United States: Third Party Patch Roundup – May 2016

Last Updated: June 7 2016

Article by Debra Littlejohn Shinder

As I write this, the month of May is coming to an end and summer is just around the corner.  Here in Texas, with temperatures already in the 80s, we feel as if it's already arrived. I'm headed, next week, to Alaska for a week of cruising the Inside Passage and enjoying the weather and wildlife as that big, lumbering bear of a 49th state awakens from its winter sleep to welcome back its regular visitors like me.

Meanwhile, it's time to make sure all my computers and devices are up to date before I sail into the northern (very late) sunset. There have been a few interesting update glitches this month, on the heels of the heavy load of patches released by Microsoft on the second Tuesday, so it hasn't been an easy four weeks for IT admins.

We covered those Microsoft security patches in our separate Patch Tuesday Roundup article, but the company also released a huge set of non-security updates for Windows 7 this month, in the form of KB 3125574, which was part of the company's announced shift to monthly rollup updates for Windows 7 and 8.1. The release also stirred up some controversy over a rather vaguely described update labeled KB 3123862, which is being called a "mystery patch."

Also generating much animated discussion is Microsoft's not-so-subtle push to move Windows 7 and 8.1 users to Windows 10 before the July deadline for the free installation of the new OS, with many accusing the company of outright tricking users into accepting the upgrade offer.

Meanwhile, Apple – which issued no patches in April – is back with a vengeance, unleashing seven new updates this month. Adobe put out five security bulletins, which is more than usual. Google is reportedly pressuring device OEMs and wireless carriers to speed up the installation of Android updates and security patches. Only Mozilla gave us some breathing space, not releasing a new version of Firefox this month after ten security fixes in v46 last month.

Now let's take a look at the details of some of this month's patches from major third party security vendors.

Apple

Last month, I wrote, "Apple has released no updates this month. Does that mean we'll get slammed with another large slate of updates in May?" Yep, that's pretty much what it meant. This time we have new versions of iTunes, Safari, OS X El Capitan, watchOS, iOS, tvOS and Xcode.

  • Xcode v7.3.1 was released on May 3 for OS X El Capitan v10.11 and above to address a buffer overflow issue.

Six updates were released on May 16:

  • tvOS v9.2.1 for fourth generation Apple TV addresses 33 vulnerabilities that include information leaks, arbitrary code execution with kernel privileges due to memory corruption issues, denial of service, unexpected application termination, and disclosure of data from another web site. Some of these issues are critical.
  • iOS v9.3.2 for iPhone 4s and above, iPod Touch 5th generation and above and iPad 2 and above, addresses 39 vulnerabilities in various components of the operating system, including Accessibility, CommonCrypto, Disk Images, the kernel, OpenGL, Safari, Siri, WebKit and more. These consist of buffer overflow, information leak, and arbitrary code execution with kernel privileges due to memory corruption issues, a denial of service issue and some information disclosure issues. Some of these issues are critical.
  • watchOS v2.2.1 for Apple Watch, all editions, addresses 26 vulnerabilities in some of the same components named in the patch descriptions above, including the critical arbitrary code execution issues.
  • OS X El Capitan v10.11.5 and security update 2016-003 address a whopping 69 vulnerabilities in many different components of the operating system, including many of the same ones mentioned in the patch descriptions above along with security issues in Tcl, ScreenLock, SceneKit, QuickTime, MultiTouch, Messages, various graphics drivers, Audio, ATS, AMD and Apache.
  • Safari v9.1.1 for OS X Mavericks, Yosemite and El Capitan addresses 7 vulnerabilities in the browser itself, WebKit, and WebKit Canvas. These include multiple memory corruption issues that could lead to arbitrary code execution, data disclosure, and inability to delete browsing history.
  • iTunes v12.4 for Windows 7 and above addresses a single vulnerability by which running the iTunes installer in an untrusted directory can result in arbitrary code execution.

For more information about the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Unlike Apple, Adobe didn't take a break last month. They issued five new security bulletins with four actual updates in April and they're back with five bulletins and four updates again this time. Three of them were issued on Adobe's traditional Patch Tuesday. Along with the almost obligatory Flash Player update, we got patches for several other Adobe products and components.

