
Along with 14 patches, Microsoft introduced a new Security Update Guide web site, as the new location for information on security vulnerabilities.

This month’s Patch Tuesday was also election day in the U.S. and I imagine for once, IT pros are actually happy to see a big load of security updates released – it’s something to take our mind off the culmination of this contentious campaign season.

Along with the fourteen patches released today, the Microsoft Security Response Center (MSRC) team published a blog post that introduces the new Security Update Guide web site, which the company sees as the “new single destination for security vulnerability information.”

It’s in preview now, and the Microsoft Security Bulletin site is still operational, so if you’re one of many who don’t like change, you can still access the information in the traditional way – at least for a few months. After January 2017, the information about the security fixes will no longer be published to the Bulletins site; you’ll have to transition to the Update Guide.

The good news is that the new portal does give you far more flexibility. You can filter by release date, KB number, CVE identifier, or product. This is great for those who don’t want to waste time scrolling through information about software and services that they don’t have deployed or don’t use.

This month’s updates include six that are rated critical and eight classified as important. There are updates for both Microsoft web browsers, Adobe Flash, and various components of Windows, as well as one for SQL Server and one for Microsoft Office.

Let’s take a look at each of these updates in a little more detail.

MS16-129 (KB 3199057) This is the usual cumulative update for the Edge browser and applies to Edge on all iterations of Windows 10. It is rated critical for all.

The update addresses seventeen vulnerabilities, including multiple memory corruption issues, information disclosure, and a spoofing vulnerability. Twelve of these could be exploited to accomplish remote code execution.

The update fixes the problems by changing how Microsoft browsers handle objects in memory, changing how the XSS filter in Microsoft browsers handles RegEx, modifying how the Chakra JavaScript scripting engine handles objects in memory, and correcting how Microsoft Edge parses HTTP responses.

MS16-130 (KB 3199172) This is an update for all currently supported versions of the Windows client and server operating systems, including the server core installation. It is rated critical for all.

This update addresses three vulnerabilities: two elevation of privilege issues and one remote code execution vulnerability. The update fixes the problems by correcting how the Windows Input Method Editor (IME) loads DLLs and by requiring that hardened UNC paths be used in scheduled tasks.

MS16-131 (KB 3199151) This is an update for the Microsoft Video Control component in Windows Vista, 7, 8.1, RT 8.1 and 10. It is rated critical for all. It also affects Windows Server 2016 Preview 5.

The update addresses a single vulnerability in the way the Video Control component handles objects in memory, which can be exploited to accomplish remote code execution. The update fixes the problem by correcting how Microsoft Video Control handles objects in memory.

MS16-132 (KB 3199120) This is an update for the Graphic component in all currently supported versions of Windows client and server operating systems, including the server core installation. It is rated critical for all.

The update addresses four vulnerabilities: an open type font information disclosure issue (for which a workaround is provided in the security bulletin), two memory corruption vulnerabilities – one in Windows Animation Manager and one in Media Foundation – and an open type font remote code execution vulnerability, which also has a workaround. You can find instructions for the workarounds at https://technet.microsoft.com/en-us/library/security/ms16-132.aspx

The update fixes the problems by correcting how the ATMFD component, the Windows Animation Manager, and the Windows Media Foundation handle objects in memory.

MS16-141 (KB3202790) This is an update for Adobe Flash Player running on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. It does not include the server core installation, which doesn’t have a web browser installed by default. It is rated critical for all affected systems.

The update addresses nine vulnerabilities in the Flash Player software, which include type confusion vulnerabilities and use-after-free vulnerabilities, both of which can be exploited to accomplish code execution. The update fixes the problems by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

MS16-142 (KB3198467) This is the usual cumulative update for the Internet Explorer web browser. It is rated Critical for IE 9 and IE 11 on affected Windows clients, and rated Moderate for IE 9, IE 10 and IE 11 on affected Windows server operating systems.

The update addresses seven vulnerabilities, which include four memory corruption issues and three information disclosure vulnerabilities. The most severe of these could be exploited to accomplish remote code execution. The update fixes the problems by correcting how Internet Explorer modifies objects in memory and the way it uses the XSS filter to handle RegEx.

MS16-133 (KB 3199168) This is an update for Microsoft Office that applies to Office 2007, 2010, 2013, 2013 RT, and 2016, as well as Office for Mac 2011 and 2016, the Office Compatibility Pack, and the Excel and PowerPoint Viewers. Also affected are Excel Services and Word Automation Services on SharePoint 2010, Word Automation Services on SharePoint 2013, and Office Web Apps 2010 and 2013. It is rated important for all.

The update addresses twelve vulnerabilities, ten of which are memory corruption issues. The other two are information disclosure and denial of service vulnerabilities. The update fixes the problems by correcting how Microsoft Office initializes variables and how affected versions of Office and Office components handle objects in memory.

MS16-134 (KB3193706) This is an update for the Common Log File System Driver in all currently supported releases of Windows client and server operating systems, including the Server Core installation. It is rated important for all.

This update addresses ten vulnerabilities, all of which are elevation of privilege issues. The update fixes the problem by correcting how CLFS handles objects in memory.

MS16-135 (KB3199135) This is an update for the Windows Kernel-mode Drivers in all currently supported releases of Windows client and server operating systems, including the Server Core installation. It is rated important for all.

This update addresses five vulnerabilities, which include two information disclosure issues and three elevation of privilege vulnerabilities. The update fixes the problem by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-136 (KB3199641) This is an update for all currently supported editions of Microsoft SQL Server 2012, 2014 and 2016. It is rated important for all.

The update addresses six vulnerabilities, which include three SQL RDBMS Engine elevation of privilege vulnerabilities, one MDS API XSS vulnerability, one SQL Analysis Services information disclosure vulnerability, and one SQL Server Agent elevation of privilege vulnerability. The most severe of these could allow an attacker to gain elevated privileges that could be used to view, change, or delete data, or to create new accounts. The update fixes the most severe vulnerabilities by correcting how SQL Server handles pointer casting.

MS16-137 (KB3199173) This is an update for Windows Authentication Methods in all currently supported releases of Windows client and server operating systems, including the server core installation. It is rated important for all.

The update addresses three vulnerabilities, which include a Virtual Secure Mode Information Disclosure vulnerability, a Local Security Authority Subsystem Service Denial of Service vulnerability and a Windows NTLM Elevation of Privilege vulnerability.

The update fixes the problems by updating Windows NTLM to harden the password change cache, changing the way that LSASS handles specially crafted requests and correcting how Windows Virtual Secure Mode handles objects in memory.

MS16-138 (KB3199647) This is an update for the Microsoft Virtual Hard Disk Driver in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016, including the server core installation. It is rated important for all.

The update addresses four vulnerabilities, all of which are elevation of privilege issues that an attacker could exploit to manipulate files in locations not intended to be available to the user. The update fixes the problem by correcting how the kernel API restricts access to these files.

MS16-139 (KB3199720) This is an update for the Windows kernel in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, including the server core installation. It is rated important for all.

The update addresses a single vulnerability in the way the kernel API enforces permissions, which an attacker could exploit to gain access to information that is not intended for the user, but the attacker would have to be able to locally authenticate. The update fixes the problem by helping to ensure the kernel API correctly enforces access controls.

MS16-140 (KB3193479) This is an update for the Boot Manager in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016, including the server core installation. It is rated important for all.

The update addresses a single vulnerability that exists when Windows Secure Boot improperly loads an affected boot policy. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device. The update fixes the problem by revoking affected boot policies in the firmware.

You can find the full summary of all these updates, with links to each security bulletin, at https://technet.microsoft.com/en-us/library/security/ms16-nov.aspx
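Once the bulletins above have been pushed out, the practical question is which hosts still lack them. The following script is an added example, not code from the GFI post or from Microsoft: it asks the local Windows Update Agent (the `Microsoft.Update.Session` COM API) which updates the host has not yet installed and flags any that belong to the six bulletins this month rates critical. It assumes the host can reach its update source (WSUS or Microsoft Update). Two caveats matter for reading its output: the KB numbers quoted in the summaries above are bulletin article numbers rather than per-package KBs, so the script matches on the bulletin ID the update agent reports instead; and the Office and SQL Server fixes (MS16-133, MS16-136) are only offered to hosts opted into Microsoft Update rather than plain Windows Update.

```powershell
# Added example (not from the GFI post): list updates this host still needs and flag
# the ones that belong to this month's critical bulletins.
# Assumes the host can reach WSUS or Microsoft Update; on Windows 10 the Edge fix
# (MS16-129) ships inside the monthly cumulative update and is reported under that KB.

# Bulletins the post rates critical. Matched by bulletin ID because the bulletin-level
# KB numbers in the summary are article numbers, not the per-package KBs.
$criticalBulletins = 'MS16-129', 'MS16-130', 'MS16-131', 'MS16-132', 'MS16-141', 'MS16-142'

function Get-PendingUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: not yet applied on this host; IsHidden=0: not suppressed by an admin.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title     = $u.Title
            Severity  = $u.MsrcSeverity              # empty for non-security updates
            KBs       = @($u.KBArticleIDs) -join ', '
            Bulletins = @($u.SecurityBulletinIDs)    # e.g. MS16-130
        }
    }
}

function Select-CriticalBulletinUpdate {
    # Pass through only the pending updates whose bulletin IDs are in $Bulletins.
    param(
        [Parameter(ValueFromPipeline)] $Update,
        [string[]] $Bulletins = $criticalBulletins
    )
    process {
        $hits = @($Update.Bulletins | Where-Object { $Bulletins -contains $_ })
        if ($hits.Count -gt 0) { $Update }
    }
}

$pending = @(Get-PendingUpdate)
$pending | Sort-Object Severity | Format-Table Severity, Bulletins, KBs, Title -AutoSize

$missing = @($pending | Select-CriticalBulletinUpdate)
if ($missing.Count -gt 0) {
    Write-Warning ("{0} update(s) from this month's critical bulletins are still pending" -f $missing.Count)
    $missing | Format-Table Bulletins, KBs, Title -AutoSize
}
```

Run it on a representative host after the deployment window; an empty warning list means the agent sees nothing from those bulletins outstanding for that host's configuration, which is a weaker statement than "patched" for products the host does not get updates for through this channel.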

If you don’t want to miss out on future information about important Microsoft vulnerabilities and patches, subscribe to our blog and receive regular news updates in your inbox.


GFI Blog

This Tuesday’s update addresses 49 vulnerabilities within 10 security bulletins, of which five are rated as critical, and four of them are zero-day flaws.

Following the start of the announced changes to the way patches are delivered on Patch Tuesday, which we covered in yesterday’s blog post, Microsoft has released the security bulletins for October 2016. Among the affected products are Edge, Internet Explorer, Office, Windows, Skype for Business, and of course Adobe Flash Player, and most of the critical updates are for remote code execution issues.

MS16-118 (KB 3192887) This is a cumulative security update for Internet Explorer fixing issues which could allow remote code execution if a user views a specially crafted webpage using IE9, 10 or 11, giving the attacker the same user rights as the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by correcting how Internet Explorer handles objects in memory and namespace boundaries.

MS16-119 (KB 3192890) This is a cumulative security update similar to the previous one, this time for the Edge browser, resolving remote code execution issues on Windows 10-based computers using Edge as a primary browser.

The patch modifies how Microsoft Edge and certain functions, like the Chakra JavaScript scripting engine, handle objects in memory, and restricts what information is returned to Microsoft Edge. It also changes the way Microsoft Browsers store credentials in memory and handle namespace boundaries, and corrects how Microsoft Edge Content Security Policy validates documents.

MS16-120 (KB 3192884) Yet another critical fix for remote code execution, but this time for the Microsoft Graphics Component, and it resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.

This update is rated critical for all supported Windows versions, Office 2007 and 2010, Lync/Skype for Business 2010, 2013 and 2016, .NET Framework and Silverlight, and it addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.

Since it affects Windows operating systems from Vista SP2 and Server 2008 SP2 through Windows 10, including Windows RT 8.1, and covers seven CVE-identified vulnerabilities, this patch should not be taken lightly. It is also the only zero-day vulnerability in this batch for which exploits had already been registered.

MS16-122 (KB 3195360) This vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. Of course, if the user is logged on with administrative user rights, an attacker could take control of the affected system.

This security update is rated Critical for Windows Vista, 7, 8.1, RT 8.1, and Windows 10, and it fixes the vulnerability by correcting how Microsoft Video Control handles objects in memory.

MS16-127 (KB 3194343) And, as usual, this Patch Tuesday brought another update for Adobe Flash Player. It updates the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge, on all supported editions of Windows 8.1, RT 8.1, 10, and on Windows Server 2012 and 2012 R2.

The patch covers a set of 13 CVE vulnerabilities, described in Adobe Security Bulletin APSB16-32, and there are several known workarounds and mitigation actions for these issues. Apart from blocking Adobe Flash Player completely, of course.

MS16-121 (KB 3194063) This update resolves an Office RTF remote code execution vulnerability which exists in Microsoft Office, when the Office software fails to properly handle RTF files. It affects Office 2007, 2010, 2013 (including the RT version), 2016, Office for Mac 2011 and 2016, and some other Office apps and services, such as SharePoint Server 2010 and 2013.

An attacker who would successfully exploit this memory corruption vulnerability could run arbitrary code as the current user, and the update fixes the issue by changing the way Microsoft Office apps handle RTF content.

MS16-123 (KB 3192892) This security update resolves several vulnerabilities in various editions of Microsoft Windows, from Vista to 10 and Server 2008 and 2012, the more severe of which could allow an attacker to elevate privileges.

Microsoft has not identified any mitigating factors or workarounds for these five CVE vulnerabilities, and this security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-124 (KB 3193227) Like the previous one, this update fixes a vulnerability that allows attackers to perform unauthorized privilege elevation and gain access to registry information, and corrects it by changing how the kernel API restricts access to this information.

It applies to variants of Microsoft operating systems from Windows Vista SP2 to Windows 10, and addresses four known CVE vulnerabilities, all marked as important.

MS16-125 (KB 3193229) This security update is rated Important for all supported editions of Windows 10, and resolves a vulnerability which could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses this vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.

MS16-126 (KB 3196067) The last update in today’s batch is marked as Moderate, and addresses an information disclosure vulnerability that exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploits this vulnerability could test for the presence of files on disk, but for an attack to be successful the attacker must persuade a user to open a malicious website.

The security update affects Windows Vista, 7, Server 2008 and 2008 R2, and is rated moderate on client and low on server operating systems. Also, note that you must install two updates to be protected from this vulnerability: this one, and the update in MS16-118.

You will find more details about all the updates listed above in the Security Bulletin Summary for October 2016.


Autumn brings falling leaves and a new set of patches, with an unusually large bunch of security patches coming from Apple, and a regular monthly number of patches from other vendors.

Autumn is in the air, the trees are displaying their finest fall colors, the weather is getting cooler, and many of us are already getting psyched up for the holidays ahead. The seasons change, but in the IT industry there’s one constant: pumpkin patches won’t be the only kind of patches we’ll be dealing with as we head into this time of the year.

While we’re in the produce section of the grocery store, try not to upset the Apple cart because you might get buried under the large number of security updates that have been released for iProducts this month. We’re used to seeing only perhaps five or six actual updates, although often one will contain fixes for fifty or more vulnerabilities. This time, Apple has put out a whopping thirteen security patches as of this writing on September 28th.

Other vendors had more typical numbers of patch releases.

Apple released only two patches in August, so I guess they’re making up for that – with a vengeance – this time. The Safari web browser was updated twice, and the iOS mobile operating system got three updates in fewer than thirty days.

On September 1, Apple released two patches:

  • Security update 2016-001 for OS X El Capitan and 2016-005 for OS X Yosemite. These updates for the Mac OS X operating system address two kernel vulnerabilities, one of which could be exploited to disclose kernel memory and the other to execute arbitrary code with kernel privileges.
  • Safari 9.1.3 for OS X Mavericks and Yosemite. This update patches a memory corruption vulnerability that could be exploited to allow a malicious web site to execute arbitrary code.

On September 13, Apple released six patches:

  • iOS 10 for iPhone 5 and above, iPad 4th gen and above, iPod Touch 6th gen and above. This update addresses 49 separate vulnerabilities in the mobile operating system, in components including the kernel, WebKit, Safari Reader, S2 Camera, Messages, Printing UIKit, Mail, GeoServices, FontParser, CoreCrypto, Audio, and more. It also updates the certificate trust policy.
  • iOS 10.0.1 for iPhone 5 and above, iPad 4th gen and above, iPod Touch 6th gen and above. This update, released the same day as the above, addresses a single validation issue that could allow an application to disclose kernel memory.
  • Xcode 8 for OS X El Capitan and later. This update also addresses a single validation issue that could allow an application to disclose kernel memory.
  • watchOS 3, all models. This update addresses nineteen vulnerabilities in Apple’s smart watch operating system, which include memory corruption, input validation, memory disclosure, arbitrary code execution and other issues. Many of these are the same issues addressed in the updates for iOS and OS X.
  • tvOS 10 for Apple TV 4th generation. This update addresses twenty-nine vulnerabilities in the operating system software for the Apple TV media device, which include many of the same issues addressed in the updates for iOS and OS X.
  • iTunes 12.5.1 for Windows 7 and above. This update addresses eleven vulnerabilities in the WebKit component of the iTunes application for Windows, which include parsing and permissions issues, multiple memory corruption issues, a cross-protocol exploitation of non-HTTP services vulnerability, and a certificate validation issue.
  • macOS Sierra 10.12 for OS X El Capitan. This update addresses sixty-five vulnerabilities in various components of Apple’s latest desktop and server operating system, macOS Sierra. (macOS was previously OS X; Apple changed the name to correspond more closely to iOS). The vulnerabilities exist in many components, including apache, the Application Firewall, audio, Bluetooth, crypto and display components, FontParser, the Intel graphics driver, Kerberos, the kernel, S2 Camera, security components, Terminal, WindowServer and more. The vulnerabilities include type confusion, information disclosure, arbitrary code execution, bypass of protection mechanisms, memory corruption, out-of-bounds read issues, denial of service vulnerability, user account vulnerability, a spoofing issue, session management issues, input validation issues, and more.
  • Safari 10 for OS X Yosemite, OS X El Capitan and macOS Sierra. This update addresses twenty-one vulnerabilities in the Safari web browser, which include multiple memory corruption issues, certificate validation vulnerability, cross-protocol exploitation of non-HTTP services, permissions issues, a parsing issue, a state management issue and more in Safari Reader, Safari Tabs and WebKit components.
  • macOS Server 5.2 for macOS Sierra. This update addresses a pair of vulnerabilities in apache and ServerDocs Server components that include an issue in the handling of the HTTP_PROXY environment variable that could allow an attacker to proxy traffic through an arbitrary server and an RC4 cryptographic weakness.
  • iCloud for Windows v6 for Windows 7 and above. This update addresses a single memory corruption vulnerability in the WebKit component of Apple’s iCloud application for Windows that could be exploited to accomplish arbitrary code execution.
  • iOS 10.0.2 for iPhone 5 and above, iPad 4th gen and above, and iPod Touch 6th gen and above. This update for Apple’s mobile operating system includes the security content from iOS 10.0.1.

For more information about this and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe released only one update in August, so we might have expected a deluge this time – but instead we got a pretty typical three patches, all of them originally released on their normal Patch Tuesday schedule, which this month fell on September 13.

  • APSB16-28. This is an update for Adobe Digital Editions for Windows, Mac OS, iOS and Android. Digital Editions (ADE) is Adobe’s ebook reader software. The update addresses seven memory corruption issues and a use-after-free vulnerability, all of which could be exploited to accomplish code execution. The rating is critical.
  • APSB16-29. This is an update for Adobe Flash Player for Windows, Mac OS, Linux and ChromeOS. It addresses twenty-six vulnerabilities including integer overflow, use-after-free, security bypass, and memory corruption issues. Impacts include code execution and information disclosure and the rating is critical.
  • APSB16-31. This is an update for Adobe AIR SDK and Compiler on Windows and Mac OS, which addresses a single vulnerability and adds support for secure transmission of runtime analytics for AIR applications on Android.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html or see the individual bulletins linked in each bullet point above.

On September 13th, Google released a security update for the Chrome web browser on Windows, Mac and Linux desktop operating systems that addresses multiple vulnerabilities. These include two use-after-free issues in Blink, an arbitrary memory read in v8, an extension resource access issue, a popup not correctly suppressed, and a SafeBrowsing bypass issue.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October, so the next regularly scheduled patch release will occur on October 18.

Mozilla released Firefox v49 on September 20th, which contains four critical security fixes, ten rated as high severity, two rated with moderate severity and two rated low, for a total of eighteen vulnerabilities addressed.

  • Buffer overflow when working with empty filters during canvas rendering – critical
  • Potentially exploitable crash caused by buffer overflow when encoding image frames – critical
  • Memory corruption issues – critical
  • More memory corruption issues – critical
  • Heap buffer overflow – high
  • Bad cast when processing layout with input elements – high
  • Potentially exploitable crash in accessibility – high
  • Use-after-free vulnerability triggered by aria-owns attribute – high
  • Use-after-free vulnerability in web animations during restyling – high
  • Use-after-free vulnerability in web animation when destroying timeline – high
  • Use-after-free when changing text direction – high
  • Use-after-free when manipulating SVG content through script – high
  • Timing attack vulnerability using iframes – high
  • Add-on update site certification pin expiration – high
  • Full path to local files available to scripts – moderate
  • Favicons can be loaded through non-whitelisted protocols – moderate
  • Content security policy containing referrer directive with no values can cause crash – low
  • Out-of-bounds read during processing of text runs – low

For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (September 28), Ubuntu has issued twenty-eight security notices this month, which is fewer than usual. Many of these address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates. Here are the Ubuntu security advisories for September:

  • USN-3093-1: ClamAV vulnerabilities – 28th September 2016. It was discovered that ClamAV incorrectly handled certain malformed files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the ClamAV AppArmor profile.
  • USN-3092-1: Samba vulnerability – 28th September 2016. Stefan Metzmacher discovered that Samba incorrectly handled certain flags in SMB2/3 client connections. A remote attacker could use this issue to disable client signing and impersonate servers by performing a man in the middle attack. Samba has been updated to 4.3.11 in Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
  • USN-3090-1: Pillow vulnerabilities – 27th September 2016. It was discovered that a flaw in processing a compressed text chunk in a PNG image could cause the image to have a large size when decompressed, potentially leading to a denial of service.
  • USN-3088-1: Bind vulnerability – 27th September 2016. It was discovered that Bind incorrectly handled building responses to certain specially crafted requests. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
  • USN-3089-1: Django vulnerability – 27th September 2016. Sergey Bobrov discovered that Django incorrectly parsed cookies when being used with Google Analytics. A remote attacker could possibly use this issue to set arbitrary cookies leading to a CSRF protection bypass.
  • USN-3087-2: OpenSSL regression – 23rd September 2016. USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem.
  • USN-3087-1: OpenSSL vulnerabilities – 22nd September 2016. Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. (CVE-2016-6304) Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic.
  • USN-3073-1: Thunderbird vulnerabilities – 22nd September 2016. Christian Holler, Carsten Book, Gary Kwong, Jesse Ruderman, Andrew McCreight, and Phil Ringnalda discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.
  • USN-3076-1: Firefox vulnerabilities – 22nd September 2016. Atte Kettunen discovered an out-of-bounds read when handling certain Content Security Policy (CSP) directives in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash.
  • USN-3085-1: GDK-PixBuf vulnerabilities – 21st September 2016. It was discovered that the GDK-PixBuf library did not properly handle specially crafted bmp images, leading to a heap-based buffer overflow. If a user or automated system were tricked into opening a specially crafted bmp file, a remote attacker could use this flaw to cause GDK-PixBuf to crash.
  • USN-3086-1: Irssi vulnerabilities – 21st September 2016. Gabriel Campana and Adrien Guinet discovered that the format parsing code in Irssi did not properly verify 24bit color codes. A remote attacker could use this to cause a denial of service (application crash).
  • USN-3084-4: Linux kernel (Qualcomm Snapdragon) vulnerabilities – 19th September 2016. Pengfei Wang discovered a race condition in the audit subsystem in the Linux kernel. A local attacker could use this to corrupt audit logs or disrupt system-call auditing.
  • USN-3084-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 19th September 2016. Pengfei Wang discovered a race condition in the audit subsystem in the Linux kernel. A local attacker could use this to corrupt audit logs or disrupt system-call auditing.
  • USN-3084-2: Linux kernel (Xenial HWE) vulnerabilities – 19th September 2016. USN-3084-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Pengfei Wang discovered a race condition in the audit subsystem in the Linux kernel.
  • USN-3084-1: Linux kernel vulnerabilities – 19th September 2016. Pengfei Wang discovered a race condition in the audit subsystem in the Linux kernel. A local attacker could use this to corrupt audit logs or disrupt system-call auditing.
  • USN-3083-2: Linux kernel (Trusty HWE) vulnerabilities – 19th September 2016. USN-3083-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Dmitry Vyukov discovered that the IPv6 implementation in the Linux kernel did not properly handle options data.
  • USN-3083-1: Linux kernel vulnerabilities – 19th September 2016. Dmitry Vyukov discovered that the IPv6 implementation in the Linux kernel did not properly handle options data, including a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3082-2: Linux kernel (OMAP4) vulnerability – 19th September 2016. Chiachih Wu, Yuan-Tsung Lo, and Xuxian Jiang discovered that the legacy ABI for ARM (OABI) had incomplete access checks for epoll_wait(2) and semtimedop(2). A local attacker could use this to possibly execute arbitrary code.
  • USN-3082-1: Linux kernel vulnerability – 19th September 2016. Chiachih Wu, Yuan-Tsung Lo, and Xuxian Jiang discovered that the legacy ABI for ARM (OABI) had incomplete access checks for epoll_wait(2) and semtimedop(2). A local attacker could use this to possibly execute arbitrary code.
  • USN-3081-1: Tomcat vulnerability – 19th September 2016. Dawid Golunski discovered that the Tomcat init script incorrectly handled creating log files. A remote attacker could possibly use this issue to obtain root privileges. (CVE-2016-1240) This update also reverts a change in behaviour introduced in USN-3024-1 by setting mapperContextRootRedirectEnabled to True by default.
  • USN-3080-1: Python Imaging Library vulnerabilities – 15th September 2016. Eric Soroos discovered that the Python Imaging Library incorrectly handled certain malformed FLI or PhotoCD files. A remote attacker could use this issue to cause Python Imaging Library to crash, resulting in a denial of service. (CVE-2016-0775, CVE-2016-2533) Andrew Drake discovered that the Python Imaging Library incorrectly validated input.
  • USN-3058-1: Oxide vulnerabilities – 14th September 2016. An issue was discovered in Blink involving the provisional URL for an initially empty document. An attacker could potentially exploit this to spoof the currently displayed URL. (CVE-2016-5141) A use-after-free was discovered in the WebCrypto implementation in Blink.
  • USN-3079-1: WebKitGTK+ vulnerabilities – 14th September 2016. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
  • USN-3078-1: MySQL vulnerability – 13th September 2016. Dawid Golunski discovered that MySQL incorrectly handled configuration files. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. MySQL has been updated to 5.5.52 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04 LTS has been updated to MySQL 5.7.15.
  • USN-3077-1: OpenJDK 6 vulnerabilities – 12th September 2016. A vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this to expose sensitive data over the network or possibly execute arbitrary code. (CVE-2016-3458) Multiple vulnerabilities were discovered in the OpenJDK JRE related to availability.
  • USN-3075-1: Imlib2 vulnerabilities – 8th September 2016. Jakub Wilk discovered an out of bounds read in the GIF loader implementation in Imlib2. An attacker could use this to cause a denial of service (application crash) or possibly obtain sensitive information. (CVE-2016-3994) Yuriy M. Kaminskiy discovered an off-by-one error when handling coordinates in Imlib2.
  • USN-3074-1: File Roller vulnerability – 8th September 2016. It was discovered that File Roller incorrectly handled symlinks. If a user were tricked into extracting a specially-crafted archive, an attacker could delete files outside of the extraction directory.
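For the class of bug behind USN-3081-1 above (a launcher running as root creating or chowning a log file in a directory the service account can write to, where a symlink planted at the expected path redirects the privileged operation to an arbitrary file), this is an added C example of how such a file should be opened. It is not the Tomcat init script and not Ubuntu's fix; the scratch-directory location and the `catalina.out`, `planted.out` and `victim` names in the self-check are constructed for the demonstration:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if absent) a log file that a privileged launcher will hand
 * to a less-privileged daemon. O_NOFOLLOW makes open() fail with ELOOP
 * instead of following a symlink planted at `path`; fstat() on the returned
 * descriptor then inspects the object we actually hold, so there is no
 * check-then-use window on the path; ownership is fixed with fchown() on
 * that same descriptor, never with chown() on the path.
 * Returns an open fd, or -1 with errno set. */
int open_log_safely(const char *path, uid_t service_uid, mode_t mode) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0) return -1;                               /* ELOOP: path is a symlink */
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode)) {                          /* fifo, device, directory */
        close(fd); errno = EPERM; return -1;
    }
    if (st.st_uid != service_uid && st.st_uid != 0) {    /* pre-planted by someone else */
        close(fd); errno = EPERM; return -1;
    }
    if (st.st_uid != service_uid && fchown(fd, service_uid, (gid_t)-1) < 0) {
        int e = errno; close(fd); errno = e; return -1;  /* freshly created as root: hand over */
    }
    return fd;
}

/* Self-check in a scratch directory (assumption: /tmp or the current
 * directory is writable). Bit 0 set: a plain log path opens. Bit 1 set: a
 * symlink planted at the log path is refused with ELOOP. Returns 3 when
 * both hold. The file names are constructed for the demonstration. */
int run_demo(void) {
    char dir[64], logp[128], victim[128], planted[128];
    int result = 0, fd;
    snprintf(dir, sizeof dir, "/tmp/logsafe.%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0) {
        snprintf(dir, sizeof dir, "./logsafe.%ld", (long)getpid());
        if (mkdir(dir, 0700) < 0) return 0;
    }
    snprintf(logp, sizeof logp, "%s/catalina.out", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);       /* stands in for a root-owned target */
    snprintf(planted, sizeof planted, "%s/planted.out", dir);

    fd = open_log_safely(logp, getuid(), 0640);             /* honest case */
    if (fd >= 0) { result |= 1; close(fd); }

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) close(fd);
    if (symlink(victim, planted) == 0) {                     /* what the attacker plants */
        errno = 0;
        fd = open_log_safely(planted, getuid(), 0640);
        if (fd < 0 && errno == ELOOP) result |= 2;
        else if (fd >= 0) close(fd);
    }
    unlink(planted); unlink(victim); unlink(logp); rmdir(dir);
    return result;
}
```

`run_demo` returns 3 when both checks pass. A shell init script cannot pass `O_NOFOLLOW` itself, so the practical equivalents there are to create the log in a root-owned directory before handing it over, to refuse to continue if `[ -L "$LOG" ]`, and never to run `chown` on a path the service account controls.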

For more information about any of these patches, visit the Ubuntu web site at http://www.ubuntu.com/usn/



GFI Blog

Sysadmins and devs, fresh from a weekend spoiled by last week's OpenSSL emergency patch, have another emergency patch to install.

One of last week's fixes, for CVE-2016-6307, created CVE-2016-6309, a dangling pointer security vulnerability.

As the fresh advisory states: “The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received, then the underlying buffer to store the incoming message is reallocated and moved.

“Unfortunately a dangling pointer to the old location is left, which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.”
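The realloc-and-stale-pointer pattern the advisory describes, as an added illustration in C. This is not OpenSSL's code: the buffer type, the 16k starting capacity and the helper names are constructed for the example. `append_dangling` keeps the shape of the bug (a write pointer computed before the call that may move the block) and is never executed; `append_safe` shows the fix, which derives the pointer from the base and an offset only after the buffer has been grown:

```c
#include <stdlib.h>
#include <string.h>

#define INITIAL_CAP 16384   /* ~16k: the message size the advisory says triggers the move */

/* A growable receive buffer. Only the base pointer is stored; positions
 * inside it are always derived as base + offset at the moment of use. */
struct msgbuf {
    unsigned char *data;
    size_t len;   /* bytes stored */
    size_t cap;   /* bytes allocated */
};

static int msgbuf_init(struct msgbuf *b) {
    b->data = malloc(INITIAL_CAP);
    if (b->data == NULL) return -1;
    b->len = 0;
    b->cap = INITIAL_CAP;
    return 0;
}

/* Ensure room for `need` more bytes. realloc() may move the block, so every
 * raw pointer into b->data computed before this call is dead afterwards. */
static int msgbuf_reserve(struct msgbuf *b, size_t need) {
    size_t ncap = b->cap;
    unsigned char *moved;
    if (b->len + need <= b->cap) return 0;
    while (ncap < b->len + need) ncap *= 2;
    moved = realloc(b->data, ncap);
    if (moved == NULL) return -1;
    b->data = moved;
    b->cap = ncap;
    return 0;
}

/* VULNERABLE shape: the write position is cached as a raw pointer before a
 * call that may reallocate. If the block moves, memcpy() writes into freed
 * memory, which is the crash (or worse) the advisory describes. Kept here
 * for comparison only; the demo never calls it. */
int append_dangling(struct msgbuf *b, const unsigned char *p, size_t n) {
    unsigned char *write_here = b->data + b->len;   /* stale once reserve() moves the block */
    if (msgbuf_reserve(b, n) < 0) return -1;
    memcpy(write_here, p, n);                       /* heap use-after-free when moved */
    b->len += n;
    return 0;
}

/* FIXED shape: grow first, then compute the pointer from base + offset. */
int append_safe(struct msgbuf *b, const unsigned char *p, size_t n) {
    if (msgbuf_reserve(b, n) < 0) return -1;
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

/* Push 5 x 4096 = 20480 bytes through the safe path (crossing the 16k
 * boundary, so at least one realloc happens) and verify every byte landed.
 * Returns the final length, or 0 on any failure. */
size_t demo_large_message(void) {
    struct msgbuf b;
    unsigned char chunk[4096];
    size_t i, len;
    if (msgbuf_init(&b) < 0) return 0;
    memset(chunk, 0xAB, sizeof chunk);
    for (i = 0; i < 5; i++)
        if (append_safe(&b, chunk, sizeof chunk) < 0) { free(b.data); return 0; }
    for (i = 0; i < b.len; i++)
        if (b.data[i] != 0xAB) { free(b.data); return 0; }
    len = b.len;
    free(b.data);
    return len;
}

/* Capacity after exactly one byte more than the initial allocation: shows
 * the growth step that invalidates cached pointers. Returns 0 on failure. */
size_t demo_growth_capacity(void) {
    struct msgbuf b;
    unsigned char fill[INITIAL_CAP];
    size_t cap;
    if (msgbuf_init(&b) < 0) return 0;
    memset(fill, 0, sizeof fill);
    if (append_safe(&b, fill, sizeof fill) < 0 || b.cap != INITIAL_CAP) { free(b.data); return 0; }
    if (append_safe(&b, fill, 1) < 0) { free(b.data); return 0; }
    cap = b.cap;              /* 32768 after doubling */
    free(b.data);
    return cap;
}
```

Build with `-fsanitize=address` and call `append_dangling` with more than 16k of data to see the heap-use-after-free report a fuzzer would have produced for this bug. The rule it illustrates: any pointer into a buffer that a callee may reallocate is invalid after that call and must be recomputed from base plus offset.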

OpenSSL 1.1.0 users need to install 1.1.0b.

That one, rated critical, was turned up by Robert Święcki of the Google Security Team.

In the other bug (CVE-2016-7052), OpenSSL 1.0.2i omitted a certificate revocation list (CRL) sanity check from 1.1.0, meaning “any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.” Grab OpenSSL 1.0.2j to fix that one.

The latest patched code is available from the OpenSSL project or from your favorite operating system distribution. ®



The Register - Security

Vulnerable: Oracle Weblogic Server 12.2.1
Oracle Weblogic Server 10.3.6.0
Oracle Weblogic Server 12.1.3.0
Oracle WebCenter Sites 11.1.1.8.0
Oracle WebCenter Sites 12.2.1.0
Oracle VM VirtualBox 5.0.16
Oracle VM VirtualBox 5.0.14
Oracle VM VirtualBox 5.0.13
Oracle VM VirtualBox 5.0.12
Oracle VM VirtualBox 5.0.11
Oracle VM VirtualBox 5.0.10
Oracle VM VirtualBox 5.0.9
Oracle VM VirtualBox 5.0.8
Oracle VM VirtualBox 5.0.18
Oracle VM VirtualBox 5.0
Oracle Utilities Work and Asset Management 1.9.1.2.8
Oracle Utilities Network Management System 1.12.0.3.5
Oracle Utilities Network Management System 1.12.0.2.12
Oracle Utilities Network Management System 1.12.0.1.16
Oracle Utilities Network Management System 1.11.0.5.4
Oracle Utilities Network Management System 1.11.0.4.41
Oracle Utilities Network Management System 1.10.0.6.27
Oracle Utilities Framework 4.3.0.2.0
Oracle Utilities Framework 4.3.0.1.0
Oracle Utilities Framework 4.2.0.3.0
Oracle Utilities Framework 4.2.0.2.0
Oracle Utilities Framework 4.2.0.1.0
Oracle Utilities Framework 4.1.0.2.0
Oracle Utilities Framework 4.1.0.1.0
Oracle Utilities Framework 2.2.0.0.0
Oracle Transportation Management 6.4.1
Oracle Transportation Management 6.4
Oracle Transportation Management 6.3.5
Oracle Transportation Management 6.3.4
Oracle Transportation Management 6.3.3
Oracle Transportation Management 6.3.2
Oracle Transportation Management 6.3.1
Oracle Transportation Management 6.3.7
Oracle Transportation Management 6.3.6
Oracle Transportation Management 6.3
Oracle Switch ES1-24 1.3
Oracle Sun Network QDR InfiniBand Gateway Switch 0
Oracle Sun Network 10GE Switch 72p 1.2
Oracle Sun Data Center InfiniBand Switch 36 2.2.2
Oracle Sun Blade 6000 Ethernet Switched NEM 24P 10GE 1.2
Oracle SPARC Enterprise M9000 XCP 1118
Oracle SPARC Enterprise M9000 XCP 1117
Oracle SPARC Enterprise M8000 XCP 1118
Oracle SPARC Enterprise M8000 XCP 1117
Oracle SPARC Enterprise M5000 XCP 1118
Oracle SPARC Enterprise M5000 XCP 1117
Oracle SPARC Enterprise M4000 XCP 1118
Oracle SPARC Enterprise M4000 XCP 1117
Oracle SPARC Enterprise M3000 XCP 1118
Oracle SPARC Enterprise M3000 XCP 1117
Oracle Solaris Cluster 4.3
Oracle Solaris Cluster 3.3
Oracle Solaris 11.3
Oracle Solaris 10
Oracle Siebel Applications 8.2.2
Oracle Siebel Applications IP2016
Oracle Siebel Applications IP2015
Oracle Siebel Applications IP2014
Oracle Siebel Applications 8.5
Oracle Siebel Applications 8.1.1
Oracle Secure Global Desktop 5.2
Oracle Secure Global Desktop 4.71
Oracle Secure Global Desktop 4.63
Oracle Retail Store Inventory Management 14.1
Oracle Retail Store Inventory Management 14.0
Oracle Retail Store Inventory Management 13.2
Oracle Retail Store Inventory Management 13.1
Oracle Retail Store Inventory Management 13.0
Oracle Retail Store Inventory Management 12.0
Oracle Retail Service Backbone 15.0
Oracle Retail Service Backbone 14.1
Oracle Retail Service Backbone 14.0
Oracle Retail Service Backbone 13.2
Oracle Retail Service Backbone 13.1
Oracle Retail Service Backbone 13.0
Oracle Retail Returns Management 14.1
Oracle Retail Returns Management 14.0
Oracle Retail Returns Management 13.4
Oracle Retail Returns Management 13.3
Oracle Retail Returns Management 13.2
Oracle Retail Returns Management 13.1
Oracle Retail Returns Management 13.0
Oracle Retail Returns Management 12.0
Oracle Retail Order Broker 5.2
Oracle Retail Order Broker 5.1
Oracle Retail Order Broker 4.1
Oracle Retail Order Broker 15.0
Oracle Retail Integration Bus 15.0
Oracle Retail Integration Bus 14.1
Oracle Retail Integration Bus 14.0
Oracle Retail Integration Bus 13.2
Oracle Retail Integration Bus 13.1
Oracle Retail Integration Bus 13.0
Oracle Retail Central Office 14.1
Oracle Retail Central Office 14.0
Oracle Retail Central Office 13.4
Oracle Retail Central Office 13.3
Oracle Retail Central Office 13.2
Oracle Retail Central Office 13.1
Oracle Retail Central Office 13.0
Oracle Retail Central Office 12.0
Oracle Retail Back Office 14.1
Oracle Retail Back Office 14.0
Oracle Retail Back Office 13.4
Oracle Retail Back Office 13.3
Oracle Retail Back Office 13.2
Oracle Retail Back Office 13.1
Oracle Retail Back Office 13.0
Oracle Retail Back Office 12.0
Oracle Primavera P6 Enterprise Project Portfolio Management 8.4
Oracle Primavera P6 Enterprise Project Portfolio Management 8.3
Oracle Primavera P6 Enterprise Project Portfolio Management 16.1
Oracle Primavera P6 Enterprise Project Portfolio Management 15.2
Oracle Primavera P6 Enterprise Project Portfolio Management 15.1
Oracle Primavera Contract Management 14.2
Oracle Portal 11.1.1.6.0
Oracle Policy Automation for Mobile Devices 12.1.1
Oracle Policy Automation Connector for Siebel 10.4.6
Oracle Policy Automation Connector for Siebel 10.4.5
Oracle Policy Automation Connector for Siebel 10.4.4
Oracle Policy Automation Connector for Siebel 10.4.3
Oracle Policy Automation Connector for Siebel 10.4.2
Oracle Policy Automation Connector for Siebel 10.4.1
Oracle Policy Automation Connector for Siebel 10.4
Oracle Policy Automation Connector for Siebel 10.3
Oracle Policy Automation 12.1.1
Oracle Policy Automation 12.1
Oracle Policy Automation 10.4.6
Oracle Policy Automation 10.4.5
Oracle Policy Automation 10.4.4
Oracle Policy Automation 10.4.3
Oracle Policy Automation 10.4.2
Oracle Policy Automation 10.4.1
Oracle Policy Automation 10.4
Oracle Policy Automation 10.3.1
Oracle Policy Automation 10.3
Oracle PeopleSoft Enterprise PeopleTools 8.55
Oracle PeopleSoft Enterprise PeopleTools 8.54
Oracle PeopleSoft Enterprise PeopleTools 8.53
Oracle PeopleSoft Enterprise FSCM 9.2
Oracle PeopleSoft Enterprise FSCM 9.1
Oracle Oracle Outside In Technology 8.5.2
Oracle Oracle Outside In Technology 8.5.1
Oracle Oracle Outside In Technology 8.5.0
Oracle MySQL Server 5.7
Oracle MySQL Server 5.6.29
Oracle MySQL Server 5.6.28
Oracle MySQL Server 5.6.27
Oracle MySQL Server 5.6.26
Oracle MySQL Server 5.6.23
Oracle MySQL Server 5.6.22
Oracle MySQL Server 5.6.21
Oracle MySQL Server 5.5.48
Oracle MySQL Server 5.5.47
Oracle MySQL Server 5.5.46
Oracle MySQL Server 5.5.45
Oracle MySQL Server 5.5.42
Oracle MySQL Server 5.5.41
Oracle MySQL Server 5.5.40
Oracle MySQL Server 5.6.25
Oracle MySQL Server 5.6.24
Oracle MySQL Server 5.6.20
Oracle MySQL Server 5.6.16
Oracle MySQL Server 5.6.15
Oracle MySQL Server 5.6
Oracle MySQL Server 5.5.44
Oracle MySQL Server 5.5.43
Oracle MySQL Server 5.5.36
Oracle MySQL Server 5.5.35
Oracle Mysql 5.7.12
Oracle Mysql 5.6.30
Oracle Mysql 5.5.49
Oracle MICROS Retail XBRi Loss Prevention 10.8.1
Oracle MICROS Retail XBRi Loss Prevention 10.8
Oracle MICROS Retail XBRi Loss Prevention 10.7
Oracle MICROS Retail XBRi Loss Prevention 10.6
Oracle MICROS Retail XBRi Loss Prevention 10.5
Oracle MICROS Retail XBRi Loss Prevention 10.0.1
Oracle JRockit R28.3.10
Oracle JRE(Windows Production Release) 1.8.0 Update 92
Oracle JRE(Windows Production Release) 1.8.0 Update 91
Oracle JRE(Windows Production Release) 1.7.0 Update 101
Oracle JRE(Windows Production Release) 1.6.0 Update 115
Oracle JRE(Solaris Production Release) 1.8.0 Update 92
Oracle JRE(Solaris Production Release) 1.8.0 Update 91
Oracle JRE(Solaris Production Release) 1.7.0 Update 101
Oracle JRE(Solaris Production Release) 1.6.0 Update 115
Oracle JRE(Linux Production Release) 1.8.0 Update 92
Oracle JRE(Linux Production Release) 1.8.0 Update 91
Oracle JRE(Linux Production Release) 1.7.0 Update 101
Oracle JRE(Linux Production Release) 1.6.0 Update 115
Oracle JDK(Windows Production Release) 1.8.0 Update 92
Oracle JDK(Windows Production Release) 1.8.0 Update 91
Oracle JDK(Windows Production Release) 1.7.0 Update 101
Oracle JDK(Windows Production Release) 1.6.0 Update 115
Oracle JDK(Solaris Production Release) 1.8.0 Update 92
Oracle JDK(Solaris Production Release) 1.8.0 Update 91
Oracle JDK(Solaris Production Release) 1.7.0 Update 101
Oracle JDK(Solaris Production Release) 1.6.0 Update 115
Oracle JDK(Linux Production Release) 1.8.0 Update 92
Oracle JDK(Linux Production Release) 1.8.0 Update 91
Oracle JDK(Linux Production Release) 1.7.0 Update 101
Oracle JDK(Linux Production Release) 1.6.0 Update 115
Oracle JDeveloper 12.1.3.0
Oracle JDeveloper 11.1.2.4.0
Oracle JDeveloper 11.1.1.7.0
Oracle JDeveloper 12.2.1.0.0
Oracle JDeveloper 11.1.1.9.0
Oracle JD Edwards EnterpriseOne Tools 9.2.0.5
Oracle Integrated Lights Out Manager 3.2
Oracle Integrated Lights Out Manager 3.1
Oracle Integrated Lights Out Manager 3.0
Oracle Insurance Rules Palette 9.7.1
Oracle Insurance Rules Palette 9.6.1
Oracle Insurance Rules Palette 10.2.2
Oracle Insurance Rules Palette 10.2.0
Oracle Insurance Rules Palette 10.1.2
Oracle Insurance Rules Palette 10.0.1
Oracle Insurance Policy Administration J2EE 9.7.1
Oracle Insurance Policy Administration J2EE 9.6.1
Oracle Insurance Policy Administration J2EE 10.2.2
Oracle Insurance Policy Administration J2EE 10.2.0
Oracle Insurance Policy Administration J2EE 10.1.2
Oracle Insurance Policy Administration J2EE 10.0.1
Oracle Insurance Calculation Engine 9.7.1
Oracle Insurance Calculation Engine 10.2.2
Oracle Insurance Calculation Engine 10.1.2
Oracle In-Memory Policy Analytics 12.0.1
Oracle Hyperion Financial Reporting 11.1.2.4
Oracle HTTP Server 12c 12.1.3.0
Oracle HTTP Server 11g 11.1.1.9
Oracle Healthcare Master Person Index 4.0.1
Oracle Healthcare Master Person Index 3.0.0
Oracle Healthcare Master Person Index 2.0.12
Oracle Healthcare Analytics Data Integration 3.1.0.0.0
Oracle Health Sciences Information Manager 3.0.1.0
Oracle Health Sciences Information Manager 2.0.2.3
Oracle Health Sciences Information Manager 1.2.8.3
Oracle Health Sciences Clinical Development Center 3.1.2.0
Oracle Health Sciences Clinical Development Center 3.1.1.0
Oracle Glassfish Server 3.1.2
Oracle Glassfish Server 3.0.1
Oracle Glassfish Server 2.1.1
Oracle Fusion Middleware 12.1.3.0.0
Oracle Fusion Middleware 11.1.2.3.0
Oracle Fusion Middleware 11.1.2.2.0
Oracle Fusion Middleware 11.1.1.8.0
Oracle Fusion Middleware 11.1.1.7.0
Oracle Fusion Middleware 12.2.1.0
Oracle Fusion Middleware 11.1.1.9
Oracle Fusion Applications 11.1.10
Oracle Fusion Applications 11.1.9
Oracle Fusion Applications 11.1.8
Oracle Fusion Applications 11.1.7
Oracle Fusion Applications 11.1.6
Oracle Fusion Applications 11.1.5
Oracle Fusion Applications 11.1.4
Oracle Fusion Applications 11.1.3
Oracle Fusion Applications 11.1.2
Oracle Fujitsu M10-4S Server XCP 2290
Oracle Fujitsu M10-4S Server XCP 2271
Oracle Fujitsu M10-4S Server XCP 2230
Oracle Fujitsu M10-4 Server XCP 2290
Oracle Fujitsu M10-4 Server XCP 2271
Oracle Fujitsu M10-4 Server XCP 2230
Oracle Fujitsu M10-1 Server XCP 2290
Oracle Fujitsu M10-1 Server XCP 2271
Oracle Fujitsu M10-1 Server XCP 2230
Oracle FLEXCUBE Direct Banking 12.0.1
Oracle FLEXCUBE Direct Banking 12.0.3
Oracle FLEXCUBE Direct Banking 12.0.2
Oracle Financial Services Lending and Leasing 14.2
Oracle Financial Services Lending and Leasing 14.1
Oracle Exalogic Infrastructure 2.0
Oracle Exalogic Infrastructure 1.0
Oracle Enterprise Manager Ops Center 12.3.2
Oracle Enterprise Manager Ops Center 12.2.2
Oracle Enterprise Manager Ops Center 12.1.4
Oracle Enterprise Manager for Fusion Middleware 11.1.1.9
Oracle Enterprise Manager for Fusion Middleware 11.1.1.7
Oracle Enterprise Manager Base Platform 13.1.0.0
Oracle Enterprise Manager Base Platform 12.1.0.5
Oracle Enterprise Communications Broker 0
Oracle Engineering Data Management 6.2.0.0
Oracle Engineering Data Management 6.1.3.0
Oracle E-Business Suite 12.2.3
Oracle E-Business Suite 12.1.2
Oracle E-Business Suite 12.1.1
Oracle E-Business Suite 12.2.5
Oracle E-Business Suite 12.2.4
Oracle E-Business Suite 12.1.3
Oracle Documaker 0
Oracle Directory Server Enterprise Edition 7.0
Oracle Directory Server Enterprise Edition 11.1.1.7
Oracle Demand Planning 12.2
Oracle Demand Planning 12.1
Oracle Database 12c Release 1 12.1 2
Oracle Database 12c Release 1 12.1 1
Oracle Database 11g Release 2 11.2.0.4
Oracle Communications Unified Session Manager 7.3.5
Oracle Communications Unified Session Manager 7.2.5
Oracle Communications Session Border Controller 7.3.0
Oracle Communications Session Border Controller 7.2.0
Oracle Communications Policy Management 9.9
Oracle Communications Operations Monitor 0
Oracle Communications Network Charging and Control 5.0.2.0.0
Oracle Communications Network Charging and Control 5.0.1.0.0
Oracle Communications Network Charging and Control 5.0.0.2.0
Oracle Communications Network Charging and Control 5.0.0.1.0
Oracle Communications Network Charging and Control 4.4.1.5.0
Oracle Communications Messaging Server 7.0.5.30.0
Oracle Communications Messaging Server 7.0.5.29.0
Oracle Communications Messaging Server 8.0
Oracle Communications Messaging Server 7.0.5.33.0
Oracle Communications Messaging Server 7.0.5
Oracle Communications Messaging Server 7.0
Oracle Communications Messaging Server 6.3
Oracle Communications EAGLE Application Processor 16.0
Oracle Communications Core Session Manager 7.3.5
Oracle Communications Core Session Manager 7.2.5
Oracle Communications ASAP 7.3
Oracle Communications ASAP 7.2
Oracle Communications ASAP 7.0
Oracle Business Intelligence Enterprise Edition 11.2.1.0.0
Oracle Business Intelligence Enterprise Edition 11.1.1.9.0
Oracle Business Intelligence Enterprise Edition 11.1.1.7.0
Oracle BI Publisher 12.2.1.0.0
Oracle BI Publisher 11.1.1.9.0
Oracle BI Publisher 11.1.1.7.0
Oracle Banking Platform 2.5.0
Oracle Banking Platform 2.4.1
Oracle Banking Platform 2.4.0
Oracle Banking Platform 2.3.0
Oracle Application Express 5.0.3
Oracle Application Express 5.0.2
Oracle Application Express 5.0.1
Oracle Application Express 4.2.6
Oracle Application Express 4.2.1
Oracle Application Express 3.2.1.00.10
Oracle Application Express 2.2.1
Oracle Application Express 1.1.3
Oracle Application Express 1.1.2
Oracle Application Express 1.1.1
Oracle Application Express 5.0
Oracle Application Express 4.2.3.00.08
Oracle Application Express 4.2
Oracle Application Express 4.1
Oracle Application Express 4.0
Oracle Application Express 3.2.0.00.27
Oracle Application Express 3.2
Oracle Application Express 2.2
Oracle Application Express 2.1
Oracle Application Express 2.0
Oracle Application Express 1.5
Oracle Agile PLM 9.3.5
Oracle Agile PLM 9.3.4
Oracle Agile Engineering Data Management 6.2.0.0
Oracle Agile Engineering Data Management 6.1.3.0
Oracle Access Manager 10.1.4.3
Oracle Access Manager 10.1.4.2
Oracle Access Manager 10.1.4
Oracle Access Manager 11.1.2.0.0
Oracle Access Manager 11.1.1.7.0
IBM Websphere Application Server 9.0
IBM Websphere Application Server 8.5.5.0 - Liberty Pr
IBM Websphere Application Server 8.5.5 Full Profile
IBM Websphere Application Server 8.5 Liberty Profile
IBM Websphere Application Server 8.5 Full Profile
Citrix NetScaler T1 0
Citrix NetScaler Service Delivery Appliance 0
Citrix NetScaler Gateway 0
Citrix NetScaler Application Delivery Controller (ADC) 0
Citrix Command Center Appliance 0
Citrix CloudBridge 0


SecurityFocus Vulnerabilities

The OpenSSL Project announced on Monday that it will soon release updates that patch several vulnerabilities, including one rated as having “high” severity.

OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u will be released on Thursday, September 22, at around 8:00 UTC. There are only a few details about the upcoming versions, but the OpenSSL Project said one of the issues has high severity, one has moderate severity, and the rest have low impact.

High severity flaws are less likely to be exploitable compared to critical vulnerabilities. OpenSSL developers typically try to address these bugs within a month after learning of their existence.

The OpenSSL Project has once again reminded users that support for version 1.0.1 will end on December 31. The 1.1.0 branch was launched on August 25.

Three rounds of security updates have been released so far this year, patching a total of 16 vulnerabilities. The last updates were announced in early May, when the OpenSSL Project resolved a vulnerability (CVE-2016-2107) introduced in 2013 as part of the fix for the Lucky 13 TLS attack.

The security hole allows a man-in-the-middle (MitM) attacker to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI instructions. Roughly three weeks after the fix was made available, researchers reported that many of the world’s top websites had still not been patched.

Updates released in March addressed DROWN, a cross-protocol attack method that can be exploited to crack encrypted communications and steal potentially sensitive data.



Previous Columns by Eduard Kovacs:



SecurityWeek RSS Feed

Here’s an overview of some of last week’s most interesting news and articles:

Five ways to respond to the ransomware threat
While organizations wrestle with the ever-pressing issue of whether to pay or not to pay if they’re victimized, Logicalis US suggests CXOs focus first on how to protect, thwart and recover from a potential attack.

MySQL 0-day could lead to total system compromise
Researcher Dawid Golunski has discovered multiple severe vulnerabilities affecting the popular open source database MySQL and its forks (e.g. MariaDB, Percona). One of these – CVE-2016-6662 – can be exploited by attackers to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service is restarted.

Organizations must modify their network access policies to address IoT devices
By 2020, 21 billion Internet of Things (IoT) devices will be in use worldwide. Of these, close to 6 percent will be in use for industrial IoT applications.

US 911 emergency system can be crippled by a mobile botnet
What would it take for attackers to significantly disrupt the 911 emergency system across the US? According to researchers from Ben-Gurion University of the Negev’s Cyber-Security Research Center, as little as 200,000 compromised mobile phones located throughout the country.

Microsoft ends Tuesday patches
In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install.

Artificial intelligence in cybersecurity: Snake oil or salvation?
Machine learning is the science of enabling computers to learn and take action without being explicitly programmed. What has this to do with information security? Currently, not that much. But this is set to change.

DDoS and web application attacks keep escalating
Akamai Technologies released its Second Quarter, 2016 State of the Internet / Security Report, which highlights the cloud security landscape, specifically trends with DDoS and web application attacks, as well as malicious traffic from bots.

DDoS downtime calculator based on real-world information
Are you wondering how you can assess the risks associated with a DDoS attack? Incapsula’s free DDoS Downtime Calculator offers case-specific information adjusted to the realities of your organization.

ICS-CERT warns of remotely exploitable power meter flaws
Two remotely exploitable vulnerabilities, one of which can lead to remote code execution, have been found in Schneider Electric’s ION Power Meter products and FENIKS PRO Elnet Energy Meters.

Improve SecOps by making collaboration easier
Ensuring smooth collaboration and sharing between SOC analysts, incident responders, and endpoint and network administrators has its challenges.

Bogus Pokémon GO guide app roots Android devices
The popularity of Pokémon GO is apparently on the wane, but there are still more than enough players to make it a good lure for cyber crooks. In fact, fake apps like the “Guide For Pokémon Go New” recently spotted on Google Play can end up being downloaded by as many as half a million users.

What proposed Rule 41 changes mean for your privacy
Last week, US Senator Ron Wyden took the floor of the Senate to explain why his (and his colleagues’) Stopping Mass Hacking Act should be voted in.

Android apps based on Adobe AIR SDK send out unencrypted data
Developers using the Adobe AIR SDK should update to the latest version of the software development kit and rebuild the apps as soon as possible if they don’t want their users’ traffic being exposed to attackers.

Hack a Nexus from afar, get $200,000
Google has issued a challenge to bug hunters around the world: find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address, and you’ll be handsomely rewarded.

Cyberattacks cost SMBs an average of $86,500
On average, a single cybersecurity incident now costs large businesses a total of $861,000. Meanwhile, SMBs pay an average of $86,500.

6.6 million ClixSense users exposed in wake of site, company hack
If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.

IoT Village uncovers 47 security vulnerabilities across 23 devices
New dangers in both home security and municipal power facilities were revealed as the results of the 2nd Annual IoT Village, held at DEF CON 24 in Las Vegas. More than 47 new vulnerabilities were discovered across 23 different devices from 21 brand name manufacturers.

Ransomware usage explodes, as app, browser and plug-in vulnerabilities increase
Bromium conducted research on cyber attacks and threats affecting enterprise security over the last six months. The good news is while the number of vulnerabilities is steadily increasing, not all exploitable vulnerabilities are actually exploited. The bad news is, criminals are working harder to get protected data.

Stingray use lacks transparency and meaningful oversight
Cell-site simulators – aka Stingrays, aka IMSI catchers – are widely used by US law enforcement, usually without a warrant that such type of surveillance should require.

PCI Council wants more robust security controls for payment devices
The PCI Council has updated its payment device standard to enable stronger protections for cardholder data, which includes the PIN and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or on a mobile device.

Consumers harassed by 30 million spam calls every day
Consumers are giving up twice as much sensitive data as they did the previous year.


Help Net Security

Security researcher Kafeine says one of this week's Microsoft patches addresses a vulnerability the company had known of since last year, and may only have pulled the patching trigger after a spate of banking trojan attacks.

The attacks utilised the low-level flaw (CVE-2016-3351) for cloaking purposes among an arsenal of exploits.

The earliest attacks using the since-defeated exploit date back to January 2014, and it was still in use as recently as July, when Kafeine and others had the campaign stopped.

The most recent of the malvertising campaigns, AdGholas, sent up to a million users every day to the local banking trojans.

The bug was first reported last year and only received a CVE from Microsoft in July when Proofpoint and Trend Micro collaborated on research into the AdGholas and GooNky groups.

Attackers deployed the dangerous Neutrino exploit kit before dropping Terdot.A when they detected UK victims, Gozi ISFB for Canadians, DELoader for Australians, and Gootkit for users browsing from Spain.

The commended Proofpoint malware prober says the low-level bugs fixed this week allowed the now dead Angler exploit kit gang, along with current actors AdGholas and GooNky, to reduce the likelihood their "massive, long running" malvertising campaigns would be detected.

Kafeine says it is an example of why patching small bugs is important.

"The bottom line? As much as possible, software vendors need to maintain comprehensive patching regimens, organisations and users must rethink patching prioritisations, and researchers need to look for new avenues to detect malicious activity," Kafeine says.

The flaw allowed attackers to obtain browser fingerprinting information which could help reveal if virtualised systems were used by potential targets.

Malvertising scams are known for profiling victim machines before deploying payloads in a bid to avoid white hats and extend the amount of time attack campaigns can operate undetected.

Kafeine says researchers found attacks using the flaw back in 2014 after "additional archeological work".

"Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time," Kafeine says.

"In this case, the AdGholas group used such a bug specifically to avoid detection by researcher and vendor automated systems and thus stay below the radar even while they conducted a massive, long-running malvertising operation."

The bank trojans were being dropped until Kafeine and fellow researchers reported the attacks to advertising networks whose infrastructure was being abused. ®



The Register - Security

The September 2016 Patch Tuesday release from Microsoft includes 14 bulletins, seven of which were rated critical; six of those seven address browser security in one form or another.

For September's Patch Tuesday release, experts said MS16-104 and MS16-105 are the standard bulletins for Microsoft's Internet Explorer and Edge browsers, respectively, and should be prioritized because they include patches for remote code execution (RCE) vulnerabilities. But they are not the only browser-relevant bulletins this month, because the web browser is a popular attack vector.

Amol Sarwate, director of Vulnerability Labs at Qualys, Inc., noted that MS16-106, for the Microsoft Graphics Component, MS16-109, for Silverlight, and MS16-116, for the VBScript Scripting Engine, each remediate critical RCE flaws that can be exploited by coercing a victim to visit a malicious website. Additionally, MS16-117 contains critical fixes for Adobe Flash libraries contained in Internet Explorer 10 and 11 and Microsoft Edge.

Lane Thames, security research and software development engineer at Tripwire, said enterprises should note MS16-116. "The catch here is that the vulnerability, identified by CVE-2016-3375, is not fully resolved until the Internet Explorer security updates in MS16-104 are applied." 

MS16-107 includes critical patches for Microsoft Office and SharePoint to resolve a total of 13 vulnerabilities.

Chris Goettl, product manager with Shavlik, said IT should note this bulletin includes "all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007."

"You may see this show up on machines more than once depending on what products and viewers are on each system," Goettl said. "This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management."

The final critical bulletin for September's Patch Tuesday is MS16-108, which handles vulnerabilities in Microsoft Exchange Server. The most severe flaw could allow remote code execution in the Oracle Outside In libraries built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.

However, Goettl said the risk of this vulnerability would be mitigated if an enterprise moved to the cloud.

"At this point, the number of enterprises running Microsoft Exchange on-premises is dwindling as many have moved to Office 365. If you are on Office 365, it's assumed that Microsoft has already rolled this patch out and you can ignore this patch," Goettl said. "If you are still running Exchange on premises, this update should be installed soon. However, after installation, it's worth moving your mail to the cloud."

Thames saw a trend regarding attack vectors and MS16-115, an update to Microsoft's PDF Library.

"PDF has long been a favorite for cyber attackers and criminals. A new trend to notice is Microsoft Windows' PDF library appearing more and more often as a common Patch Tuesday bulletin," Thames said. "Today, Microsoft is releasing MS16-115 as a security update for its PDF Library, which resolves two information disclosure vulnerabilities. This new trend can be seen by the following sequence of bulletins: MS16-012, MS16-068, MS16-080, MS16-102, MS16-105, and MS16-115. This is a collection of security bulletins introduced this year for various vulnerabilities related to PDF in Windows. Administrators should ensure that critical systems, such as servers or other machines that contain sensitive data, do not have these components installed if it is not needed."

Rounding out the rest of the September Patch Tuesday are important bulletins MS16-110 and MS16-114, which fix RCE flaws in Windows and SMBv1 Server; MS16-111 and MS16-112, which resolve elevation of privilege vulnerabilities in the Windows Kernel and Windows Lock Screen; and, MS16-113, which handles an information disclosure issue in the Windows Secure Kernel.

Overall, Craig Young, cybersecurity researcher for Tripwire, said he noticed a positive trend in Microsoft's security bulletins.

"This month Microsoft has indicated that there are only nine vulnerabilities rated as 'exploitation likely' which can result in code execution with all but two of these CVEs existing within browser code. As a point of comparison, there has been a general gradual decline in the number of easily exploited Microsoft bugs over time and even just looking at the past three months, the bulletins averaged having twice as many easily exploited vulnerabilities," Young said. "This trend is even more interesting if we look back at the September 2015 bulletin when there were roughly three times as many vulnerabilities with the 'exploitation likely' rating."



SearchSecurity: Security Wire Daily News

It’s September and business for sysadmins is back to normal, so we got a brand new batch of seven critical and seven important updates.

Am I the only one who’s amazed that September has rolled back around already? For me, it means I get to celebrate (or lament) getting another year older. For others, it means the end of summer, the beginning of the school year, cooler weather (a welcome relief here in Texas), falling leaves, and the start of preparations for the impending holiday season.

For IT pros, it means business as usual. Rain or shine, hot or cold, work day or weekend, in sickness and in health, our users keep on using and our servers have to keep on serving. And keeping them up and running and safe from attack and infiltration, updates are inevitable and never-ending.

This month, Microsoft ushers in the season with fourteen patches for Windows, Edge, IE, Office, Exchange and Adobe Flash Player. Seven are critical; the other half are rated important. The usual suspects make their appearances: memory corruption/remote code execution vulnerabilities, elevation of privilege issues, security feature bypasses, and information disclosure issues.

Let’s take a look at each of these updates in a little more detail, and you can find the full summary with links to each security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-sep.aspx

MS16-104 (KB 3183038) This is the usual monthly cumulative update for Internet Explorer that applies to IE 9, 10 and 11 (all supported versions) on all supported versions of Windows. It is rated critical for client operating systems and moderate for servers, and of course doesn’t apply to server core installations that don’t run a web browser.

The update addresses ten separate vulnerabilities, which include memory corruption, elevation of privilege and information disclosure issues as well as a security feature bypass. The most serious of these can be exploited to accomplish remote code execution. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way Internet Explorer and certain functions handle objects in memory, zone and integrity settings, cross-origin settings and URL files.

MS16-105 (KB 3183043) This is the usual monthly cumulative update for the Edge web browser that applies to Windows 10, and it is rated critical.

The update addresses twelve separate vulnerabilities, which include memory corruption and information disclosure issues. The most serious of these can be exploited to accomplish remote code execution. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way both Edge itself and the Chakra JavaScript scripting engine handle objects in memory, correcting how Edge handles cross-origin requests, and ensuring that Edge properly implements ASLR and properly validates page content.

MS16-106 (KB 3185848) This is an update for the Microsoft Graphics Component in Windows. It affects all supported versions of Windows client and server, including the server core installation. It is rated critical for Windows 10 version 1607, and important for all other versions of Windows.

The update addresses five vulnerabilities, three of which are elevation of privilege issues, one information disclosure issue, and the most serious a remote code execution vulnerability, all stemming from the way the Windows Graphics Device Interface (GDI) works. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way some of the Windows kernel-mode drivers and the GDI handle objects in memory, and by preventing unintended user-mode elevation of privilege.

MS16-107 (KB 3185852) This is an update for Microsoft Office. It applies to the Office suite and the individual Excel, Outlook and PowerPoint applications in Office 2007, 2010, 2013, 2013 RT, and 2016, and Visio 2016, as well as Office for Mac 2011 and 2016, the Office Compatibility Pack, and the Excel, PowerPoint and Word Viewers. It is rated critical.

The update addresses a total of thirteen vulnerabilities, which include an APP-V ASLR bypass, an information disclosure issue, a spoofing vulnerability and ten memory corruption vulnerabilities. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way Office saves documents, how it handles objects in memory, the way Outlook determines the end of MIME messages, and how Click-to-Run components handle memory addresses.

MS16-108 (KB 3185883) This is an update for Microsoft Exchange Server. It applies to Exchange 2007, 2010, 2013 and 2016, and is rated critical for all.

The update addresses three vulnerabilities in Exchange, which include an information disclosure issue, an open redirect vulnerability and an elevation of privilege issue. The update also addresses eighteen vulnerabilities in the Oracle libraries that include remote code execution, information disclosure and denial of service issues. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way Exchange OWA validates web requests and by helping ensure that OWA properly sanitizes user input and email content.

MS16-116 (KB 3188724) This is an update for OLE Automation for the VBScript scripting engine in Windows. It applies to all supported versions of Windows client and server operating systems, including the server core installations. It is rated critical on client computers and moderate on servers.

The update addresses a single memory corruption vulnerability that could allow an attacker to execute arbitrary code in the context of the current user. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by changing the way the OLE Automation mechanism in Windows and the VBScript scripting engine in IE handle objects in memory.

MS16-117 (KB 3188128) This is an update for the Adobe Flash Player on Windows. It applies to Windows 8.1/RT 8.1, Windows 10, and Server 2012/2012 R2. It is rated critical for all.

This update addresses twenty-six separate vulnerabilities in Flash Player that can be exploited through Internet Explorer, by embedding an ActiveX control in an Office document or application, or by uploading malicious content to a web site that hosts user-provided content or advertising.

The good news is that there are both mitigations and workarounds, for those who are unable to install the update. These are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-117.aspx

MS16-109 (KB 3182373) This is an update for Silverlight and applies to version 5 (including Silverlight 5 Developer Runtime) installed on Windows or Mac computers. This includes all supported versions of Windows. It is rated important for all operating systems.

The update addresses a single memory corruption vulnerability in Silverlight, which could be exploited to accomplish remote code execution. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by correcting how Microsoft Silverlight allocates memory for inserting and appending strings in StringBuilder.

MS16-110 (KB 3178467) This is an update for all currently supported versions of the Windows client and server operating system, including the server core installations. It is rated important for all.

The update addresses four separate vulnerabilities, which include an elevation of privilege issue, an information disclosure issue, a denial of service and a remote code execution vulnerability. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by correcting how Windows enforces permissions, preventing NT LAN Manager (NTLM) Single Sign-On (SSO) authentication to non-private SMB resources when users are signed in to Windows via a Microsoft Account (https://www.microsoft.com/account) and connected to a “Guest or public networks” firewall profile, and correcting how Windows handles objects in memory.

MS16-111 (KB 3186973) This is an update for the Windows kernel. It applies to all supported versions of the Windows client and server operating system, including the server core installations. It is rated important for all.

The update addresses five elevation of privilege issues that are due to the way Windows handles session objects, in that a locally authenticated user could hijack the session of another user. To exploit the vulnerabilities, the attacker would have to be able to log on locally with valid credentials. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing how Windows handles session objects, and by correcting how the Windows Kernel API enforces user permissions and restricts access to user information.

MS16-112 (KB 3178469) This is an update for the Windows Lock Screen in Windows 8.1, RT 8.1, Windows 10, and Server 2012 R2 (including the server core installations). It is rated important for all.

The update addresses a single vulnerability that occurs when Windows improperly allows web content to be loaded from the lock screen. This could be exploited to achieve elevation of privilege, but the attacker would have to have physical access to the computer. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by changing the behavior of the Windows lock screen to prevent unintended web content from loading.

MS16-113 (KB 3185876) This is an update for Windows Secure Kernel Mode in Windows 10 and Windows 10 v1511, both the 32- and 64-bit editions. It is rated important.

The update addresses a single information disclosure vulnerability that occurs when Secure Kernel Mode improperly handles objects in memory. The attacker would have to be authenticated locally in order to exploit this vulnerability. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by changing the way Windows handles objects in memory.

MS16-114 (KB 3185879) This is an update to the SMBv1 server component in Windows client and server operating systems. It applies to all supported versions, including the server core installation, but affects different versions in different ways. It is rated important for all.

The update addresses a single vulnerability in SMBv1. Later versions of the SMB server are not affected. In Windows Vista, 7, and Server 2008 and 2008 R2, the vulnerability could allow remote code execution. In later versions of Windows, the impact would be limited to a denial of service. There are both mitigating factors and workarounds published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-114.aspx

The update addresses the problem by changing the way the SMBv1 server handles specially crafted requests.
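As an added example (not from the GFI post or the Microsoft bulletin), the following PowerShell audit reports a host's exposure to MS16-114 using the KB number and the per-version impact described above. It assumes an elevated session, Get-HotFix and Get-CimInstance (all supported Windows versions), and Get-SmbServerConfiguration, which exists only on Windows 8 / Server 2012 and later.

```powershell
# Added example: audit one Windows host for MS16-114 (SMBv1 server).
# Assumes an elevated PowerShell session. Get-SmbServerConfiguration is
# not present on Vista/7/2008, so the SMBv1 state is reported as $null there.

$kb = 'KB3185879'   # KB number from the MS16-114 bulletin summary above

$os  = Get-CimInstance Win32_OperatingSystem
[version]$ver = $os.Version

# Impact per the bulletin: remote code execution on Vista, 7, Server 2008 and
# 2008 R2 (NT 6.0 / 6.1); limited to denial of service on Windows 8 and later.
$impact = if ($ver -lt [version]'6.2') { 'remote code execution' }
          else                          { 'denial of service' }

# Get-HotFix lists updates installed through Windows Update or an MSU package.
# Caveat: on Windows 10 the fix ships inside the monthly cumulative update and
# later cumulative updates supersede it, so a missing entry alone does not
# prove the host is unpatched; confirm against the installed build as well.
$installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# SMBv1 server state; disabling SMBv1 is the bulletin's published workaround
# and removes the attack surface regardless of patch state.
$smb1 = $null
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OSVersion       = $ver
    UnpatchedImpact = $impact
    KBInstalled     = $installed
    SMB1Enabled     = $smb1
    # Exposed when the KB is absent and SMBv1 is enabled or its state is unknown.
    Exposed         = (-not $installed) -and ($smb1 -ne $false)
}
```

On hosts that report SMB1Enabled as true but have no legacy clients depending on it, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` applies the workaround independently of the patch.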

MS16-115 (KB 3188733) This is an update to the Windows PDF library. It applies to Windows 8.1/RT 8.1, Windows 10, and Windows Server 2012 and 2012 R2. It is rated important.

The update addresses a pair of information disclosure vulnerabilities in the PDF library that are due to the way the component handles objects in memory. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problem by changing the way certain functions handle objects in memory.



GFI Blog