Autumn was fleeting this year, and now that November has come to a close we’re headed toward the winter months again. In some parts of the world and the country, that means heavy coats and scarves and shoveling snow. Here in north central Texas, it means we need to dig out our long sleeved shirts and replace our shorts with jeans and our sandals with socks and shoes.
Cold or hot, one thing is the same no matter where you live and work: we’re dependent on our computers to get that work done and regardless of what software those systems are running, it has vulnerabilities. The good news is that those vulnerabilities are continuously being patched to help prevent hackers and attackers from celebrating the holidays by stealing our data and bringing down our networks.
December traditionally ‘tis the season to be merry, but in the IT business, it’s also the season when many companies are operating with something akin to a skeleton crew because many employees take time off to be with family or to travel. That can leave IT departments even more short-staffed than they already are since the move to the cloud decimated the ranks of so many.
If you’re the lucky network admin who’s on call on these holiday weekends or during the week of Christmas, the last thing you need is to have your holiday dinner disrupted by calls to come in and address a network outage caused by a denial of service attack, or to have to deal with the nightmare of a big data breach. So it pays to get all those patches applied sooner rather than later. That might not guarantee that you’ll sail through the holidays like Santa on his sled, but it will help to reduce the chances that you’ll have to forego the turkey and stuffing to rush back to work and “fix the computers.”
Now, though, let’s take a look back at the patches that were released in November.
Apple
We had been lulled into thinking Apple would continue to follow a one on/one off schedule that they had established over most of this year – until October, when the company issued four updates, some of which contained new security fixes and some of which had the same fixes as their previous versions.
For November, we’re back on track but with a very light patch load. Although two updates for the mobile operating system were released, they don’t contain new security content. These include:
- iOS 11.1.1 for iPhone 5s and above, iPad Air and above, and iPod Touch gen 6 released on November 9th
- iOS 11.1.2 for iPhone 5s and above, iPad Air and above, and iPod Touch gen 6 released on November 16th
The only real security update released this month is for the desktop OS:
- Security update 2017-001 for macOS High Sierra 10.13 and 10.13.1 was released on November 29th, and it addresses a single vulnerability that could allow an attacker to bypass administrator authentication without providing the admin password – obviously a serious issue. The fix addresses the problem by improving credential validation. Earlier versions of macOS are not impacted by this.
For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222
Adobe
Adobe had only one update last month, but a quick glance at their security bulletins page would make it appear that they’re trying to make up for it this month. They issued nine patches for nine different products, all of which came in on their regular Patch Tuesday cycle, on November 14. The largest of these is the update for Adobe Acrobat and Reader, which is of note because it includes such a large number of fixes and because such a large percentage of computers have these programs installed.
The full slate of updates includes the following:
- APSB17-41 Security updates available for Adobe Experience Manager to resolve a reflected cross-site scripting vulnerability rated moderate in the HtmlRendererServlet, an information disclosure vulnerability rated important in which a sensitive token is included in an HTTP GET request under certain circumstances, and a cross-site scripting vulnerability in Apache Sling Servlets Post 2.3.20 rated important.
- APSB17-40 Security update available for Adobe Shockwave Player to resolve a critical memory corruption vulnerability that could lead to code execution.
- APSB17-39 Security update available for Adobe Digital Editions for Windows, Macintosh, iOS, and Android to address an XML external entity processing vulnerability rated critical that could lead to information disclosure, out-of-bounds read vulnerabilities that could lead to the disclosure of memory addresses and a memory corruption vulnerability that could lead to the disclosure of memory addresses.
- APSB17-38 Security update available for Adobe InDesign to address a critical memory corruption vulnerability due to improper handling of a malformed .inx file.
- APSB17-37 Security update available for the Adobe DNG Converter to resolve a critical memory corruption vulnerability.
- APSB17-36 Security updates available for Adobe Acrobat and Reader for Windows and Macintosh to address 62 critical vulnerabilities, the most serious of which could potentially allow an attacker to take control of the affected system. These include type confusion, out-of-bounds reads and writes, security bypass, buffer overflow and over-read, heap overflow, improper validation, and more.
