Here in the United States, November brings us falling leaves, cold fronts that drop the temperatures – sometimes precipitously – and Thanksgiving, a day of gratitude, family gathering, and eating lots and lots of turkey (at least in theory).

Of course, November also brought its share of data breaches, malware infestations, and newly discovered vulnerabilities. Google disclosed a vulnerability (now fixed) that allowed third party apps to access the Camera app on Android phones, the UK Labour party reported that it had suffered a sophisticated cyber attack, and a Trojan malware package called Zeus or Zbot was named “malware of the month” by securityboulevard.com.

The good news is that software vendors are staying vigilant and responding when new security issues in their code are discovered. During the hectic holiday season when others are taking time off work or slacking, security research response teams are still churning out the patches to help you protect your systems and mobile devices from hackers and malicious software attacks.

Let’s take a look at some of the fixes issued this past month.

Apple

November was a light month for Apple. After releasing nineteen patches in October, the company only has two updates listed on its security updates page for November, and neither of these lists any published CVE entries.

The pair of patches released are:

iOS 13.2.3 and iPadOS 13.2.3 for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation, released on Nov 18th.

iOS 13.2.2 and iPadOS 13.2.2 for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation, released on Nov 7th.

The Apple updates site doesn’t provide any details as to what these two updates address. According to Forbes, fixes in the new versions include improvements to search, display of photos and other attachments in Messages, background activity issues, and an issue where Mail was having problems with Exchange accounts.

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released four updates this month, the same number they issued in October. All four were released on November 12th, on Adobe’s usual second-Tuesday schedule. These included:

APSB19-53 Security update available for Adobe Bridge CC – this is a priority 3 update that applies to Adobe Bridge CC running on Windows and macOS. It addresses two memory corruption vulnerabilities that could lead to information disclosure and is rated important.

APSB19-52 – Security update available for Adobe Media Encoder – this is a priority 3 update that applies to Adobe Media Encoder 13.1 and earlier running on Windows and macOS. It addresses four out-of-bounds read issues that could result in information disclosure and are rated important, along with one critical out-of-bounds write vulnerability that could be exploited to accomplish arbitrary code execution.

APSB19-36 Security update available for Adobe Illustrator CC – this is a priority 3 update that applies to Illustrator CC 2019 version 23.1 and earlier running on Windows. It addresses an insecure library loading (DLL hijacking) vulnerability that could lead to privilege escalation and is rated important, along with two memory corruption vulnerabilities that could be exploited to accomplish arbitrary code execution and are rated critical.

APSB19-34 Security update available for Adobe Animate CC – this is a priority 3 update that applies to Animate CC 2019 version 19.2.1 and earlier running on Windows. It addresses one insecure library loading (DLL hijacking) vulnerability that could lead to privilege escalation and is rated important.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

On November 18, Google released a stable channel update for the Chrome desktop browser for Windows, Mac, and Linux, version 78.0.3904.108. It addresses five security issues, including two that are rated high severity:

  • Use-after-free vulnerability in Bluetooth
  • Out-of-bounds access issue in Bluetooth

On November 19, Google released a stable channel update for Chrome OS, version 78.0.3904.106 for most Chrome OS devices that contains a number of bug fixes and security updates.

For more information, see https://chromereleases.googleblog.com/

Android

On November 4, Google released the November security bulletin for Android, detailing fixes for security issues in:

  • Framework (the most severe of which could enable a local malicious application to bypass user interaction requirements to gain access to additional permissions)
  • Library (could enable a remote attacker to execute arbitrary code within the context of an unprivileged process)
  • Media Framework (the most severe of which could enable a malicious application to bypass user interaction requirements to access additional permissions)
  • System (the most severe of which could enable a remote attacker to execute arbitrary code)

All of the above are rated high severity except three remote code execution vulnerabilities in System, which are rated critical.

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2019-11-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  The next regular release is scheduled for January 14th, 2020.

