Can it really be true that we’re at the end of October already, with Thanksgiving and Christmas holidays right around the corner and a new year coming at us like a freight train? First, though, we have to get through Halloween – and what could be scarier to an IT professional than a whole slew of security vulnerabilities that need to be patched?

We had a mixture of good news and bad news this time. Whereas there were fewer security advisories from Mozilla and Ubuntu than usual, Apple had a relatively large load – nine updates addressing 148 vulnerabilities. Oracle fixed 154 security issues across a myriad of their products and Google fixed 24 security problems in the latest release of Chrome.

The summary of security issues in this article covers those that have been issued as of the time of this writing, which is October 26. If there are additional releases in the last few days of the month, we’ll pick them up next time.

Let’s take a look at some of the more important issues and updates.

Apple

In most months, Apple releases three to five updates, although it’s not uncommon for a single update to contain fixes for more than a hundred vulnerabilities. Well, this year’s “October surprise” isn’t good news for those who were hoping for a light patching month. Following one iOS update on October 15, on October 21 Apple released nine updates, including updates for their newest version of OS X, El Capitan.

iOS 9.1 was released on October 15 for the iPhone 4s and above, the iPod Touch 5th generation and above and the iPad 2 and above. It patches 48 security vulnerabilities with a large number of them being in the Font Parser and WebKit components. Impact ranges from leakage of sensitive information to arbitrary code execution and includes denial of service issues, elevation of privilege and overwriting of files. There are multiple memory corruption issues, flaws in authorization checks, validation issues, and a type confusion issue.

watchOS 2.0.1 was released on October 21 for the Apple Watch, Sport and Hermes editions.  It fixes 14 vulnerabilities that include memory corruption issues, a heap buffer overflow issue, a file traversal vulnerability and a problem related to the transaction log functionality. Affected components include Apple Pay, Bom, configd, CoreGraphics, FontParser, ImageIO, Grand Central Dispatch, IOAccelerator Family and IOHIDFamily. Impact includes potential for execution of arbitrary code with kernel privileges.

Safari 9.0.1 was released on October 21 for OS X Mavericks, Yosemite and El Capitan. It addresses nine vulnerabilities in WebKit that include multiple memory corruption issues. Impact includes the potential for arbitrary code execution upon visiting a malicious website.

OS X El Capitan 10.11.1/Security Update 2015-007 was released October 21 for OS X Mavericks, Yosemite and El Capitan 10.11 to fix 60 security vulnerabilities in various components of the desktop operating system. These could be exploited to allow a malicious app to programmatically control keychain access prompts, overwrite arbitrary files, trick a user into running arbitrary AppleScript, conduct impersonation attacks, and, most serious, execute arbitrary code with kernel privileges. There is also the potential for denial of service attacks and for reading kernel memory.

iTunes 12.3.1 for Windows 7 and later was released October 21. It addresses 12 vulnerabilities that include multiple memory corruption issues in iTunes’ WebKit that could result in man-in-the-middle attacks while browsing the iTunes Store along with memory corruption issues in the processing of text files in the CoreText component that could allow unexpected application termination or arbitrary code execution.

Mac EFI Security Update 2015-002 was released October 21 for OS X Mavericks to address a single vulnerability in the EFI component by which an attacker could exercise unused EFI functions due to an issue with EFI argument handling.

Xcode 7.1 was released October 21 for OS X Yosemite 10.10.5 and later to address a single vulnerability in Swift by which Swift programs performing certain type conversions could receive unexpected values, which was fixed by improving type checking.

OS X Server 5.0.15 was released October 21 for OS X Yosemite and El Capitan to address 3 vulnerabilities in Web Service and BIND. The BIND vulnerabilities could be exploited to create a denial of service attack, and the Web Service flaw could be used by a remote attacker to bypass access restrictions due to an HTTP header field reference that was missing from the configuration files.

For more information about these updates, see Apple’s web site at
https://support.apple.com/en-us/HT201222

Adobe

Adobe normally releases security updates in conjunction with Microsoft on the second Tuesday of each month. This month, the company released one update early, on October 8, released one more on Patch Tuesday (October 13), then released an advisory on October 14 and an update on October 16.

APSB15-24 was released on October 8 for Adobe Acrobat and Reader. It addressed a whopping 56 vulnerabilities in these programs for Windows and Mac running Acrobat DC and XI and Reader DC, XI and X. The update is rated critical with a priority rating of 2 for all systems and versions. Vulnerabilities include buffer overflow, use-after-free, memory corruption, memory leak, security bypass and JavaScript API execution vulnerabilities that could lead to information disclosure or code execution.

APSB15-25 was released October 13 for Adobe Flash Player on Windows, Mac and Linux, as well as AIR SDK and Compiler on Android and iOS, to address 21 vulnerabilities. These include memory corruption and use-after-free vulnerabilities as well as a flaw that could be exploited to bypass the same-origin policy. Impact includes information disclosure and code execution. The update is rated critical with a priority rating of for Flash on Windows and Mac, 3 on Linux and for AIR SDK.

APSB15-05 is a security advisory that was released October 14 for Flash Player in regard to one critical vulnerability that affects version 19.0.0.207 and earlier on Windows, Mac and Linux. 

APSB15-27 was released on October 16 for Flash Player to fix the vulnerability that was the subject of the October 14 advisory, along with two more vulnerabilities. These are type confusion vulnerabilities that could be exploited to accomplish code execution and there were already reports of limited targeted attacks in the wild. The update is rated critical and has a priority rating of 1 for Windows and Mac and for Chrome on Windows, Mac and Linux. The rating for Flash Player on Linux is 3.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

On October 13, Google released stable channel update Chrome 46 for Windows, Mac and Linux with 24 security fixes that included cross-origin bypass, use-after-free, bad-cast, information leakage in LocalStorage, improper error handling, memory corruption and CORS bypass via CSS fonts.  For more information, see the Google Chrome Releases blog site at http://googlechromereleases.blogspot.com/2015/10/stable-channel-update.html

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  This month on October 23, as part of their regular update cycle, Oracle released a critical patch update that contained 154 new security fixes across their product families. These include Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.

For a more detailed summary of these vulnerabilities and fixes, see the Oracle security blog at https://blogs.oracle.com/security/   

Mozilla

On October 15, Mozilla released Firefox 41.0.2, the latest version of its web browser. Only one vulnerability fix is listed in this update, a cross-origin restriction bypass using Fetch that could allow a malicious web page to access private data from other origins due to the fetch API not correctly implementing the cross-origin resource sharing (CORS) specification. This vulnerability is rated as a high impact one.

https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (October 26), Ubuntu has issued 30 security advisories (2 more than last month), although many of them address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2781-1: MySQL vulnerabilities – 26th October 2015. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.46 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 15.04 and Ubuntu 15.10 have been updated to MySQL 5.6.27.

USN-2780-2: MiniUPnP vulnerability – 23rd October 2015. USN-2780-1 fixed a vulnerability in the MiniUPnP library in Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 15.04. This update provides the corresponding update for Ubuntu 15.10. Original advisory details: Aleksandar Nikolic discovered a buffer overflow vulnerability in the XML parser functionality of the MiniUPnP library.

USN-2770-2: Oxide vulnerabilities – 22nd October 2015. USN-2770-1 fixed vulnerabilities in Oxide in Ubuntu 14.04 LTS and Ubuntu 15.04. This update provides the corresponding updates for Ubuntu 15.10. Original advisory details: It was discovered that ContainerNode::parserInsertBefore in Blink would incorrectly proceed with a DOM tree insertion in some circumstances.

USN-2780-1: MiniUPnP vulnerability – 20th October 2015. Aleksandar Nikolic discovered a buffer overflow vulnerability in the XML parser functionality of the MiniUPnP library. A remote attacker could use this to cause a denial of service (application crash) or possibly execute arbitrary code with privileges of the user running an application that uses the MiniUPnP library.

USN-2770-1: Oxide vulnerabilities – 20th October 2015. It was discovered that ContainerNode::parserInsertBefore in Blink would incorrectly proceed with a DOM tree insertion in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same origin restrictions.

USN-2779-1: Linux kernel vulnerabilities – 20th October 2015. It was discovered that the Linux kernel did not check if a new IPv6 MTU set by a user space application was valid. A remote attacker could forge a route advertisement with an invalid MTU that a user space daemon like NetworkManager would honor and apply to the kernel.

USN-2778-1: Linux kernel (Vivid HWE) vulnerabilities – 20th October 2015. It was discovered that the Linux kernel did not check if a new IPv6 MTU set by a user space application was valid. A remote attacker could forge a route advertisement with an invalid MTU that a user space daemon like NetworkManager would honor and apply to the kernel.

USN-2777-1: Linux kernel (Utopic HWE) vulnerabilities – 19th October 2015. It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges.

USN-2776-1: Linux kernel vulnerabilities – 19th October 2015. It was discovered that the Linux kernel did not check if a new IPv6 MTU set by a user space application was valid. A remote attacker could forge a route advertisement with an invalid MTU that a user space daemon like NetworkManager would honor and apply to the kernel.

USN-2775-1: Linux kernel (Trusty HWE) vulnerabilities – 19th October 2015. It was discovered that the Linux kernel did not check if a new IPv6 MTU set by a user space application was valid. A remote attacker could forge a route advertisement with an invalid MTU that a user space daemon like NetworkManager would honor and apply to the kernel.

USN-2774-1: Linux kernel (OMAP4) vulnerabilities – 19th October 2015. It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges.

USN-2773-1: Linux kernel vulnerabilities – 19th October 2015. It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges.

USN-2768-1: Firefox vulnerability – 16th October 2015. Abdulrahman Alqabandi and Ben Kelly discovered that the fetch() API did not correctly implement the Cross Origin Resource Sharing (CORS) specification. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information from other origins.

USN-2772-1: PostgreSQL vulnerabilities – 16th October 2015. Josh Kupershmidt discovered the pgCrypto extension could expose several bytes of server memory if the crypt() function was provided a too-short salt. An attacker could use this flaw to read private data. (CVE-2015-5288) Oskari Saarenmaa discovered that the json and jsonb handlers could exhaust available stack space.

USN-2771-1: Click vulnerability – 15th October 2015. It was discovered that click did not properly perform input sanitization during click package installation. If a user were tricked into installing a crafted click package, a remote attacker could exploit this to escalate privileges by tricking click into installing lenient security policy for the installed application.

USN-2709-2: pollinate update – 14th October 2015. USN-2709-1 updated pollinate’s certificate for entropy.ubuntu.com but did not include a new certificate authority certificate. This update fixes the problem. Original advisory details: The pollinate package bundles the certificate for entropy.ubuntu.com. This update refreshes the certificate to match the new certificate for the server.

USN-2769-1: Apache Commons HttpClient vulnerabilities – 14th October 2015. It was discovered that Apache Commons HttpClient did not properly verify the Common Name or subjectAltName fields of X.509 certificates. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. This issue only affected Ubuntu 12.04 LTS.

USN-2767-1: GDK-PixBuf vulnerabilities – 13th October 2015. Gustavo Grieco discovered that the GDK-PixBuf library did not properly handle scaling tga image files, leading to a heap overflow. If a user or automated system were tricked into opening a tga image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service.

USN-2766-1: Spice vulnerabilities – 6th October 2015. Frediano Ziglio discovered multiple buffer overflows, undefined behavior signed integer operations, race conditions, memory leaks, and denial of service issues in Spice. A malicious guest operating system could potentially exploit these issues to escape virtualization.

USN-2753-3: LXC regression – 5th October 2015. USN-2753-1 fixed a vulnerability in LXC. The update caused a regression that prevented some containers from starting. This regression only affected containers that had a path that contained a ‘/./’ directory specified as a bind mount target in their configuration file. This update fixes the problem.

USN-2765-1: Linux kernel (Vivid HWE) vulnerability – 5th October 2015. Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

USN-2764-1: Linux kernel (Utopic HWE) vulnerability – 5th October 2015. Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

USN-2763-1: Linux kernel (Trusty HWE) vulnerability – 5th October 2015. Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

USN-2762-1: Linux kernel vulnerability – 5th October 2015. Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

USN-2761-1: Linux kernel vulnerability – 5th October 2015. Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

USN-2754-1: Thunderbird vulnerabilities – 5th October 2015. Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, and Cameron McCormack discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash.

USN-2757-1: Oxide vulnerabilities – 5th October 2015. Two security issues were discovered in Blink and V8. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to bypass same-origin restrictions. (CVE-2015-1303, CVE-2015-1304)

USN-2743-4: Firefox regression – 5th October 2015. USN-2743-1 fixed vulnerabilities in Firefox. After upgrading, some users reported problems with bookmark creation and crashes in some circumstances. This update fixes the problem.

USN-2760-1: Linux kernel (OMAP4) vulnerabilities – 1st October 2015. It was discovered that an integer overflow error existed in the SCSI generic (sg) driver in the Linux kernel. A local attacker with write permission to a SCSI generic device could use this to cause a denial of service (system crash) or potentially escalate their privileges.

USN-2759-1: Linux kernel vulnerabilities – 1st October 2015. It was discovered that an integer overflow error existed in the SCSI generic (sg) driver in the Linux kernel. A local attacker with write permission to a SCSI generic device could use this to cause a denial of service (system crash) or potentially escalate their privileges.
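
The missing validation described in USN-2779-1, USN-2778-1, USN-2776-1 and USN-2775-1 above, sketched as an added example (not code from the kernel, NetworkManager or the advisories): a parser that pulls the MTU option out of a router advertisement and refuses values outside a sane range before anything is applied. The function names, the 1280-byte lower bound (the IPv6 minimum link MTU) and the link-MTU upper bound are this example's assumptions, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_MIN_MTU     1280u /* minimum IPv6 link MTU (RFC 8200) */
#define ND_ROUTER_ADVERT 134   /* ICMPv6 type of a Router Advertisement */
#define ND_OPT_MTU       5     /* Neighbor Discovery MTU option (RFC 4861) */
#define RA_FIXED_LEN     16    /* RA bytes that precede the options */
enum ra_mtu { RA_MTU_OK, RA_MTU_ABSENT, RA_MTU_MALFORMED, RA_MTU_REJECTED };

/* Walk the options of an RA (buffer starts at the ICMPv6 header) and hand back
 * the advertised MTU only if it is valid for a link whose own MTU is link_mtu.
 * Checksum and source/hop-limit checks are left out of this example. */
enum ra_mtu ra_checked_mtu(const uint8_t *pkt, size_t len,
                           uint32_t link_mtu, uint32_t *mtu_out)
{
    if (len < RA_FIXED_LEN || pkt[0] != ND_ROUTER_ADVERT || pkt[1] != 0)
        return RA_MTU_MALFORMED;
    for (size_t off = RA_FIXED_LEN; off < len; ) {
        /* Option length is in 8-byte units; 0 is illegal and would never advance. */
        size_t optlen = (len - off >= 2) ? (size_t)pkt[off + 1] * 8 : 0;
        if (optlen == 0 || optlen > len - off)
            return RA_MTU_MALFORMED;
        if (pkt[off] == ND_OPT_MTU) {
            if (optlen != 8)
                return RA_MTU_MALFORMED;
            uint32_t mtu = ((uint32_t)pkt[off + 4] << 24) | ((uint32_t)pkt[off + 5] << 16) |
                           ((uint32_t)pkt[off + 6] << 8)  |  (uint32_t)pkt[off + 7];
            if (mtu < IPV6_MIN_MTU || mtu > link_mtu) /* assumed bounds, see lead-in */
                return RA_MTU_REJECTED;
            *mtu_out = mtu;
            return RA_MTU_OK;
        }
        off += optlen;
    }
    return RA_MTU_ABSENT;
}

/* Constructed sample: a zeroed 16-byte RA header followed by one MTU option. */
size_t build_sample_ra(uint8_t buf[24], uint32_t mtu)
{
    memset(buf, 0, 24);
    buf[0] = ND_ROUTER_ADVERT;
    buf[16] = ND_OPT_MTU; buf[17] = 1;        /* option length: 1 * 8 bytes */
    buf[20] = (uint8_t)(mtu >> 24); buf[21] = (uint8_t)(mtu >> 16);
    buf[22] = (uint8_t)(mtu >> 8);  buf[23] = (uint8_t)mtu;
    return 24;
}

int main(void)
{
    const uint32_t samples[] = { 1500, 1280, 576, 65535 };
    uint8_t pkt[24]; uint32_t mtu = 0;
    for (size_t i = 0; i < 4; i++) {
        size_t n = build_sample_ra(pkt, samples[i]);
        printf("advertised %u -> %s\n", (unsigned)samples[i],
               ra_checked_mtu(pkt, n, 1500, &mtu) == RA_MTU_OK ? "apply" : "reject");
    }
    return 0;
}
```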