On May 10, one advisory and one update came out:

  • Security Advisory APSA16-02 was issued for Adobe Flash Player regarding a critical vulnerability that could be exploited to crash the system and allow an attacker to take control.
  • Security Update APSB16-16 was issued for ColdFusion, consisting of hotfixes to address three vulnerabilities involving a host name verification problem. This update has a priority rating of 2.

On May 19, two updates were issued:

  • Security Update APSB16-15 addresses the Flash Player vulnerabilities that were the subject of the May 10 advisory, and covers 27 vulnerabilities in Flash running on Windows, Mac OS X, Linux and Google Chrome OS. These include type confusion, use-after-free, heap buffer overflow, buffer overflow, directory search path and multiple memory corruption issues. Priority rating is 1 on affected operating systems and 3 on AIR SDK, Desktop Runtime and Compiler.
  • Security Update APSB16-14 is an update for Adobe Acrobat and Reader that addresses an astounding 93 different vulnerabilities in those products running on Windows and Mac OS X. Many of these are critical issues but interestingly, the priority rating is only a 2 on both products on both operating systems. Vulnerability types include multiple use-after-free, buffer overflow, memory corruption and memory leak issues, as well as integer overflow, information disclosure, directory search path and JavaScript API execution restrictions bypass vulnerabilities.

The following update was released on May 23:

  • Security Update APSB16-17 for Adobe Connect running on Windows addresses a single vulnerability related to an untrusted search path in the Connect add-in installer. It is assigned a priority rating of 3.

For more information about these vulnerabilities and updates, see Adobe's Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

Google issued a security bulletin for Android on May 2, along with an update for Nexus devices. This bulletin addresses 40 vulnerabilities, most of which are elevation of privilege issues. Twelve of these are rated critical, with another 19 that are listed as high severity. The rest are moderate or low severity.

For more information, see the Android.com web site at https://source.android.com/security/bulletin/2016-05-01.html

Google also released Chrome 51 as a stable channel update, with 42 security fixes that include a number of high severity cross-origin bypass and heap use-after-free and overflow issues.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The next scheduled release will be on July 19. Last month they issued regularly scheduled updates for a broad span of their products that addressed 136 vulnerabilities. For more detailed information about those previous updates, see the Oracle Critical Patch Update Advisory for April 2016 at http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Mozilla

Last month Mozilla released the latest version of its web browser, Firefox 46, which included 10 security fixes. At the time of this writing (May 26), v46 is the latest version of the browser.

For more information about all of these vulnerabilities and fixes, see Mozilla's web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (May 26) Ubuntu has issued 49 security advisories, which is fairly typical. Many of them address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2985-2: GNU C Library regression – 26th May 2016

USN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for CVE-2014-9761 introduced a regression which affected applications that use the libm library but were not fully restarted after the upgrade. This update removes the fix for CVE-2014-9761 and a future update will be provided to address this issue.

USN-2985-1: GNU C Library vulnerabilities – 25th May 2016

Martin Carpenter discovered that pt_chown in the GNU C Library did not properly check permissions for tty files. A local attacker could use this to gain administrative privileges or expose sensitive information.

USN-2950-5: Samba regression – 25th May 2016

USN-2950-1 fixed vulnerabilities in Samba. USN-2950-3 updated Samba to version 4.3.9, which introduced a regression when using the ntlm_auth tool. This update fixes the problem. Original advisory details: Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation.

USN-2984-1: PHP vulnerabilities – 24th May 2016

It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.

USN-2936-3: Firefox regression – 18th May 2016

USN-2936-1 fixed vulnerabilities in Firefox. The update caused an issue where a device update POST request was sent every time about:preferences#sync was shown. This update fixes the problem. We apologize for the inconvenience.

USN-2973-1: Thunderbird vulnerabilities – 18th May 2016

Christian Holler, Tyson Smith, and Phil Ringalda discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.

USN-2960-1: Oxide vulnerabilities – 18th May 2016

An out of bounds write was discovered in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code.

USN-2950-4: Samba regressions – 18th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The backported fixes introduced in Ubuntu 12.04 LTS caused interoperability issues. This update fixes compatibility with certain NAS devices, and allows connecting to Samba 3.6 servers by relaxing the "client ipc signing" parameter to "auto". We apologize for the inconvenience.

USN-2983-1: Expat vulnerability – 18th May 2016

Gustavo Grieco discovered that Expat incorrectly handled malformed XML data. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service, or possibly execute arbitrary code.

