Critical roundup: important patches from major vendors

Business

Since mid-October, several major software vendors have released a number of security announcements and updates, most of them serious or outward critical. Let’s take a look at them, as most of the updated products are firmly nested in business networks.

Microsoft

Microsoft released six security bulletins on October 13, of which three were marked “critical”. But, as Threatpost wrote, the real news was the deprecation of the outdated RC4 encryption algorithm in Windows 10.

Windows 10 is a new system and, as usual, it’s being fine-tuned – the process will take some extra time, most likely. Moving away from RC4 is, however, a very timely move.

RC4 is a stream cipher known for its simplicity and speed. Unfortunately it was found vulnerable, so the industry gradually moved away from it. Microsoft has previously deprecated it in .NET, and now in Windows 10, too.

The advisory also updated the default transport encryption in Windows to TLS 1.2.

As for critical updates, they included the “ubiquitous” Internet Explorer rollup and patches for remote code execution vulnerabilities in the VBScript and Jscript engines in Windows. For details please visit Threatpost.

wide

Apple

Apple has also patched a batch of vulnerabilities in its software, including Keynote, Pages, Numbers, and iWork.

The most serious flaw allowed an attacker to execute code on a compromised OS X computer running Yosemite 10.10.4 or later, or iOS 8.4 or later on mobile devices.

Input validation and memory corruption errors in the aforementioned software also allowed attackers to run an arbitrary code or steal data. Detailed information is available here.

Adobe

Adobe released an urgent, emergency, red alert patch for a Flash zero day vulnerability a week earlier than the company had originally planned.

The zeroday known as CVE-2015-7645 was exploited, albeit in a limited fashion, in the wild.

“The flaw, a type confusion vulnerability, has been tied to attacks carried out by a Russian-speaking APT group operating under the guise of Pawn Storm, or APT 28. Type confusion vulnerabilities occur when code doesn’t verify the type of object that’s passed to it, and uses it without type-checking”, Threatpost wrote.

CVE-2015-7645 exploits have been used in spearphishing emails.

Adobe’s patch also addressed two other type confusion vulnerabilities: CVE-2015-7647 and CVE-2015-7648. Details are available here.

Oracle

Oracle is probably October’s number one fix regarding the amount of patched flaws: 154 vulnerabilities in 54 different products were fixed last week, as part of its Critical Patch Update.

84 patches addressed vulnerabilities that Oracle claimed might be remotely exploitable without authentication.

24 of the vulnerabilities were patched in Java SE, of which seven were marked as high severity. Oracle warned if the bugs were exploited under the right conditions it could result in a full compromise of the targeted system.

There are also severe bugs in Oracle Fusion Middleware and Oracle Database, as well as Siebel, Pillar Axiom, Applications for Work and Asset Management. Many are “definitely” remotely exploitale without authentication, although actual exploits hasn’t been spotted in the wild by Oracle at the time of the patches release.

Details are available here.

WordPress

Akismet, an antispam plugin critical for WordPress, has been updated in order to fix a serious cross-site scripting error.

It was exploitable via the comment section on sites running versions of the Akismet plugin after 2.5.0 and allowed for injection of malicious scripts into the comment section of the admin panel. This could in theory lead to a full site compromise, although Akismet was technically already blocking attempts during the comment-check API call.

No exploits in the wild so far, and WordPress plugin developers have pushed an automatic update for any sites running the vulnerable versions to auto update plugins last week.

Earlier in October, yet another XSS error in WordPress was fixed.

Joomla

Another content management system popular among businesses has been updated to fix a nasty bug. Critical, in fact, as this SQL injection flaw could have let attackers gain access to data in the backend of any site running on the platform.

The bug sat in the core module of Joomla, thus any site that runs it, including various e-commerce sites, could be vulnerable. Attackers could get administrator privileges – and it’s pretty clear what that could mean for the website.

Conclusion

There is no perfect, bugless software. In fact, bugs of various severity exist everywhere, so fixing them in numbers and on a regular basis is actually a good thing for the users, even though we all would prefer there were less bugs around.

Some software, however, should be under continuous scrutiny, in the “presumption of guilt” mode – namely Flash and Java. These are especially buggy, unfortunately, and due to their extreme popularity, and always in the reticles of cybercriminals.

Flash might be headed off into the sunset, but for now it’s still here, so it should be watched closely.

Our readers have already installed all of these critical updates, yes?