TechGenix Patch Central: February non-Microsoft patches

February may be the shortest month, but in this leap year, it was certainly not a slow news month. The focus has been on the physical threat of the COVID-19 epidemic, and cyberthreats have taken a back seat for the moment, but that doesn’t mean hackers and attackers have slowed down in their efforts to infiltrate systems, disrupt services, and hold data hostage.

The month saw 105 reported security breach incidents that resulted in 623 million records compromised, according to the UK’s IT Governance site.

Keeping your networks and devices safe is as important as ever. Applying security updates as soon as possible after release is still a top priority for IT admins and security pros. Some of you may find yourselves with more time to do it, given the cancellation of several popular events such as Black Hat Asia, Mobile World Congress, Cisco’s Live Melbourne event, IDC’s Directions conference, Facebook’s developer conference, and even Google I/O. Some events that did happen were without some of their scheduled sponsors; AT&T, Verizon, and IBM Security all pulled out of RSA 2020 due to concerns about the coronavirus.

Here’s hoping this real-world virus dies out soon and life gets back to normal. Meanwhile, software companies remain diligent in creating and releasing patches to keep your digital systems healthy. Let’s look at what has come down the pike from the major non-Microsoft vendors in the past month. (For a look at the February patches from Microsoft, click here.)

Apple

Apple released ten product patches in January, but February brought only two updates, both for their watchOS, and neither containing any published CVE information. Both were released on Feb. 18.

  • watchOS 6.1.3 for Apple Watch Series 1 and later
  • watchOS 5.3.5 for Apple Watch Series 1, Apple Watch Series 2, Apple Watch Series 3, and Apple Watch Series 4 when paired to an iPhone with iOS 12 installed.

For more information about current and past patches and the vulnerabilities that they address, see the Apple Support website.

Adobe

Unlike Apple, Adobe released more patches than usual in February, for a number of their products, including their most popular and widely-installed software.

The following were released on Adobe’s usual Patch Tuesday schedule, on Feb. 11:

  • APSB20-08 Security update available for Adobe Experience Manager running on all platforms – This is a pair of priority 2 hotfixes to resolve a vulnerability in AEM versions 6.5 and 6.4 rated Important. Successful exploitation could result in a denial-of-service condition.
  • APSB20-07 Security update available for Adobe Digital Editions running on Windows – This is a priority 3 update that resolves a critical command injection vulnerability that could result in arbitrary code execution and an important buffer errors vulnerability that could result in information disclosure.
  • APSB20-06 Security updates available for Adobe Flash Player running on Windows, macOS, Linux, and Chrome OS – This is a priority 2 update that addresses a critical vulnerability in Adobe Flash Player. Successful exploitation could lead to arbitrary code execution in the context of the current user.
  • APSB20-05 Security update available for Adobe Acrobat and Reader running on Windows and macOS – This is a priority 2 update that addresses six vulnerabilities, four of which are critical: a privilege escalation issue that could result in arbitrary file system write, and heap overflow, buffer errors, and use-after-free vulnerabilities, all of which could result in arbitrary code execution. Also addressed are an important out-of-bounds read vulnerability that could result in information disclosure and a stack exhaustion vulnerability that could result in a memory leak.
  • APSB20-04 Security Updates Available for Adobe Framemaker running on Windows – This is a priority 3 update that addresses four critical vulnerabilities: a buffer error, heap overflow, memory corruption, and out-of-bounds write vulnerability, all of which can result in arbitrary code execution.

Two more patches were released on Feb. 19:

  • APSB20-10 Security update available for Adobe Media Encoder running on Windows – This is a priority 3 update for a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.
  • APSB20-09 Security update available for Adobe After Effects running on Windows – This is a priority 3 update for a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.

For more information, see the Adobe security bulletin summary.

Google

On Feb. 4, Google released the stable channel version of Chrome v80 for Windows, Mac, and Linux, containing 56 security fixes that included patches for at least 10 issues of high severity. On Feb. 24, build 80.0.3987.122 of the desktop browser was released, containing fixes for three more high severity vulnerabilities.

Google also released Chrome 80 for Android on Feb. 24. For more information, see the Google blog.

Android

This month’s Android Security Bulletin was published on Feb. 3 and updated on Feb. 5. The most severe of the issues addressed is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

Also fixed was a high severity vulnerability in the Framework component that could enable a local malicious application to bypass user interaction requirements to gain access to additional permissions.

For more information about the vulnerabilities that are addressed by the Android updates, see the Android security bulletin.

