VARIoT IoT vulnerabilities database

ABBS is an architectural portal. ABBS Electronic Flash Cards has a buffer overflow vulnerability that allows an attacker to exploit a vulnerability message for a malicious attack

ABBS is an architectural portal. ABBS Audio Media Player has a buffer overflow vulnerability that allows an attacker to exploit a vulnerability message for a malicious attack

TCPUploadServer.exe in Progea Movicon 11.2 before Build 1084 does not require authentication for critical functions, which allows remote attackers to obtain sensitive information, delete files, execute arbitrary programs, or cause a denial of service (crash) via a crafted packet to TCP port 10651. Progea Movicon is a new generation of automated monitoring software. A vulnerability exists in TCPUploadServer.exe provided by Progea Movicon that allows remote unauthenticated hosts to execute arbitrary commands on the server. The attacker sends a specially crafted message to the server TCP port 10651, which allows the system to respond to the OS version and driver information. In addition, an attacker sending a specially crafted message can cause the file to be deleted or the server to crash. Progea Movicon is prone to a security-bypass vulnerability. An attacker can exploit this issue to perform unauthorized actions, obtain sensitive information, and cause denial-of-service conditions. Versions prior to Movicon 11.2 Build 1084 are vulnerable

SAP Crystal Reports Server is a complete reporting solution for creating, managing, and delivering reports through the web or embedded enterprise applications. There is an input validation error in SAP Crystal Reports Server. The input passed to aa-open-inlist.jsp via the \"url\", \"sWindow\", \"BEGIN_DATE\", \"END_DATE\", \"CURRENT_DATE\" and \"CURRENT_SLICE\" parameters is missing before returning to the user. Filtering can lead to cross-site scripting attacks

Trend Micro WebReputation API technology can be used to prevent clients from accessing suspicious web sites. The Trend Micro WebReputation API has a security bypass vulnerability that allows an attacker to bypass the filters contained in the download mechanism and successfully exploit the vulnerability to allow target users to download malicious files to the system. Trend Micro WebReputation API is prone to a security-bypass vulnerability. Successful exploits may cause victims to download malicious files onto affected computers. This issue affects WebReputation API 10.5; other versions may also be vulnerable

Multiple untrusted search path vulnerabilities in (1) SAPGui.exe and (2) BExAnalyzer.exe in SAP GUI 6.4 through 7.2 allow local users to gain privileges via a Trojan horse MFC80LOC.DLL file in the current working directory, as demonstrated by a directory that contains a .sap file. NOTE: some of these details are obtained from third party information. SAP GUI of (1) SAPGui.exe Or (2) BExAnalyzer.exe Contains a vulnerability that allows it to get permission due to a flaw in search path processing. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. MFC80LOC.DLL It may be possible to get permission through the file. The SAP GUI is a graphical user interface client for SAP software. SAP GUI applications (such as SAPGui.exe and BExAnalyzer.exe) load libraries (such as MFC80LOC.DLL) in an unsafe manner, and an attacker can entice a user to open an SAP GUI shortcut on a remote WebDAV or SMB share (\".sap\" A file that causes arbitrary code to be executed in the login user security context. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. SAP GUI versions 6.4 through 7.2 are vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: SAP GUI Insecure Library Loading Vulnerability SECUNIA ADVISORY ID: SA43707 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43707/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43707 RELEASE DATE: 2011-03-16 DISCUSS ADVISORY: http://secunia.com/advisories/43707/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43707/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43707 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in SAP GUI, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the application (e.g SAPGui.exe and BExAnalyzer.exe) loading libraries (e.g. MFC80LOC.DLL) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into e.g. Successful exploitation allows execution of arbitrary code. SOLUTION: Apply fixes (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Alexey Sintsov and Alexandr Polyakov, Digital Security Research Group (DSecRG) ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1511179 Digital Security Research Group (DSECRG-11-014): http://dsecrg.com/pages/vul/show.php?id=314 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. SAP NetWeaver has input validation errors. Passing the \"logger\" parameter to the ViewLogger.jsp and \"class\" parameters passed to the ShowMemLog servlet. Inputs are missing before use, which can result in injecting arbitrary HTML and script code when the malicious data is viewed. Executed on the user's browser. The input of the \"logonUrl\" parameter is missing filtering before returning to the user, which can lead to cross-site scripting attacks. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: SAP NetWeaver Cross-Site Scripting and Script Insertion Vulnerabilities SECUNIA ADVISORY ID: SA43737 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43737/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43737 RELEASE DATE: 2011-03-14 DISCUSS ADVISORY: http://secunia.com/advisories/43737/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43737/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43737 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in SAP NetWeaver, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks. SOLUTION: Apply fixes (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) Dmitriy Evdokimov, Digital Security Research Group (DSecRG) 2) Alexey Sintsov, Digital Security Research Group (DSecRG) ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1438191 https://service.sap.com/sap/support/notes/1450270 https://service.sap.com/sap/support/notes/1512776 Digital Security Research Group (DSECRG-11-009, DSECRG-11-010, DSECRG-11-012, DSECRG-11-013): http://dsecrg.com/pages/vul/show.php?id=309 http://dsecrg.com/pages/vul/show.php?id=310 http://dsecrg.com/pages/vul/show.php?id=312 http://dsecrg.com/pages/vul/show.php?id=313 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Adobe Flash Player 10.2.154.13 and earlier on Windows, Mac OS X, Linux, and Solaris; 10.1.106.16 and earlier on Android; Adobe AIR 2.5.1 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.2 and 10.x through 10.0.1 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, as demonstrated by a .swf file embedded in an Excel spreadsheet, and as exploited in the wild in March 2011. Adobe Flash contains an arbitrary code execution vulnerability. Adobe Flash contains a memory corruption vulnerability that may lead to arbitrary code execution. Attacks leveraging this vulnerability have been confirmed.Crafted Flash Viewing a document with embedded content may lead to arbitrary code execution. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Both Adobe Reader and Acrobat are products of the American company Adobe. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Adobe Flash Player Unspecified Code Execution Vulnerability SECUNIA ADVISORY ID: SA43751 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43751/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43751 RELEASE DATE: 2011-03-16 DISCUSS ADVISORY: http://secunia.com/advisories/43751/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43751/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43751 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an unspecified error. Further information is currently not available. The vulnerability is reported in versions 10.2.152.33 and prior for Windows, Macintosh, Linux, and Solaris, versions 10.2.154.18 and prior for Chrome, and versions 10.1.106.16 and prior for Android. NOTE: The vulnerability is reportedly being actively exploited. SOLUTION: Adobe plans to release a fixed version during the week of March 21, 2011. PROVIDED AND/OR DISCOVERED BY: Reported as a 0-day. ORIGINAL ADVISORY: http://www.adobe.com/support/security/advisories/apsa11-01.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . For more information: SA43751 SOLUTION: Do not browse untrusted sites. ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. For more information: SA43751 SOLUTION: Updated packages are available via Red Hat Network. SOLUTION: Delete, rename, or remove access to authplay.dll to prevent running SWF content in PDF files. Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers and Adobe Security Advisories and Bulletins referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10" References ========== [ 1 ] APSA11-01 http://www.adobe.com/support/security/advisories/apsa11-01.html [ 2 ] APSA11-02 http://www.adobe.com/support/security/advisories/apsa11-02.html [ 3 ] APSB11-02 http://www.adobe.com/support/security/bulletins/apsb11-02.html [ 4 ] APSB11-12 http://www.adobe.com/support/security/bulletins/apsb11-12.html [ 5 ] APSB11-13 http://www.adobe.com/support/security/bulletins/apsb11-13.html [ 6 ] APSB11-21 https://www.adobe.com/support/security/bulletins/apsb11-21.html [ 7 ] APSB11-26 https://www.adobe.com/support/security/bulletins/apsb11-26.html [ 8 ] CVE-2011-0558 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558 [ 9 ] CVE-2011-0559 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559 [ 10 ] CVE-2011-0560 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560 [ 11 ] CVE-2011-0561 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561 [ 12 ] CVE-2011-0571 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571 [ 13 ] CVE-2011-0572 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572 [ 14 ] CVE-2011-0573 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573 [ 15 ] CVE-2011-0574 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574 [ 16 ] CVE-2011-0575 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575 [ 17 ] CVE-2011-0577 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577 [ 18 ] CVE-2011-0578 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578 [ 19 ] CVE-2011-0579 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579 [ 20 ] CVE-2011-0589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589 [ 21 ] CVE-2011-0607 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607 [ 22 ] CVE-2011-0608 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608 [ 23 ] CVE-2011-0609 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609 [ 24 ] CVE-2011-0611 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611 [ 25 ] CVE-2011-0618 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618 [ 26 ] CVE-2011-0619 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619 [ 27 ] CVE-2011-0620 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620 [ 28 ] CVE-2011-0621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621 [ 29 ] CVE-2011-0622 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622 [ 30 ] CVE-2011-0623 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623 [ 31 ] CVE-2011-0624 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624 [ 32 ] CVE-2011-0625 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625 [ 33 ] CVE-2011-0626 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626 [ 34 ] CVE-2011-0627 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627 [ 35 ] CVE-2011-0628 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628 [ 36 ] CVE-2011-2107 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107 [ 37 ] CVE-2011-2110 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110 [ 38 ] CVE-2011-2125 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135 [ 39 ] CVE-2011-2130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130 [ 40 ] CVE-2011-2134 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134 [ 41 ] CVE-2011-2136 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136 [ 42 ] CVE-2011-2137 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137 [ 43 ] CVE-2011-2138 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138 [ 44 ] CVE-2011-2139 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139 [ 45 ] CVE-2011-2140 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140 [ 46 ] CVE-2011-2414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414 [ 47 ] CVE-2011-2415 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415 [ 48 ] CVE-2011-2416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416 [ 49 ] CVE-2011-2417 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417 [ 50 ] CVE-2011-2424 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424 [ 51 ] CVE-2011-2425 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425 [ 52 ] CVE-2011-2426 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426 [ 53 ] CVE-2011-2427 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427 [ 54 ] CVE-2011-2428 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428 [ 55 ] CVE-2011-2429 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429 [ 56 ] CVE-2011-2430 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430 [ 57 ] CVE-2011-2444 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-11.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Comtrend CT-5367 ADSL Router is an ADSL router. Since the device allows unauthenticated access to the \"password.cgi\" script, a remote attacker can gain access to the device by submitting a specially crafted HTTP request, changing the administrator password. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Comtrend CT-5367 "password.cgi" Security Bypass Vulnerability SECUNIA ADVISORY ID: SA43653 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43653/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43653 RELEASE DATE: 2011-03-11 DISCUSS ADVISORY: http://secunia.com/advisories/43653/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43653/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43653 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Comtrend CT-5367, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to the device allowing unrestricted access to the "password.cgi" script. This can be exploited to e.g. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: Todor Donev OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Research In Motion (RIM) BlackBerry Torch 9800 with firmware 6.0.0.246 allows attackers to read the contents of memory locations via unknown vectors, as demonstrated by Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann during a Pwn2Own competition at CanSecWest 2011. Blackberry Torch 9800 is prone to a remote security vulnerability. This vulnerability has been demonstrated by Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann in the Pwn2Own hacking contest at CanSecWest 2011