Oracle customers can read more about previous patches in the executive summary on the Oracle Support site at https://login.oracle.com/mysso/signon.jsp

Mozilla

Mozilla released Firefox 70 on October 22nd and will release Firefox 71 on December 3rd.  No security updates for Firefox were released in November.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories/.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of October 31, Ubuntu has issued the following forty-seven security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-4204-1: psutil vulnerability. Riccardo Schirone discovered that psutil incorrectly handled certain reference counting operations. An attacker could use this issue to cause psutil to crash, resulting in a denial of service, or possibly execute arbitrary code. 28 November 2019
  • USN-4203-2: NSS vulnerability. USN-4203-1 fixed a vulnerability in NSS. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that NSS incorrectly handled certain memory operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code. 27 November 2019
  • USN-4203-1: NSS vulnerability. It was discovered that NSS incorrectly handled certain memory operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code. 27 November 2019
  • USN-4202-1: Thunderbird vulnerabilities. It was discovered that a specially crafted S/MIME message with an inner encryption layer could be displayed as having a valid signature in some circumstances, even if the signer had no access to the encrypted message. An attacker could potentially exploit this to spoof the message author. 26 November 2019
  • USN-4201-1: Ruby vulnerabilities. It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this issue to pass path matching, which could lead to unauthorized access. (CVE-2019-15845) It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could use this issue to cause a denial of service. 26 November 2019
  • USN-4200-1: Redmine vulnerabilities. It was discovered that Redmine incorrectly handled certain inputs that could cause textile formatting errors. An attacker could possibly use this issue to cause an XSS attack. (CVE-2019-17427) It was discovered that an SQL injection could allow users to access protected information via a crafted object query. 26 November 2019
  • USN-4199-1: libvpx vulnerabilities. It was discovered that libvpx did not properly handle certain malformed WebM media files. If an application using libvpx opened a specially crafted WebM file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. 25 November 2019
  • USN-4189-2: DPDK regression. USN-4189-1 fixed a vulnerability in DPDK. The new version introduced a regression in certain environments. This update fixes the problem. Original advisory details: Jason Wang discovered that DPDK incorrectly handled certain messages. An attacker in a malicious container could possibly use this issue to cause DPDK to leak resources. 25 November 2019
  • USN-4198-1: DjVuLibre vulnerabilities. It was discovered that DjVuLibre incorrectly handled certain memory operations. If a user or automated system were tricked into processing a specially crafted DjVu file, a remote attacker could cause applications to hang or crash, resulting in a denial of service, or possibly execute arbitrary code. 21 November 2019
  • USN-4197-1: Bind vulnerability. It was discovered that Bind incorrectly handled certain TCP-pipelined queries. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. 21 November 2019
  • USN-4195-2: MariaDB vulnerabilities. USN-4195-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2019-2974 in MariaDB 10.1 and CVE-2019-2938, CVE-2019-2974 for MariaDB 10.3. Ubuntu 18.04 LTS has been updated to MariaDB 10.1.43. Ubuntu 19.04 and 19.10 have been updated to MariaDB 10.3.20. 20 November 2019
  • USN-4196-1: python-ecdsa vulnerabilities. It was discovered that python-ecdsa incorrectly handled certain signatures. A remote attacker could possibly use this issue to cause python-ecdsa to generate unexpected exceptions, resulting in a denial of service. (CVE-2019-14853) It was discovered that python-ecdsa incorrectly verified DER encoding in signatures. 18 November 2019
  • USN-4195-1: MySQL vulnerabilities. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.18 in Ubuntu 19.10. Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.04 have been updated to MySQL 5.7.28. 18 November 2019
  • USN-4194-1: postgresql-common vulnerability. Rich Mirch discovered that the postgresql-common pg_ctlcluster script incorrectly handled directory creation. A local attacker could possibly use this issue to escalate privileges. 14 November 2019
  • USN-4193-1: Ghostscript vulnerability. Paul Manfred and Lukas Schauer discovered that Ghostscript incorrectly handled certain PostScript files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files, execute arbitrary code, or cause a denial of service. 14 November 2019
  • USN-4192-1: ImageMagick vulnerabilities. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. 14 November 2019
  • USN-4191-2: QEMU vulnerabilities. USN-4191-2 fixed a vulnerability in QEMU. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. 14 November 2019
  • USN-4191-1: QEMU vulnerabilities. It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. 14 November 2019