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July, and October. The most recent critical patch update occurred on Jan. 14. The next scheduled release will be on April 14.

Oracle customers can read more about the current patch release on the Oracle website.

Mozilla

On February 11th, Mozilla released Firefox 73 with patches for the following vulnerabilities:

High severity:

CVE-2020-6796: Missing bounds check on shared memory read in the parent process. A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable crash.

CVE-2020-6800: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5. Mozilla developers and community members Raul Gurzau, Tyson Smith, Bob Clary, Liz Henry, and Christian Holler reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2020-6801: Memory safety bugs fixed in Firefox 73. Mozilla developers Jason Kratzer, Tyson Smith, and Christian Holler reported memory safety bugs present in Firefox 72. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Moderate severity:

CVE-2020-6797: Extensions granted downloads.open permission could open arbitrary applications on Mac OSX. By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user’s computer. The attacker is restricted as they are unable to download non-quarantined files or supply command-line arguments to the application, limiting the impact. Note: this issue only occurs on Mac OSX. Other operating systems are unaffected.

CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection. If a <template> tag was used in a <select> tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result.

CVE-2020-6799: Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader. Command-line arguments could have been injected during Firefox invocation as a shell handler for certain unsupported file types. This required Firefox to be configured as the default handler for a given file type and for a file downloaded to be opened in a third party application that insufficiently sanitized URL data. In that situation, clicking a link in the third party application could have been used to retrieve and execute files whose location was supplied through command line arguments. Note: This issue only affects Windows operating systems and when Firefox is configured as the default handler for non-default filetypes. Other operating systems are unaffected.

Mozilla has more information about these and other vulnerabilities on its website.

