As yet another year winds down and November gets ready to morph into December, some IT pros in the U.S. are no doubt still recovering from an overload of turkey and dressing. As I enjoyed my decidedly non-conventional but delicious Thanksgiving dinner on the 26th (lobster mac & cheese, baked sweet potatoes and pan-grilled swordfish), I reflected on the many, many things for which I’m thankful.

One of those is the Internet, which has enriched my life in so many ways, put so much information at my fingertips, entertained me, and made it easy for me to keep in touch with people I know and to meet new friends I would never have known without this amazing technology. But like everything, it has also brought with it some not-so-good things, such as the security threats that bombard us from all sides and which we never had to deal with back in the days of standalone computers or local-only networks.

That’s why I’m also thankful that although there’s an army of malicious attackers out there working daily to steal our data or crash our systems or otherwise wreak havoc, there are also squadrons of good guys at all of the big tech companies and security research organizations who are working just as diligently to thwart their efforts, and to discover the vulnerabilities and get them patched before they can be exploited.

Speaking of vulnerabilities and patches, this month Apple released a total of nine updates fixing 60 vulnerabilities, four updates were issued by Adobe, and popular Linux distros had their usual selection of security advisories and updates. Google released a stable channel update for Chrome and also released an update for its Nexus devices, which patched seven vulnerabilities.

Let’s take a look at some of the more important issues and updates.

Apple

After releasing 9 updates last month with 60 vulnerabilities patched by the OS X update alone, the company seems to be taking a rest this month. As of the date of this writing (November 27), Apple has released no new security updates for any of its products.  Does this portend a heavy slate of patches coming down the chimney with Santa in December? Only time will tell.

For more information about prior months’ updates and to keep an eye out for new ones, see Apple’s web site at
https://support.apple.com/en-us/HT201222

Adobe

Adobe normally releases security updates in conjunction with Microsoft on the second Tuesday of each month. This month, the company released only one update on that day, November 10, but released three more a week later on November 17.

APSB15-28 was released on Patch Tuesday for Flash Player on Windows, Mac OS X, Linux, Android and Chrome OS. This update patches 17 vulnerabilities, which include a type confusion issue, a security bypass that could be used to write data to the file system, and fifteen use-after-free vulnerabilities that could be exploited for the purpose of code execution.  These are rated critical and the priority rating is 1 for IE, Edge and Chrome as well as the Flash Player Desktop Runtime on Windows, Mac and Linux. It is rated 3 for Flash Player for Linux and AIR for Windows, Mac, Android and iOS.

APSB15-29 was released on November 17 as a security hotfix for ColdFusion running on all platforms. It addresses three vulnerabilities: two are input validation issues that can be used in cross-site scripting attacks, and the third is a server-side request forgery vulnerability in BlazeDS. The priority rating on all platforms is 2.

APSB15-30 was released November 17 and is a security update for LiveCycle Data Services. It addresses the same server-side request forgery vulnerability in BlazeDS that’s mentioned above and applies to LiveCycleDS on Windows, Mac and Unix. The vulnerability is classified as important and the priority rating is a 2 for all platforms.

APSB15-31 was released November 17 and is a security update for Adobe Premiere Clip. It addresses a single vulnerability that is an input validation issue in the mobile app for iOS. This vulnerability is classified as important and the priority rating is a 3.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

On November 10, Google released stable channel update Chrome 46.0.2490.86 for Windows, Mac and Linux with security fixes. The most important is a fix for a high severity information leak issue in PDF Viewer that was discovered by researcher Rob Wu.

For more information, see the Google Chrome Releases blog site at http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html

Google also rolled out a security update to their Nexus devices in early November, which patches seven vulnerabilities, two of which are critical.
http://www.neowin.net/news/google-begins-rolling-out-november-security-update-to-nexus-devices

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  Last month they released an October update that patched a very large number of vulnerabilities. The next regularly scheduled update will be on January 19, 2016.

For a more detailed summary of previous vulnerabilities and fixes, see the Oracle security blog at https://blogs.oracle.com/security/   

Mozilla

Mozilla released Firefox v42 on November 3.  It contains 18 security fixes. Three of these are critical: one that involves NSS and NSPR memory corruption issues, one that consists of vulnerabilities found through code inspection, and a “miscellaneous memory safety hazards” vulnerability. Six are rated as high severity. These include a JavaScript garbage collection issue, a memory corruption issue in libjar through zip files, a vulnerability by which CORS preflight can be bypassed, an XSS attack vulnerability through intents on Firefox for Android, a buffer overflow during image interactions in canvas and a bypass of same-origin policy through trailing whitespace in IP address hostnames.  Seven are rated moderate and two are of low severity.

For more information about all of these vulnerabilities and fixes, see Mozilla’s website at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox42

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (November 27), Ubuntu has issued 33 security advisories, which is pretty typical. Many of them address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2820-1: dpkg vulnerability – 26th November 2015. Hanno Boeck discovered that the dpkg-deb tool incorrectly handled certain old style Debian binary packages. If a user or an automated system were tricked into unpacking a specially crafted binary package, a remote attacker could possibly use this issue to execute arbitrary code.

USN-2818-1: OpenJDK 7 vulnerability – 25th November 2015. It was discovered that rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed. An attacker could use this to expose sensitive information or possibly execute arbitrary code.

USN-2817-1: IcedTea Web vulnerabilities – 24th November 2015. It was discovered that IcedTea Web incorrectly handled applet URLs. A remote attacker could possibly use this issue to inject applets into the .appletTrustSettings configuration file and bypass user approval. (CVE-2015-5234) Andrea Palazzo discovered that IcedTea Web incorrectly determined the origin of unsigned applets.

USN-2816-1: Django vulnerability – 24th November 2015. Ryan Butterfield discovered that Django incorrectly handled the date template filter. A remote attacker could possibly use this issue to obtain secrets from application settings.

USN-2815-1: libpng vulnerabilities – 19th November 2015. Mikulas Patocka discovered that libpng incorrectly handled certain large fields. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause libpng to crash, leading to a denial of service. This issue only affected Ubuntu 12.04 LTS.

USN-2814-1: NVIDIA graphics drivers vulnerability – 18th November 2015. It was discovered that the NVIDIA graphics drivers incorrectly sanitized user mode inputs. A local attacker could use this issue to possibly gain root privileges.

USN-2813-1: LXCFS vulnerabilities – 17th November 2015. It was discovered that LXCFS incorrectly enforced directory escapes. A local attacker could use this issue to possibly escalate privileges. (CVE-2015-1342) It was discovered that LXCFS incorrectly checked certain permissions. A local attacker could use this issue to possibly escalate privileges.

USN-2812-1: libxml2 vulnerabilities – 16th November 2015. Florian Weimer discovered that libxml2 incorrectly handled certain XML data. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.04.

USN-2811-1: strongSwan vulnerability – 16th November 2015. It was discovered that the strongSwan eap-mschapv2 plugin incorrectly handled state. A remote attacker could use this issue to bypass authentication.

USN-2810-1: Kerberos vulnerabilities – 12th November 2015. It was discovered that the Kerberos kpasswd service incorrectly handled certain UDP packets. A remote attacker could possibly use this issue to cause resource consumption, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS.

USN-2809-1: LXD vulnerability – 12th November 2015. Jeroen Simonetti discovered that LXD incorrectly set socket permissions. A local attacker could use this issue to escalate privileges.

USN-2807-1: Linux kernel (Wily HWE) vulnerability – 10th November 2015. Ben Serebrin discovered that the KVM hypervisor implementation in the Linux kernel did not properly catch Alignment Check exceptions. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.

USN-2808-1: wpa_supplicant and hostapd vulnerabilities – 10th November 2015. It was discovered that wpa_supplicant incorrectly handled WMM Sleep Mode Response frame processing. A remote attacker could use this issue to perform broadcast/multicast packet injections, or cause a denial of service. (CVE-2015-5310) It was discovered that wpa_supplicant and hostapd incorrectly handled certain EAP-pwd messages.

USN-2806-1: Linux kernel (Vivid HWE) vulnerability – 9th November 2015. Ben Serebrin discovered that the KVM hypervisor implementation in the Linux kernel did not properly catch Alignment Check exceptions. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.

