ID

VAR-201206-0062

CVE

CVE-2012-1713

TITLE

Oracle Java SE of Java Runtime Environment (JRE) In 2D Processing vulnerability

DESCRIPTION

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, 1.4.2_37 and earlier, and JavaFX 2.1 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (DoS) An attack may be carried out. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the BasicService.showDocument Java Webstart function. This function allows additional parameters to be passed to the browser. Depending on which browser the user has set as default browser this could lead to remote code execution under the context of the current user. This vulnerability affects the following supported versions: 7 Update 4, 6 Update 32, 5 Update 35, 1.4.2_37, JavaFX 2.1. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2012-06-12-1 Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 is now available and addresses the following: Java Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.4, OS X Lion Server v10.7.4 Impact: Multiple vulnerabilities in Java Description: Multiple vulnerabilities exist in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. These issues are addressed by updating to Java version 1.6.0_33. Further information is available via the Java website at http://www.o racle.com/technetwork/java/javase/releasenotes-136954.html CVE-ID CVE-2012-0551 CVE-2012-1711 CVE-2012-1713 CVE-2012-1716 CVE-2012-1718 CVE-2012-1719 CVE-2012-1721 CVE-2012-1722 CVE-2012-1723 CVE-2012-1724 CVE-2012-1725 Java Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8 Impact: The Java browser plugin and Java Web Start are deactivated if they remain unused for 35 days Description: As a security hardening measure, the Java browser plugin and Java Web Start are deactivated if they are unused for 35 days. Users may re-enable Java if they encounter Java applets on a web page or Java Web Start applications by clicking the region labeled "Inactive plug-in" on a web page. This security measure is also available for OS Lion systems if the prior update "Java for OS X 2012-003" was not installed. Java Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.4, OS X Lion Server v10.7.4 Impact: The Java browser plugin and Java Web Start are deactivated if they do not meet the criteria for minimum safe version Description: As a security hardening measure, the Java browser plugin and Java Web Start are deactivated if they do not meet the criteria for minimum safe version. The minimum safe version of Java is updated daily, as needed. Note: These updates include the security content from Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8. Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.6 systems The download file is named: JavaForMacOSX10.6.dmg Its SHA-1 digest is: c2fcc844b7073d8243588f3407eb3ce1d497043d For OS X Lion systems The download file is named: JavaForOSX.dmg Its SHA-1 digest is: f176546327bc62d8cd397d54d1dc22b72aee1d2b Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJP15giAAoJEPefwLHPlZEw0JUQAI8bP4nvp9BgEyc8K2Z1GrKW sH0nTQtVCei8yF/ORZh7bnxTgANx/kbcwyy/+rfRuU0cKCryvIH5I6Odjt4qE17q Kqa/L8Xsl3pBdEwRVbo2rvy5IAVB32L8fUMfcQ4mweYeimTilR/+O9qQnFChZiEU KZgLCGDmBbGqhP/P/g9CM9G+g2rC+nG/07U8MN9nk0Mfio2mHxMSxFy96b4DK3TX g5R6nYOth+GEQPCC0+O7zKoVViL/6xLxvrnuGQL9uYizDgYLpfIHAyDUTJy27yVb t6ggjZIfMMKEL2uQAKh/1WlLN7oMfyYyIJkdKmjb9ZYRIia3brlmlDsEzoIH7DSr fdOJ/zUDHn6qvrRktdNhNJWI6z6XY6EzDWe+HnCbZvifqK7oiAtRJo7BcFeMFQS8 wDFLGebzr2YRFV+5Oa3hxDmGzXvl2B0FQ/T2PSOUraUuj14LSA1H/ekD7MrSo+09 tNDK2C3VpVY5eK7gjxFX8+hWT1w/x3jyIPWA7fCOzG6BM27FnQBuroFTTLlEmsev yV1Mcnd+KBgS194yu29gzbApOAQBHLT5epps1n/omIfQoKAfjfN66KM+dgl9e7uB 6s3s4sRCzQX8XtYlnC0PRG050R2lkO16k9UddZ/0CqE4pegIiIcvWtt4MB3jxMxr lTEVodir4Ubn3QZQ0SK7 =J235 -----END PGP SIGNATURE----- . CVE-2012-1711 CVE-2012-1719 Multiple errors in the CORBA implementation could lead to breakouts of the Java sandbox CVE-2012-1713 Missing input sanitising in the font manager could lead to the execution of arbitrary code. CVE-2012-1716 The SynthLookAndFeel Swing class could be abused to break out of the Java sandbox. CVE-2012-1717 Several temporary files were created insecurely, resulting in local information disclosure. CVE-2012-1723 CVE-2012-1725 Validation errors in the bytecode verifier of the Hotspot VM could lead to breakouts of the Java sandbox. CVE-2012-1724 Missing input sanitising in the XML parser could lead to denial of service through an infinite loop. We recommend that you upgrade your openjdk-6 packages. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: uCosminexus Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA49578 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49578/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49578 RELEASE DATE: 2012-06-15 DISCUSS ADVISORY: http://secunia.com/advisories/49578/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49578/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49578 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Hitachi has acknowledged multiple vulnerabilities in uCosminexus products, which can be exploited by malicious, local users to disclose potentially sensitive information, manipulate certain data, and cause a DoS (Denial of Service) and by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system. The vulnerabilities are caused due to vulnerabilities in the bundled version of Cosminexus Developer's Kit for Java. For more information: SA49472 Please see the vendor's advisory for a list of affected products. ORIGINAL ADVISORY: HS12-015: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-015/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.0-ibm security update Advisory ID: RHSA-2012:1289-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1289.html Issue date: 2012-09-18 CVE Names: CVE-2012-0547 CVE-2012-0551 CVE-2012-1682 CVE-2012-1713 CVE-2012-1716 CVE-2012-1717 CVE-2012-1719 CVE-2012-1721 CVE-2012-1722 CVE-2012-1725 CVE-2012-1726 CVE-2012-3136 CVE-2012-4681 ===================================================================== 1. Summary: Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2012-0547, CVE-2012-0551, CVE-2012-1682, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725, CVE-2012-1726, CVE-2012-3136, CVE-2012-4681) All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR2 release. All running instances of IBM Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 829358 - CVE-2012-1717 OpenJDK: insecure temporary file permissions (JRE, 7143606) 829360 - CVE-2012-1716 OpenJDK: SynthLookAndFeel application context bypass (Swing, 7143614) 829361 - CVE-2012-1713 OpenJDK: fontmanager layout lookup code memory corruption (2D, 7143617) 829371 - CVE-2012-1719 OpenJDK: mutable repository identifiers in generated stub code (CORBA, 7143851) 829376 - CVE-2012-1725 OpenJDK: insufficient invokespecial <init> verification (HotSpot, 7160757) 829377 - CVE-2012-1726 OpenJDK: java.lang.invoke.MethodHandles.Lookup does not honor access modes (Libraries, 7165628) 831353 - CVE-2012-1721 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment) 831354 - CVE-2012-1722 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment) 831355 - CVE-2012-0551 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment) 852051 - CVE-2012-4681 OpenJDK: beans insufficient permission checks, Java 7 0day (beans, 7162473) 853097 - CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476) 853138 - CVE-2012-3136 OpenJDK: beans MethodElementHandler insufficient permission checks (beans, 7194567) 853228 - CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-jdbc-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-plugin-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.i686.rpm x86_64: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-jdbc-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-plugin-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-jdbc-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-plugin-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.i686.rpm ppc64: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.ppc64.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.ppc64.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.ppc64.rpm java-1.7.0-ibm-jdbc-1.7.0.2.0-1jpp.3.el6_3.ppc64.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.ppc64.rpm s390x: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.s390x.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.s390x.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.s390x.rpm java-1.7.0-ibm-jdbc-1.7.0.2.0-1jpp.3.el6_3.s390x.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.s390x.rpm x86_64: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-jdbc-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-plugin-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-jdbc-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-plugin-1.7.0.2.0-1jpp.3.el6_3.i686.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.i686.rpm x86_64: java-1.7.0-ibm-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-demo-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-devel-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-jdbc-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-plugin-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm java-1.7.0-ibm-src-1.7.0.2.0-1jpp.3.