November is past, and most of the northern hemisphere is seeing cooler weather. In the U.S., Thanksgiving has come and gone. In the IT world, we have plenty to be thankful for as we head toward a new year that will bring new technologies to make our jobs easier, but also new challenges.
‘Tis the season for hackers and attackers to ramp up their efforts and take advantage of users who are distracted by holiday activities and obligations. There have been some high profile incidents, including a breach of Planned Parenthood’s network that exposed patients’ addresses, insurance information, and medical records. Meanwhile, AT&T has been working to take down a botnet discovered inside its network. Ikea was targeted in a cyber attack that spread malware through internal email, and Panasonic disclosed a security breach that resulted in unauthorized access to data on a file server.
There is good news, though: the bad guys don’t always win. Interpol announced that they have arrested over a thousand cybercriminals across twenty countries in a four-month crackdown called Operation HAECHI-II, focusing on online financial crime.
Meanwhile, it’s up to all of us to do our part by ensuring that the security updates issued by software vendors are installed in a timely manner to protect our systems and networks from exploits. Let’s take a look at some of those patches that were released in November.
Apple
You might recall that October was a fairly heavy patch release month for Apple, with a total of eleven updates for operating systems across their product line. November saw only four updates, and three of those had no published CVE entries. The one that did was:
- iCloud for Windows, for Windows 10 and later (available via the Microsoft Store). This update patches six vulnerabilities in the Foundation, ImageIO, and WebKit components. These include a type confusion issue, multiple memory corruption issues, and a logic issue. The most serious could lead to arbitrary code execution.
The remaining three updates include:
- watchOS 8.1.1 for Apple Watch Series 7
- iOS 15.1.1 for iPhone 12 and later
- tvOS 15.1.1 for Apple TV 4K and Apple TV HD
For more information about current and past patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222
Adobe
Adobe had a light month in November, too. That was a relief after the fourteen patches fixing 92 vulnerabilities that we saw in October. Here are this past month’s updates:
- APSB21-87: Security hotfix available for RoboHelp Server – This update addresses a single path traversal vulnerability in RoboHelp Server running on Windows, which could lead to arbitrary code execution. It is rated critical.
- APSB21-110: Security update available for Adobe InCopy – This update addresses a pair of vulnerabilities in InCopy running on Windows and macOS, one rated critical and one important: an access of memory location after end of buffer, and a null pointer dereference. The first could lead to arbitrary code execution and the second could be exploited to cause an application denial of service.
- APSB21-111: Security update available for Adobe Creative Cloud – This update addresses two vulnerabilities in Creative Cloud running on macOS, both rated important. One causes creation of a temporary file in a directory with incorrect permissions and the other is an improper access control issue. The first can result in an application denial of service and the second in privilege escalation.
For more information, see the security bulletin summary at https://helpx.adobe.com/security.html
Chrome OS
Google released its most recent stable channel update for Chrome OS on November 30, as version 96.0.4664.77.
Chrome web browser
Chrome 96 for iOS was released on November 18.
Chrome 96 for Android was released on November 15.
Google also announced the release of the latest stable update for the Chrome desktop browser for Windows, Mac, and Linux on November 15. This update includes twenty-five security fixes. Those rated high severity include:
- CVE-2021-38008: Use after free in media.
- CVE-2021-38009: Inappropriate implementation in cache.
- CVE-2021-38006: Use after free in storage foundation.
- CVE-2021-38007: Type Confusion in V8.
- CVE-2021-38005: Use after free in loader.
- CVE-2021-38010: Inappropriate implementation in service workers.
- CVE-2021-38011: Use after free in storage foundation.
The following patched vulnerabilities are rated medium severity:
- CVE-2021-38012: Type Confusion in V8.
- CVE-2021-38013: Heap buffer overflow in fingerprint recognition.
- CVE-2021-38014: Out of bounds write in SwiftShader.
- CVE-2021-38015: Inappropriate implementation in input.
- CVE-2021-38016: Insufficient policy enforcement in background fetch.
- CVE-2021-38017: Insufficient policy enforcement in iframe sandbox.
- CVE-2021-38018: Inappropriate implementation in navigation.
- CVE-2021-38019: Insufficient policy enforcement in CORS.
- CVE-2021-38020: Insufficient policy enforcement in contacts picker.
- CVE-2021-38021: Inappropriate implementation in referrer.
Finally, one vulnerability is rated as low severity:
- CVE-2021-38022: Inappropriate implementation in WebAuthentication.
For more information, see https://chromereleases.googleblog.com/
Android OS
The 2021-11-01 security patch addresses eight vulnerabilities in Framework, two in Media Framework, eight in System, as well as three Google Play system update issues included in Project Mainline components.
The most severe of these could enable an attacker to gain access to additional permissions with no user interaction required, enable a local malicious application to bypass user interaction requirements to gain access to additional permissions, and enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged user.
For more information, see https://source.android.com/security/bulletin/2021-10-01
Oracle
Oracle normally releases its critical patch updates on a quarterly cycle, in January, April, July and October. The most recent update was released on October 19th. It addresses 231 different vulnerabilities with 419 security fixes across 28 of Oracle’s product families. Thirty-six of the patches are rated critical.
The next critical patch update will be released on January 18, 2022.