USN-2982-1: Libksba vulnerabilities – 17th May 2016

Hanno Böck discovered that Libksba incorrectly handled decoding certain BER data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

USN-2981-1: libarchive vulnerabilities – 17th May 2016

It was discovered that libarchive incorrectly handled certain entry-size values in ZIP archives. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.

USN-2980-1: libndp vulnerability – 17th May 2016

Julien Bernard discovered that libndp incorrectly performed origin checks when receiving Neighbor Discovery Protocol (NDP) messages. A remote attacker outside of the local network could use this issue to advertise a node as a router, causing a denial of service, or possibly to act as a man in the middle.

USN-2979-4: Linux kernel (Qualcomm Snapdragon) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2979-3: Linux kernel (Raspberry Pi 2) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2979-2: Linux kernel (Xenial HWE) vulnerabilities – 16th May 2016

USN-2979-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-2979-1: Linux kernel vulnerabilities – 16th May 2016

David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host.

USN-2978-3: Linux kernel (Raspberry Pi 2) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2978-2: Linux kernel (Wily HWE) vulnerabilities – 16th May 2016

USN-2978-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

USN-2978-1: Linux kernel vulnerabilities – 16th May 2016

David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host.

USN-2977-1: Linux kernel (Vivid HWE) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2976-1: Linux kernel (Utopic HWE) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2975-2: Linux kernel (Trusty HWE) vulnerability – 16th May 2016

USN-2975-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files.

USN-2975-1: Linux kernel vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2974-1: QEMU vulnerabilities – 12th May 2016

Zuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-2391) Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation support.

USN-2972-1: OpenJDK 6 vulnerabilities – 10th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2971-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2971-2: Linux kernel (Wily HWE) vulnerabilities – 9th May 2016

USN-2971-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

USN-2971-1: Linux kernel vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2970-1: Linux kernel (Vivid HWE) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2969-1: Linux kernel (Utopic HWE) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2968-2: Linux kernel (Trusty HWE) vulnerabilities – 9th May 2016

USN-2968-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.

USN-2968-1: Linux kernel vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2967-2: Linux kernel (OMAP4) vulnerabilities – 9th May 2016

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service.

USN-2967-1: Linux kernel vulnerabilities – 9th May 2016

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service.

USN-2966-1: OpenSSH vulnerabilities – 9th May 2016

Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. (CVE-2015-8325) Ben Hawkes discovered that OpenSSH incorrectly handled certain network traffic.

USN-2965-4: Linux kernel (Qualcomm Snapdragon) vulnerability – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2965-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2965-2: Linux kernel (Xenial HWE) vulnerabilities – 6th May 2016

USN-2965-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-2965-1: Linux kernel vulnerabilities – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2964-1: OpenJDK 7 vulnerabilities – 4th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2963-1: OpenJDK 8 vulnerabilities – 4th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2961-1: Little CMS vulnerability – 4th May 2016

It was discovered that a double free() could occur when the intent handling code in the Little CMS library detected an error. An attacker could use this to specially craft a file that caused an application using the Little CMS library to crash or possibly execute arbitrary code.

USN-2950-3: Samba regressions – 4th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues. This update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.

USN-2950-2: libsoup update – 4th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages introduced a compatibility issue with NTLM authentication in libsoup. This update fixes the problem. We apologize for the inconvenience.

USN-2959-1: OpenSSL vulnerabilities – 3rd May 2016

Huzaifa Sidhpurwala, Hanno Böck, and David Benjamin discovered that OpenSSL incorrectly handled memory when decoding ASN.1 structures. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2936-2: Oxygen-GTK3 update – 2nd May 2016

USN-2936-1 fixed vulnerabilities in Firefox. The update caused Firefox to crash on startup with the Oxygen GTK theme due to a pre-existing bug in the Oxygen-GTK3 theme engine. This update fixes the problem. We apologize for the inconvenience.

USN-2957-2: Libtasn1 vulnerability – 2nd May 2016

USN-2957-1 fixed a vulnerability in Libtasn1. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates.

USN-2958-1: poppler vulnerabilities – 2nd May 2016

It was discovered that the poppler pdfseparate tool incorrectly handled certain filenames. A local attacker could use this issue to cause the tool to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS.

USN-2957-1: Libtasn1 vulnerability – 2nd May 2016

Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates. A remote attacker could possibly use this issue to cause applications using Libtasn1 to hang, resulting in a denial of service.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.