Time to update all your Apple devices: Patch Tuesday - Week 4, March 2019
Apple fixed a host of security vulnerabilities found across many of its products. These flaws could have allowed cyberattacks such as denial-of-service (DoS), privilege escalation & arbitrary code execution. A total of 51 vulnerabilities were patched with security updates. Below is the list of all newly updated software.
- iCloud for Windows 7.11: The WebKit browser engine for Windows 7 and later versions had multiple security vulnerabilities related to privilege escalation and arbitrary code execution. Other components with flaws were the CoreCrypto library, iTunes and iCloud’s Windows installer.
- iTunes 12.9.4 for Windows: The WebKit component was again found to have flaws, this time in the iTunes application. They could have led to privilege escalation & arbitrary code execution attacks.
- Safari 12.1: Safari Reader contained a critical flaw that could lead to cross-site scripting attacks. As mentioned earlier, vulnerable WebKit also affected Safari.
- macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra: A majority of flaws were found in the kernel of the OS. These included information disclosure and privilege escalation flaws. Other components fixed are AppleGraphicsControl, Bom, CFString, configd, Contacts, FaceTime, Feedback Assistant and graphics drivers.
- tvOS 12.2: Apple TV 4K and Apple TV HD had a string of bugs in their software components. Most of them lay in the kernel as well as in WebKit. Other applications such as Siri and Power Management also had authentication-related flaws.
- Xcode 10.2: The IDE for macOS had a memory corruption issue that could lead to arbitrary code execution.
- iOS 12.2: iOS in iPhone 5S (and later), iPad Air (and later) & iPod touch 6th generation had DoS, privilege escalation and RCE flaws in the kernel. The WebKit component also had these issues.
Amazon Web Services
For this week, Amazon Web Services addressed 42 security flaws in Amazon Linux AMI (ALA), a Linux kernel image used on Amazon EC2. Packages in ALA that were affected are given below (with their advisories linked).
- python27 python34 python35 python36
Users are advised to follow the specific instructions mentioned in the advisories.
This week, we witnessed the notorious APT Operation ShadowHammer, which exploited the ASUS Live Update utility and installed a backdoor. As per a report by the security firm Kaspersky, more than 57,000 users had unknowingly installed the backdoored version of Live Update. Now, the electronics manufacturer has released a patch to fix the issue.
The latest version (v.3.6.8) of Live Update has remediated the issue by incorporating security verification mechanisms to detect malicious entities. Users are advised to immediately update to this new version. In addition, ASUS developed a diagnostics tool to check systems affected by the malicious utility variant.
Cisco fixed four major vulnerabilities in its VoIP product, the IP Phone 8800 Series. It also patched a password exposure issue in Identity Services Engine (ISE). Below are brief descriptions of the latest security advisories.
- Cisco IP Phone 8800 Series Cross-Site Request Forgery Vulnerability: The interface of SIP software in the product had a flaw that could allow attackers to conduct a cross-site request forgery (CSRF) attack.
- Cisco IP Phone 8800 Series Path Traversal Vulnerability: The SIP software interface also had a flaw due to incorrect file permissions that could have led to arbitrary files being written on the product.
- Cisco IP Phone 8800 Series Authorization Bypass Vulnerability: This flaw is due to the software in the product incorrectly handling URL requests. This can lead to attackers exploiting it to conduct a DoS attack.
- Cisco IP Phone 8800 Series File Upload Denial of Service Vulnerability: The SIP software does not restrict the size of files written on the disk. This can cause abnormally high disk utilization, ending up in a DoS attack.
- Cisco Identity Services Engine Password Recovery Vulnerability: Admin Portal in ISE improperly stored saved passwords. Attackers can abuse this to view passwords in plain text.
The Drupal content management platform had a ‘moderately critical’ flaw in versions 8 and 7. The flaw in the File module of Drupal could allow attackers to upload malicious files to conduct a cross-site scripting (XSS) attack.
Versions affected are Drupal 8.6.12 (and earlier), Drupal 8.5.13 (and earlier) & Drupal 7.64. Users are advised to update to the latest version to fix this issue.
Mozilla patched two critical vulnerabilities in its email client Thunderbird. Although these flaws cannot be abused in Thunderbird alone, they can be exploited in a browser-like environment. Below are the descriptions of the two flaws.
- CVE-2019-9813: IonMonkey type confusion with __proto__ mutations: Improper handling of ‘__proto__’ mutations leads to arbitrary code execution.
Both these issues are fixed in Thunderbird 60.6.1.
Ubuntu released four security advisories addressing flaws in Firefox browsers as well as those existing in PHP and XMLTooling. They ranged from information disclosure flaws to serious ones such as DoS. Below are short descriptions of the advisories.
- USN-3922-1: PHP vulnerabilities: PHP in Ubuntu 18.10, 18.04 LTS & 16.04 LTS incorrectly handled some inputs, which could have led to information disclosure.
- USN-3921-1: XMLTooling vulnerability: The C++ based library could be crashed with malicious files. This was due to improper handling of XML files by the library. Affected versions are Ubuntu 18.10, 18.04 LTS, 16.04 LTS & 14.04 LTS.
- USN-3918-2: Firefox vulnerabilities: Incorrect security mechanisms in Firefox could be exploited to initiate a man-in-the-middle (MITM) attack. This was previously addressed in another advisory but persisted despite the update. Ubuntu 14.04 LTS is the affected version.