USN-2805-1: Linux kernel (Utopic HWE) vulnerability – 9th November 2015. Ben Serebrin discovered that the KVM hypervisor implementation in the Linux kernel did not properly catch Alignment Check exceptions. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.

USN-2804-1: Linux kernel (Trusty HWE) vulnerability – 9th November 2015. Ben Serebrin discovered that the KVM hypervisor implementation in the Linux kernel did not properly catch Alignment Check exceptions. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.

USN-2803-1: Linux kernel vulnerability – 9th November 2015. Ben Serebrin discovered that the KVM hypervisor implementation in the Linux kernel did not properly catch Alignment Check exceptions. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.

USN-2802-1: Linux kernel vulnerability – 9th November 2015. Ben Serebrin discovered that the KVM hypervisor implementation in the Linux kernel did not properly catch Alignment Check exceptions. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.

USN-2801-1: Linux kernel vulnerability – 9th November 2015. Ben Serebrin discovered that the KVM hypervisor implementation in the Linux kernel did not properly catch Alignment Check exceptions. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.

USN-2800-1: Linux kernel vulnerability – 9th November 2015. Ben Serebrin discovered that the KVM hypervisor implementation in the Linux kernel did not properly catch Alignment Check exceptions. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.

USN-2788-2: unzip regression – 9th November 2015. USN-2788-1 fixed vulnerabilities in unzip. One of the security patches caused a regression when extracting 0-byte files. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Gustavo Grieco discovered that unzip incorrectly handled certain password protected archives.

USN-2799-1: Linux kernel vulnerabilities – 5th November 2015. It was discovered that in certain situations, a directory could be renamed outside of a bind mounted location. An attacker could use this to escape bind mount containment and gain access to sensitive information.

USN-2798-1: Linux kernel (Vivid HWE) vulnerabilities – 5th November 2015. It was discovered that in certain situations, a directory could be renamed outside of a bind mounted location. An attacker could use this to escape bind mount containment and gain access to sensitive information.

USN-2797-1: Linux kernel (Utopic HWE) vulnerabilities – 5th November 2015. It was discovered that the Linux kernel did not check if a new IPv6 MTU set by a user space application was valid. A remote attacker could forge a route advertisement with an invalid MTU that a user space daemon like NetworkManager would honor and apply to the kernel.

USN-2796-1: Linux kernel (OMAP4) vulnerabilities – 5th November 2015. Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

USN-2795-1: Linux kernel (Trusty HWE) vulnerabilities – 5th November 2015. It was discovered that in certain situations, a directory could be renamed outside of a bind mounted location. An attacker could use this to escape bind mount containment and gain access to sensitive information.

USN-2794-1: Linux kernel vulnerabilities – 5th November 2015. It was discovered that in certain situations, a directory could be renamed outside of a bind mounted location. An attacker could use this to escape bind mount containment and gain access to sensitive information.

USN-2793-1: LibreOffice vulnerabilities – 5th November 2015. Federico Scrinzi discovered that LibreOffice incorrectly handled documents inserted into Writer or Calc via links. If a user were tricked into opening a specially crafted document, a remote attacker could possibly obtain the contents of arbitrary files. (CVE-2015-4551) It was discovered that LibreOffice incorrectly handled PrinterSetup data stored in ODF.

USN-2792-1: Linux kernel vulnerabilities – 4th November 2015. Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

USN-2785-1: Firefox vulnerabilities – 4th November 2015. Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, Gary Kwong, Andrew McCreight, Georg Fritzsche, and Carsten Book discovered multiple memory safety issues in Firefox.

USN-2791-1: NSS vulnerabilities – 4th November 2015. Tyson Smith and David Keeler discovered that NSS incorrectly handled decoding certain ASN.1 data. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2790-1: NSPR vulnerability – 4th November 2015. Ryan Sleevi discovered that NSPR incorrectly handled memory allocation. A remote attacker could use this issue to cause NSPR to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2789-1: XScreenSaver vulnerability – 3rd November 2015. It was discovered that XScreenSaver incorrectly handled unplugging an external monitor. An attacker with physical access could use this flaw to gain access to a locked session.