October is almost over as I write this, and November is right around the corner. Here in my suburban neighborhood, we’re stocking up on candy in preparation for the onslaught of Halloween trick-or-treaters that come with the end of this month.

Ghosts and goblins, though, aren’t nearly as scary as some of the malware and exploits that are lurking out there on the Internet. October brought us new reports of havoc created by ransomware variants such as Bad Rabbit, WannaCry and Sage, attacks by Anonymous on the Spanish government, and the discovery of the HomeHack vulnerability that exposes LG refrigerators, dishwashers, air conditioners, and vacuum cleaners (among other appliances) to remote takeover and control, and those are only the tip of the proverbial iceberg.

Speaking of ice, the weather turned cold over much of the country as the nice, cool autumn days suddenly morphed into a preview of winter. Here in north Texas, we went from shorts and tee shirts one day to jeans and sweatshirts the next as the temperature plummeted 40 degrees last week. I’m looking forward more than ever to getting away from it all on a trip to the Cayman Islands in a few weeks.

The ocean is lovely, dark and deep, but I have promises to keep, and systems to patch before I sleep (to paraphrase poet Robert Frost, whose name corresponds nicely to the current weather report). So let’s get on with it.

Apple

Apple had been following a one on/one off schedule since last spring, with no security updates issued in April, then seven large updates in May, none in June, a heavy slate in July, zero in August, and then 11 patches last month.

We can be forgiven, then, for being a little surprised that the company issued four patches this month – well, sort of. The moral of this story: never assume that a pattern, no matter how well established it might appear to be, will continue to hold true. And at the same time, don’t assume that just because something is listed as a security update, it actually contains security fixes.

Here’s what I’m talking about:

  • On October 3, Apple released iOS 11.0.2 for the iPhone 5 and above, iPad Air and above, and iPod Touch 6th generation. The interesting thing is that although it’s listed on Apple’s security updates page, this update apparently doesn’t actually contain any new security fixes, but only contains the security content that was included in iOS 11.0.1 that was issued one week before.
  • On October 4, Apple released watchOS 4.0.1 for Apple Watch Series 3 (GPS + Cellular). Just like iOS 11.0.2, it contains the same security fixes as watchOS 4.
  • On October 5, Apple released macOS High Sierra 10.13 supplemental update. This one is a real security update with fixes for two vulnerabilities, one in StorageKit and one in the Security component. The first could be exploited to gain access to an encrypted APFS volume and the second could allow a malicious application to extract keychain passwords.
  • On October 11, Apple released iOS 11.0.3 for the iPhone 5 and above, iPad Air and above, and iPod Touch 6th generation. Once again, this update doesn’t provide any new security content.

For more information about the patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

This was the lightest month in a long time for Adobe, which issued only one security update this month, on October 16 – which is not Adobe’s standard Patch Tuesday release date.

  • APSB17-32 is a security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS, which addresses a critical type confusion vulnerability that could lead to code execution. It has been assigned a priority rating of 1.

For more information, see the security bulletin at: https://helpx.adobe.com/security/products/flash-player/apsb17-32.html.

Google

On October 26, Google released Chrome version 62.0.3202.75 for Windows, Mac, and Linux. This version addresses a stack overflow vulnerability in V8 that an attacker could exploit to cause a denial-of-service condition.

For more information, see https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The October update contains 252 new security fixes across Oracle product families. These include Oracle Database Server, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Hyperion, Oracle Industry Applications (Communications, Health Sciences, Construction, Financial Services, Retail, and Hospitality), Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

For more information and a detailed list of the vulnerabilities patched, see http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Mozilla

Mozilla did not release an update for the Firefox web browser in October. They are planning a major release, Firefox 57, on November 14 that includes a complete overhaul of the browser. The new version will be called Firefox Quantum and it is currently available in beta version.

For more information or to try the beta, see https://www.mozilla.org/en-US/firefox/quantum/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (October 29), Ubuntu has issued 51 separate security advisories, which is on the high side of average for them, and more than double the number last month. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-3466-1: systemd vulnerability – 26th October 2017. Karim Hossen & Thomas Imbert discovered that systemd-resolved incorrectly handled certain DNS responses. A remote attacker could possibly use this issue to cause systemd to temporarily stop responding, resulting in a denial of service.

  • USN-3465-1: Irssi vulnerabilities – 26th October 2017. Brian Carpenter discovered that Irssi incorrectly handled messages with invalid time stamps. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-10965) Brian Carpenter discovered that Irssi incorrectly handled the internal nick list.

  • USN-3464-1: Wget vulnerabilities – 26th October 2017. Antti Levomäki, Christian Jalio, and Joonas Pihlaja discovered that Wget incorrectly handled certain HTTP responses. A remote attacker could use this issue to cause Wget to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3463-1: Werkzeug vulnerability – 25th October 2017. It was discovered that Werkzeug did not properly handle certain web scripts. A remote attacker could use this to inject arbitrary code via a field that contains an exception message.

  • USN-3425-2: Apache HTTP Server vulnerability – 24th October 2017. USN-3425-1 fixed a vulnerability in Apache HTTP Server. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Hanno Böck discovered that the Apache HTTP Server incorrectly handled Limit directives in .htaccess files.

  • USN-3388-2: Subversion vulnerabilities – 24th October 2017. USN-3388-1 fixed several vulnerabilities in Subversion. This update provides the corresponding update for Ubuntu 12.04 ESM. Ivan Zhakov discovered that Subversion did not properly handle some requests. A remote attacker could use this to cause a denial of service.

  • USN-3411-2: Bazaar vulnerability – 24th October 2017. USN-3411-1 fixed a vulnerability in Bazaar. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Adam Collard discovered that Bazaar did not properly handle host names in ‘bzr+ssh://’ URLs.

  • USN-3462-1: Pacemaker vulnerabilities – 24th October 2017. Jan Pokorný and Alain Moulle discovered that Pacemaker incorrectly handled the IPC interface. A local attacker could possibly use this issue to execute arbitrary code with root privileges. (CVE-2016-7035) Alain Moulle discovered that Pacemaker incorrectly handled authentication. A remote attacker could possibly use this issue to shut down connections.

  • USN-3454-2: libffi vulnerability – 24th October 2017. USN-3454-1 fixed a vulnerability in libffi. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that libffi incorrectly enforced an executable stack. An attacker could possibly use this issue, in combination with another vulnerability, to facilitate executing arbitrary code.

  • USN-3434-2: Libidn vulnerability – 23rd October 2017. USN-3434-1 fixed a vulnerability in Libidn. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Libidn incorrectly handled decoding certain digits. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service.

  • USN-3441-2: curl vulnerabilities – 23rd October 2017. USN-3441-1 fixed several vulnerabilities in curl. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Daniel Stenberg discovered that curl incorrectly handled large floating point output.

  • USN-3458-2: ICU vulnerability – 23rd October 2017. USN-3458-1 fixed a vulnerability in ICU. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that ICU incorrectly handled certain inputs. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash or potentially execute arbitrary code.

  • USN-3458-1: ICU vulnerability – 23rd October 2017. It was discovered that ICU incorrectly handled certain inputs. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.

  • USN-3461-1: NVIDIA graphics drivers vulnerabilities – 23rd October 2017. It was discovered that the NVIDIA graphics drivers contained flaws in the kernel mode layer. A local attacker could use these issues to cause a denial of service or potentially escalate their privileges on the system.

  • USN-3460-1: WebKitGTK+ vulnerabilities – 23rd October 2017. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

  • USN-3459-1: MySQL vulnerabilities – 23rd October 2017. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.58 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, Ubuntu 17.04 and Ubuntu 17.10 have been updated to MySQL 5.7.20.

  • USN-3457-1: curl vulnerability – 23rd October 2017. Brian Carpenter discovered that curl incorrectly handled IMAP FETCH response lines. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3456-1: X.Org X server vulnerabilities – 17th October 2017. It was discovered that the X.Org X server incorrectly handled certain lengths. An attacker able to connect to an X server, either locally or remotely, could use these issues to crash the server, or possibly execute arbitrary code.

  • USN-3455-1: wpa_supplicant and hostapd vulnerabilities – 16th October 2017. Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly handled WPA2. A remote attacker could use this issue with key reinstallation attacks to obtain sensitive information. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled invalid characters in passphrase parameters.

  • USN-3454-1: libffi vulnerability – 12th October 2017. It was discovered that libffi incorrectly enforced an executable stack. An attacker could possibly use this issue, in combination with another vulnerability, to facilitate executing arbitrary code.

  • USN-3453-1: X.Org X server vulnerabilities – 12th October 2017. Michal Srb discovered that the X.Org X server incorrectly handled shared memory segments. An attacker able to connect to an X server, either locally or remotely, could use this issue to crash the server, or possibly replace shared memory segments of other X clients in the same session.

  • USN-3452-1: Ceph vulnerabilities – 11th October 2017. It was discovered that Ceph incorrectly handled the handle_command function. A remote authenticated user could use this issue to cause Ceph to crash, resulting in a denial of service. (CVE-2016-5009) Rahul Aggarwal discovered that Ceph incorrectly handled the authenticated-read ACL.

  • USN-3451-1: OpenStack Swift vulnerabilities – 11th October 2017. It was discovered that OpenStack Swift incorrectly handled tempurls. A remote authenticated user in possession of a tempurl key authorized for PUT could retrieve other objects in the same Swift account. (CVE-2015-5223) Romain Le Disez and Örjan Persson discovered that OpenStack Swift incorrectly closed client connections.

  • USN-3450-1: Open vSwitch vulnerabilities – 11th October 2017. Bhargava Shastry discovered that Open vSwitch incorrectly handled certain OFP messages. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9214) It was discovered that Open vSwitch incorrectly handled certain OpenFlow role messages.

  • USN-3449-1: OpenStack Nova vulnerabilities – 11th October 2017. George Shuklin discovered that OpenStack Nova incorrectly handled the migration process. A remote authenticated user could use this issue to consume resources, resulting in a denial of service. (CVE-2015-3241) George Shuklin and Tushar Patil discovered that OpenStack Nova incorrectly handled deleting instances.

  • USN-3448-1: OpenStack Keystone vulnerability – 11th October 2017. Boris Bobrov discovered that OpenStack Keystone incorrectly handled federation mapping when there are rules in which group-based assignments are not used. A remote authenticated user may receive all the roles assigned to a project regardless of the federation mapping, contrary to expectations.

  • USN-3447-1: OpenStack Horizon vulnerability – 11th October 2017. Beth Lancaster and Brandon Sawyers discovered that OpenStack Horizon was incorrectly protected against cross-site scripting (XSS) attacks. A remote authenticated user could use this issue to inject web script or HTML in a dashboard form.

  • USN-3446-1: OpenStack Glance vulnerabilities – 11th October 2017. Hemanth Makkapati discovered that OpenStack Glance incorrectly handled access restrictions. A remote authenticated user could use this issue to change the status of images, contrary to access restrictions. (CVE-2015-5251) Mike Fedosin and Alexei Galkin discovered that OpenStack Glance incorrectly handled the storage quota.

  • USN-3436-1: Thunderbird vulnerabilities – 11th October 2017. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing-like context, an attacker could potentially exploit these to read uninitialized memory, bypass phishing and malware protection, conduct cross-site scripting (XSS) attacks, or cause a denial of service.

  • USN-3445-2: Linux kernel (Trusty HWE) vulnerabilities – 11th October 2017. USN-3445-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.

  • USN-3443-3: Linux kernel (GCP) vulnerability – 11th October 2017. Andrey Konovalov discovered that a divide-by-zero error existed in the TCP stack implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).

  • USN-3444-2: Linux kernel (Xenial HWE) vulnerabilities – 10th October 2017. USN-3444-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

  • USN-3445-1: Linux kernel vulnerabilities – 10th October 2017. Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation in the Linux kernel contained a buffer overflow when handling fragmented packets. A remote attacker could use this to possibly execute arbitrary code with administrative privileges. (CVE-2016-8633) Andrey Konovalov discovered that a divide-by-zero error existed in the TCP stack.

  • USN-3444-1: Linux kernel vulnerabilities – 10th October 2017. Jan H. Schönherr discovered that the Xen subsystem did not properly handle block IO merges in some situations. An attacker in a guest VM could use this to cause a denial of service (host crash) or possibly gain administrative privileges in the host.

  • USN-3424-2: libxml2 vulnerabilities – 10th October 2017. USN-3424-1 fixed several vulnerabilities in libxml2. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service.

  • USN-3443-2: Linux kernel (HWE) vulnerabilities – 10th October 2017. USN-3443-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. It was discovered that on the PowerPC architecture, the kernel did not properly sanitize the signal stack when handling sigreturn().

  • USN-3443-1: Linux kernel vulnerabilities – 10th October 2017. It was discovered that on the PowerPC architecture, the kernel did not properly sanitize the signal stack when handling sigreturn(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

  • USN-3442-1: libXfont vulnerabilities – 10th October 2017. It was discovered that libXfont incorrectly handled certain patterns in PatternMatch. A local attacker could use this issue to cause libXfont to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2017-13720) It was discovered that libXfont incorrectly handled certain malformed PCF files.

  • USN-3441-1: curl vulnerabilities – 10th October 2017. Daniel Stenberg discovered that curl incorrectly handled large floating point output. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.

  • USN-3440-1: poppler vulnerabilities – 6th October 2017. It was discovered that Poppler incorrectly handled certain files. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service.

  • USN-3439-1: Ruby vulnerabilities – 5th October 2017. It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898) Yusuke Endoh discovered that Ruby incorrectly handled certain files. An attacker could use this to execute terminal escape sequences. (CVE-2017-0899) Yusuke Endoh discovered that Ruby incorrectly handled certain inputs.

  • USN-3438-1: Git vulnerability – 5th October 2017. It was discovered that Git incorrectly handled certain subcommands such as cvsserver. A remote attacker could possibly use this issue via shell metacharacters in module names to execute arbitrary code. This update also removes the cvsserver subcommand from git-shell by default.

  • USN-3435-2: Firefox regression – 4th October 2017. USN-3435-1 fixed vulnerabilities in Firefox. The update caused the Flash plugin to crash in some circumstances. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox.

  • USN-3437-1: OCaml vulnerability – 3rd October 2017. Radek Micek discovered that OCaml incorrectly handled sign extensions. A remote attacker could use this issue to cause applications using OCaml to crash, to possibly obtain sensitive information, or to possibly execute arbitrary code.

  • USN-3430-2: Dnsmasq vulnerabilities – 3rd October 2017. USN-3430-1 fixed several vulnerabilities in Dnsmasq. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker could use this issue to cause Dnsmasq to crash.

  • USN-3435-1: Firefox vulnerabilities – 2nd October 2017. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, bypass phishing and malware protection, spoof the origin in modal dialogs, or conduct cross-site scripting (XSS) attacks.

  • USN-3434-1: Libidn vulnerability – 2nd October 2017. It was discovered that Libidn incorrectly handled decoding certain digits. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3433-1: poppler vulnerabilities – 2nd October 2017. It was discovered that Poppler incorrectly handled certain files. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-14517) It was discovered that Poppler incorrectly handled certain files.

  • USN-3430-1: Dnsmasq vulnerabilities – 2nd October 2017. Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker could use this issue to cause Dnsmasq to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • USN-3432-1: ca-certificates update – 2nd October 2017. The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20170717 package.

  • USN-3431-1: NSS vulnerability – 2nd October 2017. Martin Thomson discovered that NSS incorrectly generated handshake hashes. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
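As an added example (not part of the original post or of Ubuntu's tooling), a small Python parser for advisory summaries in the form used above: it extracts the USN identifier, package, date and CVE ids, flags the Ubuntu 12.04 ESM re-issues of earlier USNs, and groups entries per package with a keyword-based worst-case impact ranking that is this example's own assumption, not Ubuntu's scoring. The sample lines are abridged copies of advisories listed above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the roundup's "USN-id: package kind – date. text" form
# (abridged from the advisories listed above).
ADVISORIES = """\
USN-3466-1: systemd vulnerability – 26th October 2017. Karim Hossen & Thomas Imbert discovered that systemd-resolved incorrectly handled certain DNS responses. A remote attacker could possibly use this issue to cause systemd to temporarily stop responding, resulting in a denial of service.
USN-3455-1: wpa_supplicant and hostapd vulnerabilities – 16th October 2017. Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly handled WPA2. A remote attacker could use this issue with key reinstallation attacks to obtain sensitive information. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080)
USN-3454-2: libffi vulnerability – 24th October 2017. USN-3454-1 fixed a vulnerability in libffi. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that libffi incorrectly enforced an executable stack.
USN-3454-1: libffi vulnerability – 12th October 2017. It was discovered that libffi incorrectly enforced an executable stack. An attacker could possibly use this issue, in combination with another vulnerability, to facilitate executing arbitrary code.
USN-3445-1: Linux kernel vulnerabilities – 10th October 2017. Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation in the Linux kernel contained a buffer overflow when handling fragmented packets. A remote attacker could use this to possibly execute arbitrary code with administrative privileges. (CVE-2016-8633)
"""

HEADER = re.compile(
    r"^(?P<usn>USN-(?P<num>\d+)-(?P<rev>\d+)): (?P<pkg>.+?) "
    r"(?P<kind>vulnerability|vulnerabilities|regression|update) – "
    r"(?P<day>\d{1,2})(?:st|nd|rd|th) (?P<month>[A-Za-z]+) (?P<year>\d{4})\. (?P<body>.*)$"
)
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
# A "-2"/"-3" revision whose text says "USN-xxxx-1 fixed ... Ubuntu 12.04 ESM" is a
# backport of an earlier advisory, not a new vulnerability.
ESM_REISSUE = re.compile(r"(USN-\d+-1) fixed .* Ubuntu 12\.04 ESM")

# Impact levels from least to most severe (this example's own assumption).
IMPACT_RANK = ["denial of service", "information disclosure",
               "code execution", "privilege escalation"]


def classify(body):
    """Keyword-based worst-case impact for triage; an assumption, not Ubuntu's rating."""
    text = body.lower()
    if "administrative privileges" in text or "root privileges" in text:
        return "privilege escalation"
    if "execute arbitrary code" in text or "executing arbitrary code" in text:
        return "code execution"
    if "sensitive information" in text:
        return "information disclosure"
    return "denial of service"


def parse_advisory(line):
    """Return a dict for one summary line, or None if it is not in the expected form."""
    m = HEADER.match(line)
    if not m:
        return None
    date = datetime.strptime(f"{m['day']} {m['month']} {m['year']}", "%d %B %Y").date()
    esm = ESM_REISSUE.search(m["body"])
    return {
        "usn": m["usn"], "revision": int(m["rev"]), "package": m["pkg"], "date": date,
        "cves": CVE.findall(m["body"]), "impact": classify(m["body"]),
        "esm_reissue_of": esm.group(1) if esm else None,
    }


def parse_roundup(text):
    return [a for a in (parse_advisory(l) for l in text.splitlines()) if a]


def by_package(advisories):
    """Collapse all USNs for a package (originals plus ESM re-issues) into one row."""
    groups = defaultdict(lambda: {"usns": [], "cves": set(), "impact": IMPACT_RANK[0]})
    for a in advisories:
        g = groups[a["package"]]
        g["usns"].append(a["usn"])
        g["cves"].update(a["cves"])
        if IMPACT_RANK.index(a["impact"]) > IMPACT_RANK.index(g["impact"]):
            g["impact"] = a["impact"]
    return dict(groups)
```

Feeding the full list above through `parse_roundup` gives one row per package, which is a quicker starting point for a patch-tracking sheet than the chronological list.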