It is Patch Tuesday June 2016, and Microsoft is coming out with 16 bulletins fixing over 40 distinct vulnerabilities (CVEs). That brings the half-year total to 81 bulletins, which projects to over 160 bulletins for 2016, a new record in terms of patches for the last decade.
Update: Adobe released the patch for Adobe Flash that addresses the current 0-day CVE-2016-4117 in APSB16-15. It also patches another 24 vulnerabilities that are mostly rated critical. Patch as quickly as possible. Chrome and Internet Explorer 11/Edge users will get their patches from Google and Microsoft automatically.
Original: Today is the second Tuesday of the month, when both Microsoft and Adobe publish the security updates to their products – the so-called Patch Tuesday.
But before we get into the details of their updates for the month (17 in all), let’s reiterate the urgency of another vulnerability that might have slipped by you. The popular open source program ImageMagick is currently under active attack on the Internet. Vulnerability CVE-2016-3714 (called ImageTragick in the associated vulnerability branding campaign) allows for remote code execution (RCE) through image uploads. At the moment no patch is available, but a workaround has been published that neutralizes current attacks. We recommend the same thing the attackers are doing: scan your infrastructure for occurrences of ImageMagick and then apply the workaround in the policy.xml file. I did this immediately on my sites, even though I use ImageMagick only in command-line mode for thumbnail creation. BTW, the workaround has become more complete over the last 2 weeks, so it is worth taking another look even if you have applied it already…
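The policy.xml workaround is easy to apply once but, as the post notes, it has grown over time, so a repeatable check is worth having. The script below is an added example (not code from the original post or from the ImageMagick project): it parses a policy.xml, reports which of the workaround's coder and path entries are still missing, and can emit a hardened copy. The list of coders it expects to be blocked follows the published ImageTragick workaround as I know it; treat it as an assumption and compare it with the current published version. The sample policies are constructed inline; real policy.xml files also carry a DOCTYPE, which the parser accepts.

```python
"""Check an ImageMagick policy.xml for the ImageTragick (CVE-2016-3714) workaround.

Added example. Reports the workaround entries a policy still lacks and can
append them. It never touches the system file on its own; the caller decides
which path to read and where to write the result.
"""
import xml.etree.ElementTree as ET

# Coders the published workaround disables (rights="none"). Assumption: this
# mirrors the circulated policy.xml; verify against the current published text.
REQUIRED_CODER_BLOCKS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                         "TEXT", "SHOW", "WIN", "PLT")
# The "@*" path pattern blocks the @file syntax that reads arbitrary files.
REQUIRED_PATH_BLOCKS = ("@*",)


def _blocked_entries(root):
    """Collect (domain, PATTERN) pairs that carry rights="none"."""
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("rights", "").strip().lower() == "none":
            blocked.add((pol.get("domain", "").lower(),
                         pol.get("pattern", "").upper()))
    return blocked


def missing_workaround_entries(policy_xml: str):
    """Return the (domain, pattern) pairs the policy does not yet block."""
    root = ET.fromstring(policy_xml)
    blocked = _blocked_entries(root)
    wanted = ([("coder", c) for c in REQUIRED_CODER_BLOCKS]
              + [("path", p) for p in REQUIRED_PATH_BLOCKS])
    return [entry for entry in wanted if entry not in blocked]


def harden_policy(policy_xml: str) -> str:
    """Return the policy text with every missing workaround entry appended."""
    root = ET.fromstring(policy_xml)
    for domain, pattern in missing_workaround_entries(policy_xml):
        ET.SubElement(root, "policy",
                      {"domain": domain, "rights": "none", "pattern": pattern})
    return ET.tostring(root, encoding="unicode")


# Constructed samples (not real deployment files).
WEAK_POLICY = (
    '<policymap>'
    '  <policy domain="resource" name="memory" value="256MiB"/>'
    '</policymap>'
)
PARTIAL_POLICY = (
    '<policymap>'
    '  <policy domain="coder" rights="none" pattern="MVG"/>'
    '  <policy domain="coder" rights="none" pattern="msl"/>'
    '</policymap>'
)


if __name__ == "__main__":
    import sys
    # Usage: python check_policy.py /path/to/policy.xml  (path supplied by you)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else WEAK_POLICY
    gaps = missing_workaround_entries(text)
    if gaps:
        print("missing workaround entries:", gaps)
        print(harden_policy(text))
    else:
        print("policy already contains the workaround entries")
```

To find which policy.xml an installation actually loads, `convert -list policy` prints the active policy and the paths it was read from; run the checker against each of those files rather than guessing the location.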
It is time for Patch Tuesday April 2016, and we have some insight into what is coming at us already. Last week Adobe had to bring forward their monthly Adobe Flash Player (APSB16-10) patch to help their users defend against a 0-day that was being exploited in the wild, and a couple of weeks ago we heard of the “Badlock” vulnerability from the Samba development team – both Windows and Samba on Linux/Unix are affected.
Update: Adobe has released a new version of its Flash Player in APSB16-10. It addresses 22 critical vulnerabilities which can be used to gain code execution and 2 vulnerabilities that can be used to retrieve memory address information and to bypass a security feature. One of the vulnerabilities, CVE-2016-1019, is currently being attacked in the wild in Exploit Kits.
This release is Adobe’s April Patch Tuesday release. We do not expect another release this month. You should patch as quickly as possible, especially on machines that are still running a pre-March version of Flash, as these are vulnerable to CVE-2016-1019.
Oracle published a new version of Java today. The new version, Java v8 update 77, addresses a single critical vulnerability with CVE identifier CVE-2016-0636. This vulnerability had been disclosed publicly 2 weeks ago on the fulldisclosure list by Adam Gowdiak, CEO of Security Explorations, a security research company, as a variant of an issue (CVE-2013-5838) that he reported to Oracle in 2013 and that was not fully fixed in Oracle’s patch.
Security Explorations has a technical document describing the issue and PoC code for an exploit published on their website. They affirm that Java v7 and Java v9 are also affected by the vulnerability.
Since Oracle chose to fix this vulnerability out of band, we can assume that a workable exploit of the vulnerability based on the published information is relatively easy to come up with. You should give this fix high priority and address it as soon as possible.
Today Adobe released a critical update for their Flash Player, APSB16-08, that addresses 23 vulnerabilities. The update had been expected on Tuesday already, but had been held back due to the last-minute inclusion of CVE-2016-1010, a vulnerability that is currently under targeted attack in the wild. A successful exploit of this vulnerability gives the attacker Remote Code Execution on the target machine. Attack vectors include malicious websites set up for the purpose of attack using Search Engine Poisoning, “normal” websites that have been hacked and are under the control of the attacker, and e-mailed documents (Word, PDF) that include a malicious Flash component.
The vulnerability was found at Kaspersky Labs, by Anton Ivanov.
Microsoft also released this delayed Flash update as an out-of-band addition to its Patch Tuesday lineup as MS16-036. With that, we are changing our ranking for the security bulletins for this month – MS16-036 now takes the highest priority, followed by MS16-023 for Internet Explorer.
March Patch Tuesday 2016 comes right after a busy week at the RSA USA 2016 conference, where we discussed security and privacy with our industry peers and customers. We participated in numerous discussions around encryption and its function in the protection of privacy and its impact on law enforcement. On Thursday we talked with Chairman McCaul of the committee for Homeland Security about these issues. He said that US Congress is aware of the problems and is working on legislation that would balance both privacy and access to data. On Tuesday we had a Q&A session with Rami Malek, who plays the cyber vigilante Elliot Alderson on the USA Network show Mr. Robot. Rami gave us insight on the amount of work that goes into the writing, acting and production to assure that the computer scenes are as realistic as possible. The huge turnout at this session confirmed how successful the producers have been with this strategy.
On March 1st the DROWN vulnerability in OpenSSL was disclosed. Exploited successfully by an attacker, it can lead to decryption of SSL/TLS sessions.
On March 2nd our internal scanning indicated that we had 3 servers that were susceptible to DROWN. These 3 servers were part of a partner facing version of an application that was in the process of being decommissioned. No DNS names were connected to the servers anymore, but the IP addresses were still accessible.
On March 3rd we received a number of queries regarding the configuration of these servers and their susceptibility to DROWN. After verifying with the partner affected to assure that there was no more use of the servers, we turned off access to the respective services.
The certificate that was served on these machines is being reemitted with a new private key.
Last week, Fermin Serna from Google posted a report of a critical vulnerability in the glibc library, which is used at a very fundamental level in almost all Linux systems. The vulnerability, CVE-2015-7547, is in the getaddrinfo() function and can be used to gain Remote Code Execution.
A malicious DNS server provides an overlong, specially formatted answer to a normal address query, which overflows a statically allocated internal 2K buffer with data. The data is then executed within the getaddrinfo() function.
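The fix is the updated glibc package, but while that rolls out it helps to know what the "overlong answer" looks like on the wire. The script below is an added example (not code from the glibc advisory or from the original post): it parses the RFC 1035 wire format of a DNS response far enough to report its total size and answer count, and flags replies larger than the 2048-byte figure taken from the "2K buffer" above. The threshold, and the idea of using size alone as a signal, are assumptions for monitoring purposes: legitimate large responses (many records, DNSSEC data) also exceed 2K, so a hit means "look at this resolver's upstream", not "exploit confirmed". The sample responses are constructed inline by a small builder so the block runs offline.

```python
"""Flag DNS responses large enough to exceed the 2K buffer described for CVE-2015-7547.

Added example. Parses a DNS response (RFC 1035 wire format) and reports its
size and answer count; responses over OVERSIZE_THRESHOLD are flagged. This is
a coarse monitoring signal, not a mitigation; the mitigation is patching glibc.
"""
import struct

OVERSIZE_THRESHOLD = 2048  # bytes; taken from the "2K buffer" in the description (assumption)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                    # root label ends the name
            return off + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections; return size/count/oversize verdict."""
    if len(msg) < 12:
        raise ValueError("shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                    # question: QNAME + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):                    # answer RR: NAME TYPE CLASS TTL RDLENGTH RDATA
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "answer_count": an, "size": len(msg),
            "answers": answers, "oversized": len(msg) > OVERSIZE_THRESHOLD}


def build_a_response(txid: int, name: str, addrs) -> bytes:
    """Constructed sample: one A record per address, uncompressed names, flags 0x8180."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    rrs = b"".join(
        qname + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in a.split("."))
        for a in addrs)
    return header + question + rrs


if __name__ == "__main__":
    # Constructed inputs: a normal two-address reply and an overlong 100-address reply.
    normal = build_a_response(0x1234, "example.test", ["192.0.2.1", "192.0.2.2"])
    overlong = build_a_response(0x1234, "example.test",
                                ["192.0.2.%d" % i for i in range(1, 101)])
    for label, pkt in (("normal", normal), ("overlong", overlong)):
        r = parse_response(pkt)
        print(label, r["size"], "bytes,", r["answer_count"], "answers, oversized =", r["oversized"])
```

In practice you would feed `parse_response` the payloads captured from UDP/TCP port 53 toward your resolvers; the builder exists only so the checker has deterministic inputs.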