3rd Party Patch Roundup

February is the shortest month of the year, so by all rights it should have the fewest vulnerabilities patched. Apple is one software vendor that seems to take that to heart; in February of last year (2015) they issued no patches at all, and this year we have only one from them. Some of the other vendors followed suit, whereas for others it was business as usual.

Here in Texas, the second month of the year was volatile, weather-wise, as usual. During the course of four short weeks, we had temperatures ranging from below freezing to a balmy 80° F.  After the stresses of holiday festivities, the aftermath of the tornado that hit our area the day after Christmas, and the new year planning and project initiation phase, I needed a getaway. So I spent a week in the beautiful Caribbean on a cruise ship, visiting ports in Honduras, Belize and Mexico. I got home just in time to dive back into a different kind of ocean: the sea of security issues and fixes that is as perpetual (and sometimes seems as vast) as the Pacific and Atlantic.

Most months, I do the wrap-up a few days before the actual end of the month, on the 29th. Of course, most years February only has 28 days, so that doesn’t work. In 2016, though, we get our once-every-four-years Leap Day, so let’s leap right into our recap of the security patches that were issued by some of the major software companies this month.

Apple

On February 25th, Apple released a single update, for Apple TV:

  • Apple TV 7.2.1: This is an update for the 3rd generation of Apple TV software that contains fixes for more than 60 different vulnerabilities in a number of the components of the TV OS. Affected components include bootp, CloudKit, CFPreferences, Code Signing, CoreMedia Playback, CoreText, DiskImages, FontParser, ImageIO, IOKit, IOHIDFamily, the kernel, Libc, Libinfo, libpthread, libxml2, libxpc, libxslt, Location Framework, Office Viewer, QLOffice, Sandbox_profiles, and a whopping twenty-one vulnerabilities in WebKit. The vulnerabilities patched by this update range from memory corruption to type confusion and integer overflow issues, among others. The vast majority are memory corruption vulnerabilities, many of which could be exploited to achieve arbitrary code execution – making this a critical update.

For more information about this patch and the vulnerabilities it addresses, see the Apple Support website at https://support.apple.com/en-us/HT201222.

Adobe

Adobe, which released only one patch in January, came back with four for this short month. The fixes apply to Flash Player, Photoshop CC and Bridge CC, Adobe Experience Manager and Adobe Connect.

On February 9th, Adobe released three security updates:

  • APSB16-03 is an update for Photoshop CC and Bridge CC for both the Windows and Mac OS X operating systems. It addresses three critical vulnerabilities, all of which are memory corruption issues by which an attacker could run code and take control of the system. Adobe has assigned a priority rating of 3 for all operating systems.
  • APSB16-04 is an update for Adobe Flash Player running on Windows, Mac OS X, Linux and Chrome OS; the Flash Player builds bundled with Google Chrome, Microsoft Edge and IE 11 are also affected. The update addresses 22 vulnerabilities that include type confusion, use-after-free and heap buffer overflow issues, but the majority are memory corruption vulnerabilities. All of these could potentially be exploited by an attacker to achieve code execution, and thus should be considered critical, although the priority rating depends on the OS and software product. The priority rating is 1 for Flash Player Desktop Runtime, the Extended Support Release, and Flash for Chrome, Edge and IE running on Windows, Mac, Linux and Chrome OS. The rating is 3 for Flash Player for Linux and for the AIR products running on Windows, Mac, Android and iOS.
  • APSB16-07 is an update for Adobe Connect running on Windows. Connect is Adobe’s online web conferencing, presentation and desktop sharing application, formerly known as Macromedia Breeze. The update addresses three vulnerabilities that are rated “important” in severity. They include input validation and spoofing issues, and the update also includes a cross-site request forgery protection feature. Priority rating is 3.

On February 12th, Adobe released one additional update:

  • APSB16-05 is an update for the Adobe Experience Manager on Windows, UNIX, Linux and Mac OS X. AEM is a web content management system, formerly called CQ5. This update addresses four vulnerabilities that include a cross-site scripting vulnerability, an information disclosure issue, a URL filter bypass and a Java deserialization issue. Priority rating for all operating systems is 2.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories website at https://helpx.adobe.com/security.html.

Google

On February 3rd, Google announced that they were updating the Chrome browser to warn users if the website they’re entering contains social engineering advertisements. For more information regarding this, see http://bgr.com/2016/02/04/google-chrome-security-update-fake-download-buttons/.

Google released its latest stable channel update for Chrome on February 18, containing both bug fixes and security fixes. A buffer overflow issue that could allow an attacker to take control of the system is one of the patched vulnerabilities. The current version is 48.0.2564.116.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com.

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. On January 15, Oracle released its most recent critical patch update, which contains fixes for multiple security vulnerabilities across their product line. The next regularly scheduled update release will be on April 15, 2016.

For more information about previous updates, see the Oracle security bulletin at http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html.

For a detailed summary of vulnerabilities and fixes, see the Oracle security blog at https://blogs.oracle.com/security/.

Mozilla

Mozilla followed Apple’s lead and gave us a light update load for February. Only two patches were released, both on February 11th. However, both address critical vulnerabilities.

  • MFSA 2016-14 fixes a Graphite “smart font” vulnerability in Firefox ESR and Thunderbird by which a malicious “smart font” can circumvent the validation of internal instruction parameters. This could be exploited by an attacker to accomplish arbitrary code execution.
  • MFSA 2016-13 is an update for Firefox that fixes a same-origin-policy violation using Service Workers with plugins that could affect the security decisions made by plugins through forged responses to network requests.

For more information about all of these vulnerabilities and fixes, see Mozilla’s website at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (February 29th), Ubuntu has issued 49 security advisories, which is not out of the ordinary, though a bit more than in recent months. Many of them address multiple vulnerabilities, and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2909-2: Linux kernel (Utopic HWE) regression – 27th February 2016. USN-2909-1 fixed vulnerabilities in the Ubuntu 14.10 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 14.04 LTS guests running the Ubuntu 14.10 backport kernel within VMWare virtual machines. This update fixes the problem.

USN-2910-2: Linux kernel (Vivid HWE) regression – 27th February 2016. USN-2910-1 fixed vulnerabilities in the Ubuntu 15.04 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 14.04 LTS guests running the Ubuntu 15.04 backport kernel within VMWare virtual machines. This update fixes the problem.

USN-2908-5: Linux kernel (Wily HWE) regression – 27th February 2016. USN-2908-2 fixed vulnerabilities in the Ubuntu 15.10 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 14.04 LTS guests running the Ubuntu 15.10 backport kernel within VMWare virtual machines. This update fixes the problem.

USN-2908-4: Linux kernel regression – 26th February 2016. USN-2908-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 15.10 guests running within VMWare virtual machines. This update fixes the problem.

USN-2913-3: OpenSSL update – 24th February 2016. USN-2913-1 removed 1024-bit RSA CA certificates from the ca-certificates package. This update adds support for alternate certificate chains to the OpenSSL package to properly handle the removal. Original advisory details: The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20160104 package.

USN-2913-2: glib-networking update – 24th February 2016. USN-2913-1 removed 1024-bit RSA CA certificates from the ca-certificates package. This update adds support for alternate certificate chains to the glib-networking package to properly handle the removal. Original advisory details: The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20160104 package.

USN-2913-4: GnuTLS update – 24th February 2016. USN-2913-1 removed 1024-bit RSA CA certificates from the ca-certificates package. This update adds support for alternate certificate chains to the GnuTLS package to properly handle the removal. Original advisory details: The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20160104 package.

USN-2913-1: ca-certificates update – 24th February 2016. The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20160104 package, including the removal of the SPI CA and CA certificates with 1024-bit RSA keys.

USN-2903-2: NSS regression – 23rd February 2016. USN-2903-1 fixed a vulnerability in NSS. An incorrect package versioning change in Ubuntu 12.04 LTS caused a regression when building software against NSS. This update fixes the problem.

USN-2912-1: libssh vulnerabilities – 23rd February 2016. Mariusz Ziulek discovered that libssh incorrectly handled certain packets. A remote attacker could possibly use this issue to cause libssh to crash, resulting in a denial of service. (CVE-2015-3146) Aris Adamantiadis discovered that libssh incorrectly generated ephemeral secret keys of 128 bits instead of the recommended 1024 or 2048 bits.

USN-2905-1: Oxide vulnerability – 23rd February 2016. A security issue was discovered in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions or a sandbox protection mechanism.

USN-2911-2: Linux kernel (OMAP4) vulnerability – 22nd February 2016. It was discovered that the Linux kernel keyring subsystem contained a race between read and revoke operations. A local attacker could use this to cause a denial of service (system crash).

USN-2911-1: Linux kernel vulnerability – 22nd February 2016. It was discovered that the Linux kernel keyring subsystem contained a race between read and revoke operations. A local attacker could use this to cause a denial of service (system crash).

USN-2910-1: Linux kernel (Vivid HWE) vulnerabilities – 22nd February 2016. halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576) halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security sensitive extended attributes, such as POSIX ACLs.

USN-2909-1: Linux kernel (Utopic HWE) vulnerabilities – 22nd February 2016. halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576) halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security sensitive extended attributes, such as POSIX ACLs.

USN-2908-1: Linux kernel vulnerabilities – 22nd February 2016. halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576) halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security sensitive extended attributes, such as POSIX ACLs.

USN-2908-2: Linux kernel (Wily HWE) vulnerabilities – 22nd February 2016. halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576) halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security sensitive extended attributes, such as POSIX ACLs.

USN-2908-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 22nd February 2016. halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576) halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security sensitive extended attributes, such as POSIX ACLs.

USN-2907-2: Linux kernel (Trusty HWE) vulnerabilities – 22nd February 2016. halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576) halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security sensitive extended attributes, such as POSIX ACLs.

USN-2907-1: Linux kernel vulnerabilities – 22nd February 2016. halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576) halfdog discovered that OverlayFS in the Linux kernel incorrectly propagated security sensitive extended attributes, such as POSIX ACLs.

USN-2906-1: GNU cpio vulnerabilities – 22nd February 2016. Alexander Cherepanov discovered that GNU cpio incorrectly handled symbolic links when used with the --no-absolute-filenames option. If a user or automated system were tricked into extracting a specially-crafted cpio archive, a remote attacker could possibly use this issue to write arbitrary files.

USN-2895-1: Oxide vulnerabilities – 18th February 2016. The DOM implementation in Chromium did not properly restrict frame-attach operations from occurring during or after frame-detach operations. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2016-1623) An integer underflow was discovered in Brotli.

USN-2903-1: NSS vulnerability – 17th February 2016. Hanno Böck discovered that NSS incorrectly handled certain division functions, possibly leading to cryptographic weaknesses. (CVE-2016-1938) This update also refreshes the NSS package to version 3.21 which includes the latest CA certificate bundle, and removes the SPI CA.

USN-2902-1: graphite2 vulnerabilities – 17th February 2016. Yves Younan discovered that graphite2 incorrectly handled certain malformed fonts. If a user or automated system were tricked into opening a specially-crafted font file, a remote attacker could use this issue to cause graphite2 to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2901-1: xdelta3 vulnerability – 17th February 2016. It was discovered that xdelta3 incorrectly handled certain files. If a user or automated system were tricked into processing a specially-crafted file, a remote attacker could use this issue to cause xdelta3 to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2900-1: GNU C Library vulnerability – 16th February 2016. It was discovered that the GNU C Library incorrectly handled receiving responses while performing DNS resolution. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2899-1: LibreOffice vulnerabilities – 16th February 2016. It was discovered that LibreOffice incorrectly handled LWP document files. If a user were tricked into opening a specially crafted LWP document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code.

USN-2855-2: Samba regression – 16th February 2016. USN-2855-1 fixed vulnerabilities in Samba. The upstream fix for CVE-2015-5252 introduced a regression in certain specific environments. This update fixes the problem. Original advisory details: Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled certain packets.

USN-2898-2: Eye of GNOME vulnerability – 15th February 2016. It was discovered that Eye of GNOME incorrectly handled certain large images. If a user were tricked into opening a specially-crafted image, a remote attacker could use this issue to cause Eye of GNOME to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2898-1: GTK+ vulnerability – 15th February 2016. It was discovered that GTK+ incorrectly handled certain large images. A remote attacker could use this issue to cause GTK+ applications to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2897-1: Nettle vulnerabilities – 15th February 2016. Hanno Böck discovered that Nettle incorrectly handled carry propagation in the NIST P-256 elliptic curve. (CVE-2015-8803) Hanno Böck discovered that Nettle incorrectly handled carry propagation in the NIST P-384 elliptic curve. (CVE-2015-8804) Niels Moeller discovered that Nettle incorrectly handled carry propagation in the NIST P-256 elliptic curve. (CVE-2015-8805)

USN-2896-1: Libgcrypt vulnerability – 15th February 2016. Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered that Libgcrypt was susceptible to an attack via physical side channels. A local attacker could use this attack to possibly recover private keys.

USN-2893-1: Firefox vulnerability – 11th February 2016. Jason Pang discovered that service workers intercept responses to plugin network requests made through the browser. An attacker could potentially exploit this to bypass same origin restrictions using the Flash plugin. (CVE-2016-1949)

USN-2894-1: PostgreSQL vulnerabilities – 11th February 2016. It was discovered that PostgreSQL incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service. (CVE-2016-0773) It was discovered that PostgreSQL incorrectly handled certain configuration settings (GUCS) for users of PL/Java.

USN-2892-1: nginx vulnerabilities – 9th February 2016. It was discovered that nginx incorrectly handled certain DNS server responses when the resolver is enabled. A remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service.

USN-2880-2: Firefox regression – 8th February 2016. USN-2880-1 fixed vulnerabilities in Firefox. This update introduced a regression which caused Firefox to crash on startup with some configurations. This update fixes the problem. We apologize for the inconvenience.

USN-2891-1: QEMU vulnerabilities – 3rd February 2016. Qinghao Tang discovered that QEMU incorrectly handled PCI MSI-X support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10.

USN-2890-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2890-2: Linux kernel (Wily HWE) vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2890-1: Linux kernel vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2889-2: Linux kernel (Vivid HWE) vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2889-1: Linux kernel vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2888-1: Linux kernel (Utopic HWE) vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2887-2: Linux kernel (Trusty HWE) vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2887-1: Linux kernel vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2886-2: Linux kernel (OMAP4) vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2886-1: Linux kernel vulnerabilities – 1st February 2016. It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information.

USN-2885-1: OpenJDK 6 vulnerabilities – 1st February 2016. Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2884-1: OpenJDK 7 vulnerabilities – 1st February 2016. Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.