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0547.html https://www.redhat.com/security/data/cve/CVE-2012-0551.html https://www.redhat.com/security/data/cve/CVE-2012-1682.html https://www.redhat.com/security/data/cve/CVE-2012-1713.html https://www.redhat.com/security/data/cve/CVE-2012-1716.html https://www.redhat.com/security/data/cve/CVE-2012-1717.html https://www.redhat.com/security/data/cve/CVE-2012-1719.html https://www.redhat.com/security/data/cve/CVE-2012-1721.html https://www.redhat.com/security/data/cve/CVE-2012-1722.html https://www.redhat.com/security/data/cve/CVE-2012-1725.html https://www.redhat.com/security/data/cve/CVE-2012-1726.html https://www.redhat.com/security/data/cve/CVE-2012-3136.html https://www.redhat.com/security/data/cve/CVE-2012-4681.html https://access.redhat.com/security/updates/classification/#critical https://www.ibm.com/developerworks/java/jdk/alerts/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQWPtvXlSAg2UNWIIRAjubAJ9aWLiD24KwCpPXVoVavMOB69e9AACeIDJA 8OG2piuC4TOxhny9zXTzdXQ= =XCmb -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Content-Disposition: inline ==========================================================================Ubuntu Security Notice USN-1505-2 August 30, 2012 icedtea-web regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 Summary: USN 1505-1 introduced a regression in the IcedTea-Web Java web browser plugin that prevented it from working with the Chromium web browser. Software Description: - icedtea-web: A web browser plugin to execute Java applets Details: USN-1505-1 fixed vulnerabilities in OpenJDK 6. As part of the update, IcedTea-Web packages were upgraded to a new version. That upgrade introduced a regression which prevented the IcedTea-Web plugin from working with the Chromium web browser in Ubuntu 11.04 and Ubuntu 11.10. We apologize for the inconvenience. Original advisory details: It was discovered that multiple flaws existed in the CORBA (Common Object Request Broker Architecture) implementation in OpenJDK. An attacker could create a Java application or applet that used these flaws to bypass Java sandbox restrictions or modify immutable object data. (CVE-2012-1711, CVE-2012-1719) It was discovered that multiple flaws existed in the OpenJDK font manager's layout lookup implementation. A attacker could specially craft a font file that could cause a denial of service through crashing the JVM (Java Virtual Machine) or possibly execute arbitrary code. (CVE-2012-1713) It was discovered that the SynthLookAndFeel class from Swing in OpenJDK did not properly prevent access to certain UI elements from outside the current application context. An attacker could create a Java application or applet that used this flaw to cause a denial of service through crashing the JVM or bypass Java sandbox restrictions. (CVE-2012-1716) It was discovered that OpenJDK runtime library classes could create temporary files with insecure permissions. A local attacker could use this to gain access to sensitive information. (CVE-2012-1717) It was discovered that OpenJDK did not handle CRLs (Certificate Revocation Lists) properly. A remote attacker could use this to gain access to sensitive information. (CVE-2012-1718) It was discovered that the OpenJDK HotSpot Virtual Machine did not properly verify the bytecode of the class to be executed. A remote attacker could create a Java application or applet that used this to cause a denial of service through crashing the JVM or bypass Java sandbox restrictions. (CVE-2012-1723, CVE-2012-1725) It was discovered that the OpenJDK XML (Extensible Markup Language) parser did not properly handle some XML documents. An attacker could create an XML document that caused a denial of service in a Java application or applet parsing the document. (CVE-2012-1724) As part of this update, the IcedTea web browser applet plugin was updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: icedtea-6-plugin 1.2-2ubuntu0.11.10.3 Ubuntu 11.04: icedtea-6-plugin 1.2-2ubuntu0.11.04.3 After a standard system update you need to restart your web browser to make all the necessary changes. - -- Vendor Response: Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.ht ml - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Chris Ries - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product

AFFECTED PRODUCTS