  • USN-4186-3: Linux kernel vulnerability. USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. This update addresses the issue. 13 November 2019
  • USN-4185-3: Linux kernel vulnerability and regression. USN-4185-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. Also, the update introduced a regression that broke KVM guests where extended page tables (EPT) are disabled or not supported.
  • USN-4183-2: Linux kernel vulnerability. USN-4183-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. This update addresses the issue. We apologize for the inconvenience. 13 November 2019
  • USN-4184-2: Linux kernel vulnerability and regression. USN-4184-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. Also, the update introduced a regression that broke KVM guests where extended page tables (EPT) are disabled or not supported. 13 November 2019
  • USN-4190-1: libjpeg-turbo vulnerabilities. It was discovered that libjpeg-turbo incorrectly handled certain BMP images. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-14498) It was discovered that libjpeg-turbo incorrectly handled certain JPEG images. 13 November 2019
  • USN-4189-1: DPDK vulnerability. Jason Wang discovered that DPDK incorrectly handled certain messages. An attacker in a malicious container could possibly use this issue to cause DPDK to leak resources, resulting in a denial of service. 13 November 2019
  • USN-4188-1: Linux kernel vulnerability. Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents. 13 November 2019
  • USN-4185-2: Linux kernel (Azure) vulnerabilities. Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory. 13 November 2019
  • USN-4187-1: Linux kernel vulnerability. Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents. 13 November 2019
  • USN-4186-2: Linux kernel (Xenial HWE) vulnerabilities. USN-4186-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. 13 November 2019
  • USN-4186-1: Linux kernel vulnerabilities. Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents. 13 November 2019
  • USN-4185-1: Linux kernel vulnerabilities. Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents. 13 November 2019
  • USN-4184-1: Linux kernel vulnerabilities. Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents. 13 November 2019
  • USN-4183-1: Linux kernel vulnerabilities. Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents. 13 November 2019
  • USN-4182-2: Intel Microcode update. USN-4182-2 provided updates for Intel Microcode. This update provides the corresponding update for Ubuntu 14.04 ESM. 12 November 2019
  • USN-4182-1: Intel Microcode update. Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents. 12 November 2019
  • USN-4181-1: WebKitGTK+ vulnerabilities. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. 12 November 2019
  • USN-4180-1: Bash vulnerability. It was discovered that Bash incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. 11 November 2019
  • USN-4179-1: FriBidi vulnerability. Alex Murray discovered a stack-based buffer overflow when handling a large number of Unicode isolate directives. An attacker could use this to cause a denial of service or possibly execute arbitrary code. 7 November 2019
  • USN-4178-1: WebKitGTK+ vulnerabilities. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. 7 November 2019
  • USN-4177-1: Rygel vulnerability. It was discovered that the Rygel package automatically started the daemon by default in user sessions. In certain environments, this resulted in media being shared contrary to expectations. 6 November 2019
  • USN-4176-1: GNU cpio vulnerability. Thomas Habets discovered that GNU cpio incorrectly handled certain inputs. An attacker could possibly use this issue for privilege escalation. 6 November 2019
  • USN-4165-2: Firefox regressions. USN-4165-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. 5 November 2019
  • USN-4171-4: Apport regression. USN-4171-1 fixed a vulnerability in Apport. The update caused a regression in the Python Apport library. This update fixes the problem for Ubuntu 14.04 ESM. We apologize for the inconvenience. Original advisory details: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. 5 November 2019
  • USN-4175-1: Nokogiri vulnerability. It was discovered that Nokogiri incorrectly handled inputs. A remote attacker could possibly use this issue to execute arbitrary OS commands. 5 November 2019
  • USN-4174-1: HAproxy vulnerability. It was discovered that HAproxy incorrectly handled certain HTTP requests. An attacker could possibly use this issue for privilege escalation (Request Smuggling). 5 November 2019
  • USN-4171-3: Apport regression. USN-4171-1 fixed vulnerabilities in Apport. The update caused a regression in the Python Apport library. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. 5 November 2019
  • USN-4170-3: Whoopsie regression. USN-4170-1 fixed a vulnerability in Whoopsie and USN-4170-2 fixed a subsequent regression. That update was incomplete and could still result in Whoopsie potentially crashing when uploading crash reports on some architectures. This update fixes the problem. We apologize for the inconvenience. 5 November 2019
  • USN-4171-2: Apport vulnerabilities. USN-4171-1 fixed several vulnerabilities in apport. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. 4 November 2019
