VARIoT IoT vulnerabilities database

Buffer overflow in Image RAW in Apple Mac OS X 10.5.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted NEF image. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. The following are vulnerable: Mac OS X 10.5.8 Mac OS X Server 10.5.8 NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Viewing a specially crafted NEF graphic may lead to an unexpected application termination or arbitrary code execution

Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 (JPEG2000) image, related to incorrect calculation and the CGImageReadGetBytesAtOffset function. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the Apple ImageIO framework during the parsing of malformed JPEG2000 files. The function CGImageReadGetBytesAtOffset can utilize miscalculated values during a memmove operation that will result in an exploitable heap corruption allowing attackers to execute arbitrary code under the context of the current user. The following are vulnerable: Mac OS X 10.5.8 Mac OS X Server 10.5.8 Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4077 -- Disclosure Timeline: 2010-02-02 - Vulnerability reported to vendor 2010-04-05 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * 85319bb6e6ab398b334509c50afce5259d42756e -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Multiple stack-based buffer overflows in iChat Server in Apple Mac OS X Server before 10.6.3 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. Successful exploits may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. The following are vulnerable: Mac OS X Server 10.5.8 Mac OS X Server 10.6 prior to 10.6.3 NOTE: These issues were previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but have been assigned their own record to better document them

Use-after-free vulnerability in iChat Server in Apple Mac OS X Server 10.5.8 allows remote authenticated users to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. Successful exploits may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

iChat Server in Apple Mac OS X Server before 10.6.3, when group chat is used, does not perform logging for all types of messages, which might allow remote attackers to avoid message auditing via an unspecified selection of message type. Remote attackers can exploit this issue to send messages which are not logged. This may aid in further attacks. The following are vulnerable: Mac OS X Server 10.5.8 Mac OS X Server 10.6 prior to 10.6.3 NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

Event Monitor in Apple Mac OS X before 10.6.3 does not properly validate hostnames of SSH clients, which allows remote attackers to cause a denial of service (arbitrary client blacklisting) via a crafted DNS PTR record, related to a "plist injection issue.". Apple Mac OS X is prone to a remote denial-of-service vulnerability because it fails to properly sanitize user-supplied input. Successful exploits may allow attackers to add arbitrary systems to the firewall blacklist, resulting in denial-of-service conditions. The following are vulnerable: Mac OS X 10.5.8 Mac OS X Server 10.5.8 Mac OS X 10.6 through 10.6.2 Mac OS X Server 10.6 through 10.6.2 NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

Directory traversal vulnerability in FTP Server in Apple Mac OS X Server before 10.6.3 allows remote authenticated users to read arbitrary files via crafted filenames. An attacker can exploit this issue to gain access to files that are outside the FTP root directory. Successful exploits may lead to other attacks. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

Directory Services in Apple Mac OS X before 10.6.3 does not properly perform authorization during processing of record names, which allows local users to gain privileges via unspecified vectors. Successful exploits can allow attackers to execute arbitrary code with system-level privileges, resulting in the complete compromise of the affected computer. The following are vulnerable: Mac OS X 10.5.8 Mac OS X Server 10.5.8 Mac OS X 10.6 through 10.6.2 Mac OS X Server 10.6 through 10.6.2 NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

The default configuration of the FreeRADIUS server in Apple Mac OS X Server before 10.6.3 permits EAP-TLS authenticated connections on the basis of an arbitrary client certificate, which allows remote attackers to obtain network connectivity via a crafted RADIUS Access Request message. Apple Mac OS X is prone to an authentication-bypass vulnerability that exists in the FreeRADIUS component. An attacker can exploit this issue to gain unauthorized network access. Successfully exploiting this issue may lead to further attacks. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. A remote attacker can use EAP-TLS authentication with any valid certificate and connect to a network using FreeRADIUS for authentication

Server Admin in Apple Mac OS X Server before 10.6.3 does not properly enforce authentication for directory binding, which allows remote attackers to obtain potentially sensitive information from Open Directory via unspecified LDAP requests. Remote attackers can exploit this issue to gain anonymous access to Open Directory data, possibly accessing sensitive information. This may aid in further attacks. The following are vulnerable: Mac OS X Server 10.5.8 Mac OS X Server 10.6 prior to 10.6.3 NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

