could use this to cause a denial of service (system crash).

  • USN-3278-1: Thunderbird vulnerabilities – 16th May 2017. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service via application crash, or execute arbitrary code.

  • USN-3272-2: Ghostscript regression – 16th May 2017. USN-3272-1 fixed vulnerabilities in Ghostscript. This change introduced a regression when the DELAYBIND feature is used with the eqproc command. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Ghostscript improperly handled parameters to the rsdparams and eqproc commands.

  • USN-3289-1: QEMU vulnerabilities – 16th May 2017. Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-7377, CVE-2017-8086) Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device.

  • USN-3275-2: OpenJDK 7 vulnerabilities – 15th May 2017. USN-3275-1 fixed vulnerabilities in OpenJDK 8. This update provides the corresponding updates for OpenJDK 7. Original advisory details: It was discovered that OpenJDK improperly re-used cached NTLM connections in some situations. A remote attacker could possibly use this to cause a Java application to perform actions with the credentials of the user.

  • USN-3288-1: libytnef vulnerabilities – 15th May 2017. It was discovered that libytnef incorrectly handled malformed TNEF streams. If a user were tricked into opening a specially crafted TNEF attachment, an attacker could cause a denial of service or possibly execute arbitrary code.

  • USN-3287-1: Git vulnerability – 15th May 2017. Timo Schmid discovered that the Git restricted shell incorrectly filtered allowed commands. A remote attacker could possibly use this issue to run an interactive pager and access sensitive information.

  • USN-3286-1: KDE-Libs vulnerability – 15th May 2017. Sebastian Krahmer discovered that the KDE-Libs Kauth component incorrectly checked services invoking D-Bus. A local attacker could use this issue to gain root privileges.

  • USN-3285-1: LightDM vulnerability – 11th May 2017. Tyler Hicks discovered that LightDM did not confine the user session for guest users. An attacker with physical access could use this issue to access files and other resources that they should not be able to access.

  • USN-3260-2: Firefox regression – 11th May 2017. USN-3260-1 fixed vulnerabilities in Firefox. The update caused the date picker panel and form validation errors to close immediately on opening. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox.

  • USN-3275-1: OpenJDK 8 vulnerabilities – 11th May 2017. It was discovered that OpenJDK improperly re-used cached NTLM connections in some situations. A remote attacker could possibly use this to cause a Java application to perform actions with the credentials of a different user.

  • USN-3284-1: OpenVPN vulnerabilities – 11th May 2017. It was discovered that OpenVPN improperly triggered an assert when receiving an oversized control packet in some situations. A remote attacker could use this to cause a denial of service (server or client crash). (CVE-2017-7478) It was discovered that OpenVPN improperly triggered an assert when packet ids rolled over.

  • USN-3283-1: rtmpdump vulnerabilities – 9th May 2017. Dave McDaniel discovered that rtmpdump incorrectly handled certain malformed streams. If a user were tricked into processing a specially crafted stream, a remote attacker could cause rtmpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3282-1: FreeType vulnerabilities – 9th May 2017. It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3281-1: Apache Fop vulnerability – 9th May 2017. Pierre Ernst discovered that Apache Fop incorrectly handled XML external entities. A remote attacker could possibly use this issue to obtain sensitive files from the filesystem, or cause a denial of service.

  • USN-3280-1: Apache Batik vulnerability – 9th May 2017. Lars Krapf and Pierre Ernst discovered that Apache Batik incorrectly handled XML external entities. A remote attacker could possibly use this issue to obtain sensitive files from the filesystem, or cause a denial of service.

  • USN-3279-1: Apache HTTP Server vulnerabilities – 9th May 2017. It was discovered that the Apache mod_session_crypto module was encrypting data and cookies using either CBC or ECB modes. A remote attacker could possibly use this issue to perform padding oracle attacks.

  • USN-3276-1: shadow vulnerabilities – 5th May 2017. Sebastian Krahmer discovered integer overflows in shadow utilities. A local attacker could possibly cause them to crash or potentially gain privileges via crafted input. (CVE-2016-6252) Tobias Stöckmann discovered a race condition in su. A local attacker could cause su to send SIGKILL to other processes with root privileges. (CVE-2017-2616).

  • USN-3274-1: ICU vulnerabilities – 2nd May 2017. It was discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.

  • USN-3273-1: LibreOffice vulnerabilities – 2nd May 2017. It was discovered that LibreOffice incorrectly handled EMF image files. If a user were tricked into opening a specially crafted EMF image file, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code.
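The Ubuntu list above mixes original notices with -2/-3 re-releases (ESM, HWE kernel and other-release follow-ups) and regression fixes for the same bugs, so the raw count of 44 overstates the number of distinct issues. As an added example that is not from the original post or from Ubuntu, this hypothetical Python helper parses lines in the list's format, groups them by base USN number and flags follow-ups and regressions, so a patch tracker sees what actually needs new testing; the sample lines are abridged from the list above.

```python
# Hypothetical triage helper for roundup-style Ubuntu Security Notice lines
# (added example; not part of the original post or an Ubuntu tool).
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Matches "USN-NNNN-R: <package> <kind> – <day><suffix> <Month> <year>. <summary>"
NOTICE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<usn>USN-(?P<base>\d+)-(?P<rev>\d+)):\s+"
    r"(?P<package>.+?)\s+(?P<kind>vulnerability|vulnerabilities|regression|update)\s+"
    r"[–-]\s+(?P<day>\d{1,2})(?:st|nd|rd|th)\s+(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})\.\s*"
    r"(?P<summary>.*)$"
)
# A follow-up names the notice it revises: "USN-3296-1 fixed a vulnerability in Samba."
SUPERSEDES_RE = re.compile(r"\b(USN-\d+-\d+) (?:fixed|intended to fix)\b")


@dataclass
class Notice:
    usn: str
    base: int
    rev: int
    package: str
    kind: str
    released: date
    summary: str
    supersedes: Optional[str]


def parse_notices(text: str) -> list:
    """Parse notice lines in the roundup's format; non-matching lines are skipped."""
    notices = []
    for line in text.splitlines():
        m = NOTICE_RE.match(line)
        if not m:
            continue
        released = datetime.strptime(
            f"{m['day']} {m['month']} {m['year']}", "%d %B %Y").date()
        sup = SUPERSEDES_RE.search(m["summary"])
        notices.append(Notice(m["usn"], int(m["base"]), int(m["rev"]), m["package"],
                              m["kind"], released, m["summary"],
                              sup.group(1) if sup else None))
    return notices


def triage(notices: list) -> dict:
    """Collapse re-releases onto their base USN and flag what needs a second look."""
    by_base = defaultdict(list)
    for n in notices:
        by_base[n.base].append(n)
    return {
        "distinct_issues": len(by_base),
        # -2/-3 revisions: same bug, new target (ESM, HWE kernel, another release)
        "followups": sorted(n.usn for n in notices if n.rev > 1),
        # a regression means an earlier patch broke something: re-test after applying
        "regressions": sorted(n.usn for n in notices if n.kind == "regression"),
        "notices_per_package": dict(Counter(n.package for n in notices)),
    }


# Constructed sample: six lines abridged from the May list above.
SAMPLE = """\
  • USN-3304-1: Sudo vulnerability – 30th May 2017. It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat.
  • USN-3212-2: LibTIFF regression – 30th May 2017. USN-3212-1 fixed vulnerabilities in LibTIFF. Unfortunately, some of the security patches were misapplied.
  • USN-3296-2: Samba vulnerability – 24th May 2017. USN-3296-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM.
  • USN-3296-1: Samba vulnerability – 24th May 2017. It was discovered that Samba incorrectly handled shared libraries.
  • USN-3291-2: Linux kernel vulnerabilities – 17th May 2017. USN-3291-1 fixed vulnerabilities in the generic Linux kernel.
  • USN-3291-1: Linux kernel vulnerabilities – 16th May 2017. Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow.
"""

if __name__ == "__main__":
    for key, value in triage(parse_notices(SAMPLE)).items():
        print(f"{key}: {value}")
```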