Third Party Patch Roundup – October 2018

This is the time of year when we begin the parade of holidays that will take us through to the New Year. As I write this, Halloween is upon us here in the U.S., and the front yards in my suburban neighborhood are decorated with ghosts and goblins and skeletons that rattle in the wind as all stock up on candy in preparation for the trick-or-treaters who will soon be knocking on our doors.

But to an IT pro, few things are scarier than a huge slate of security patches waiting to be applied, and the fear that one of them will be incompatible and throw our systems into chaos. Many people went through the update nightmare this month with the rollout of Windows 10 version 1809, which caused a myriad of problems that included the disappearance of all their documents, pictures, music, and other personal files.

Nobody wants to go through all that again, so here’s hoping the following third-party software updates will go smoothly. Of course, because there is no way vendors can test a patch with every possible software and hardware configuration beforehand, there is always a chance for a problem, so we highly recommend that you do your own testing before rolling out any major operating system or mission critical software updates on your production network.

Now let’s take a look at what this month has brought us from some of the major software makers.

Apple

If you thought the release of nine updates in September meant none in October (a pattern that Apple followed for a while), think again. This time we have nine patches for the various iProducts and programs, so hang on as we go through them all.

On October 8th, Apple released just two updates, leading us to believe this month was going to be a light one.

  • iCloud for Windows 7.7 for Windows 7 and later. Addresses a number of security issues in CFNetwork, CoreFoundation, CoreText, and WebKit components, the most serious of which could allow for arbitrary code execution.
  • iOS 12.0.1 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. Addresses a security issue with lockscreen by which a local attacker may be able to view photos and contacts from the lock screen.

That assumption carried throughout most of the month. Then the following were released on October 30th:

  • Safari 12.0.1 for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14. Addresses multiple security issues in Safari Reader and WebKit, the most serious of which could lead to arbitrary code execution.
  • iCloud for Windows 7.8 for Windows 7 and later. Addresses security issues in CoreCrypto, Safari Reader, and WebKit components that could lead to code execution, denial of service, universal cross site scripting, and more.
  • iTunes 12.9.1 for Windows 7 and later. Addresses security issues in CoreCrypto, ICU, Safari Reader, and WebKit components, the most serious of which could lead to arbitrary code execution.
  • watchOS 5.1 for Apple Watch Series 1 and later. Addresses security issues in Apple AVD, CoreCrypto, ICU, IPsec, the kernel, NetworkExtension, Safari Reader, Security, and WebKit components that could lead to code execution.
  • iOS 12.1 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. Addresses numerous security issues in a multiplicity of components, including WebKit, the most serious of which could lead to code execution.
  • tvOS 12.1 for Apple TV 4K and Apple TV (4th generation). Addresses security issues in Apple AVD, CoreCrypto, ICU, IPsec, the kernel, NetworkExtension, Safari Reader, Security, and WebKit components that could lead to code execution.
  • macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14. Addresses a whopping seventy-one security issues in a multiplicity of components, the most serious of which could lead to code execution.

For more information about the current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe threw us a heavy load of updates this month, too, but many of the people reading this will find that only a couple of them are applicable to their software installations. All but one were released on Adobe’s usual schedule (second Tuesday of the month). The first was an out-of-band update issued early.

Adobe released the following update on October 1st:

  • APSB18-30 Security updates for Adobe Acrobat and Reader. This update addresses forty-seven critical vulnerabilities and thirty-nine important ones, including out-of-bounds write and read vulnerabilities, heap overflow, use-after-free, type confusion, stack overflow, double free, integer overflow, buffer errors, untrusted pointer dereference, and security bypass issues. Impacts include information disclosure, privilege escalation, and arbitrary code execution.