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-1290. Reason: This candidate is a duplicate of CVE-2011-1290. Notes: All CVE users should reference CVE-2011-1290 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. An integer overflow vulnerability exists in WebKit in Research In Motion (RIM) BlackBerry Torch 9800 with firmware version 6.0.0.246. A remote attacker can execute arbitrary code with the help of an unknown vector. This vulnerability has been demonstrated by Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann in the Pwn2Own hacking contest at CanSecWest 2011

WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle redirects in conjunction with HTTP Basic Authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43698 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43698/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43698 RELEASE DATE: 2011-03-11 DISCUSS ADVISORY: http://secunia.com/advisories/43698/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43698/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43698 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting and spoofing attacks, cause a DoS (Denial of Service), and compromise a vulnerable device. For more information: SA43582 1) An error in the WebKit component when handling regular expressions can be exploited to corrupt memory. For more information see vulnerability #14: SA40664 2) An error in the FreeType library when processing TrueType fonts can be exploited to cause a heap-based buffer overflow. This may be related to: SA40110 4) Two errors in the WebKit component when handling Cascading Style Sheets (CSS) and cached resources. For more information see vulnerabilities #2 and #3: SA43696 5) An unspecified error in the WebKit component can be exploited to corrupt memory. 6) A weakness in MobileSafari when being re-opened after another application is launched via a URL handler can be exploited to prevent the browser from being used. 7) A boundary error when handling Wi-Fi frames can be exploited to cause a device to restart. The vulnerabilities are reported in versions prior to 4.3. SOLUTION: Update to version 4.3. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 1-4) Reported by the vendor The vendor also credits: 5) Benoit Jacob, Mozilla 6) Nitesh Dhanjani, Ernst & Young LLP 7) Scott Boyd, ePlus Technology, Inc. ORIGINAL ADVISORY: http://support.apple.com/kb/HT4564 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Integer overflow in WebKit, as used on the Research In Motion (RIM) BlackBerry Torch 9800 with firmware 6.0.0.246, in Google Chrome before 10.0.648.133, and in Apple Safari before 5.0.5, allows remote attackers to execute arbitrary code via unknown vectors related to CSS "style handling," nodesets, and a length value, as demonstrated by Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann during a Pwn2Own competition at CanSecWest 2011. WebKit Is CSS There is a flaw in the handling of styles, node sets, and length values that could allow arbitrary code execution.Skillfully crafted by a third party Web Through the site, you may get important information on the heap memory address. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the WebKit library's implementation of a CSS style. When totaling the length of it's string elements, the library will store the result into a 32bit integer. This value will be used for an allocation and then later will be used to initialize the allocated buffer. Due to the number of elements being totaled being variable, this will allow an aggressor to provide as many elements as necessary in order to cause the integer value to wrap causing an under-allocation. Initialization of this data will then cause a heap-based buffer overflow. This can lead to code execution under the context of the application. WebKit is prone to a memory-corruption vulnerability. An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious webpage. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 46833 (Blackberry Browser Multiple Unspecified Information Disclosure and Integer Overflow Vulnerabilities), but has been given its own record to better document it. Google Chrome is a web browser developed by Google (Google). This vulnerability has been demonstrated by Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann in the Pwn2Own hacking contest at CanSecWest 2011. ZDI-11-104: (Pwn2Own) Webkit CSS Text Element Count Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-104 April 14, 2011 -- CVE ID: CVE-2011-1290 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: WebKit -- Affected Products: WebKit WebKit -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11087. -- Vendor Response: Apple patch on April 14, 2011: http://support.apple.com/kb/HT4606 http://support.apple.com/kb/HT4607 http://support.apple.com/kb/HT4596 -- Disclosure Timeline: 2011-03-31 - Vulnerability reported to vendor 2011-04-14 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous * Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi . Gents, If you are a lucky BlackBerry owner, or an administrator of many BB devices, you can do a quick security check of your smartphone(s), by browsing this web page from your device (free quick check): http://tehtris.com/bbcheck For now, this will check for you if you are potentially vulnerable