Here we are again at the end of another month, and it’s been an interesting one for those who spend their lives down in the IT security trenches.

After two years of anticipation, planning, dreading, and scrambling to put compliance measures into place, the GDPR enforcement deadline kicked in, and almost immediately multi-billion dollar privacy lawsuits were brought against Google, Facebook and other popular social services.

Optiv released their annual Cyber Threat Intelligence Estimate showing a dramatic increase in cyber attacks coming from unexpected sources, such as the Netherlands, most of them using traditional exploits that depend on open source and custom built tools.

And to top things off, the FBI issued a warning that Russian malware has infected over half a million consumer routers and NAS devices and advised users to reset their networking equipment in an attempt to address the problem.  

Of course, one of the most important elements in protecting your devices and network against these and other threats is to keep all systems (including the firmware on routers) updated. It’s important to remember that the major software vendors whose patches we review here each month are only a part of the vast number of companies that create the programs that run our many machines.  Today, even our connected cars are vulnerable; researchers discovered 14 vulnerabilities in several models of BMW that could be exploited to gain control of the software; BMW dealerships are providing updates.

There is no way that we can cover the myriad of patches released every month by thousands of small and large companies, but let’s take a look now at the patches that came our way in May from the “usual suspects.”

Note that at the time this article is being written and submitted, there are two more days left in the month. If additional updates are released during those two days, we will cover them in next month’s Roundup.

Apple

As of the date of this writing (May 29), Apple had released only one security update this month and it wasn’t an iOS, OS X or macOS patch; it was for their Swift programming language running on Ubuntu.

  • Security Update 2018-001 Swift 4.1.1 for Ubuntu 14.04 was released on May 4 to fix an issue whereby libraries are loaded with write and execute permissions. An attacker could exploit this vulnerability to obtain admin privileges and accomplish arbitrary code execution so this should be considered a critical update.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe has issued five security updates thus far in May. Three were released on the regular Patch Tuesday date of May 8th, and two were issued the following week on May 14. These include updates for the following products:

  • APSB18-09 Security updates available for Adobe Acrobat and Reader
  • APSB18-12 Security update available for Adobe Creative Cloud Desktop Application
  • APSB18-16 Security update available for Adobe Flash Player
  • APSB18-17 Security updates available for Adobe Photoshop CC
  • APSB18-18 Security update available for Adobe Connect

The Flash Player update for Windows, Mac, Linux and Chrome OS and the Adobe Acrobat and Reader update will have the most widespread impact. The Flash update addresses a single critical type confusion vulnerability that could be used to accomplish arbitrary code execution.

The Acrobat/Reader update addresses a large number of critical and important CVEs that include double free, heap overflow, use-after-free, out-of-bounds write, out-of-bounds read, security bypass, type confusion, untrusted pointer dereference, memory corruption, NTLM SSO hash theft, and HTTP POST new line injection issues. Most of these are arbitrary code execution vulnerabilities; there are also two information disclosure issues and a security bypass.

The Photoshop CC update will also affect a substantial number of users. It addresses a single critical out-of-bounds write vulnerability that could lead to remote code execution.

The Creative Cloud update addresses three vulnerabilities, two of which are privilege escalation issued rated important, and the third is a security bypass that is rated critical.

The Adobe Connect update addresses a single authentication bypass vulnerability that could result in sensitive information disclosure. It is rated important.

For more information, see the security bulletin summary at : https://helpx.adobe.com/security.html

Google

  • On May 7, Google released their monthly Android security bulletin containing details of vulnerabilities affecting Android devices. The most severe of this month’s issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. 
  • On May 15, Google released a new stable channel update for the Chrome web browser for Windows, Mac, and Linux, version 66.0.3359.
  • On May 17, Google released a new stable channel update for the Chrome OS, version 66.0.3359.181, that contains “a number of bug fixes and security updates.”

Looking ahead, Google is expected to release Chrome 68 in July, which will make a major change to the way HTTP non-encrypted sites are displayed. With that version, the browser will start marking such sites as “Not Secure” with a prominent warning. Most top sites now use HTTPS (secure HTTP) by default.

For more information, see https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2018-05-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  The April 2018 update was released on April 18. The next scheduled update is scheduled to be released on July 17th.

Oracle customers can read more about previous patches in the executive summary on the Oracle Support site at https://login.oracle.com/mysso/signon.jsp

Mozilla

On May 9, Mozilla released Firefox version 60, which fixes the following vulnerabilities:

  • CVE-2018-5154: Use-after-free with SVG animations and clip paths. High impact.A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash.
  • CVE-2018-5155: Use-after-free with SVG animations and text paths. A use-after-free vulnerability can occur while adjusting layout during SVG animations with text paths. This results in a potentially exploitable crash.
  • CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files. Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website.
  • CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer. The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.
  • CVE-2018-5159: Integer overflow and out-of-bounds write in Skia.An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable by web content.
  • CVE-2018-5160: Uninitialized memory use by WebRTC encoder. WebRTC can use a WrappedI420Buffer pixel buffer but the owning image object can be freed while it is still in use. This can result in the WebRTC encoder using uninitialized memory, leading to a potentially exploitable crash.
  • CVE-2018-5152: WebExtensions information leak through webRequest API. WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the webRequest API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in.
  • CVE-2018-5153: Out-of-bounds read in mixed content websocket messages. If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in response.
  • CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache. If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this replaced code, the executed script would be run with the parent process’ privileges, escaping the sandbox on content processes.Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks.
  • CVE-2018-5166: WebExtension host permission bypass through filterReponseData. WebExtensions can use request redirection and a filterReponseData filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission.
  • CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger. The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Both will display chrome: links as active, clickable hyperlinks in their output. Web sites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display javascript: links, which users could be tricked into clicking by malicious sites.
  • CVE-2018-5168: Lightweight themes can be installed without user interaction. Sites can bypass security checks on permissions to install lightweight themes by manipulating the baseURI property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images.
  • CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages. If manipulated hyperlinked text with chrome: URL contained in it is dragged and dropped on the “home” icon, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs.
  • CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer. The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. This could allow a malicious site to socially engineer a user to copy and paste malicious script content that could then run with the context of either
  • CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters. The filename appearing in the Downloads panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel.
  • CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update. In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the SEE_MASK_FLAG_NO_UI flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won’t prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen.
  • CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies. A mechanism to bypass Content Security Policy (CSP) protections on sites that have a script-src policy of ‘strict-dynamic’. If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the require.js library that is part of Firefox’s Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts.
  • CVE-2018-5176: JSON Viewer script injection. The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including javascript: links. If a JSON file contains malicious JavaScript script embedded as javascript: links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context.
  • CVE-2018-5177: Buffer overflow in XSLT during number formatting. A vulnerability exists in XSLT during number formatting where a negative buffer size may be allocated in some instances, leading to a buffer overflow and crash if it occurs.
  • CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox. In 32-bit versions of Firefox, the Adobe Flash plugin setting for “Enable Adobe Flash protected mode” is unchecked by default even though the Adobe Flash sandbox is actually enabled. The displayed state is the reverse of the true setting, resulting in user confusion. This could cause users to select this setting
  • CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced.  A use-after-free vulnerability can occur during WebGL operations. While this results in a potentially exploitable crash, the vulnerability is limited because the memory is freed and reused in a brief window of time during the freeing of the same callstack.
  • CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink. If a URL using the file: protocol is dragged and dropped onto an open tab that is running in a different child process the tab will open a local file corresponding to the dropped URL, contrary to policy. One way to make the target tab open more reliably in a separate process is to open it with the noopener keyword.
  • CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar. If a text string that happens to be a filename in the operating system’s native format is dragged and dropped onto the addressbar the specified local file will be opened. This is contrary to policy and is what would happen if the string were the equivalent file: URL.
  • CVE-2018-5151: Memory safety bugs fixed in Firefox 60. Mozilla developers and community members Christoph Diehl, Christian Holler, Jon Coppeard, Jason Kratzer, Nathan Froyd, Paul Theriault, Ryan VanderMeulen, Tyson Smith, Sebastian Hengst, Byron Campen, Emilio Cobos Álvarez, Ronald Crane, and Phillipp reported memory safety bugs present in Firefox 59. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
  • CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8. Mozilla developers and community members Christoph Diehl, Randell Jesup, Tyson Smith, Alex Gaynor, Ronald Crane, Julian Hector, Kannan Vijayan, and Jason Kratzer reported memory safety bugs present in Firefox 59 and Firefox ESR 52.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (May 29th), Ubuntu has issued the following thirty-six security advisories. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of advisories and updates.

  • USN-3662-1: NVIDIA graphics drivers vulnerabilities. It was discovered that the NVIDIA graphics drivers contained flaws in the kernel mode layer. A local attacker could use these issues to cause a denial of service or potentially escalate their privileges on the system. 29 May 2018
  • USN-3661-1: Batik vulnerability. It was discovered that Batik incorrectly handled certain XML. An attacker could possibly use this to expose sensitive information. 29 May 2018
  • USN-3586-2: DHCP vulnerabilities. USN-3586-1 fixed a vulnerability in DHCP. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Felix Wilhelm discovered that the DHCP client incorrectly handled certain malformed responses. A remote attacker could use this issue to cause the DHCP client to crash, resulting in a denial of service. 28 May 2018
  • USN-3660-1: Thunderbird vulnerabilities. Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service via application crash, install lightweight themes without user interaction, or execute arbitrary code. 25 May 2018
  • USN-3598-2: curl vulnerabilities. USN-3598-1 fixed a vulnerability in curl. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Phan Thanh discovered that curl incorrectly handled certain FTP paths. An attacker could use this to cause a denial of service or possibly execute arbitrary code. 24 May 2018
  • USN-3659-1: Spice vulnerability. Frediano Ziglio discovered that Spice incorrectly handled certain client messages. An attacker could possibly use this to cause Spice to crash, resulting in a denial of service, or possibly execute arbitrary code. 23 May 2018
  • USN-3658-1: procps-ng vulnerabilities. It was discovered that the procps-ng top utility incorrectly read its configuration file from the current working directory. A local attacker could possibly use this issue to escalate privileges. It was discovered that the procps-ng ps tool incorrectly handled memory. A local user could possibly use this issue to cause a denial of service. 23 May 2018
  • USN-3657-1: Linux kernel (Raspberry Pi 2) vulnerabilities. It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). 22 May 2018
  • USN-3656-1: Linux kernel (Raspberry Pi 2, Snapdragon) vulnerabilities. Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that a race condition existed in the F2FS implementation in the Linux kernel. 22 May 2018
  • USN-3655-2: Linux kernel (Trusty HWE) vulnerabilities. USN-3655-1 fixed vulnerabilities and added mitigations in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. 22 May 2018
  • USN-3655-1: Linux kernel vulnerabilities. Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. 22 May 2018
  • USN-3654-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3654-1 fixed vulnerabilities and added mitigations in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. 22 May 2018
  • USN-3654-1: Linux kernel vulnerabilities. Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. 22 May 2018
  • USN-3653-2: Linux kernel (HWE) vulnerabilities. USN-3653-1 fixed vulnerabilities and added mitigations in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. 22 May 2018
  • USN-3653-1: Linux kernel vulnerabilities. Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. 22 May 2018
  • USN-3652-1: Linux kernel vulnerability. Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. 22 May 2018
  • USN-3651-1: QEMU update. Ken Johnson and Jann Horn independently discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via sidechannel attacks. An attacker in the guest could use this to expose sensitive guest information, including kernel memory. 21 May 2018
  • USN-3650-1: xdg-utils vulnerability. It was discovered that xdg-utils incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code. 21 May 2018
  • USN-3645-2: Firefox regression. USN-3645-1 fixed vulnerabilities in Firefox. The update caused an issue where users experienced long UI pauses in some circumsances. This update fixes the problem. We apologize for the inconvenience. 18 May 2018
  • USN-3646-2: PHP vulnerabilities. USN-3646-1 fixed a vulnerability in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that PHP incorrectly handled opcache access controls when configured to use PHP-FPM. 16 May 2018
  • USN-3642-2: DPDK vulnerability. USN-3642-1 fixed a vulnerability in DPDK. This update provides the corresponding update for Ubuntu 17.10. Original advisory details: Maxime Coquelin discovered that DPDK incorrectly handled guest physical ranges. A malicious guest could use this issue to possibly access sensitive information. 16 May 2018
  • USN-3649-1: QEMU vulnerabilities. Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values during migration. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. 16 May 2018
  • USN-3648-1: curl vulnerabilities. Dario Weisser discovered that curl incorrectly handled long FTP server command replies. If a user or automated system were tricked into connecting to a malicious FTP server, a remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. 16 May 2018
  • USN-3647-1: poppler vulnerabilities. It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this to cause a denial of service. (CVE-2017-18267) It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. 15 May 2018
  • USN-3600-2: PHP vulnerabilities. USN-3600-1 fixed a vulnerability in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. 15 May 2018
  • USN-3646-1: PHP vulnerabilities. It was discovered that PHP incorrectly handled opcache access controls when configured to use PHP-FPM. A local user could possibly use this issue to obtain sensitive information from another user’s PHP applications. (CVE-2018-10545) It was discovered that the PHP iconv stream filter incorrect handled certain invalid multibyte sequences. 14 May 2018
  • USN-3645-1: Firefox vulnerabilities. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, install lightweight themes without user interaction. 11 May 2018
  • USN-3644-1: OpenJDK 8 vulnerabilities. It was discovered that the Security component of OpenJDK did not correctly perform merging of multiple sections for the same file listed in JAR archive file manifests. An attacker could possibly use this to modify attributes in a manifest without invalidating the signature. 11 May 2018
  • USN-3643-2: Wget vulnerability. USN-3643-1 fixed a vulnerability in Wget. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Wget incorrectly handled certain inputs. An attacker could possibly use this to inject arbitrary cookie values. 9 May 2018
  • USN-3643-1: Wget vulnerability. It was discovered that Wget incorrectly handled certain inputs. An attacker could possibly use this to inject arbitrary cookie values. 9 May 2018
  • USN-3642-1: DPDK vulnerability. Maxime Coquelin discovered that DPDK incorrectly handled guest physical ranges. A malicious guest could use this issue to possibly access sensitive information. 9 May 2018
  • USN-3641-2: Linux kernel vulnerabilities. USN-3641-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 17.10. This update provides the corresponding updates for Ubuntu 12.04 ESM. Nick Peterson discovered that the Linux kernel did not properly handle debug exceptions following a MOV/POP to SS instruction. 8 May 2018
  • USN-3641-1: Linux kernel vulnerabilities. Nick Peterson discovered that the Linux kernel did not properly handle debug exceptions following a MOV/POP to SS instruction. A local attacker could use this to cause a denial of service (system crash). This issue only affected the amd64 architecture. 8 May 2018
  • USN-3640-1: WebKitGTK+ vulnerability. Ivan Fratric discovered that WebKitGTK+ incorrectly handled certain web content. If a user were tricked into viewing a malicious website, a remote attacker could possibly exploit this to execute arbitrary code. 8 May 2018
  • USN-3639-1: LibRaw vulnerabilities. It was discovered that LibRaw incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code. (CVE-2018-10528) It was discovered that LibRaw incorrectly handled certain files. An attacker could possibly use this to obtain sensitive information. 8 May 2018
  • USN-3638-1: QPDF vulnerabilities. It was discovered that QPDF incorrectly handled certain malformed files. A remote attacker could use this issue to cause QPDF to crash, resulting in a denial of service, or possibly execute arbitrary code. 7 May 2018