- APSB17-35 Security update available for Adobe Connect to resolve a critical Server-Side Request Forgery (SSRF) vulnerability that could be abused to bypass network access controls. This update also resolves three input validation vulnerabilities rated Important that could be used in reflected cross-site scripting attacks. The update also includes a feature that enables Connect administrators to protect users from UI redressing (or clickjacking) attacks.
- APSB17-34 Security updates available for Adobe Photoshop CC for Windows and Macintosh, to resolve two critical vulnerabilities that could lead to code execution.
- APSB17-33 Security updates available for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address five critical vulnerabilities that could lead to code execution.
For more information, see the security bulletin at
https://helpx.adobe.com/security/products/flash-player/apsb17-33.html.
Google
On November 13, Google released a new stable channel update for the desktop version of the Chrome browser for Windows, Mac, and Linux, version 62.0.3202.94.
On November 15, Google released a new stable channel update for the Chrome OS, version 62.0.3202.97 (Platform version: 9901.77.0) for most Chrome OS devices, containing bug fixes and security updates.
For more information, see the Chrome releases blog: https://chromereleases.googleblog.com/
On November 6, Google released the Android Security Bulletin for this month, which addresses a number of critical vulnerabilities. For more information, see https://source.android.com/security/bulletin/2017-11-01
Google has also launched a new Pixel/Nexus Security Bulletin which contains information on additional security vulnerabilities and functional improvements that are addressed on supported Pixel and Nexus devices. If you use or support these devices, check it out here:
https://source.android.com/security/bulletin/pixel/2017-11-01
Oracle
Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The October update contained 252 new security fixes across Oracle product families. The latest version of the October updates is Rev. 5, released November 20. The next scheduled updates will be released on January 16, 2018.
For more information, see: https://www.oracle.com/technetwork/topics/security/alerts-086861.html
Mozilla
Mozilla did not release an update for the Firefox web browser in October. In November they released a major overhaul of the browser, which came out on November 14 and is called Firefox Quantum (version 57). Security issues fixed in this version include four critical issues, one high impact issue, seven that are rated as moderate, and four of low severity, for a total of 16 fixes.
The issues include the ever-present memory safety bugs, use-after-free and cross-origin vulnerabilities, information disclosure and domain spoofing, and more. For more information on the individual CVEs, see https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (November 30th), Ubuntu has issued 45 separate security advisories. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates. For more information about the individual updates and update instructions, see https://usn.ubuntu.com/usn/
- USN-3501-1: libxcursor vulnerability – 29 November 2017. It was discovered that libxcursor incorrectly handled certain files. An attacker could use these issues to cause libxcursor to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3500-1: libXfont vulnerability – 29 November 2017. It was discovered that libXfont incorrectly followed symlinks when opening font files. A local unprivileged user could use this issue to cause the X server to access arbitrary files, including special device files.
- USN-3499-1: Exim vulnerability – 29 November 2017. It was discovered that Exim incorrectly handled certain BDAT data headers. A remote attacker could possibly use this issue to cause Exim to crash, resulting in a denial of service.
- USN-3498-1: curl vulnerabilities – 29 November 2017. Alex Nichols discovered that curl incorrectly handled NTLM authentication credentials. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 17.04 and Ubuntu 17.10.
- USN-3497-1: OpenJDK 7 vulnerabilities – 29 November 2017. It was discovered that the Smart Card IO subsystem in OpenJDK did not properly maintain state. An attacker could use this to specially construct an untrusted Java application or applet to gain access to a smart card, bypassing sandbox restrictions.
- USN-3496-3: Python vulnerability – 28 November 2017. USN-3496-1 fixed a vulnerability in Python2.7. This update provides the corresponding update for versions 3.4 and 3.5. Original advisory details: It was discovered that Python incorrectly handled decoding certain strings. An attacker could possibly use this issue to execute arbitrary code.
- USN-3496-2: Python vulnerability – 28 November 2017. USN-3496-1 fixed a vulnerability in Python. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Python incorrectly handled decoding certain strings. An attacker could possibly use this issue to execute arbitrary code.
- USN-3496-1: Python vulnerability – 28 November 2017. It was discovered that Python incorrectly handled decoding certain strings. An attacker could possibly use this issue to execute arbitrary code.
- USN-3477-2: Firefox regression – 27 November 2017. USN-3477-1 fixed vulnerabilities in Firefox. The update caused search suggestions to not be displayed when performing Google searches from the search bar. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox.
