J003-Content-3rdPartyRoundup_SQGoogle published several Chrome updates in November, addressing several security and stability issues, while other vendors had a more or less calm month.

This month seemed to go by in a flash. Here we are, Thanksgiving feasts already behind us, and December staring us in the face. One of the things that I remembered to be thankful for this year was the hard work put in by the security researchers all over the world – both those working for software vendors and those working independently – to ferret out the vulnerabilities in the operating systems and applications we use on a daily basis so they can be fixed before we fall victim to exploits and attacks.

It looks as if some of our software makers took the month off from patching, others took it easy and released fewer fixes than on a typical month, while for others it was business as usual. Let’s take a look at each of the major vendors’ November releases in more detail.

Apple

Last month, we covered the six patches that Apple had released as of the date of our October roundup, which was October 26. The next day, they came out with three more updates, and a fourth on October 31, so we’ll discuss those this month. Thus far (as of the November 28th), Apple has had no updates released in November.

On October 27, Apple released the following updates:

  • Xcode 8.1 for OS X El Capitan and later, addresses ten security issues in Node.js in Xcode Server, which could potentially be exploited by a remote attacker to execute arbitrary code and/or cause an application crash. The patch updates Node.js to version 4.5.0.
  • iCloud for Windows 6.0.1 applies to Apple’s cloud client running on Windows 7 or later. It addresses three vulnerabilities: one in iCloud itself and two in the WebKit component. These vulnerabilities could be exploited to result in disclosure of user information or arbitrary code execution. The patch fixes the problems through improved path searching, improved state management and improved memory handling.
  • iTunes 12.5.2 for Windows applies to Apple’s iTunes software running on Windows 7 or later. It addresses the same two WebKit vulnerabilities described above in the iCloud patch, which could result in information disclosure or arbitrary code execution, and fixes them in the same manner.

On October 31, Apple released the following update:

  • iOS 10.1.1 is the latest release of the mobile operating system for iPhone 5 and later, iPad 4th gen and later, and iPod Touch 6th gen and later. The security content is the same as iOS 1.1.

For more information about these and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released four patches in October, but this month they’ve served up a relatively light load: two updates that were both released on November 8, which is in keeping with Adobe’s regular monthly Patch Tuesday release schedule.

APSB16-35 is an update for Adobe Connect for Windows, which is Adobe’s web conferencing and presentation software. The update addresses a single input validation vulnerability in the events registration module that could be exploited to accomplish cross-site scripting attacks. It has a priority rating of 3.

APSB16-37 is an update for Adobe Flash Player running on Windows, Mac OS X, Linux and Chrome OS. It addresses nine separate vulnerabilities, including critical issues that could allow an attacker to take control of the system. These include type confusion vulnerabilities and use-after-free vulnerabilities, all of which could be exploited to accomplish code execution. Priority rating is 1 for all except Adobe Flash Player for Linux.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html or see the individual bulletins linked in each bullet point above.

Google

On November 2, Google released a new version of the Chrome browser, 54.0.2840.87 for Windows and Mac OS X, and version 54.0.2840.90 for Linux, which contain a security fix that addresses a denial of service vulnerability.

On November 10, Google released another new version, 54.0.2840.99 for Windows and 54.0.2840.98 for Linux, which contain security fixes for multiple vulnerabilities that could be exploited by an attacker to take control of a system.

On November 16, Google released a stable channel update for the Chrome OS operating system (54.0.2840.101) which contains a number of security updates along with bug fixes.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

Google also released an Over the Air (OTA) update for the Android mobile OS that addresses multiple security issues, including a critical vulnerability that could enable remote code execution on an affected device. For more information, see the Android Security Bulletin for November at https://source.android.com/security/bulletin/2016-11-01.html

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October, so the next regularly scheduled update will be released on January 17, 2017.

For more information about previously released patches, see Oracle’s Update Advisory at http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Mozilla

On November 15, Mozilla released Security Advisory 2016-89 and Firefox v50, which addresses 3 critical vulnerabilities, 12 high impact vulnerabilities, 10 moderate impact vulnerabilities, and 2 of low impact, for a grand total of 27 security fixes.

The most serious of these include heap buffer overflow issues and memory corruption issues that could be exploited to run arbitrary code. Other vulnerabilities include URL parsing crash, data that can be written to an arbitrary local file, arbitrary target directory issues, incorrect argument length in checking JavaScript, add-on updates that fail to verify the add-on ID, location bar spoofing, integer overflow leading to buffer overflow, heap-use-after-free issues, sandbox not enabled by default, WebExtensions’ ability to access an API resulting in elevated privileges, timing attacks issues, same-origin policy violation, an ability to read arbitrary files as SYSTEM, and SSL indicator that can mislead the user about the real URL visited, interception of AuthTokens meant for Firefox only, API keys access by a malicious application, possible exposure of metadata information, violation of cross-origin protections, WebExtension sandbox escape, timing side-channel attacks, browser history probe and more.