Oracle customers can read more about the current patch release on the Oracle web site at https://www.oracle.com/security-alerts/cpuoct2021.html
Mozilla Firefox
On November 2, Mozilla released Firefox 94, which contains fixes for thirteen vulnerabilities: seven rated high severity, four rated moderate severity, and two rated low severity.
The following vulnerabilities are rated high severity:
- CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets – The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
- CVE-2021-38504: Use-after-free in file picker dialog – When interacting with an HTML input element’s file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.
- CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data – Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user’s Microsoft account. This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.
- CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning – Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.
- CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports – The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt in to opportunistic encryption, a network attacker could redirect a connection from the browser that was destined for port 443 to port 8443 instead, causing the browser to treat the content served on port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
- MOZ-2021-0003: Universal XSS in Firefox for Android via QR Code URLs – A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code.
- MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 – Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
The following vulnerabilities are rated moderate severity:
- CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing – By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
- MOZ-2021-0004: Web Extensions could access pre-redirect URL when their context menu was triggered by a user – When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin violation leaking data the Web Extension should not have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-XXX but in the context of Web Extensions.
- CVE-2021-38509: JavaScript alert box could have been spoofed onto an arbitrary domain – Due to an unusual sequence of attacker-controlled events, a JavaScript alert() dialog with arbitrary (although unstyled) contents could be displayed over top of an uncontrolled webpage of the attacker’s choosing.
- CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS – The executable file warning was not presented when downloading .inetloc files, which can run commands on a user’s computer. Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.
SAP
On November 9, SAP released the following security patches:
- 11 new and updated SAP Security Notes released – This includes only one HotNews note and three High Priority notes. This is a relatively calm patch day for SAP, with only eight new security notes since October; only three new notes above CVSS 7.0 is a record low number for the year. Nevertheless, the lower-rated notes should not be left unaddressed, as some of these vulnerabilities can be used to launch follow-up attacks, e.g., through impersonation of users or exploiting transport permissions.
- Update to Onapsis Found Vulnerability in CA Introscope Enterprise Manager – High Priority Note #2971638 is an update of a vulnerability in CA Introscope Enterprise Manager that was detected in 2020 by the Onapsis Research Labs. Hard-coded default passwords for the Admin and the Guest user allowed a remote attacker to bypass authentication, compromising the confidentiality of the service.
- ABAP Platform Kernel Patch the most Critical – SAP Security Note #3099776, tagged with a CVSS score of 9.6, patches a Missing Authorization Check vulnerability in ABAP Platform Kernel that can result in an escalation of privileges for an authenticated business user. SAP optimistically labeled the CVSS vector of the vulnerability as low impact on availability despite the fact that a business user “is able to read and modify data.”
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Since last month’s roundup, Ubuntu has issued the following thirty-seven security advisories. Some of these advisories address multiple vulnerabilities in one advisory. In some cases, there are multiple advisories for the same vulnerabilities, applicable to different versions of the OS. Other commercial Linux vendors issued a similar number of updates.
Many of this month’s fixes are for vulnerabilities in the Linux kernel. For more details about the vulnerabilities listed below, see the Security notices page on the Ubuntu web site or click on the links to the individual notices.
- USN-5165-1: Linux kernel (OEM) vulnerabilities
- USN-5164-1: Linux kernel vulnerabilities
- USN-5163-1: Linux kernel vulnerabilities
- USN-5162-1: Linux kernel vulnerabilities
- USN-5161-1: Linux kernel vulnerabilities
- USN-5158-1: ImageMagick vulnerabilities
- USN-5156-1: ICU vulnerability
- USN-5155-1: BlueZ vulnerabilities
- USN-5154-1: FreeRDP vulnerabilities
- USN-5153-1: LibreOffice vulnerabilities
- USN-5152-1: Thunderbird vulnerabilities
- USN-5151-1: Mailman vulnerabilities
- USN-5150-1: OpenEXR vulnerability
- USN-5149-1: AccountsService vulnerability
- USN-5148-1: hivex vulnerability
- USN-5147-1: Vim vulnerabilities
- USN-5146-1: Thunderbird vulnerabilities
- USN-5145-1: PostgreSQL vulnerabilities
- USN-5144-1: OpenEXR vulnerability
- USN-5142-1: Samba vulnerabilities
- USN-5141-1: Firejail vulnerability
- LSN-0082-1: Kernel Live Patch Security Notice
- USN-5137-2: Linux kernel vulnerabilities
- USN-5140-1: Linux kernel (OEM 5.14) vulnerabilities
- USN-5139-1: Linux kernel (OEM 5.10) vulnerabilities
- USN-5138-1: python-py vulnerability
- USN-5137-1: Linux kernel vulnerabilities
- USN-5136-1: Linux kernel vulnerabilities
- USN-5130-1: Linux kernel vulnerabilities
- USN-5134-1: Docker vulnerability
- USN-5135-1: Linux kernel vulnerability
- USN-5133-1: ICU vulnerability
- USN-5132-1: Thunderbird vulnerabilities
- USN-5131-1: Firefox vulnerabilities
- USN-5128-1: Ceph vulnerabilities
- USN-5127-1: WebKitGTK vulnerabilities
- USN-5121-2: Mailman vulnerabilities