- USN-3476-2: postgresql-common vulnerabilities – 27 November 2017. USN-3476-1 fixed two vulnerabilities in postgresql-common. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Dawid Golunski discovered that the postgresql-common pg_ctlcluster script incorrectly handled symlinks. A local attacker could possibly use this issue to escalate privileges.
- USN-3495-1: OptiPNG vulnerability – 27 November 2017. It was discovered that OptiPNG incorrectly handled memory. A remote attacker could use this issue with a specially crafted image file to cause OptiPNG to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3494-1: XML::LibXML vulnerability – 27 November 2017. It was discovered that XML::LibXML incorrectly handled memory when processing a replaceChild call. A remote attacker could possibly use this issue to execute arbitrary code.
- USN-3493-1: Exim vulnerability – 27 November 2017. It was discovered that Exim incorrectly handled memory in the ESMTP CHUNKING extension. A remote attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3492-1: LibRaw vulnerabilities – 22 November 2017. It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause applications linked against LibRaw to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3491-1: ldns vulnerabilities – 22 November 2017. Leon Weber discovered that the ldns-keygen tool incorrectly set permissions on private keys. A local attacker could possibly use this issue to obtain generated private keys. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-3209) Stephan Zeisberg discovered that ldns incorrectly handled memory when processing data.
- USN-3489-2: Berkeley DB vulnerability – 21 November 2017. USN-3489-1 fixed a vulnerability in Berkeley DB. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Berkeley DB incorrectly handled certain configuration files. An attacker could possibly use this issue to read sensitive information.
- USN-3489-1: Berkeley DB vulnerability – 21 November 2017. It was discovered that Berkeley DB incorrectly handled certain configuration files. An attacker could possibly use this issue to read sensitive information.
- USN-3485-3: Linux kernel (AWS) vulnerabilities – 21 November 2017. It was discovered that a race condition existed in the ALSA subsystem of the Linux kernel when creating and deleting a port via ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
- USN-3484-3: Linux kernel (GCP) vulnerability – 21 November 2017. It was discovered that the KVM subsystem in the Linux kernel did not properly keep track of nested levels in guest page tables. A local attacker in a guest VM could use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host.
- USN-3488-1: Linux kernel (Azure) vulnerability – 21 November 2017. It was discovered that the KVM subsystem in the Linux kernel did not properly keep track of nested levels in guest page tables. A local attacker in a guest VM could use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host.
- USN-3487-1: Linux kernel vulnerabilities – 21 November 2017. It was discovered that the KVM subsystem in the Linux kernel did not properly keep track of nested levels in guest page tables. A local attacker in a guest VM could use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host.
- USN-3486-2: Samba vulnerability – 21 November 2017. USN-3486-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Volker Lendecke discovered that Samba incorrectly cleared memory when returning data to a client. A remote attacker could possibly use this issue to obtain sensitive information.
- USN-3483-2: procmail vulnerability – 21 November 2017. USN-3483-1 fixed a vulnerability in procmail. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Jakub Wilk discovered that the formail tool incorrectly handled certain malformed mail messages. An attacker could use this flaw to cause formail to crash, resulting in a denial of service.
- USN-3486-1: Samba vulnerabilities – 21 November 2017. Yihan Lian and Zhibin Hu discovered that Samba incorrectly handled memory when processing certain SMB1 requests. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2017-14746) Volker Lendecke discovered that Samba incorrectly cleared memory when returning data to a client.
- USN-3485-2: Linux kernel (Xenial HWE) vulnerabilities – 21 November 2017. USN-3485-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
- USN-3484-2: Linux kernel (HWE) vulnerability – 21 November 2017. USN-3484-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.
- USN-3485-1: Linux kernel vulnerabilities – 20 November 2017. It was discovered that a race condition existed in the ALSA subsystem of the Linux kernel when creating and deleting a port via ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
- USN-3484-1: Linux kernel vulnerability – 20 November 2017. It was discovered that the KVM subsystem in the Linux kernel did not properly keep track of nested levels in guest page tables. A local attacker in a guest VM could use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host.