against those exploits: -> Nov 2007 - US-CERT Advisory VU#282856 - Exploit from Michael Kemp http://www.blackberry.com/btsc/KB12577 -> Jan 2011 - CVE-2010-2599 - Exploit found by TEHTRI-Security http://www.blackberry.com/btsc/KB24841 -> Mar 2011 - CVE-2011-1290 - Awesome Pwn2own/CSW exploit from Vincenzo Iozzo, Ralf Philipp Weinmann, and Willem Pinckaers A workaround for this latest vulnerability (CVE-2011-1290) could be to disable JavaScript, as explained on RIM resources. You should definitely read this: http://www.blackberry.com/btsc/KB26132 Have a nice day, Laurent OUDOT, CEO TEHTRI-Security -- "This is not a game" http://www.tehtri-security.com/ Follow us: @tehtris => Join us for more hacking tricks during next awesome events: - SyScan Singapore (April) -- Training: "Advanced PHP Hacking" http://www.syscan.org/index.php/sg/training - HITB Amsterdam (May) -- Training: "Hunting Web Attackers" http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=16 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2192-1 security@debian.org http://www.debian.org/security/ Giuseppe Iuculano March 15, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium-browser Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-0779 CVE-2011-1290 Several vulnerabilities were discovered in the Chromium browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-0779 Google Chrome before 9.0.597.84 does not properly handle a missing key in an extension, which allows remote attackers to cause a denial of service (application crash) via a crafted extension. For the stable distribution (squeeze), these problems have been fixed in version 6.0.472.63~r59945-5+squeeze4 For the testing distribution (wheezy), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed version 10.0.648.133~r77742-1 We recommend that you upgrade your chromium-browser packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk1/lHMACgkQNxpp46476ao/EwCdFThT2dtAQ9HB8yza9Z4gIqV4 FeIAn3zISoa/86EhpLs5qjhMB9gQ6Oc0 =QJZP -----END PGP SIGNATURE-----

Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document with a crafted size field in the OfficeArtMetafileHeader, related to OfficeArtBlip, as demonstrated on the iPhone by Charlie Miller and Dion Blazakis during a Pwn2Own competition at CanSecWest 2011. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari on the iPhone. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the support for parsing Office files. When handling the OfficeArtMetafileHeader the process trusts the cbSize field and performs arithmetic on it before making an allocation. As the result is not checked for overflow, the subsequent allocation can be undersized. Later when copying into this buffer, memory can be corrupted leading to arbitrary code execution under the context of the mobile user on the iPhone. An attacker can exploit this issue by enticing an unsuspecting user into viewing a specially crafted website. Failed exploits will likely result in a denial-of-service condition. Apple iOS 4.3 and earlier are vulnerable. NOTE: Due to memory protections in place in iOS 4.3, code execution will be difficult. An integer overflow vulnerability exists in QuickLook used in MobileSafari in Apple Mac OS X versions prior to 10.6.7 and Apple iOS versions prior to 4.2.7, 4.3.2 and 4.3.x when parsing OfficeArtBlips. CVE-ID CVE-2011-1417 : Charlie Miller and Dion Blazakis working with TippingPoint's Zero Day Initiative Pages for iOS v1.5 is available for download via the App Store. To check the current version of software, select "Settings -> Pages -> Version". ---------------------------------------------------------------------- Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). Other versions may also be affected. SOLUTION: Do not browse untrusted websites. ---------------------------------------------------------------------- A step-by-step discussion of the latest Flash Player 0-day exploit: http://secunia.com/blog/210 ---------------------------------------------------------------------- TITLE: Apple iOS for iPhone 4 (CDMA) Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44154 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44154/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44154 RELEASE DATE: 2011-04-16 DISCUSS ADVISORY: http://secunia.com/advisories/44154/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44154/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44154 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities has been reported in Apple iOS for iPhone 4 (CDMA), which can be exploited by malicious people to compromise a vulnerable device. 1) A boundary error exists within QuickLook. For more information see vulnerability #29 in: SA43814 2) An integer overflow error exists within WebKit. For more information: SA43748 3) A use-after-free error exists within WebKit. The vulnerabilities are reported in iOS for iPhone 4 (CDMA) versions 4.2.5 through 4.2.6. SOLUTION: Update to iOS for iPhone 4 (CDMA) 4.2.7 (downloadable and installable via iTunes). PROVIDED AND/OR DISCOVERED BY: 1) Charlie Miller and Dion Blazakis via ZDI. 2) Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann via ZDI. 3) Vupen via ZDI. The vendor also credits Martin Barbella. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4607 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-109/ http://www.zerodayinitiative.com/advisories/ZDI-11-104/ http://www.zerodayinitiative.com/advisories/ZDI-11-135/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-07-20-2 iWork 9.1 Update iWork 9.1 Update is now available and addresses the following: Numbers Available for: iWork 9.0 through 9.0.5 Impact: Opening a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of Excel files. CVE-ID CVE-2010-3785 : Apple Numbers Available for: iWork 9.0 through 9.0.5 Impact: Opening a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of Excel files. CVE-ID CVE-2010-3786 : Tobias Klein, working with VeriSign iDefense Labs Pages Available for: iWork 9.0 through 9.0.5 Impact: Opening a maliciously crafted Microsoft Word document may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of Microsoft Word documents. CVE-ID CVE-2011-1417 : Charlie Miller and Dion Blazakis working with TippingPoint's Zero Day Initiative iWork 9.1 Update is available via the Apple Software Update application, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The download file is named: iWork9.1Update.dmg Its SHA-1 digest is: ecb38db74d7d1954cbcee9220c73dac85cace3e1 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iQEcBAEBAgAGBQJOKcGrAAoJEGnF2JsdZQeewcYH/RhHdLa6x14PX+ZTC+sm1Mjc W1xBpOxMuBpAx3Li6INXXLvMablTgPIs5e3pbtsV0RYtsJy99JdPySPI8bpQu0Si CVWuXXSBYy2gdTtRAf6MI3j+oOyM1JhE7GunLBWcmAzv5TxS8TRf0HtNErFEe8NA StV8QBWLErNyHxqjUQsIb5d1KbIbOysFQZy3O6pyZ6SRwr8tlIPKnY4KsaDYS5Ry tpv3lMysde5NqCy8BeOQEtW/WAmE7i9NCCNfU2L+OfGQOXIdXmKl7Orjj+d9l23L umGo9GCACvBVO1Ot6jKDlCW+ZuDRGuz+fhQnwOdyoqtwUwiNCsS6VIwuYYrcmxw= =wrny -----END PGP SIGNATURE----- . -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4581 -- Disclosure Timeline: 2011-03-09 - Vulnerability reported to vendor 2011-03-22 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Charlie Miller and Dion Blazakis -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

WebKit in Apple Safari before 5.0.4, when the Web Inspector is used, does not properly handle the window.console._inspectorCommandLineAPI property, which allows user-assisted remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. WebKit is prone to a cross-domain scripting vulnerability because it fails to properly enforce the same-origin policy. An attacker can exploit this issue to execute arbitrary code in the context of a different domain. Successful exploits may result in privilege escalation. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43696 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43696/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43696 RELEASE DATE: 2011-03-11 DISCUSS ADVISORY: http://secunia.com/advisories/43696/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43696/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43696 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting and spoofing attacks, and compromise a user's system. For more information: SA43582 1) An error in the WebKit component when handling redirects during HTTP Basic Authentication can be exploited to disclose the credentials to another site. This may be related to: SA40110 2) An error in the WebKit component when handling the Attr.style accessor can be exploited to inject an arbitrary Cascading Style Sheet (CSS) into another document. 3) A type checking error in the WebKit component when handling cached resources can be exploited to poison the cache and prevent certain resources from being requested. 4) An error in the WebKit component when handling HTML5 drag and drop operations across different origins can be exploited to disclose certain content to another site. 5) An error in the tracking of window origins within the WebKit component can be exploited to disclose the content of files to a remote server. 6) Input passed to the "window.console._inspectorCommandLineAPI" property while browsing using the Web Inspector is not properly sanitised before being returned to the user. The vulnerabilities are reported in versions prior to 5.0.4. SOLUTION: Update to version 5.0.4. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 2, 3, 6) Reported by the vendor. The vendor also credits: 1) McIntosh Cooey, Twelve Hundred Group 1) Harald Hanche-Olsen 1) Chuck Hohn, 1111 Internet LLC via CERT 1) Paul Hinze, Braintree 4) Michal Zalewski, Google Inc. 5) Aaron Sigel, vtty.com ORIGINAL ADVISORY: http://support.apple.com/kb/HT4566 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The windows functionality in WebKit in Apple Safari before 5.0.4 allows remote attackers to bypass the Same Origin Policy, and force the upload of arbitrary local files from a client computer, via a crafted web site. WebKit is prone to a cross-domain scripting vulnerability because it fails to properly enforce the same-origin policy. Successfully exploiting this issue will allow attackers to send the content of arbitrary files from the user's system to a remote server controlled by them. This results in disclosure of potentially sensitive information which may aid in further attacks. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. A vulnerability exists in a windows functionality in WebKit versions of Apple Safari prior to 5.0.4. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43696 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43696/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43696 RELEASE DATE: 2011-03-11 DISCUSS ADVISORY: http://secunia.com/advisories/43696/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43696/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43696 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting and spoofing attacks, and compromise a user's system. For more information: SA43582 1) An error in the WebKit component when handling redirects during HTTP Basic Authentication can be exploited to disclose the credentials to another site. This may be related to: SA40110 2) An error in the WebKit component when handling the Attr.style accessor can be exploited to inject an arbitrary Cascading Style Sheet (CSS) into another document. 3) A type checking error in the WebKit component when handling cached resources can be exploited to poison the cache and prevent certain resources from being requested. 4) An error in the WebKit component when handling HTML5 drag and drop operations across different origins can be exploited to disclose certain content to another site. 6) Input passed to the "window.console._inspectorCommandLineAPI" property while browsing using the Web Inspector is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in versions prior to 5.0.4. SOLUTION: Update to version 5.0.4. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 2, 3, 6) Reported by the vendor. The vendor also credits: 1) McIntosh Cooey, Twelve Hundred Group 1) Harald Hanche-Olsen 1) Chuck Hohn, 1111 Internet LLC via CERT 1) Paul Hinze, Braintree 4) Michal Zalewski, Google Inc. 5) Aaron Sigel, vtty.com ORIGINAL ADVISORY: http://support.apple.com/kb/HT4566 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Wi-Fi in Apple iOS before 4.3 and Apple TV before 4.2 does not properly perform bounds checking for Wi-Fi frames, which allows remote attackers to cause a denial of service (device reset) via unspecified traffic on the local wireless network. Apple iOS is the latest operating system that runs on Apple iPhone and iPod touch devices. Apple iOS has a boundary check error when processing Wi-Fi frames. When connected to WI-FI, an attacker on the same network segment can restart the device. Multiple Apple products are prone to a remote denial-of-service vulnerability when connected to a Wi-Fi network. This issue is related to insufficient bounds-checking on certain Wi-Fi frames. Attackers on the same network can exploit this issue to cause the affected device to reset, denying service to legitimate users

WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle the Attr.style accessor, which allows remote attackers to bypass the Same Origin Policy and inject Cascading Style Sheets (CSS) token sequences via a crafted web site. WebKit is prone to a cross-domain script-injection vulnerability. Successful exploits will allow attackers to execute arbitrary script code within the context of the affected application. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43698 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43698/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43698 RELEASE DATE: 2011-03-11 DISCUSS ADVISORY: http://secunia.com/advisories/43698/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43698/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43698 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting and spoofing attacks, cause a DoS (Denial of Service), and compromise a vulnerable device. For more information: SA43582 1) An error in the WebKit component when handling regular expressions can be exploited to corrupt memory. For more information see vulnerability #14: SA40664 2) An error in the FreeType library when processing TrueType fonts can be exploited to cause a heap-based buffer overflow. For more information see vulnerability #1: SA41738 3) An error in the WebKit component when handling redirects during HTTP Basic Authentication can be exploited to disclose the credentials to another site. For more information see vulnerabilities #2 and #3: SA43696 5) An unspecified error in the WebKit component can be exploited to corrupt memory. 6) A weakness in MobileSafari when being re-opened after another application is launched via a URL handler can be exploited to prevent the browser from being used. 7) A boundary error when handling Wi-Fi frames can be exploited to cause a device to restart. The vulnerabilities are reported in versions prior to 4.3. SOLUTION: Update to version 4.3. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 1-4) Reported by the vendor The vendor also credits: 5) Benoit Jacob, Mozilla 6) Nitesh Dhanjani, Ernst & Young LLP 7) Scott Boyd, ePlus Technology, Inc. ORIGINAL ADVISORY: http://support.apple.com/kb/HT4564 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

MobileSafari in Apple iOS before 4.3 does not properly implement application launching through URL handlers, which allows remote attackers to cause a denial of service (persistent application crash) via crafted JavaScript code. Apple Mobile Safari on iOS is prone to a denial-of-service vulnerability when handling specially crafted webpages. Attackers can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Successfully exploiting this issue will cause another arbitrary targeted application to launch while causing Mobile Safari to exit. Versions prior to iOS 4.3 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43698 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43698/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43698 RELEASE DATE: 2011-03-11 DISCUSS ADVISORY: http://secunia.com/advisories/43698/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43698/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43698 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting and spoofing attacks, cause a DoS (Denial of Service), and compromise a vulnerable device. For more information: SA43582 1) An error in the WebKit component when handling regular expressions can be exploited to corrupt memory. For more information see vulnerability #14: SA40664 2) An error in the FreeType library when processing TrueType fonts can be exploited to cause a heap-based buffer overflow. For more information see vulnerability #1: SA41738 3) An error in the WebKit component when handling redirects during HTTP Basic Authentication can be exploited to disclose the credentials to another site. This may be related to: SA40110 4) Two errors in the WebKit component when handling Cascading Style Sheets (CSS) and cached resources. For more information see vulnerabilities #2 and #3: SA43696 5) An unspecified error in the WebKit component can be exploited to corrupt memory. 6) A weakness in MobileSafari when being re-opened after another application is launched via a URL handler can be exploited to prevent the browser from being used. 7) A boundary error when handling Wi-Fi frames can be exploited to cause a device to restart. SOLUTION: Update to version 4.3. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 1-4) Reported by the vendor The vendor also credits: 5) Benoit Jacob, Mozilla 6) Nitesh Dhanjani, Ernst & Young LLP 7) Scott Boyd, ePlus Technology, Inc. ORIGINAL ADVISORY: http://support.apple.com/kb/HT4564 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Safari Settings feature in Safari in Apple iOS 4.x before 4.3 does not properly implement the clearing of cookies during execution of the Safari application, which might make it easier for remote web servers to track users by setting a cookie. This issue may allow websites to bypass certain security restrictions and gain access to potentially sensitive information. Versions prior to iOS 4.3 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43698 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43698/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43698 RELEASE DATE: 2011-03-11 DISCUSS ADVISORY: http://secunia.com/advisories/43698/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43698/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43698 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to disclose potentially sensitive information, conduct cross-site scripting and spoofing attacks, cause a DoS (Denial of Service), and compromise a vulnerable device. For more information: SA43582 1) An error in the WebKit component when handling regular expressions can be exploited to corrupt memory. For more information see vulnerability #14: SA40664 2) An error in the FreeType library when processing TrueType fonts can be exploited to cause a heap-based buffer overflow. For more information see vulnerability #1: SA41738 3) An error in the WebKit component when handling redirects during HTTP Basic Authentication can be exploited to disclose the credentials to another site. This may be related to: SA40110 4) Two errors in the WebKit component when handling Cascading Style Sheets (CSS) and cached resources. For more information see vulnerabilities #2 and #3: SA43696 5) An unspecified error in the WebKit component can be exploited to corrupt memory. 6) A weakness in MobileSafari when being re-opened after another application is launched via a URL handler can be exploited to prevent the browser from being used. 7) A boundary error when handling Wi-Fi frames can be exploited to cause a device to restart. SOLUTION: Update to version 4.3. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 1-4) Reported by the vendor The vendor also credits: 5) Benoit Jacob, Mozilla 6) Nitesh Dhanjani, Ernst & Young LLP 7) Scott Boyd, ePlus Technology, Inc. ORIGINAL ADVISORY: http://support.apple.com/kb/HT4564 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------