United States: Third Party Patch Roundup – May 2016

Last Updated: June 7 2016

Article by Debra Littlejohn Shinder

As I write this, the month of May is coming to an end and summer is just around the corner.  Here in Texas, with temperatures already in the 80s, we feel as if it's already arrived. I'm headed, next week, to Alaska for a week of cruising the Inside Passage and enjoying the weather and wildlife as that big, lumbering bear of a 49th state awakens from its winter sleep to welcome back its regular visitors like me.

Meanwhile, it's time to make sure all my computers and devices are up to date before I sail into the northern (very late) sunset. There have been a few interesting update glitches this month, on the heels of the heavy load of patches released by Microsoft on the second Tuesday, so it hasn't been an easy four weeks for IT admins.

We covered those Microsoft security patches in our separate Patch Tuesday Roundup article, but the company also released a huge set of non-security updates for Windows 7 this month, in the form of KB 3125574, which was part of the company's announced shift to monthly rollup updates for Windows 7 and 8.1. The release also stirred up some controversy over a rather vaguely described update labeled KB 3123862, which is being called a "mystery patch."

Also generating much animated discussion is Microsoft's not-so-subtle push to move Windows 7 and 8.1 users to Windows 10 before the July deadline for the free installation of the new OS, with many accusing the company of outright tricking users into accepting the upgrade offer.

Meanwhile, Apple – which issued no patches in April – is back with a vengeance, unleashing seven new updates this month. Adobe put out five security bulletins, which is more than usual. Google is reportedly pressuring device OEMs and wireless carriers to speed up the installation of Android updates and security patches. Only Mozilla gave us some breathing space, not releasing a new version of Firefox this month after ten security fixes in v46 last month.

Now let's take a look at the details of some of this month's patches from major third party security vendors.

Apple

Last month, I wrote, "Apple has released no updates this month. Does that mean we'll get slammed with another large slate of updates in May?" Yep, that's pretty much what it meant. This time we have new versions of iTunes, Safari, OS X El Capitan, watchOS, iOS, tvOS and Xcode.

  • Xcode v7.3.1 was released on May 3 for OS X El Capitan v10.11 and above to address a buffer overflow issue.

Six updates were released on May 16:

  • tvOS v9.2.1 for fourth generation Apple TV addresses 33 vulnerabilities that include information leaks, arbitrary code execution with kernel privileges due to memory corruption issues, denial of service, unexpected application termination, and disclosure of data from another web site. Some of these issues are critical.
  • iOS v9.3.2 for iPhone 4s and above, iPod Touch 5th generation and above and iPad 2 and above, addresses 39 vulnerabilities in various components of the operating system, including Accessibility, CommonCrypto, Disk Images, the kernel, OpenGL, Safari, Siri, WebKit and more. These consist of buffer overflow, information leak, and arbitrary code execution with kernel privileges due to memory corruption issues, a denial of service issue and some information disclosure issues. Some of these issues are critical.
  • watchOS v2.2.1 for Apple Watch, all editions, addresses 26 vulnerabilities in some of the same components named in the patch descriptions above, including the critical arbitrary code execution issues.
  • OS X El Capitan v10.11.5 and security update 2016-003 address a whopping 69 vulnerabilities in many different components of the operating system, including many of the same ones mentioned in the patch descriptions above along with security issues in Tcl, ScreenLock, SceneKit, QuickTime, MultiTouch, Messages, various graphics drivers, Audio, ATS, AMD and Apache.
  • Safari v9.1.1 for OS X Mavericks, Yosemite and El Capitan addresses 7 vulnerabilities in the browser itself, WebKit, and WebKit Canvas. These include multiple memory corruption issues that could lead to arbitrary code execution, data disclosure, and inability to delete browsing history.
  • iTunes v12.4 for Windows 7 and above addresses a single vulnerability by which running the iTunes installer in an untrusted directory can result in arbitrary code execution.

For more information about the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Unlike Apple, Adobe didn't take a break last month. They issued five new security bulletins with four actual updates in April and they're back with five bulletins and four updates again this time. Three of them were issued on Adobe's traditional Patch Tuesday. Along with the almost obligatory Flash Player update, we got patches for several other Adobe products and components.

On May 10, one advisory and one update came out:

  • Security Advisory APSA16-02 was issued for Adobe Flash Player regarding a critical vulnerability that could be exploited to crash the system and allow an attacker to take control.
  • Security Update APSB16-16 was issued for ColdFusion, consisting of hotfixes to address three vulnerabilities involving a host name verification problem. This update has a priority rating of 2.