- USN-3480-2: Apport regressions – 20 November 2017. USN-3480-1 fixed vulnerabilities in Apport. The fix for CVE-2017-14177 introduced a regression in the ability to handle crashes for users that configured their systems to use the Upstart init system in Ubuntu 16.04 LTS and Ubuntu 17.04. The fix for CVE-2017-14180 temporarily disabled crash forwarding to containers.
- USN-3483-1: procmail vulnerability – 20 November 2017. Jakub Wilk discovered that the formail tool incorrectly handled certain malformed mail messages. An attacker could use this flaw to cause formail to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3477-1: Firefox vulnerabilities – 16 November 2017. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the address bar.
- USN-3482-1: ipsec-tools vulnerability – 16 November 2017. It was discovered that racoon, the ipsec-tools IKE daemon, incorrectly handled certain ISAKMP fragments. A remote attacker could use this issue to cause racoon to crash, resulting in a denial of service.
- USN-3481-1: WebKitGTK+ vulnerabilities – 16 November 2017. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code.
- USN-3480-1: Apport vulnerabilities – 15 November 2017. Sander Bos discovered that Apport incorrectly handled core dumps for setuid binaries. A local attacker could use this issue to perform a denial of service via resource exhaustion or possibly gain root privileges. (CVE-2017-14177) Sander Bos discovered that Apport incorrectly handled core dumps for processes in a different PID namespace.
- USN-3276-3: shadow vulnerability – 14 November 2017. USN-3276-1 and USN-3276-2 fixed vulnerabilities in shadow. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Sebastian Krahmer discovered integer overflows in shadow utilities. A local attacker could possibly cause them to crash or potentially gain privileges via crafted input.
- USN-3479-1: PostgreSQL vulnerabilities – 14 November 2017. David Rowley discovered that PostgreSQL incorrectly handled memory when processing certain JSON functions. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2017-15098) Dean Rasheed discovered that PostgreSQL incorrectly enforced SELECT privileges when processing INSERT … ON CONFLICT DO UPDATE commands.
- USN-3478-2: Perl vulnerability – 13 November 2017. USN-3478-1 fixed two vulnerabilities in Perl. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Jakub Wilk discovered that Perl incorrectly handled certain regular expressions. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3478-1: Perl vulnerabilities – 13 November 2017. Jakub Wilk discovered that Perl incorrectly handled certain regular expressions. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3476-1: postgresql-common vulnerabilities – 9 November 2017. Dawid Golunski discovered that the postgresql-common pg_ctlcluster script incorrectly handled symlinks. A local attacker could possibly use this issue to escalate privileges. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-1255) It was discovered that the postgresql-common helper scripts incorrectly handled symlinks.
- USN-3346-3: Bind vulnerabilities – 8 November 2017. USN-3346-1 and USN-3346-2 fixed two vulnerabilities in Bind and a regression, respectively. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone update requests. An attacker could use this to improperly perform zone updates.
- USN-3473-1: OpenJDK 8 vulnerabilities – 8 November 2017. It was discovered that the Smart Card IO subsystem in OpenJDK did not properly maintain state. An attacker could use this to specially construct an untrusted Java application or applet to gain access to a smart card, bypassing sandbox restrictions.
- USN-3475-1: OpenSSL vulnerabilities – 6 November 2017. It was discovered that OpenSSL incorrectly parsed the IPAddressFamily extension in X.509 certificates, resulting in an erroneous display of the certificate in text format. (CVE-2017-3735) It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure.
- USN-3474-1: Liblouis vulnerability – 6 November 2017. Raphael Sanchez Prudencio discovered that Liblouis incorrectly handled certain files. If a user were tricked into opening a crafted file, an attacker could possibly use this to cause a denial of service or potentially execute arbitrary code.
- USN-3426-2: Samba vulnerabilities – 2 November 2017. USN-3426-1 fixed several vulnerabilities in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Stefan Metzmacher discovered that Samba incorrectly enforced SMB signing in certain situations. A remote attacker could use this issue to perform a man in the middle attack.
- USN-3472-1: LibreOffice vulnerabilities – 2 November 2017. Marcin Noga discovered that LibreOffice incorrectly handled PPT documents. If a user were tricked into opening a specially crafted PPT document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. (CVE-2017-12607) Marcin Noga discovered that LibreOffice incorrectly handled Word documents.