Heap-based buffer overflow in QuickTimeAuthoring.qtx in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FLC file, related to crafted DELTA_FLI chunks and untrusted length values in a .fli file, which are not properly handled during decompression. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within QuickTimeAuthoring.qtx during the parsing of DELTA_FLI chunks stored within a malformed .fli file. The applications trusts a user-supplied length for decompression which can be modified to copy more data than necessary leading to a buffer overflow. Successful exploitation can lead to code execution under the context of the current user. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability because it fails to sufficiently validate user-supplied data when parsing FLC encoded '.fli' movie files. The following are vulnerable: Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 QuickTime 7 prior to 7.6.6 on Mac OS X 10.5.8 and Microsoft Windows XP, Vista, and 7. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. -- Vendor Response: Apple states: http://support.apple.com/kb/HT4104 http://support.apple.com/kb/HT4070 -- Disclosure Timeline: 2009-11-06 - Vulnerability reported to vendor 2010-04-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Moritz Jodeit of n.runs AG * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . BACKGROUND --------------------- "Apple QuickTime is software that allows Mac and Windows users to play back audio and video on their computers. But taking a deeper look, QuickTime is many things: a file format, an environment for media authoring and a suite of applications" from Apple.com II. DESCRIPTION --------------------- VUPEN Vulnerability Research Team discovered a vulnerability in Apple Quicktime. III. AFFECTED PRODUCTS -------------------------------- Apple QuickTime versions prior to 7.6.6 IV. Exploits - PoCs & Binary Analysis ---------------------------------------- In-depth binary analysis of the vulnerability and an exploit code have been released by VUPEN through the VUPEN Binary Analysis & Exploits Service : http://www.vupen.com/exploits V. SOLUTION ---------------- Upgrade to Apple QuickTime version 7.6.6 : http://www.apple.com/quicktime/download/ VI. CREDIT -------------- The vulnerability was discovered by Nicolas Joly of VUPEN Security VII. ABOUT VUPEN Security --------------------------------- VUPEN is a leading IT security research company providing vulnerability management and security intelligence solutions which enable enterprises and institutions to eliminate vulnerabilities before they can be exploited, ensure security policy compliance and meaningfully measure and manage risks. Governmental and federal agencies, and global enterprises in the financial services, insurance, manufacturing and technology industries rely on VUPEN to improve their security, prioritize resources, cut time and costs, and stay ahead of the latest threats. * VUPEN Vulnerability Notification Service: http://www.vupen.com/english/services * VUPEN Binary Analysis & Exploits Service : http://www.vupen.com/exploits VIII. REFERENCES ---------------------- http://www.vupen.com/english/advisories/2010/0746 http://support.apple.com/kb/HT4104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0520 IX. DISCLOSURE TIMELINE ----------------------------------- 2009-05-28 - Vendor notified 2009-05-28 - Vendor response 2009-07-18 - Status update received 2009-10-30 - Status update received 2010-01-07 - Status update received 2010-03-11 - Status update received 2010-03-31 - Coordinated public Disclosure