On May 19, two updates were issued:

  • Security Update APSB16-15 addresses the Flash Player vulnerabilities that were the subject of the May 10 advisory, and covers 27 vulnerabilities in Flash running on Windows, Mac OS X, Linux and Google Chrome OS. These include type confusion, use-after-free, heap buffer overflow, buffer overflow, directory search path and multiple memory corruption issues. Priority rating is 1 on affected operating systems and 3 on AIR SDK, Desktop Runtime and Compiler.
  • Security Update APSB16-14 is an update for Adobe Acrobat and Reader that addresses an astounding 93 different vulnerabilities in those products running on Windows and Mac OS X. Many of these are critical issues but interestingly, the priority rating is only a 2 on both products on both operating systems. Vulnerability types include multiple use-after-free, buffer overflow, memory corruption and memory leak issues, as well as integer overflow, information disclosure, directory search path and JavaScript API execution restrictions bypass vulnerabilities.

The following update was released on May 23:

  • Security Update APSB16-17 for Adobe Connect running on Windows addresses a single vulnerability related to an untrusted search path in the Connect add-in installer. It is assigned a priority rating of 3.

For more information about these vulnerabilities and updates, see Adobe's Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html

Google

Google issued a security bulletin for Android on May 2, along with an update for Nexus devices. This bulletin addresses 40 vulnerabilities, most of which are elevation of privilege issues. Twelve of these are rated critical, with another 19 that are listed as high severity. The rest are moderate or low severity.

For more information, see the Android.com web site at https://source.android.com/security/bulletin/2016-05-01.html

Google also released Chrome 51 as a stable channel update, with 42 security fixes that include a number of high severity cross-origin bypass and heap use-after-free and overflow issues.

For more information, see the Google Chrome Releases blog at http://googlechromereleases.blogspot.com

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The next scheduled release will be on July 19. Last month they issued regularly scheduled updates for a broad span of their products that addressed 136 vulnerabilities. For more detailed information about those previous updates, see the Oracle Critical Patch Update Advisory for April 2016 at http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Mozilla

Last month Mozilla released the latest version of its web browser, Firefox 46, which included 10 security fixes. At the time of this writing (May 26), v46 is the latest version of the browser.

For more information about all of these vulnerabilities and fixes, see Mozilla's web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (May 26) Ubuntu has issued 49 security advisories, which is fairly typical. Many of them address multiple vulnerabilities and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

USN-2985-2: GNU C Library regression – 26th May 2016

USN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for CVE-2014-9761 introduced a regression which affected applications that use the libm library but were not fully restarted after the upgrade. This update removes the fix for CVE-2014-9761 and a future update will be provided to address this issue.

USN-2985-1: GNU C Library vulnerabilities – 25th May 2016

Martin Carpenter discovered that pt_chown in the GNU C Library did not properly check permissions for tty files. A local attacker could use this to gain administrative privileges or expose sensitive information.

USN-2950-5: Samba regression – 25th May 2016

USN-2950-1 fixed vulnerabilities in Samba. USN-2950-3 updated Samba to version 4.3.9, which introduced a regression when using the ntlm_auth tool. This update fixes the problem. Original advisory details: Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation.

USN-2984-1: PHP vulnerabilities – 24th May 2016

It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.

USN-2936-3: Firefox regression – 18th May 2016

USN-2936-1 fixed vulnerabilities in Firefox. The update caused an issue where a device update POST request was sent every time about:preferences#sync was shown. This update fixes the problem. We apologize for the inconvenience.

USN-2973-1: Thunderbird vulnerabilities – 18th May 2016

Christian Holler, Tyson Smith, and Phil Ringalda discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.

USN-2960-1: Oxide vulnerabilities – 18th May 2016

An out of bounds write was discovered in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code.

USN-2950-4: Samba regressions – 18th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The backported fixes introduced in Ubuntu 12.04 LTS caused interoperability issues. This update fixes compatibility with certain NAS devices, and allows connecting to Samba 3.6 servers by relaxing the "client ipc signing" parameter to "auto". We apologize for the inconvenience.

USN-2983-1: Expat vulnerability – 18th May 2016

Gustavo Grieco discovered that Expat incorrectly handled malformed XML data. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service, or possibly execute arbitrary code.

USN-2982-1: Libksba vulnerabilities – 17th May 2016

Hanno Böck discovered that Libksba incorrectly handled decoding certain BER data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.

