Vulnerabilities Weekly Summary Ending April 8
By Jerry Adams on April 12, 2016
A vulnerability (CVE-2016-1789) in Apple’s iBooks Author software has been fixed in an Apple security update (“About the security content…”, 2016 Mar. 31). An XML external entity reference issue existed when parsing a maliciously crafted iBooks Author file, which could have led to sensitive user information being disclosed (SecurityFocus, 2016 Mar. 31).
Another Apple vulnerability (CVE-2016-1743) concerns the Intel driver in the Graphics Drivers subsystem and affects Apple OS X before 10.11.4. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app (“CVE-2016-1743”, 2016 Mar. 25).
Adobe has released a Security Bulletin for Adobe Flash Player which addresses a number of vulnerabilities affecting Windows, Macintosh, Linux and ChromeOS (“Adobe Security Bulletin”, 2016 Apr. 7):
- CVE-2016-1006 – JIT spraying attacks that could be used to bypass memory layout randomization mitigations
- CVE-2016-1015 – type confusion vulnerabilities that could lead to code execution
- CVE-2016-1019 – type confusion vulnerabilities that could lead to code execution
- CVE-2016-1011 – use-after-free vulnerabilities that could lead to code execution
- CVE-2016-1013 – use-after-free vulnerabilities that could lead to code execution
- CVE-2016-1016 – use-after-free vulnerabilities that could lead to code execution
- CVE-2016-1017 – use-after-free vulnerabilities that could lead to code execution
- CVE-2016-1031 – use-after-free vulnerabilities that could lead to code execution
- CVE-2016-1012 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1020 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1021 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1022 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1023 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1024 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1025 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1026 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1027 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1028 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1029 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1032 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1033 – memory corruption vulnerabilities that could lead to code execution
- CVE-2016-1018 – stack overflow vulnerability that could lead to code execution
- CVE-2016-1030 – security bypass vulnerability
- CVE-2016-1014 – vulnerability in the directory search path used to find resources that could lead to code execution
References
(2016 Mar. 31). “About the security content of iBooks Author 2.4.1”. Apple, Inc. Retrieved from https://support.apple.com/en-us/HT206224 on Apr. 5, 2016.
SecurityFocus (2016 Mar. 31). “APPLE-SA-2016-03-31-1 iBooks Author 2.4.1”. Symantec, Inc. Retrieved from http://www.securityfocus.com/archive/1/537949 on Apr. 5, 2016.
(2016 Apr. 7). “Adobe Security Bulletin”. Adobe Systems. Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb16-10.html on Apr. 12, 2016.
(2016 Mar. 25). “CVE-2016-1743”. Security Database. Retrieved from http://www.security-database.com/detail.php?alert=CVE-2016-1743 on Apr. 12, 2016.