September in Texas is, weather-wise, still summer time. Only towards the very end do we see temperatures start to drop a little; as I sit here writing this on the 29th, we’re enjoying a (relatively) cool day, predicted high in the low 80s F after recent 90°+ scorchers. September means many different things to me: my birthday, the anniversary of my father’s death, hurricane season (particularly of note this year), and a mix of many memories both good and bad.
For IT professionals, this month marks the end of summer and its end heralds the beginning of Q4 and all the business ramifications that go with that. The holidays loom just ahead and many organizations are scrambling to wrap up big projects before the end of the year. Budgets may be running low at the same time you need to get more done. Of course, if your company’s fiscal year doesn’t correspond to the calendar year, none of this may apply.
What does apply to all of us is the necessity to keep all those systems up to date. If you’ve moved to the cloud, particularly to SaaS, some of that burden may have been lifted from your shoulders, but in all likelihood you still have at least some on-premises servers, along with client computers that need the latest patches.
Last month was relatively light in the patching department, but this month we’re not quite so lucky. Apple is back with a vengeance, so we’ll start with a look at the myriad of updates they’ve released this time.
Apple
Apple is still following a one on/one off schedule, with no security updates issued in April, then seven large updates in May, none in June, a heavy slate in July, and zero in August. I told you last time to look out for a big load to come down the pike in September, and that warning proved to be warranted.
Apple’s update site shows eleven patches issued this month, but some of these are just different versions of the same update, such as iTunes for Mac and iTunes for Windows. iOS was updated twice within a span of 7 days, but that turns out to be a little anti-climactic in terms of security. Here’s the full list of patches:
- On September 12, Apple released iTunes 12.7 for OS X Yosemite and later, and for Windows 7 and later. The Mac update addresses a single vulnerability resulting in an access control issue, but the Windows update addresses a whopping 19 vulnerabilities, all of them in the WebKit component and most of them memory corruption issues that could be exploited to execute arbitrary code, making it critical that you apply these updates.
- On September 19, Apple released iOS 11 for recent generations of iPhone, iPad, and iPod Touch, which patched 62 vulnerabilities in various components of the mobile operating system. These include privacy issues, Denial of Service vulnerabilities, validation issues, memory corruption, inadvertent caching of sensitive information, permissions issues, encryption issues, spoofing vulnerabilities, and more. Arbitrary code execution, information disclosure, cross-site scripting, and tracking of the user are some of the possible impacts.
- Also on September 19, Apple released updates for its watchOS (v4) and tvOS (v11) operating systems, to correct vulnerabilities that could lead to arbitrary code execution, denial of service, improper certificate validation, and reading of restricted memory.
- Also on September 19, Apple released version 11 of the Safari web browser for OS X El Capitan and macOS Sierra, which addresses 24 vulnerabilities. The most serious are memory corruption issues that could lead to arbitrary code execution.
- Also on September 19, Apple released an update for Xcode (v9), Apple’s suite of software development tools. Seven vulnerabilities are addressed, including multiple memory corruption issues, an input validation issue, and an ssh:// URL scheme handling issue.
- On September 25, Apple released macOS High Sierra 10.13 for OS X Lion and later. This update addresses 43 vulnerabilities in various components of the software that include firewall settings, multiple denial of service issues, an unencrypted password issue, permissions issues, memory corruption issues, validation issues, and more.
- Also on September 25, Apple released macOS Server 5.4 for High Sierra 10.13 to address two vulnerabilities in FreeRADIUS. No further information about the vulnerabilities was given.
- Also on September 25, Apple released iCloud for Windows 7 and above, to address 22 vulnerabilities in the cloud client software. All but one of these are in the WebKit component, and they include multiple memory corruption issues that could lead to arbitrary code execution.
- On September 26, Apple released iOS 11.0.1, but it merely contains the same security updates as iOS 11; the new version fixes an Exchange connectivity bug.
For more information about the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222
Adobe
Adobe issued only three security updates this month, all of which were released on September 12, Adobe’s standard Patch Tuesday release date.
- APSB17-28 will affect the largest number of users, as it’s a patch for Adobe Flash Player for Windows, Mac, Linux and Chrome OS that addresses two critical remote code execution vulnerabilities.
- APSB17-25 is an update for RoboHelp running on Windows that addresses an input validation vulnerability and an unvalidated URL redirect vulnerability that are rated important and moderate, respectively. Priority rating is 3.
- APSB17-30 is an update for Adobe ColdFusion, which addresses three vulnerabilities consisting of two information disclosure issues and one remote code execution issue, with two of the three rated critical. Priority rating is 2.
For more information, see Adobe’s security bulletins page at https://helpx.adobe.com/security.html
Google
For Google’s September Android security bulletin, see https://source.android.com/security/bulletin/2017-09-01
The most recent update to Google’s Chrome web browser was released on September 21 and applies to the software running on Windows, Mac, and Linux. It includes three security fixes that include out-of-bounds access issues in V8.
For more information, see https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop_21.html
Oracle
Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The next scheduled update is October 17th. For more information, see https://www.oracle.com/technetwork/topics/security/alerts-086861.html
Mozilla
On September 28, Mozilla released Firefox v56 with fixes for 18 vulnerabilities. These include a large variety of vulnerability types, including two that are rated critical. The critical vulnerabilities are both memory safety bugs. Six are rated high impact, eight are considered moderate, and two are low.
For more information, see Mozilla Foundation Security Advisory 2017-21 at https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (September 29), Ubuntu has issued a below-average number of separate security advisories (listed below) – however, some of these advisories address as many as 90 vulnerabilities in one advisory. Many others also address multiple vulnerabilities and in some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.
- USN-3429-1: Libplist vulnerability – 25th September 2017. Wang Junjie discovered that Libplist incorrectly handled certain files. If a user were tricked into opening a crafted file, an attacker could possibly use this to cause a crash or denial of service.
- USN-3428-1: Emacs vulnerability – 21st September 2017. Charles A. Roelli discovered that Emacs incorrectly handled certain files. If a user were tricked into opening a specially crafted file (e.g., email messages in gnus), an attacker could possibly use this to execute arbitrary code.
- USN-3427-1: Emacs vulnerability – 21st September 2017. Charles A. Roelli discovered that Emacs incorrectly handled certain files. If a user were tricked into opening a specially crafted file (e.g., email messages in gnus), an attacker could possibly use this to execute arbitrary code.
- USN-3426-1: Samba vulnerabilities – 21st September 2017. Stefan Metzmacher discovered that Samba incorrectly enforced SMB signing in certain situations. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2017-12150) Stefan Metzmacher discovered that Samba incorrectly handled encryption across DFS redirects.
- USN-3414-2: QEMU regression – 20th September 2017. USN-3414-1 fixed vulnerabilities in QEMU. The patch backport for CVE-2017-9375 was incomplete and caused a regression in the USB xHCI controller emulation support. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control.
- USN-3425-1: Apache HTTP Server vulnerability – 19th September 2017. Hanno Böck discovered that the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed.
- USN-3424-1: libxml2 vulnerabilities – 18th September 2017. It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references.
- USN-3423-1: Linux kernel vulnerability – 18th September 2017. It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash).
- USN-3422-2: Linux kernel (Trusty HWE) vulnerabilities – 18th September 2017. USN-3422-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.
- USN-3420-2: Linux kernel (Xenial HWE) vulnerabilities – 18th September 2017. USN-3420-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
- USN-3419-2: Linux kernel (HWE) vulnerabilities – 18th September 2017. USN-3419-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.
- USN-3419-1: Linux kernel vulnerabilities – 18th September 2017. It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash).
- USN-3420-1: Linux kernel vulnerabilities – 18th September 2017. It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash).
- USN-3421-1: Libidn2 vulnerability – 18th September 2017. It was discovered that Libidn2 incorrectly handled certain input. A remote attacker could possibly use this issue to cause Libidn2 to crash, resulting in a denial of service.
- USN-3422-1: Linux kernel vulnerabilities – 18th September 2017. It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash).
- USN-3346-2: Bind regression – 18th September 2017. USN-3346-1 fixed vulnerabilities in Bind. The fix for CVE-2017-3142 introduced a regression in the ability to receive an AXFR or IXFR in the case where TSIG is used and not every message is signed. This update fixes the problem.
- USN-3418-1: GDK-PixBuf vulnerabilities – 18th September 2017. It was discovered that the GDK-PixBuf library did not properly handle certain JPEG images. If a user or automated system were tricked into opening a specially crafted JPEG file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3416-1: Thunderbird vulnerabilities – 14th September 2017. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to bypass same-origin restrictions, bypass CSP restrictions, obtain sensitive information, spoof the origin of modal alerts, or cause a denial of service.
- USN-3417-1: Libgcrypt vulnerability – 14th September 2017. Daniel Genkin, Luke Valenta, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover Curve25519 private keys.
- USN-3415-2: tcpdump vulnerabilities – 13th September 2017. USN-3415-1 fixed vulnerabilities in tcpdump for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 17.04. This update provides the corresponding tcpdump update for Ubuntu 12.04 ESM. Original advisory details: Wilfried Kirsch discovered a buffer overflow in the SLIP decoder in tcpdump.
- USN-3415-1: tcpdump vulnerabilities – 13th September 2017. Wilfried Kirsch discovered a buffer overflow in the SLIP decoder in tcpdump. A remote attacker could use this to cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2017-11543) Bhargava Shastry discovered a buffer overflow in the bitfield converter utility function bittok2str_internal() in tcpdump.
- USN-3414-1: QEMU vulnerabilities – 13th September 2017. Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493) Li Qiang discovered that QEMU incorrectly handled VMWare PVSCSI emulation.
- USN-3413-1: BlueZ vulnerability – 12th September 2017. It was discovered that an information disclosure vulnerability existed in the Service Discovery Protocol (SDP) implementation in BlueZ. A physically proximate unauthenticated attacker could use this to disclose sensitive information.
- USN-3412-1: file vulnerability – 7th September 2017. Thomas Jarosch discovered that file incorrectly handled certain ELF files. An attacker could use this to cause file to crash, resulting in a denial of service.
- USN-3411-1: Bazaar vulnerability – 5th September 2017. Adam Collard discovered that Bazaar did not properly handle host names in ‘bzr+ssh://’ URLs. A remote attacker could use this to construct a Bazaar repository URL that, when accessed, could run arbitrary code with the privileges of the user.
- USN-3410-2: GD library vulnerability – 5th September 2017. USN-3410-1 fixed a vulnerability in the GD Graphics Library. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that the GD Graphics Library (aka libgd) incorrectly handled certain malformed PNG images. A remote attacker could use this issue to cause the GD Graphics Library …
- USN-3410-1: GD library vulnerability – 5th September 2017. It was discovered that the GD Graphics Library (aka libgd) incorrectly handled certain malformed PNG images. A remote attacker could use this issue to cause the GD Graphics Library to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3409-1: FontForge vulnerabilities – 4th September 2017. It was discovered that FontForge was vulnerable to a heap-based buffer over-read. A remote attacker could use a crafted file to cause a denial of service or execute arbitrary code.
- USN-3408-1: Liblouis vulnerabilities – 4th September 2017. It was discovered that an illegal address access can be made in Liblouis. A remote attacker can take advantage of this to access sensitive information. (CVE-2017-13738, CVE-2017-13744) It was discovered that a heap-based buffer overflow in Liblouis causes an out-of-bounds write.
For more information, see the Ubuntu Security Notices web site at https://usn.ubuntu.com/usn/
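The Optionsbleed item above (USN-3425-1) is the one advisory in this list that describes a mechanism worth checking for yourself: when an .htaccess <Limit> block names an HTTP method the server does not recognise, affected Apache builds can leak freed heap memory into the Allow header of OPTIONS responses. The leak is intermittent, so the practical check is to send many OPTIONS requests and inspect every Allow header for bytes that cannot be part of a method token. The following is an added example written for this article, not code from Ubuntu, Apache, or the researcher who found the bug; the list of known methods is an assumption about a stock httpd build, and the two sample header values are constructed so the analysis runs offline.

```python
"""Heuristic checker for the Optionsbleed symptom (CVE-2017-9798, USN-3425-1).

A well-formed Allow header is a comma-separated list of RFC 7230 tokens; freed-memory
garbage almost never fits that grammar. classify_allow() sorts each element of one
header into buckets, looks_leaky() turns that into a verdict, and probe() repeats an
OPTIONS request against a live URL because the leak is non-deterministic.
"""
import re
import sys
import urllib.error
import urllib.request

# Characters permitted in an HTTP token (RFC 7230 section 3.2.6).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Methods a stock Apache httpd registers (assumption: no modules calling
# ap_method_register for custom methods). An unknown but well-formed token is only a
# weak signal, so it is reported separately from non-token garbage.
KNOWN_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
})


def classify_allow(value):
    """Split one Allow header value into non-token, unknown-method and duplicate buckets."""
    result = {"non_token": [], "unknown": [], "duplicates": []}
    seen = set()
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue  # ",," is legal (if sloppy) list syntax, not evidence of a leak
        if not TOKEN_RE.match(item):
            result["non_token"].append(item)
            continue
        if item not in KNOWN_METHODS:
            result["unknown"].append(item)
        if item in seen:
            result["duplicates"].append(item)
        seen.add(item)
    return result


def looks_leaky(value):
    """True when the header carries bytes that cannot belong to any method token."""
    return bool(classify_allow(value)["non_token"])


def probe(url, attempts=50):
    """Send repeated OPTIONS requests and summarise the Allow headers observed.

    Needs network access; the offline samples below do not call it.
    """
    summary = {"responses": 0, "leaky": 0, "samples": []}
    for _ in range(attempts):
        req = urllib.request.Request(url, method="OPTIONS")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                allow = resp.headers.get("Allow")
        except urllib.error.HTTPError as err:  # a 405 etc. still carries headers
            allow = err.headers.get("Allow")
        if allow is None:
            continue
        summary["responses"] += 1
        if looks_leaky(allow):
            summary["leaky"] += 1
            if len(summary["samples"]) < 5:
                summary["samples"].append(allow)
    return summary


# Constructed sample header values (not captured from a real server).
CLEAN_ALLOW = "OPTIONS,GET,HEAD,POST"
LEAKY_ALLOW = "GET,HEAD,POST,OPTIONS,,\x8d\x9b ,TRACE"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for sample in (CLEAN_ALLOW, LEAKY_ALLOW):
            verdict = "LEAK SUSPECTED" if looks_leaky(sample) else "clean"
            print(repr(sample), "->", verdict)
```

Run it with a URL argument to probe a server you are authorised to test, or with no arguments to see the verdicts on the two constructed samples. A clean run against a patched server proves little on its own (the leak is probabilistic), so treat a single suspicious Allow header as the signal and a run of clean ones as merely reassuring. On the hardening side, audit .htaccess files for <Limit> and <LimitExcept> blocks naming methods the server does not know, and set AllowOverride None wherever .htaccess processing is not actually needed.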