This quarter's installment of Oracle's Critical Patch Update (CPU) delivers fixes for a record 276 vulnerabilities, 19 of which carry a CVSS 3.0 base score of 9.8 -- and all 19 are remotely exploitable without authentication.
The July tally passed the previous record of 248, set in January. The batch was also notably severe: 159 of the vulnerabilities, across all severity ratings, could be exploited remotely without authentication.
The Oracle Critical Patch Update (CPU) this quarter "contains patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle," the research team at ERPScan wrote in a blog post. The applications included "Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail applications, Oracle JD Edwards, Oracle Supply Chain products [and] Oracle Database Server. About 43% (121) of all of the patch updates close vulnerabilities in these products. Moreover, about 71% of these vulnerabilities can be exploited remotely without authentication."
According to the ERPScan research team, the record-breaking number of Oracle patches in this CPU was almost 2.5 times the average for the quarterly Oracle CPU release. "The trend demonstrates that the number of identified and closed issues in Oracle products keeps growing."
In other news:
- OpenSSH, an open source suite of secure network utilities based on the SSH protocol, is vulnerable to a user enumeration attack. Security researcher Eddie Harari found that an attacker can send very long passwords to an OpenSSH daemon (sshd) to determine which usernames exist. The flaw is a timing side channel: the server hashes the supplied password with a different algorithm depending on whether the account exists, so the two cases take measurably different amounts of time. "When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hardcoded password structure, the password hash is based on BLOWFISH ($2) algorithm. If real users' passwords are hashed using SHA256/SHA512, then sending large passwords (10 KB) will result in shorter response time from the server for non-existing users," Harari wrote on the Full Disclosure list.
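The measurement Harari describes, as an added example that is not part of the original disclosure or of OpenSSH: it times a failed password login with a 10 KB password for each candidate username and for a few randomly generated, nonexistent names, then flags candidates whose median response is markedly slower than that baseline. The live probe assumes paramiko is installed and that the target allows password authentication; `demo_samples()` supplies constructed timings so the analysis step can be exercised offline, and the 1.5x threshold is an assumption to tune per target.

```python
# Added example, not code from the article, from Harari's post or from OpenSSH.
# Assumptions: paramiko is available for the live probe, the target accepts
# password authentication, and it does not reject ~10 KB passwords outright.
from __future__ import annotations

import secrets
import statistics
import time

LONG_PASSWORD = "A" * 10_000          # ~10 KB, as in the disclosure


def probe_once(host: str, user: str, port: int = 22, timeout: float = 10.0) -> float:
    """Time one failed password authentication for `user`; returns seconds.

    paramiko is imported here so the analysis functions below run without it.
    """
    import paramiko
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    start = time.perf_counter()
    try:
        client.connect(host, port=port, username=user, password=LONG_PASSWORD,
                       look_for_keys=False, allow_agent=False, timeout=timeout,
                       banner_timeout=timeout, auth_timeout=timeout)
    except paramiko.AuthenticationException:
        pass                          # expected: the password is wrong either way
    finally:
        client.close()
    return time.perf_counter() - start


def collect(host: str, candidates: list[str], rounds: int = 5) -> dict[str, list[float]]:
    """Sample each candidate plus a baseline of random, surely nonexistent names."""
    baseline = [f"nx_{secrets.token_hex(4)}" for _ in range(3)]
    samples: dict[str, list[float]] = {}
    for _ in range(rounds):           # interleave users to spread network jitter evenly
        for user in baseline + candidates:
            samples.setdefault(user, []).append(probe_once(host, user))
    return {"__baseline__": sum((samples[b] for b in baseline), []),
            **{u: samples[u] for u in candidates}}


def analyze(samples: dict[str, list[float]], ratio: float = 1.5) -> dict[str, bool]:
    """Flag users whose median response is `ratio` times slower than the baseline.

    Existing accounts are slower because sshd runs the real (SHA-512) crypt over
    the whole 10 KB password, while the fake account's blowfish-based hash is far
    cheaper on long input. Medians resist the occasional slow outlier.
    """
    base = statistics.median(samples["__baseline__"])
    return {user: statistics.median(times) > ratio * base
            for user, times in samples.items() if user != "__baseline__"}


def demo_samples() -> dict[str, list[float]]:
    """Constructed timings (seconds) standing in for a live run against sshd."""
    return {
        "__baseline__": [0.31, 0.33, 0.30, 0.34, 0.32, 0.31],
        "root":    [0.61, 0.63, 0.60, 0.64, 0.62],   # real account: slower
        "alice":   [0.59, 0.62, 0.61, 0.60, 0.63],   # real account: slower
        "zzdummy": [0.32, 0.30, 0.33, 0.31, 0.34],   # no such user: baseline speed
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed data; for a live run use
    # analyze(collect("ssh.example.test", ["root", "alice", "zzdummy"])).
    for user, likely_real in analyze(demo_samples()).items():
        print(f"{user:10s} {'likely exists' if likely_real else 'probably not'}")
```

A server that does identical work on both paths, or one fronted by a rate limiter that throttles repeated failures from one source, shows no usable gap, so a null result from this probe is not proof that a username is absent.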
- Researchers at enSilo, a cybersecurity firm based in San Francisco, discovered security issues in code hooking and injection techniques. "Hooking is a technique used by software, such as products that do virtualization, sandboxing and performance monitoring, to monitor and/or change the behavior of operating system functions in order to operate effectively," the firm wrote in a blog post. "It's particularly critical for security products. For example, antivirus software typically uses hooking to allow it to monitor for malicious activity on a system. Most anti-exploitation solutions monitor memory allocation functions in order to detect vulnerability exploitation. A security bug in the hooking function exposes the system to compromise." The researchers examined hooking engines and discovered half a dozen vulnerabilities affecting "commercial engines, such as Microsoft's Detours; open source engines, such as EasyHook; and proprietary engines, such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others." Tomer Bitton, co-founder and vice president of research at enSilo, and Udi Yavo, co-founder and CTO, will present more details of the vulnerabilities at the Black Hat conference in Las Vegas in August.
- Whistleblower Edward Snowden and hardware hacker Andrew "Bunnie" Huang plan to design and build tools for journalists that would alert them when their smartphones are transmitting or disclosing their location. The pair published a paper outlining their approach, and Snowden presented the project in a talk at MIT. They wrote, "Legal barriers barring the access to unwitting phone transmissions are failing because of the precedent set by the U.S.'s 'third-party doctrine,' which holds that metadata on such signals enjoys no legal protection." The proposed device monitors the phone's radio activity with measurement hardware built into a phone-mounted battery case, independently of the phone's own software. "We call this tool an introspection engine. The introspection engine has the capability to alert a reporter of a dangerous situation in real time. The core principle is simple: If the reporter expects radios to be off, alert the user when they are turned on."
- The chair of France's data protection authority, the CNIL (Commission nationale de l'informatique et des libertés), gave Microsoft formal notice "to stop collecting excessive data and tracking browsing by users without their consent" in Windows 10, and also demanded that "Microsoft take satisfactory measures to ensure the security and confidentiality of user data." After its own investigation, the CNIL found Microsoft in breach of France's Data Protection Act on several counts: collecting irrelevant or excessive data about installed apps and the time spent using them; failing to secure access to user data, since the Windows account PIN is four digits with no limit on the number of attempts to enter it; activating an advertising ID by default; offering users no way to block cookies; and "transferring its account holders' personal data to the United States on a 'Safe Harbor' basis" after the Court of Justice of the European Union had invalidated that framework for transatlantic data flows. Microsoft now has three months to comply with the French Data Protection Act.
- Apple patched a raft of vulnerabilities across its product line, including iOS, OS X, Safari, iTunes, iCloud, tvOS and watchOS. Particularly notable was the fix for CVE-2016-4635, a vulnerability in FaceTime that would have enabled an attacker to eavesdrop on a FaceTime call even after the call appeared to have ended. Apple wrote: "An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated."