In North America, September is traditionally the month when it hits home that summer is over. The kids are back in school, the trees are losing their leaves, the weather is turning cooler – and for me and millions of others born nine months after the Christmas holiday season, it’s birthday time. ’Tis the season for football, homecoming parades, and somber reminders of the 9/11 terrorist attacks. It’s National Square Dancing Month, National Piano Month, and National Chicken Month.

For IT professionals, it’s just another month of updates and fixes as we scramble to stay ahead of the hackers and attackers who don’t seem inclined to take a break to enjoy the fall foliage, but instead just keep on cranking out the exploits. Microsoft issued 12 patches for September, and Apple released only five – but those five addressed an amazing 239 vulnerabilities. Adobe’s two patches handled 25 vulnerabilities and Google’s Chrome updates this month patched 31 security issues, which is more than usual. Ubuntu Linux had a slew of fixes, as usual.

Let’s take a look at some of the more important issues and updates.

Apple

Apple released five comprehensive updates in September, with all but one of them issued on September 16 (which also happens to be the most common birthdate in the U.S.).

  • Apple released iOS 9 for the iPhone 4 and later, iPod Touch (Gen 5 and later), and iPad 2 and later. This update addresses a whopping 104 vulnerabilities in various operating system components and built-in apps. These include vulnerabilities in Apple Pay, AppleKeyStore, the App Store, the audio playing system, several in CFNetwork, one in CoreCrypto by which an attacker could determine a private key, vulnerabilities in iTunes Store, Mail, and Safari, as well as a number of kernel vulnerabilities. The complete list is too long to include here, but many of these are critical vulnerabilities that could be exploited to execute arbitrary code and take control of the device.
  • Apple released an update to Xcode, version 7.0 for OS X Yosemite (10.10.5) or later that addresses 10 vulnerabilities in the following components: DevTools, IDE Xcode Server, subversion. Attackers may be able to exploit these to bypass access restrictions, access restricted parts of the file system, inspect traffic to the Xcode Server or receive unauthorized build notifications.
  • Apple released version 12.3 of iTunes for Windows 7 and later, which addresses a hefty 66 vulnerabilities in the application, including multiple memory corruption issues that could lead to arbitrary code execution, a security issue in the handling of library loading when opening a media file, and a very large number of WebKit vulnerabilities that could allow for a man-in-the-middle attack, as well as a redirection issue in the handling of certain network connections by which an attacker might be able to obtain encrypted SMB credentials.
  • Apple released an update to OS X Server, version 5.0.3 on OS X Yosemite (10.10.5) or later, which addresses 20 vulnerabilities in Apache, BIND, PostgreSQL and multiple XML security issues in Wiki Server. Exploits could result in remote denial of service (DoS) attacks or arbitrary code execution.
  • Apple released version 2 of watchOS for the Apple Watch, including Apple Watch Sport, that addresses 39 vulnerabilities in the kernel and various components of the watchOS. These include memory corruption issues, code signing bypass, an issue with the protection of cache data, a cross-domain cookie issue, an issue in the handling of proxy connect responses, a certificate validation issue, and transaction log issues. Affected components include Apple Pay, audio, certificate trust policy, CFNetwork, CoreCrypto, CoreText, Data Detectors Engine, DevTools, and more. The most serious of these vulnerabilities could allow arbitrary code execution, installation of extensions prior to the application being trusted, denial of service attacks, and the ability to determine kernel memory layout.

For more information about these updates, see Apple’s web site at
https://support.apple.com/en-us/HT201222

Adobe

Adobe normally releases security updates in conjunction with Microsoft on the second Tuesday of each month. This month, the company released only one update on Patch Tuesday, then released another later in the month.

  • On September 8 (Patch Tuesday), Adobe released APSB15-22 for Adobe Shockwave Player for Windows, affecting versions 12.1.9.160 and earlier. It is a critical update with a priority rating of 1, and fixes a pair of memory corruption vulnerabilities that could be exploited to achieve code execution.
  • On September 21, Adobe released APSB15-23 for Adobe Flash Player, which addresses 23 vulnerabilities in Flash on Windows, Mac, Linux and Chrome OS. This includes Flash in the Edge browser on Windows 10 as well as IE 10 and 11. The vulnerabilities are rated critical and the update has a priority rating of 1 for Windows and Mac and for Google Chrome on Linux and Chrome OS. The rating for Flash for Linux and AIR is 3. There are type confusion vulnerabilities, use-after-free vulnerabilities, validation check issues, memory corruption, stack corruption, stack overflow, memory leak and security bypass vulnerabilities.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

On September 1, Google released version 45 of its Chrome browser, which patched 29 security vulnerabilities that included cross-origin bypass, use-after-free vulnerabilities, character spoofing, a permission scoping error, URL validation issues and an information leak. Affected components include DOM, ServiceWorker, Skia, printing, omnibox, WebRequest and Blink.

The latest stable channel update for Windows, Mac and Linux was released on September 24, with fixes for two more cross-origin bypass vulnerabilities that were given a High priority rating.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com/

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. On July 14, Oracle released a critical patch update that addresses 193 security vulnerabilities across multiple Oracle products. Oracle did not release any security updates in August or September. The next regular release is scheduled for October 20.

For more information about Oracle security updates and a list of previously released patches, see http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

On September 22, Mozilla released 19 security advisories that included four rated critical, five rated high severity, one of low impact and the rest rated as moderate risk.

  • Critical: Memory safety errors in libGLES in the ANGLE graphics library
  • Critical: Miscellaneous memory safety hazards
  • Critical: Use-after-free vulnerability while manipulating HTML media content
  • Critical: Use-after-free vulnerability with shared workers and indexedDB
  • High: Arbitrary file manipulation by local user through Mozilla updater
  • High: Buffer overflow while decoding WebM video
  • High: Bypass of JavaScript immutable property enforcement
  • High: Errors in the handling of CORS preflight request headers
  • High: Vulnerabilities found through code inspection
  • Moderate: Access to inner window by scripted proxies
  • Moderate: Buffer overflow in libvpx while parsing vp9 format video
  • Moderate: Crash when using debugger with SavedStacks in JavaScript
  • Moderate: Exposure of final URL after redirect when dragging and dropping images
  • Moderate: Information disclosure issue via the High Resolution Time API
  • Moderate: Memory leak in mozTCPSocket to servers
  • Moderate: Out-of-bounds read during 2D canvas display on Linux 16 bit color depth systems
  • Moderate: Out-of-bounds read in QCMS library with ICC V4 profile attributes
  • Moderate: Site attribute spoofing on Android by pasting URL with unknown scheme
  • Low: URL spoofing in reader mode

For more information about these fixes, see the Mozilla Security Advisories web site at https://www.mozilla.org/en-US/security/advisories/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. However, as of the date of this writing (September 28), Ubuntu has issued only 24 security advisories (fewer than usual), although many of them address multiple vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2747-1: NVIDIA graphics drivers vulnerability – September 28

Dario Weisser discovered that the NVIDIA graphics drivers incorrectly handled certain IOCTL writes. A local attacker could use this issue to possibly gain root privileges.

USN-2746-2: Simple Streams regression – September 25

USN-2746-1 fixed a vulnerability in Simple Streams. The update caused a regression preventing MAAS from downloading PXE images. This update fixes the problem. Original advisory details: It was discovered that Simple Streams did not properly perform gpg verification in some situations.

USN-2746-1: Simple Streams vulnerability – September 24

It was discovered that Simple Streams did not properly perform gpg verification in some situations. A remote attacker could use this to perform a man-in-the-middle attack and inject malicious content into the stream.

USN-2745-1: QEMU vulnerabilities – September 24

Lian Yihan discovered that QEMU incorrectly handled certain payload messages in the VNC display driver. A malicious guest could use this issue to cause the QEMU process to hang, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

USN-2743-3: Unity Integration for Firefox, Unity Websites Integration and Ubuntu Online Accounts extension update – September 24

USN-2743-1 fixed vulnerabilities in Firefox. Future Firefox updates will require all addons be signed and unity-firefox-extension, webapps-greasemonkey and webaccounts-browser-extension will not go through the signing process. Because these addons currently break search engine installations (LP: #1069793), this update permanently disables the addons by removing them from the system.