Linux

Popular Linux distros, as usual, have seen several security advisories and updates this month. As of Feb. 29, Ubuntu has issued the following thirty-nine security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-4278-3: Firefox regressions. USN-4278-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox.
  • USN-4278-2: Firefox vulnerabilities. USN-4278-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service.
  • USN-4292-1: rsync vulnerabilities. It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib.
  • USN-4291-1: mod-auth-mellon vulnerability. It was discovered that mod_auth_mellon incorrectly handled certain requests. An attacker could use this issue to redirect a user to a malicious URL.
  • USN-4290-1: libpam-radius-auth vulnerability. It was discovered that libpam-radius-auth incorrectly handled certain long passwords. A remote attacker could use this issue to cause libpam-radius-auth to crash, resulting in a denial of service.
  • USN-4289-1: Squid vulnerabilities. Jeriko One discovered that Squid incorrectly handled memory when connected to an FTP server. A remote attacker could use this issue to obtain sensitive information from Squid memory. (CVE-2019-12528) Regis Leroy discovered that Squid incorrectly handled certain HTTP requests.
  • USN-4288-1: ppp vulnerability. It was discovered that ppp incorrectly handled certain rhostname values. A remote attacker could use this issue to cause ppp to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-4279-1 fixed vulnerabilities in PHP. The updated packages caused a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that PHP incorrectly handled certain scripts. An attacker could use this issue to cause a denial of service.
  • USN-4284-1: Linux kernel vulnerabilities. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information.
  • USN-4287-2: Linux kernel (Azure) vulnerabilities. USN-4287-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux kernel for Microsoft Azure Cloud systems for Ubuntu 14.04 ESM. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.
  • USN-4286-2: Linux kernel (Xenial HWE) vulnerabilities. USN-4286-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics.
  • USN-4286-1: Linux kernel vulnerabilities. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel.
  • USN-4287-1: Linux kernel vulnerabilities. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information.
  • USN-4285-1: Linux kernel vulnerabilities. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that the HSA Linux kernel driver for AMD GPU devices did not properly check for errors in certain situations.
  • USN-4283-1: QEMU vulnerabilities. Felipe Franciosi, Raphael Norwitz, and Peter Turschmid discovered that QEMU incorrectly handled iSCSI server responses. A remote attacker in control of the iSCSI server could use this issue to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary code.
  • USN-4280-2: ClamAV vulnerability. USN-4280-1 fixed a vulnerability in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled memory when the Data-Loss-Prevention (DLP) feature was enabled.
  • USN-4282-1: PostgreSQL vulnerability. It was discovered that PostgreSQL incorrectly performed authorization checks when handling the “ALTER … DEPENDS ON EXTENSION” sub-commands. A remote attacker could use this issue to drop any function, procedure, materialized view, index, or trigger under certain conditions.
  • USN-4281-1: WebKitGTK+ vulnerabilities. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
  • USN-4280-1: ClamAV vulnerability. It was discovered that ClamAV incorrectly handled memory when the Data-Loss-Prevention (DLP) feature was enabled. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service.
  • USN-4279-1: PHP vulnerabilities. It was discovered that PHP incorrectly handled certain scripts. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. (CVE-2015-9253) It was discovered that PHP incorrectly handled certain inputs.
  • USN-4278-1: Firefox vulnerabilities. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, conduct cross-site scripting (XSS) attacks, or execute arbitrary code.
  • USN-4277-1: libexif vulnerabilities. Liu Bingchang discovered that libexif incorrectly handled certain files. An attacker could use this issue to access sensitive information or cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS.
  • USN-4276-1: Yubico PIV Tool vulnerabilities. It was discovered that libykpiv, a supporting library of the Yubico PIV Tool and YubiKey PIV Manager, mishandled specially crafted input. An attacker with a custom-made, malicious USB device could potentially execute arbitrary code on a computer running the Yubico PIV Tool or Yubikey PIV Manager.
  • USN-4274-1: libxml2 vulnerabilities. It was discovered that libxml2 incorrectly handled certain XML files. An attacker could use this issue to cause a denial of service. (CVE-2019-19956, CVE-2020-7595)
  • USN-4275-1: Qt vulnerabilities. It was discovered that Qt incorrectly handled certain PPM images. If a user or automated system were tricked into opening a specially crafted PPM file, a remote attacker could cause Qt to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
  • USN-4250-2: MariaDB vulnerability. It was discovered that an unspecified vulnerability existed in the C API component of MariaDB. An attacker could use this to cause a denial of service for MariaDB clients. MariaDB has been updated to 10.3.22 in Ubuntu 19.10 and 10.1.44 in Ubuntu 18.04 LTS.
  • USN-4273-1: ReportLab vulnerability. It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could use this issue to execute arbitrary code.
  • USN-4272-1: Pillow vulnerabilities. It was discovered that Pillow incorrectly handled certain images. An attacker could use this issue to cause a denial of service. (CVE-2019-16865, CVE-2019-19911) It was discovered that Pillow incorrectly handled certain images. An attacker could use this issue to execute arbitrary code.
  • USN-4271-1: Mesa vulnerability. Tim Brown discovered that Mesa incorrectly handled shared memory permissions. A local attacker could use this issue to obtain and possibly alter sensitive information belonging to another user.
  • USN-4270-1: Exiv2 vulnerability. It was discovered that Exiv2 incorrectly handled certain images. An attacker could use this issue to cause a denial of service.
  • USN-4269-1: systemd vulnerabilities. It was discovered that systemd incorrectly handled certain PIDFile files. A local attacker could use this issue to trick systemd into killing privileged processes. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-16888) It was discovered that systemd incorrectly handled certain udevadm trigger commands.
  • USN-4268-1: OpenSMTPD vulnerability. It was discovered that OpenSMTPD incorrectly verified the sender’s or receiver’s e-mail addresses under certain conditions. An attacker could use this vulnerability to execute arbitrary commands as root.
  • USN-4263-2: Sudo vulnerability. USN-4263-1 fixed a vulnerability in Sudo. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Joe Vennix discovered that Sudo incorrectly handled memory operations when the pwfeedback option is enabled.
  • USN-4267-1: ARM mbed TLS vulnerabilities. It was discovered that mbedtls has a bounds-check bypass through an integer overflow that can be used by an attacker to execute arbitrary code or cause a denial of service. (CVE-2017-18187) It was discovered that mbedtls has a vulnerability where an attacker could execute arbitrary code or cause a denial of service (buffer overflow).
  • USN-4266-1: GraphicsMagick vulnerabilities. It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could use this issue to cause a denial of service or other unspecified impact.
  • USN-4265-2: SpamAssassin vulnerabilities. USN-4265-1 fixed several vulnerabilities in SpamAssassin. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM. Original advisory details: It was discovered that SpamAssassin incorrectly handled certain CF files.
  • USN-4265-1: SpamAssassin vulnerabilities. It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially crafted CF file, a remote attacker could run arbitrary code.
  • USN-4264-1: Django vulnerability. Simon Charette discovered that Django incorrectly handled input in the PostgreSQL module. A remote attacker could use this to perform SQL injection attacks.
  • USN-4263-1: Sudo vulnerability. Joe Vennix discovered that Sudo incorrectly handled memory operations when the pwfeedback option is enabled. A local attacker could use this issue to obtain unintended access to the administrator account.