USN-2981-1: libarchive vulnerabilities – 17th May 2016

It was discovered that libarchive incorrectly handled certain entry-size values in ZIP archives. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.

USN-2980-1: libndp vulnerability – 17th May 2016

Julien Bernard discovered that libndp incorrectly performed origin checks when receiving Neighbor Discovery Protocol (NDP) messages. A remote attacker outside of the local network could use this issue to advertise a node as a router, causing a denial of service, or possibly to act as a man in the middle.

USN-2979-4: Linux kernel (Qualcomm Snapdragon) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2979-3: Linux kernel (Raspberry Pi 2) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2979-2: Linux kernel (Xenial HWE) vulnerabilities – 16th May 2016

USN-2979-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-2979-1: Linux kernel vulnerabilities – 16th May 2016

David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host.

USN-2978-3: Linux kernel (Raspberry Pi 2) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2978-2: Linux kernel (Wily HWE) vulnerabilities – 16th May 2016

USN-2978-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

USN-2978-1: Linux kernel vulnerabilities – 16th May 2016

David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host.

USN-2977-1: Linux kernel (Vivid HWE) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2976-1: Linux kernel (Utopic HWE) vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2975-2: Linux kernel (Trusty HWE) vulnerability – 16th May 2016

USN-2975-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files.

USN-2975-1: Linux kernel vulnerability – 16th May 2016

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

USN-2974-1: QEMU vulnerabilities – 12th May 2016

Zuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-2391) Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation support.

USN-2972-1: OpenJDK 6 vulnerabilities – 10th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2971-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2971-2: Linux kernel (Wily HWE) vulnerabilities – 9th May 2016

USN-2971-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

USN-2971-1: Linux kernel vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2970-1: Linux kernel (Vivid HWE) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2969-1: Linux kernel (Utopic HWE) vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2968-2: Linux kernel (Trusty HWE) vulnerabilities – 9th May 2016

USN-2968-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.

USN-2968-1: Linux kernel vulnerabilities – 9th May 2016

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash).

USN-2967-2: Linux kernel (OMAP4) vulnerabilities – 9th May 2016

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service.

USN-2967-1: Linux kernel vulnerabilities – 9th May 2016

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service.

USN-2966-1: OpenSSH vulnerabilities – 9th May 2016

Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. (CVE-2015-8325) Ben Hawkes discovered that OpenSSH incorrectly handled certain network traffic.

USN-2965-4: Linux kernel (Qualcomm Snapdragon) vulnerability – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2965-3: Linux kernel (Raspberry Pi 2) vulnerabilities – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2965-2: Linux kernel (Xenial HWE) vulnerabilities – 6th May 2016

USN-2965-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-2965-1: Linux kernel vulnerabilities – 6th May 2016

Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.

USN-2964-1: OpenJDK 7 vulnerabilities – 4th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2963-1: OpenJDK 8 vulnerabilities – 4th May 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code.

USN-2961-1: Little CMS vulnerability – 4th May 2016

It was discovered that a double free() could occur when the intent handling code in the Little CMS library detected an error. An attacker could use this to specially craft a file that caused an application using the Little CMS library to crash or possibly execute arbitrary code.

USN-2950-3: Samba regressions – 4th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues. This update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.

USN-2950-2: libsoup update – 4th May 2016

USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages introduced a compatibility issue with NTLM authentication in libsoup. This update fixes the problem. We apologize for the inconvenience.

USN-2959-1: OpenSSL vulnerabilities – 3rd May 2016

Huzaifa Sidhpurwala, Hanno Böck, and David Benjamin discovered that OpenSSL incorrectly handled memory when decoding ASN.1 structures. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.

USN-2936-2: Oxygen-GTK3 update – 2nd May 2016

USN-2936-1 fixed vulnerabilities in Firefox. The update caused Firefox to crash on startup with the Oxygen GTK theme due to a pre-existing bug in the Oxygen-GTK3 theme engine. This update fixes the problem. We apologize for the inconvenience.

USN-2957-2: Libtasn1 vulnerability – 2nd May 2016

USN-2957-1 fixed a vulnerability in Libtasn1. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates.

USN-2958-1: poppler vulnerabilities – 2nd May 2016

It was discovered that the poppler pdfseparate tool incorrectly handled certain filenames. A local attacker could use this issue to cause the tool to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS.

USN-2957-1: Libtasn1 vulnerability – 2nd May 2016

Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates. A remote attacker could possibly use this issue to cause applications using Libtasn1 to hang, resulting in a denial of service.
