Third Party Patch Roundup – October 2016

October is the month that kicks off the holiday season, but for IT professionals the "update party" never stops, with Chrome bringing even 21 security fixes this month.

October is the month that kicks off the holiday season, ending with hordes of ghosts and goblins on doorsteps throughout the country. For IT professionals, though, the really scary thing about the end of the month is looking back at the software updates released during the past four weeks, and hoping that we got all of them installed properly and they'll fix the security flaws and not result in any "unintended consequences."

I spent most of October in Europe, cruising the Mediterranean, but there's no escaping the inevitable. When I got back, I found a basket of updates waiting to be installed. All in all, it was a light-to-medium month in terms of the number of patches released by the major software vendors. Apple came out with six, Adobe with four, Mozilla had only one security update for Firefox, while Google's Chrome 54 brings 21 security fixes.

Let's take a look at each of the vendors' fixes in more detail.

Apple

Compared to September's thirteen major updates, many of them addressing dozens of vulnerabilities, this was a more typical month for Apple. They released a single update, for the iPhone 7 and 7 plus, on October 17, and then five patches for their other operating systems on October 24.

• iOS 10.0.3 for iPhone 7/7 Plus an update for the newest version of the iPhone, contains the same security content as iOS 10.0.2, released on September 23 and discussed in last month's 3rd Party Patch Roundup. 10.0.2, in turn contained the same security content as 10.0.1. In other words, Apple hadn't fixed any security issues in iOS in a while, until ...
• iOS 10.1 was released on October 24 and does include fixes for fourteen vulnerabilities, in twelve components: CFNetwork Proxies, Contacts, Core Graphics, FaceTime, FontParser, Kernel, libarchive, libxpc, Sandbox Profiles, Security, System Boot, and WebKit. These range from logging issues to input validation issues to multiple memory corruption issues and more, with the most serious being capable of arbitrary code execution, making the update critical.
• macOS Sierra 10.12.1 is an update for OS X Yosemite, El Capitan and Sierra that addresses eighteen separate vulnerabilities, some of them the same ones fixed by iOS 10.1. Once again, some of the issues can be exploited to accomplish arbitrary code execution, including with kernel privileges, so installation of this update should be considered critical.
• Safari 10.0.1 is an update to Apple's web browser, running on OS X Yosemite, El Capitan and macOS Sierra. It addresses three vulnerabilities in the WebKit component that include multiple memory corruption issues that can lead to arbitrary code execution and thus is a critical patch.
• TvOS 10.0.1 applies to Apple TV 4th generation devices, and it fixes twelve vulnerabilities, many of which are the same as those in iOS 10.1. They include the memory corruption vulnerabilities that can lead to arbitrary code execution, making this another critical update.
• watchOS 3.1 is the latest update for the Apple watch software and applies to all models. It addresses eight of the same vulnerabilities addressed in the OS X/Sierra and iOS updates and like those, includes the possibility of exploit leading to remote code execution, making it critical.

For more information about this and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released only three updates in September, and the number crept up slightly this month, with four patches – two of them for Flash Player. Two were released on October 11, the normal second-Tuesday release date, with one coming before and one after that regular schedule.

• APSB1632 is an update for Adobe Flash Player running on Windows, Mac, Linux and Chrome OS that fixes twelve vulnerabilities, including critical vulnerabilities that could allow the attacker to take control of the system. Included are type confusion, use-after-free, security bypass and memory corruption vulnerabilities. Adobe has assigned a priority rating of 1 to all except Adobe Flash Player for Linux, which has a rating of 3.
• APSB1633 is an update for Acrobat and Reader that addresses a whopping 74 vulnerabilities for the software running on the Mac and Windows operating systems. It has a priority rating of 2 for all versions. The vulnerabilities include many use-after-free and memory corruption vulnerabilities, along with some heap buffer overflow, restrictions bypass, security bypass and integer overflow issues.
• APSB1634 is an update for Adobe's Creative Cloud desktop application for its SaaS offering that gives users access to the company's graphic design, video and web editing and photography services. The update addresses a single unquoted search path vulnerability that could be exploited for elevation of privilege. It runs on Windows, and has a priority rating of 3.
• APSB1636 is another Flash Player update, released on October 26. It addresses a single critical use-after-free vulnerability that has been exploited in the wild, thus the out-of-band release. It applies to Flash Player running on Windows, Mac, Linux and Chrome OS. Adobe has assigned a priority rating of 1 to all except Adobe Flash Player for Linux, which has a rating of 3.