USN-2744-1: Apport vulnerability – September 24

Halfdog discovered that Apport incorrectly handled kernel crash dump files. A local attacker could use this issue to cause a denial of service, or possibly elevate privileges. The default symlink protections for affected releases should reduce the vulnerability to a denial of service.

USN-2743-2: Ubufox update – September 22

USN-2743-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox. Original advisory details: Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup discovered multiple memory safety issues in Firefox.

USN-2743-1: Firefox vulnerabilities – September 22

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service.

USN-2742-1: OpenLDAP vulnerabilities – September 16

Denis Andzakovic discovered that OpenLDAP incorrectly handled certain BER data. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service. (CVE-2015-6908) Dietrich Clauss discovered that the OpenLDAP package incorrectly shipped with a potentially unsafe default access control configuration.

USN-2741-1: Unity Settings Daemon vulnerability – September 16

It was discovered that the Unity Settings Daemon incorrectly allowed removable media to be mounted when the screen is locked. If a vulnerability were discovered in some other desktop component, such as an image library, a local attacker could possibly use this issue to gain access to the session.

USN-2740-1: ICU vulnerabilities – September 16

Atte Kettunen discovered that ICU incorrectly handled certain converter names. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash. (CVE-2015-1270) It was discovered that ICU incorrectly handled certain memory operations when processing data.

USN-2739-1: FreeType vulnerabilities – September 10

It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or hang, resulting in a denial of service, or possibly expose uninitialized memory.

USN-2738-1: Linux kernel vulnerability – September 9

It was discovered that an integer overflow error existed in the SCSI generic (sg) driver in the Linux kernel. A local attacker with write permission to a SCSI generic device could use this to cause a denial of service (system crash) or potentially escalate their privileges.

USN-2737-1: Linux kernel (Vivid HWE) vulnerability – September 9

It was discovered that an integer overflow error existed in the SCSI generic (sg) driver in the Linux kernel. A local attacker with write permission to a SCSI generic device could use this to cause a denial of service (system crash) or potentially escalate their privileges.

USN-2735-1: Oxide vulnerabilities – September 8

It was discovered that the DOM tree could be corrupted during parsing in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions or cause a denial of service.

USN-2736-1: Spice vulnerability – September 8

Frediano Ziglio discovered that Spice incorrectly handled monitor configs. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process.

USN-2734-1: Linux kernel vulnerability – September 3

It was discovered that an integer overflow error existed in the SCSI generic (sg) driver in the Linux kernel. A local attacker with write permission to a SCSI generic device could use this to cause a denial of service (system crash) or potentially escalate their privileges.

USN-2733-1: Linux kernel (Trusty HWE) vulnerability – September 3

It was discovered that an integer overflow error existed in the SCSI generic (sg) driver in the Linux kernel. A local attacker with write permission to a SCSI generic device could use this to cause a denial of service (system crash) or potentially escalate their privileges.

USN-2732-1: Linux kernel (OMAP4) vulnerability – September 3

Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel.

USN-2731-1: Linux kernel vulnerability – September 3

Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel.

USN-2730-1: OpenSLP vulnerabilities – September 3

Georgi Geshev discovered that OpenSLP incorrectly handled processing certain service requests. A remote attacker could possibly use this issue to cause OpenSLP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

USN-2729-1: libvdpau vulnerabilities – September 3

Florian Weimer discovered that libvdpau incorrectly handled certain environment variables. A local attacker could possibly use this issue to gain privileges.

USN-2728-1: Bind vulnerability – September 2

Hanno Böck discovered that Bind incorrectly handled certain malformed keys when configured to perform DNSSEC validation. A remote attacker could use this issue with specially crafted zone data to cause Bind to crash, resulting in a denial of service.

USN-2727-1: GnuTLS vulnerabilities – September 1

It was discovered that GnuTLS incorrectly handled parsing CRL distribution points. A remote attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2015-3308) Kurt Roeckx discovered that GnuTLS incorrectly handled a long DistinguishedName (DN) entry in a certificate.