The following updates were released on the usual Patch Tuesday date, October 9th:

  • APSB18-38 Security Updates Available for Adobe Technical Communications Suite. This is a priority 3 update that addresses one important insecure library loading (DLL hijacking) vulnerability that could allow for escalation of privilege.
  • APSB18-37 Security Updates for Adobe Framemaker. This is a priority 3 update that addresses one important insecure library loading (DLL hijacking) vulnerability that could allow for escalation of privilege.
  • APSB18-36 Security Updates for Adobe Experience Manager. This is a priority 2 update that addresses five important and moderate cross-site scripting vulnerabilities that could result in disclosure of sensitive information.
  • APSB18-27 Security Updates for Adobe Digital Editions. This is a priority 3 update that addresses nine vulnerabilities, four of which are rated critical and the others important. These include heap overflow, out-of-bounds read, and use-after-free issues and the most serious could result in arbitrary code execution.
  • APSB18-35 updates for Adobe Flash Player. This is a priority 3 update for Flash Player on Windows, macOS, Linux, and Chrome OS. Although Adobe lists it as a security update and issued a security bulletin for it, the description says, “These updates address feature and performance bugs, and do not include security fixes” and no vulnerabilities are shown to be addressed by it.

For more information, see the security bulletin summary at
https://helpx.adobe.com/security.html

Google

On October 1st, Android security patch level 2018-10-05 addressed five issues in Framework and five in Media Framework, as well as thirteen System vulnerabilities.

On October 16th, Google announced Chrome 70 stable channel for Windows, Mac, and Linux desktop operating systems. Chrome v70.3538.67 contains twenty-three security fixes, including a sandbox escape in AppCache, a remote code execution vulnerability in V8, a heap buffer overflow, URL spoofing, use-after-free, memory corruption, cross-origin URL disclosure, and security UI occlusion issues, as well as various fixes from internal audits and fuzzing.

On October 26th, Google announced a new stable channel version of Chrome OS, 70.0.3538.76, which contains both security updates and bug fixes.

On October 29th, Google announced Chrome 70 for Android, to roll out in the next few weeks.

For more information about Chrome updates, see https://chromereleases.googleblog.com/

For more information about the vulnerabilities that are addressed by the Android updates, see https://source.android.com/security/bulletin/2018-08-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. This month’s update was released on October 16th. This Critical Patch Update contains 301 new security fixes across the Oracle product families.

The next regularly scheduled critical patch update will be on January 15th, 2019.

Oracle customers can read more about this update in the executive summary on the Oracle Support site at https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html.

Mozilla

On October 23rd, Mozilla released Firefox 63, which contains security fixes for fourteen vulnerabilities. Only two of these are designated as critical; both are memory safety issues that have the potential to be exploited to run arbitrary code.

Three vulnerabilities are rated high severity. These include an HTTP live stream playback issue on Firefox for Android, a vulnerability that could trigger an exploitable crash with nested event loops, and an integer overflow issue.

This version also addresses four vulnerabilities of moderate severity and five of low severity.

For more information about these and other vulnerabilities patched by Mozilla, see https://www.mozilla.org/en-US/security/advisories//mfsa2018-26/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (October 30th), Ubuntu has issued the following forty-nine security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-3804-1: OpenJDK vulnerabilities. It was discovered that the Security component of OpenJDK did not properly ensure that manifest elements were signed before use. An attacker could possibly use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions.
  • USN-3803-1: Ghostscript vulnerabilities. Tavis Ormandy discovered multiple security issues in Ghostscript. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service.
  • USN-3799-2: MySQL vulnerabilities. USN-3799-1 fixed a vulnerability in MySQL. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.62 in Ubuntu 12.04 ESM.
  • USN-3802-1: X.Org X server vulnerability. Narendra Shinde discovered that the X.Org X server incorrectly handled certain command line parameters when running as root with the legacy wrapper. When certain graphics drivers are being used, a local attacker could possibly use this issue to overwrite arbitrary files and escalate privileges.
  • USN-3801-1: Firefox vulnerabilities. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass CSP restrictions, spoof the protocol registration notification bar, leak SameSite cookies, bypass mixed content warnings, or execute arbitrary code.
  • USN-3800-1: audiofile vulnerabilities. It was discovered that audiofile incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-13440) It was discovered that audiofile incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.
  • USN-3799-1: MySQL vulnerabilities. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.62 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10 have been updated to MySQL 5.7.24. In addition to security fixes, the updated packages contain bug fixes.
  • USN-3788-2: Tex Live-bin vulnerability. USN-3788-1 fixed vulnerabilities in Tex Live. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: It was discovered that Tex Live incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.
  • USN-3777-3: Linux kernel (Azure) vulnerabilities. USN-3777-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux kernel for Azure Cloud systems. Jann Horn discovered that the vmacache subsystem did not properly handle sequence number overflows, leading to a use-after-free vulnerability.
  • USN-3797-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3797-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel.
  • USN-3797-1: Linux kernel vulnerabilities. Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734) It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel.
  • USN-3798-2: Linux kernel (Trusty HWE) vulnerabilities. USN-3798-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.
  • USN-3798-1: Linux kernel vulnerabilities. Dmitry Vyukov discovered that the key management subsystem in the Linux kernel did not properly restrict adding a key that already exists but is negatively instantiated. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3790-2: Requests vulnerability. USN-3790-1 fixed vulnerabilities in Requests. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: It was discovered that Requests incorrectly handled certain HTTP headers. An attacker could possibly use this issue to access sensitive information.
  • USN-3796-3: Paramiko vulnerability. USN-3796-1 fixed a vulnerability in Paramiko. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: Daniel Hoffman discovered that Paramiko incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any credentials.
  • USN-3795-2: libssh vulnerability. USN-3795-1 fixed a vulnerability in libssh. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: Peter Winter-Smith discovered that libssh incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any credentials.
  • USN-3792-3: Net-SNMP vulnerability. USN-3792-1 fixed a vulnerability in Net-SNMP. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: It was discovered that Net-SNMP incorrectly handled certain crafted packets. A remote attacker could possibly use this issue to cause Net-SNMP to crash, resulting in a denial of service.
  • USN-3796-2: Paramiko vulnerability. USN-3796-1 fixed a vulnerability in paramiko. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Daniel Hoffman discovered that Paramiko incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any credentials.
  • USN-3796-1: Paramiko vulnerability. Daniel Hoffman discovered that Paramiko incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any credentials.
  • USN-3795-1: libssh vulnerability. Peter Winter-Smith discovered that libssh incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any credentials.
  • USN-3789-2: ClamAV vulnerabilities. USN-3789-1 fixed a vulnerability in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled unpacking MEW executables. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.
  • USN-3794-1: MoinMoin vulnerability. It was discovered that MoinMoin incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information.
  • USN-3792-2: Net-SNMP vulnerability. USN-3792-1 fixed a vulnerability in Net-SNMP. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Net-SNMP incorrectly handled certain crafted packets. A remote attacker could possibly use this issue to cause Net-SNMP to crash, resulting in a denial of service.
  • USN-3793-1: Thunderbird vulnerabilities. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code.
  • USN-3792-1: Net-SNMP vulnerability. It was discovered that Net-SNMP incorrectly handled certain crafted packets. A remote attacker could possibly use this issue to cause Net-SNMP to crash, resulting in a denial of service.
  • USN-3790-1: Requests vulnerability. It was discovered that Requests incorrectly handled certain HTTP headers. An attacker could possibly use this issue to access sensitive information.
  • USN-3791-1: Git vulnerability. It was discovered that git did not properly validate git submodule urls or paths. A remote attacker could possibly use this to craft a git repository that causes arbitrary code execution when recursive operations are used.
  • USN-3789-1: ClamAV vulnerability. It was discovered that ClamAV incorrectly handled unpacking MEW executables. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.
  • USN-3788-1: Tex Live vulnerabilities. Jakub Wilk discovered that Tex Live incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-5700) It was discovered that Tex Live incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.
  • USN-3787-1: Tomcat vulnerability. It was discovered that Tomcat incorrectly handled returning redirects to a directory. A remote attacker could possibly use this issue with a specially crafted URL to redirect to arbitrary URIs.
  • USN-3781-2: WebKitGTK+ regression. USN-3781-1 fixed vulnerabilities in WebKitGTK+. The updated package was missing some header files, preventing certain applications from building. This update fixes the problem. We apologize for the inconvenience. Original advisory details: A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines.
  • USN-3786-1: libxkbcommon vulnerabilities. It was discovered that libxkbcommon incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3785-1: ImageMagick vulnerabilities. Due to a large number of issues discovered in GhostScript that prevent it from being used by ImageMagick safely, this update includes a default policy change that disables support for the Postscript and PDF formats in ImageMagick. This policy can be overridden if necessary by using an alternate ImageMagick policy configuration.
  • USN-3784-1: AppArmor update. As a security improvement, this update adjusts the private-files abstraction to disallow writing to thumbnailer configuration files. Additionally, it adjusts the private-files, private-files-strict and user-files abstractions to disallow writes on parent directories of sensitive files.
  • USN-3783-1: Apache HTTP Server vulnerabilities. Robert Swiecki discovered that the Apache HTTP Server HTTP/2 module incorrectly destroyed certain streams. A remote attacker could possibly use this issue to cause the server to crash, leading to a denial of service. (CVE-2018-1302) Craig Young discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain requests.
  • USN-3778-1: Firefox vulnerabilities. A crash was discovered in TransportSecurityInfo used for SSL, which could be triggered by data stored in the local cache directory. An attacker could potentially exploit this in combination with another vulnerability that allowed them to write data to the cache, to execute arbitrary code.
  • USN-3782-1: Liblouis vulnerabilities. Henri Salo discovered that Liblouis incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-12085) It was discovered that Liblouis incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
  • USN-3781-1: WebKitGTK+ vulnerabilities. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
  • USN-3780-1: HAProxy vulnerability. It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service.
  • USN-3779-1: Linux kernel vulnerabilities. It was discovered that an integer overflow vulnerability existed in the Linux kernel when loading an executable to run. A local attacker could use this to gain administrative privileges. (CVE-2018-14634) It was discovered that a stack-based buffer overflow existed in the iSCSI target implementation of the Linux kernel.
  • USN-3777-2: Linux kernel (HWE) vulnerabilities. USN-3777-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.
  • USN-3777-1: Linux kernel vulnerabilities. Jann Horn discovered that the vmacache subsystem did not properly handle sequence number overflows, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
  • USN-3776-2: Linux kernel (Xenial HWE) vulnerabilities. USN-3776-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jann Horn discovered that the vmacache subsystem did not properly handle sequence number overflows.
  • USN-3776-1: Linux kernel vulnerabilities. Jann Horn discovered that the vmacache subsystem did not properly handle sequence number overflows, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
  • USN-3775-2: Linux kernel (Trusty HWE) vulnerabilities. USN-3775-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. It was discovered that the paravirtualization implementation in the Linux kernel did not properly handle some indirect calls.
  • USN-3775-1: Linux kernel vulnerabilities. It was discovered that the paravirtualization implementation in the Linux kernel did not properly handle some indirect calls, reducing the effectiveness of Spectre v2 mitigations for paravirtual guests. A local attacker could use this to expose sensitive information.
  • USN-3774-1: strongSwan vulnerability. It was discovered that strongSwan incorrectly handled signature validation in the gmp plugin. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3769-2: Bind vulnerability. USN-3769-1 fixed a vulnerability in Bind. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Bind incorrectly handled the deny-answer-aliases feature. If this feature is enabled, a remote attacker could use this issue to cause Bind to crash, resulting in a denial of service.
  • USN-3773-1: Ghostscript vulnerabilities. It was discovered that Ghostscript contained multiple security issues. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service.