For more information about these vulnerabilities and updates, see Adobe's Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html or see the individual bulletins linked in each bullet point above.

Google

Google released its stable channel update version 54.0.2840.59 for Windows, Mac and Linux on October 12. The update included 21 security fixes, including Universal XSS And heap overflow issues, several use-after-free vulnerabilities, cross-origin bypass, URL spoofing, UI spoofing, an out-of-bounds read and scheme bypass.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. This month's regularly scheduled patch release occurred on October 18.

The critical patch for Oracle Database Server fixes 12 vulnerabilities in various components, including RDBMS security, Kernel PDB, Application Express and OJVM. Two security fixes are included for Oracle Secure Backup, one for Big Data Graph, twenty-nine for Oracle Fusion Middleware, five for Oracle Enterprise Manager, twenty-one for Oracle E-Business Suite, nineteen for Oracle Supply Chain Products Suite, eleven for PeopleSoft products, two for JD Edwards products, three for Oracle Siebel CRM, seven for Oracle Commerce, thirty-six for Oracle communications applications, twenty-four for Oracle Financial Services applications, one for Oracle Health Sciences applications, three for Oracle Hospitality applications, one for Oracle insurance applications, ten for Oracle Retail applications, two for Primavera Products Suite, seven for Java SE, sixteen for Sun Systems products suite, thirteen for Oracle Linux and Virtualization, and thirty-one for Oracle MySQL.

For more information about this critical patch and the vulnerabilities that it addresses, see Oracle's Update Advisory at http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Mozilla

Mozilla released Firefox v49 on September 20th, which contain fixes for eighteen vulnerabilities. This month, in Firefox version 49.0.2, there are only two vulnerabilities addressed; however, they are both rated high impact.

• The first vulnerability is a use-after-free issue that does not affect any releases earlier than v49.
• The second vulnerability is an issue affecting both Firefox 48 and 49, by which web content could access information in the HTTP cache and reveal URLs that were visited as well as the page contents.

For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla's web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (October 26), Ubuntu has issued twenty-nine security notices this month, which is fewer than usual. Many of these address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates. Here are the Ubuntu security advisories for October:

• USN-3114-1: nginx vulnerability – 25th October 2016. Dawid Golunski discovered that the nginx package incorrectly handled log file permissions. A remote attacker could possibly use this issue to obtain root privileges.
• USN-3110-1: Quagga vulnerability – 25th October 2016. David Lamparter discovered that Quagga incorrectly handled certain IPv6 router advertisements. A remote attacker could possibly use this issue to cause Quagga to crash, resulting in a denial of service.
• USN-3109-1: MySQL vulnerabilities – 25th October 2016. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.53 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and Ubuntu 16.10 have been updated to MySQL 5.7.16.
• USN-3107-2: Linux kernel (Raspberry Pi 2) vulnerability – 24th October 2016. It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.
• USN-3108-1: Bind vulnerability – 21st October 2016. Toshifumi Sakaguchi discovered that Bind incorrectly handled certain packets with malformed options. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
• USN-3106-4: Linux kernel (Qualcomm Snapdragon) vulnerability – 19th October 2016. It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.
• USN-3106-3: Linux kernel (Raspberry Pi 2) vulnerability – 19th October 2016. It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.
• USN-3104-2: Linux kernel (OMAP4) vulnerability – 19th October 2016. It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.
• USN-3106-2: Linux kernel (Xenial HWE) vulnerability – 19th October 2016. USN-3106-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
• USN-3105-2: Linux kernel (Trusty HWE) vulnerability – 19th October 2016. USN-3105-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.
• USN-3107-1: Linux kernel vulnerability – 19th October 2016. It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.
• USN-3106-1: Linux kernel vulnerability – 19th October 2016. It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.
• USN-3105-1: Linux kernel vulnerability – 19th October 2016. It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.
• USN-3104-1: Linux kernel vulnerability – 19th October 2016. It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.
• USN-3097-2: Linux kernel (OMAP4) vulnerabilities – 13th October 2016. Marco Grassi discovered a use-after-free condition could occur in the TCP retransmit queue handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-6828) Pengfei Wang discovered a race condition in the audit subsystem.
• USN-3103-1: DBD::mysql vulnerabilities – 13th October 2016. It was discovered that DBD::mysql incorrectly handled certain memory operations. A remote attacker could use this issue to cause DBD::mysql to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-9906) Hanno Böck discovered that DBD::mysql incorrectly handled certain memory operations.
• USN-3102-1: Quagga vulnerabilities – 13th October 2016. It was discovered that Quagga incorrectly handled dumping data. A remote attacker could possibly use a large BGP packet to cause Quagga to crash, resulting in a denial of service. (CVE-2016-4049) It was discovered that the Quagga package incorrectly set permissions on the configuration directory.
• USN-3101-1: Tracker vulnerability – 12th October 2016. It was discovered that Tracker incorrectly handled certain malformed GIF images. If a user or automated system were tricked into downloading a specially-crafted GIF image, Tracker could crash, resulting in a denial of service.
• USN-3100-1: KDE-PIM Libraries vulnerability – 12th October 2016. Roland Tapken discovered that the KDE-PIM Libraries incorrectly filtered URLs. A remote attacker could use this issue to perform an HTML injection attack in the KMail plain text viewer.
• USN-3099-4: Linux kernel (Qualcomm Snapdragon) vulnerabilities – 11th October 2016. Vladimír Benea discovered an unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing implementations in the Linux kernel, A remote attacker could use this to cause a stack corruption, leading to a denial of service (system crash).
• USN-3099-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 11th October 2016. Vladimír Benea discovered an unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing implementations in the Linux kernel, A remote attacker could use this to cause a stack corruption, leading to a denial of service (system crash).
• USN-3099-2: Linux kernel (Xenial HWE) vulnerabilities – 11th October 2016. USN-3099-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Vladimír Benea discovered an unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing implementations.
• USN-3099-1: Linux kernel vulnerabilities – 11th October 2016. Vladimír Benea discovered an unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing implementations in the Linux kernel, A remote attacker could use this to cause a stack corruption, leading to a denial of service (system crash).
• USN-3098-2: Linux kernel (Trusty HWE) vulnerabilities – 11th October 2016. USN-3098-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Marco Grassi discovered a use-after-free condition could occur in the TCP retransmit queue handling code.
• USN-3098-1: Linux kernel vulnerabilities – 11th October 2016. Vladimír Benea discovered an unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing implementations in the Linux kernel, A remote attacker could use this to cause a stack corruption, leading to a denial of service (system crash).
• USN-3097-1: Linux kernel vulnerabilities – 10th October 2016. Marco Grassi discovered a use-after-free condition could occur in the TCP retransmit queue handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-6828) Pengfei Wang discovered a race condition in the audit subsystem.
• USN-3091-1: Oxide vulnerabilities – 7th October 2016. A use-after-free was discovered in the V8 bindings in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5170) A use-after-free was discovered in the V8 bindings.
• USN-3096-1: NTP vulnerabilities – 5th October 2016. Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack.
• USN-3095-1: PHP vulnerabilities – 4th October 2016. Taoguang Chen discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7124) Taoguang Chen discovered that PHP incorrectly handled invalid session names.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.