For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla’s web site at https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (November 28th), Ubuntu has issued twenty-nine security notices this month, which is fewer than usual. Many of these address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates. Here are the Ubuntu security advisories for October:

  • USN-3135-2: GStreamer Good Plugins vulnerability – 28th November 2016. USN-3135-1 fixed a vulnerability in GStreamer Good Plugins. The original security fix was incomplete. This update fixes the problem. Original advisory details: Chris Evans discovered that GStreamer Good Plugins did not correctly handle malformed FLC movie files.
  • USN-3137-1: MoinMoin vulnerabilities – 23rd November 2016. It was discovered that MoinMoin did not properly sanitize certain inputs, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data.
  • USN-3136-1: LXC vulnerability – 23rd November 2016. Roman Fiedler discovered a directory traversal flaw in lxc-attach. An attacker with access to an LXC container could exploit this flaw to access files outside of the container.
  • USN-3135-1: GStreamer Good Plugins vulnerability – 22nd November 2016. Chris Evans discovered that GStreamer Good Plugins did not correctly handle malformed FLC movie files. If a user were tricked into opening a crafted FLC movie file with a GStreamer application, an attacker could cause a denial of service via application crash, or execute arbitrary code.
  • USN-3134-1: Python vulnerabilities – 22nd November 2016. It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. (CVE-2016-0772) Rémi Rampin discovered that Python would not protect CGI applications from contents of the HTTP_PROXY environment variable.
  • USN-3132-1: tar vulnerability – 21st November 2016. Harry Sintonen discovered that tar incorrectly handled extracting files when path names are specified on the command line. If a user or automated system were tricked into processing a specially crafted archive, an attacker could possibly overwrite arbitrary files.
  • USN-3131-1: ImageMagick vulnerabilities – 21st November 2016. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user.
  • USN-3124-1: Firefox vulnerabilities – 18th November 2016. Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, Markus Stange, Olli Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple memory safety issues in Firefox.
  • USN-3130-1: OpenJDK 7 vulnerabilities – 17th November 2016. It was discovered that OpenJDK did not restrict the set of algorithms used for Jar integrity verification. An attacker could use this to modify without detection the content of a JAR file, affecting system integrity.
  • USN-3126-2: Linux kernel (OMAP4) vulnerabilities – 11th November 2016. Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash).
  • USN-3126-1: Linux kernel vulnerabilities – 11th November 2016. Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash).
  • USN-3129-2: Linux kernel (Raspberry Pi 2) vulnerabilities – 11th November 2016. Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash).
  • USN-3129-1: Linux kernel vulnerability – 11th November 2016. Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash).
  • USN-3128-3: Linux kernel (Qualcomm Snapdragon) vulnerability – 11th November 2016. Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash).
  • USN-3128-2: Linux kernel (Xenial HWE) vulnerability – 11th November 2016. USN-3128-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
  • USN-3128-1: Linux kernel vulnerability – 11th November 2016. Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash).
  • USN-3127-2: Linux kernel (Trusty HWE) vulnerabilities – 11th November 2016. USN-3127-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.
  • USN-3127-1: Linux kernel vulnerabilities – 11th November 2016. It was discovered that the compression handling code in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel did not properly check for an integer overflow. A local attacker could use this to cause a denial of service (system crash).
  • USN-3125-1: QEMU vulnerabilities – 9th November 2016. Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-5403) Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support.
  • USN-3123-1: curl vulnerabilities – 3rd November 2016. It was discovered that curl incorrectly reused client certificates when built with NSS. A remote attacker could possibly use this issue to hijack the authentication of a TLS connection. (CVE-2016-7141) Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain strings.
  • USN-3122-1: NVIDIA graphics drivers vulnerabilities – 3rd November 2016. It was discovered that the NVIDIA graphics drivers incorrectly sanitized user mode inputs. A local attacker could use this issue to possibly gain root privileges.
  • USN-3121-1: OpenJDK 8 vulnerabilities – 3rd November 2016. It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An attacker could use this to bypass Java sandbox restrictions. (CVE-2016-5582) It was discovered that OpenJDK did not restrict the set of algorithms used for Jar integrity verification.
  • USN-3113-1: Oxide vulnerabilities – 2nd November 2016. It was discovered that a long running unload handler could cause an incognito profile to be reused in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2016-1586) Multiple security vulnerabilities were discovered in Chromium.
  • USN-3120-1: Memcached vulnerabilities – 2nd November 2016. Aleksandar Nikolic discovered that Memcached incorrectly handled certain malformed commands. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3119-1: Bind vulnerability – 1st November 2016. Tony Finch and Marco Davids discovered that Bind incorrectly handled certain responses containing a DNAME answer. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
  • USN-3118-1: Mailman vulnerabilities – 1st November 2016. It was discovered that the Mailman administrative web interface did not protect against cross-site request forgery (CSRF) attacks. If an authenticated user were tricked into visiting a malicious website while logged into Mailman, a remote attacker could perform administrative actions. This issue only affected Ubuntu 12.04 LTS.
  • USN-3117-1: GD library vulnerabilities – 1st November 2016. Ibrahim El-Sayed discovered that the GD library incorrectly handled certain malformed Tiff images. If a user or automated system were tricked into processing a specially crafted Tiff image, an attacker could cause a denial of service.
  • USN-3116-1: DBus vulnerabilities – 1st November 2016. It was discovered that DBus incorrectly validated the source of ActivationFailure signals. A local attacker could use this issue to cause a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-0245) It was discovered that DBus incorrectly handled certain format strings.
  • USN-3115-1: Django vulnerabilities – 1st November 2016. Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed.