April Security Patches: Seven-Hundred Eighty-Nine Ways You Can Be Hacked

What if we said that you could be hacked in over a hundred ways right now? Sounds like an exaggeration, yet in April 2017 alone, major software vendors provided security updates patching hundreds of security vulnerabilities – many of which are considered Critical or Remotely Exploitable.

Most people now own multiple devices or computers, and may fail to recognize the multiple attack surfaces present in that diverse selection. For example, you may own an iPhone, an Android tablet, a laptop (or two) and a PC. These devices may run Adobe Acrobat, Adobe Flash, the Java Runtime Environment and other common software. Multiply this by any additional members of your household and the attack surface grows many times over. That is a lot of attack vectors requiring your attention.

Here is a quick look at just a few of the most common software updates in the last 30 days.

Microsoft Windows and Office

On the second Tuesday of every month, Microsoft issues security patches for each of its supported operating systems for both standard and Server editions. This month, on April 11, Microsoft issued 196 Critical updates affecting every version of Windows, from Vista to Windows 10, and Server 2008 to Server 2016. Also updated were all supported versions of Internet Explorer, Edge, .NET and the Adobe Flash plugin distributed by Microsoft. Several fixes included in these patches are considered a response to a recent release of NSA hacking tools and malware by the hacking group known as Shadow Brokers.

In addition to the Windows patches, Microsoft provided 14 updates for all supported versions of Office and Outlook (versions 2007, 2010, 2013 and 2016). These fixes include a remote code execution vulnerability in Outlook and a security feature bypass in Outlook that could allow malicious code embedded in a crafted Office document to execute on the user’s system. This is a primary attack vector used by malware authors in email phishing campaigns to infect computers running Windows.

No less than 46 individual CVEs are addressed by Microsoft this month for Windows and Office.

Oracle Java SE

On April 18, Oracle released their quarterly update to the Java Runtime Environment. This release addressed at least 8 CVEs, 7 of which would allow remote code execution on the user’s system. Other vulnerabilities fixed would have allowed a remote user to gain elevated privileges (e.g. Administrator) on the affected system, modify data, corrupt memory and cause denial of service.

Adobe Acrobat Reader and Flash Player

On April 6, Adobe released updates for all supported versions of Acrobat and Reader: 11, DC and 2015. In total, 47 CVEs in Acrobat and Reader for Windows and Mac were addressed by this update. These updates include fixes for vulnerabilities that could allow an attacker to execute malicious code and corrupt memory on the affected system.

Adobe also released version 25.0.0.148 of Flash Player for Windows, Mac, Linux and Chrome OS on April 11. This update addressed at least 7 CVEs. These fixes address vulnerabilities in the browser plugin that could corrupt memory and allow malicious code execution. Microsoft also shipped this patch on April Patch Tuesday (April 11, 2017) through Windows Update, for the Flash plugin bundled with Internet Explorer.

Apple iOS

On March 27, Apple released iOS 10.3, which addressed 91 CVEs for supported versions of iPhone, iPad and iPod. This was a major release and addressed issues with Man-in-the-Middle (MITM) attacks, improper certificate handling, sensitive data leaks and exposure of the SMS directory to malicious applications.

Apple followed up with an unusually quick security update on April 3 to address another critical vulnerability in the Wi-Fi chip of its mobile devices, which could allow an attacker to execute malicious code remotely on the Wi-Fi chip.

Apple macOS

On March 28, 2017, Apple released macOS version 10.12.4, with security updates covering Sierra, El Capitan and Yosemite users. The update addressed 127 CVEs. Among the vulnerabilities fixed were numerous bugs allowing arbitrary malicious code execution with kernel privileges and denial of service. The most severe attack vectors impacted not just the kernel but some of the most commonly used components of macOS, including the Bluetooth service, the audio and graphics components, and the font renderer used by a majority of other components on the system.

Linux

Linux distributions are not exempt from critical security vulnerabilities. In April, many distributions such as CentOS, Ubuntu, Fedora and openSUSE issued updates to the Linux kernel and other components dealing with elevation of privilege (i.e. root access), denial of service (DoS) vulnerabilities and critical kernel crashes. Since Linux distributions often package many of the same applications in their installations, most share the same vulnerabilities not just in the Linux kernel but in common applications such as LibreOffice, BIND, QEMU, httpd, Tomcat, Thunderbird, etc. In total, CentOS released updates fixing 18 CVEs, Ubuntu 86, Fedora 27 and openSUSE 67.

That is an average of 49 critical vulnerability fixes per major Linux distribution in April. Even if you do not use a Linux distribution at home, many of your online transactions are hosted on Linux servers. That’s a lot of your sensitive information at risk.

Android OS

Devices running the Android OS are also diverse, despite sharing some commonalities in the base OS and the libraries used to build applications. Android security fixes in April addressed 102 CVEs, including several elevation of privilege vulnerabilities, information disclosures and denials of service. Individual manufacturers of devices running Android must still incorporate these fixes and build updates for their own devices. Check with your Android device manufacturer for any updates.

Summary

In case you weren’t counting, major software manufacturers released security patches for 789 vulnerabilities in the last month alone. Consider also that some critical vulnerabilities go unreported and may be exploited as zero-days. What other software do you use? Add updates to other third-party software (e.g. Quicken, HP, Firefox, Chrome) and the attack surface grows with every unpatched program. An average user may be exposed to over one hundred critical software vulnerabilities across multiple devices and applications at any given time this month alone.

Bottom line: apply manufacturer patches as soon as they are released, to reduce exposure of your sensitive data to hackers and cybercriminals.
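As an added example that is not part of the original article and is not any vendor's tool, the following POSIX shell script counts the security updates still pending on a Debian/Ubuntu or Fedora/CentOS host, which is the first step in applying patches promptly. The parsers read package-manager output from stdin, so they can be exercised against the constructed sample lines embedded below (not real package data) on a machine without those tools; the live check assumes `apt list --upgradable`, `dnf updateinfo list security` or `yum updateinfo list security` is available on the host and that the package index has been refreshed.

```shell
#!/bin/sh
# Added example, not from the original article: count the security updates
# pending on a Linux host so they can be applied promptly.

# Debian/Ubuntu: "apt list --upgradable" prints one package per line as
#   name/suite[,suite...] version arch [upgradable from: old-version]
# A package served from a "*-security" suite (Ubuntu and recent Debian naming)
# is counted as a security update.
count_apt_security() {
    awk -F'[/ ]' '$2 ~ /-security/ { n++ } END { print n + 0 }'
}

# Fedora/CentOS/RHEL: "dnf updateinfo list security" (or the yum equivalent)
# prints one advisory per line as
#   ADVISORY-ID Severity/Sec. package-version.arch
# Lines whose second field ends in "/Sec." are security advisories; bugfix and
# enhancement lines (shown by "updateinfo list" without "security") are not.
count_dnf_security() {
    awk '$2 ~ /\/Sec\.$/ { n++ } END { print n + 0 }'
}

# Same input, restricted to one severity (Critical, Important, Moderate, Low).
count_dnf_severity() {
    awk -v sev="$1" -F'[ /]+' '$2 == sev && $3 == "Sec." { n++ } END { print n + 0 }'
}

# Constructed sample output (not real package data) in the apt format.
SAMPLE_APT='Listing... Done
libssl1.0.0/xenial-security 1.0.0-1ubuntu2 amd64 [upgradable from: 1.0.0-1ubuntu1]
vim/xenial-updates 2:7.4.0-1ubuntu2 amd64 [upgradable from: 2:7.4.0-1ubuntu1]
linux-image-generic/xenial-security,xenial-updates 4.4.0.2 amd64 [upgradable from: 4.4.0.1]'

# Constructed sample output (not real advisories) in the dnf/yum format.
SAMPLE_DNF='Last metadata expiration check: 0:10:00 ago on Tue Apr 18 2017.
FEDORA-2017-EXAMPLE01 Important/Sec. kernel-4.10.0-1.fc25.x86_64
FEDORA-2017-EXAMPLE02 Moderate/Sec.  openssl-1.0.2k-1.fc25.x86_64
FEDORA-2017-EXAMPLE03 bugfix         vim-8.0.0-1.fc25.x86_64'

# Live check: pick the package manager present on this host and report how
# many security updates are pending. Exit status 0 means none are pending,
# 1 means some are, 2 means no supported package manager was found.
pending_security_updates() {
    if command -v apt-get >/dev/null 2>&1; then
        n=$(apt list --upgradable 2>/dev/null | count_apt_security)
    elif command -v dnf >/dev/null 2>&1; then
        n=$(dnf -q updateinfo list security 2>/dev/null | count_dnf_security)
    elif command -v yum >/dev/null 2>&1; then
        n=$(yum -q updateinfo list security 2>/dev/null | count_dnf_security)
    else
        echo "no supported package manager (apt, dnf, yum) found" >&2
        return 2
    fi
    echo "pending security updates: $n"
    [ "$n" -eq 0 ]
}

# Exercise the parsers on the constructed samples.
echo "apt sample: $(printf '%s\n' "$SAMPLE_APT" | count_apt_security) security updates"
echo "dnf sample: $(printf '%s\n' "$SAMPLE_DNF" | count_dnf_security) security advisories," \
     "$(printf '%s\n' "$SAMPLE_DNF" | count_dnf_severity Important) rated Important"

# Run the real check only when asked (./pending.sh --live), so the parsers
# can be tried without touching the package manager.
if [ "${1:-}" = "--live" ]; then
    pending_security_updates
fi
```

Run it with `--live` from cron or a configuration-management check and alert on a non-zero exit status; a host that keeps reporting pending security updates is exactly the unpatched exposure the article warns about.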

References:

http://fortune.com/2017/04/15/microsoft-shadow-brokers-patch/
https://isc.sans.edu/forums/diary/April+2017+Microsoft+Patch+Tuesday/22288/
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA
https://helpx.adobe.com/security/products/acrobat/apsb17-11.html
https://helpx.adobe.com/security/products/flash-player/apsb17-10.html
https://support.apple.com/en-us/HT207617
https://support.apple.com/en-us/HT207688
https://support.apple.com/en-us/HT207615
https://lwn.net/Alerts/CentOS
https://www.ubuntu.com/usn
http://www.linuxsecurity.com/content/blogcategory/98/110
https://lists.opensuse.org/opensuse-security-announce/2017-04/date.html
https://source.android.com/security/bulletin/2017-04-01