Integer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a FlashPix image with a malformed SubImage Header Stream containing a NumberOfTiles field with a large value. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists during the parsing of a malformed SubImage Header Stream from a malicious FlashPix image. The application takes the NumberOfTiles field from this data structure, multiplies it by 16, and then uses it in an allocation. If this result is larger than 32-bits the value will wrap leading to an under-allocated buffer. Later when the application copies data into this buffer, a buffer overflow will occur leading to code execution within the context of the application. Apple QuickTime is prone to an integer-overflow vulnerability when parsing FlashPix encoded files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. The following are vulnerable: Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 QuickTime 7 prior to 7.6.6 on Mac OS X 10.5.8 and Microsoft Windows XP, Vista, and 7. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. An integer overflow vulnerability exists in the handling of FlashPix-encoded movie files in QuickTime versions prior to Apple Mac OS 10.6.3. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4104 -- Disclosure Timeline: 2009-10-27 - Vulnerability reported to vendor 2010-04-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with Sorenson encoding. Apple QuickTime is prone to a remote code-execution vulnerability because it fails to sufficiently validate user-supplied data when viewing Sorenson-encoded movie files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. The following are vulnerable: Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 QuickTime 7 prior to 7.6.6 on Mac OS X 10.5.8 and Microsoft Windows XP, Vista, and 7. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with RLE encoding, which triggers memory corruption when the length of decompressed data exceeds that of the allocated heap chunk. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists during the parsing of samples from a malformed .mov file utilizing the RLE codec. While decoding RLE data, the application will fail to validate the size when decompressing the data into a heap chunk. If the length is larger than the size of the chunk allocated, then a memory corruption will occur which can lead to code execution under the context of the currently logged in user. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability because it fails to sufficiently validate user-supplied data when viewing RLE-encoded movie files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. The following are vulnerable: Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 QuickTime 7 prior to 7.6.6 on Mac OS X 10.5.8 and Microsoft Windows XP, Vista, and 7. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. -- Vendor Response: -- Disclosure Timeline: 2009-08-10 - Vulnerability reported to vendor 2010-04-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with M-JPEG encoding, which causes QuickTime to calculate a buffer size using height and width fields, but to use a different field to control the length of a copy operation. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists during the parsing of compressed mjpeg data from a malformed .mov file. The application will utilize the width and height fields in the file for calculating the size of a heap buffer. When copying into this buffer, the application will use a different field in the file to determine when to stop copying. If the first calculated length is smaller than the one used for decompression, a memory corruption will occur which can result in code execution under the context of the current user. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability because it fails to sufficiently validate user-supplied data when parsing M-JPEG data in '.mov' movie files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. The following are vulnerable: Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 QuickTime 7 prior to 7.6.6 on Mac OS X 10.5.8 and Microsoft Windows XP, Vista, and 7. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4077 -- Disclosure Timeline: 2009-07-14 - Vulnerability reported to vendor 2010-04-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Damian Put * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with H.264 encoding. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists during the parsing of samples from a malformed MOV file utilizing the H.264 codec. While parsing data to render the stream, the application will miscalculate a length that is used to initialize a heap chunk that was allocated in a header. If the length is larger than the size of the chunk allocated, then a memory corruption will occur which can lead to code execution under the context of the application. Apple QuickTime is prone to a remote code-execution vulnerability because it fails to sufficiently validate user-supplied data when viewing H.264 movie files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. The following are vulnerable: Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 QuickTime 7 prior to 7.6.6 on Mac OS X 10.5.8 and Microsoft Windows XP, Vista, and 7. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. -- Vendor Response: Apple states: Fixed in QuickTime 7.6.6 http://support.apple.com/kb/HT4104 -- Disclosure Timeline: 2009-12-04 - Vulnerability reported to vendor 2010-11-09 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with H.261 encoding. Apple QuickTime is prone to a remote heap-based buffer-overflow vulnerability because it fails to sufficiently validate user-supplied data when viewing H.261 encoded movie files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. The following are vulnerable: Mac OS X 10.6 prior to 10.6.3 Mac OS X Server 10.6 prior to 10.6.3 QuickTime 7 prior to 7.6.6 on Mac OS X 10.5.8 and Microsoft Windows XP, Vista, and 7. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Viewing a specially crafted movie file may result in an unexpected application termination or arbitrary code execution

Podcast Producer in Apple Mac OS X 10.6 before 10.6.3 deletes the access restrictions of a Podcast Composer workflow when this workflow is overwritten, which allows attackers to access a workflow via unspecified vectors. Versions of Mac OS X Server 10.6 through 10.6.2 are vulnerable. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

The Accounts Preferences implementation in Apple Mac OS X 10.6 before 10.6.3, when a network account server is used, does not support Login Window access control that is based solely on group membership, which allows attackers to bypass intended access restrictions by entering login credentials. .An attacker could bypass access restrictions by entering login credentials. Apple Mac OS X is prone to an authentication-bypass vulnerability that affects the Preferences component. An attacker can exploit this issue to gain unauthorized access to the affected computer. Succesful exploits may lead to other attacks. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it

Password Server in Apple Mac OS X Server before 10.6.3 does not properly perform password replication, which might allow remote authenticated users to obtain login access via an expired password. Remote attackers can exploit this issue to gain unauthorized access to the affected computer by using outdated passwords. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. It may not have copied the password when processing replication, and a remote attacker could use an expired password to log into the system