VARIoT IoT vulnerabilities database
| VAR-201012-0244 | CVE-2010-4383 | RealNetworks RealPlayer In RA5 Heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 12.0.0.1444, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to have an unspecified impact via a crafted RA5 file. RealNetworks RealPlayer Is RA5 A heap overflow vulnerability exists.Details of the impact of this vulnerability are unknown.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201012-0242 | CVE-2010-4381 | RealNetworks RealPlayer In AAC Heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 allows remote attackers to have an unspecified impact via a crafted AAC file. RealNetworks RealPlayer Is AAC A heap overflow vulnerability exists.Details of the impact of this vulnerability are unknown. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201012-0240 | CVE-2010-4379 | RealNetworks RealPlayer In SIPR Heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to have an unspecified impact via a crafted SIPR file. RealNetworks RealPlayer Is SIPR A heap overflow vulnerability exists.Details of the impact of this vulnerability are unknown.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. Remote attackers can use specially crafted SIPR files to cause unspecified effects. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201012-0224 | CVE-2010-4397 | RealNetworks RealPlayer of pnen3260.dll Module integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in the pnen3260.dll module in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a crafted TIT2 atom in an AAC file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in RealPlayer's pnen3260.dll module while parsing the TIT2 atom within AAC files. The code within this module does not account for a negative size during an allocation and later uses the value as unsigned within a copy loop. Real Networks RealPlayer is prone to an integer-overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. ZDI-10-269: RealNetworks RealPlayer AAC TIT2 Atom Integer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-269
December 10, 2010
-- CVE ID:
CVE-2010-4397
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8279.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201012-0204 | CVE-2010-2579 | RealNetworks RealPlayer of cook Codec arbitrary memory access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 does not properly initialize the number of channels, which allows attackers to obtain unspecified "memory access" via unknown vectors. Real Networks RealPlayer is prone to a memory-access vulnerability. Successful exploits may allow attackers to gain access to sensitive information, cause a denial-of-service condition or memory corruption. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"RealPlayer\xae SP lets you download video from thousands of Websites
\x96 free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to potentially compromise a
user's system.
======================================================================
6) Time Table
26/02/2010 - Vendor notified.
01/03/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-2579 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-14/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-201012-0015 | CVE-2010-0125 | RealNetworks RealPlayer of AAC Vulnerability in spectral data analysis processing |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 do not properly parse spectral data in AAC files, which has unspecified impact and remote attack vectors. Real Networks RealPlayer is prone to a memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"RealPlayer\xae SP lets you download video from thousands of Websites
\x96 free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to compromise a user's system.
======================================================================
6) Time Table
01/03/2010 - Vendor notified.
01/03/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0125 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-15/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-201012-0017 | CVE-2010-0121 | RealNetworks RealPlayer of cook Vulnerability in codec |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 does not properly perform initialization, which has unspecified impact and attack vectors. Real Networks RealPlayer is prone to a memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"RealPlayer\xae SP lets you download video from thousands of Websites
\x96 free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to potentially compromise a
user's system.
======================================================================
6) Time Table
24/02/2010 - Vendor notified.
25/02/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0121 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-9/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-201012-0368 | No CVE | D-Link DIR Router \"bsc_lan.php\" Secure Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
D-Link DIR is a wireless router for the SOHO series. The D-Link DIR implementation has an error that allows remote attackers to bypass security restrictions and modify device configuration. The device does not correctly restrict access to the \"bsc_lan.php\" script. Requests with \"NO_NEED_AUTH\" parameter \"1\" and \"AUTH_GROUP\" parameter \"0\" can directly access the management interface. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
D-Link DIR Routers "bsc_lan.php" Security Issue
SECUNIA ADVISORY ID:
SA42425
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42425/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42425
RELEASE DATE:
2010-12-07
DISCUSS ADVISORY:
http://secunia.com/advisories/42425/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42425/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42425
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Craig Heffner has reported a security issue in multiple D-Link DIR
routers, which can be exploited by malicious people to bypass certain
security restrictions and compromise a vulnerable device.
This may be related to vulnerability #5:
SA33692
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
PROVIDED AND/OR DISCOVERED BY:
Craig Heffner
ORIGINAL ADVISORY:
http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201209-0075 | CVE-2010-5269 | Intel Threading Building Blocks of tbb.dll Vulnerability gained in |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Untrusted search path vulnerability in tbb.dll in Intel Threading Building Blocks (TBB) 2.2.013 allows local users to gain privileges via a Trojan horse tbbmalloc.dll file in the current working directory, as demonstrated by a directory that contains a .pbk file. NOTE: some of these details are obtained from third party information. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. http://cwe.mitre.org/data/definitions/426.htmlA local user can create a Trojan horse in the current working directory. tbbmalloc.dll It may be possible to get permission through the file. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Intel Threading Building Blocks (TBB) Insecure Library Loading
Vulnerability
SECUNIA ADVISORY ID:
SA42506
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42506/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42506
RELEASE DATE:
2010-12-07
DISCUSS ADVISORY:
http://secunia.com/advisories/42506/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42506/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42506
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been discovered in Intel Threading Building
Blocks (TBB), which can be exploited by malicious people to
compromise a user's system.
The vulnerability is caused due to the "tbb.dll" loading libraries
(e.g. tbbmalloc.dll) in an insecure manner. This can be exploited to
load arbitrary libraries when an application using this library e.g.
opens a file located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 2.2.013. Other versions may
also be affected.
SOLUTION:
Upgrade to version 3.0.4.127.
PROVIDED AND/OR DISCOVERED BY:
Originally reported in a CORE IMPACT exploit module for Adobe Pixel
Bender Toolkit by Core Security Technologies.
Additional information provided by Secunia Research.
ORIGINAL ADVISORY:
http://www.coresecurity.com/content/adobe-pixel-bender-toolkit-tbbmalloc-dll-hijacking-exploit-10-5
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201012-0350 | CVE-2010-3920 | Vulnerability in Epson printer driver installer where access permissions are changed |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The Seiko Epson printer driver installers for LP-S9000 before 4.1.11 and LP-S7100 before 4.1.7, or as downloaded from the vendor between May 2010 and 20101125, set weak permissions for the "C:\Program Files" folder, which might allow local users to bypass intended access restrictions and create or modify arbitrary files and directories. As a result, users that do not have permission to access that folder can gain access to that folder. According to the developer, printer drivers that were included with the product or downloaded from the developer website from the initial release of May 2010 through November 25, 2010 are affected by this vulnerability. Also, users of Windows Vista and later operating systems are not affected. The Epson LP-S7100 / LP-S9000 is a family of high performance printers. There is a problem with the Epson LP-S7100 / LP-S9000 driver installation, allowing local users to increase privileges. Because the default permissions for \"C:\\Program Files\" and its subdirectories are not set correctly (\"Everyone\" group is fully controlled), local users can exploit the vulnerability to overwrite any file in these folders, resulting in elevation of privilege.
Local attackers can exploit this issue to gain elevated privileges on affected devices.
The following driver versions are vulnerable:
LP-S7100 4.1.0fi through 4.1.7fi and 4.1.0hi through 4.1.7hi
LP-S9000 4.1.0fc through 4.1.11fc and 4.1.0hc through 4.1.11hc. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Epson LP-S7100 / LP-S9000 Drivers Insecure Default Permissions
SECUNIA ADVISORY ID:
SA42540
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42540/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42540
RELEASE DATE:
2010-12-08
DISCUSS ADVISORY:
http://secunia.com/advisories/42540/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42540/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42540
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A security issue has been reported in Epson LP-S7100 / LP-S9000
drivers, which can be exploited by malicious, local users to gain
escalated privileges.
The security issue is reported in the following versions:
* LP-S7100 32bit edition versions 4.1.0fi through 4.1.7fi
* LP-S7100 64bit edition versions 4.1.0hi through 4.1.7hi
* LP-S9000 32bit edition versions 4.1.0fc through 4.1.11fc
* LP-S9000 64bit edition versions 4.1.0hc through 4.1.11hc
SOLUTION:
Update to a patched version and reset permissions. Please see the
vendor's advisory for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.epson.jp/support/misc/lps7100_9000/index.htm
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201012-0106 | CVE-2010-4557 | Invensys Wonderware InBatch lm_tcp Service Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the lm_tcp service in Invensys Wonderware InBatch 8.1 and 9.0, as used in Invensys Foxboro I/A Series Batch 8.1 and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted request to port 9001. Invensys Wonderware InBatch and Foxboro I/A Series Batch of lm_tcp The service can experience buffer overflow. Wonderware InBatch and Foxboro I/A Batch of database lock manager (lm_tcp) The service includes 150 When copying a string to a byte buffer, a buffer overflow can occur. This service is 9001/tcp using.lm_tcp Service disruption by a third party with access to the service (DoS) An attacker may be able to attack or execute arbitrary code. RDM Embedded is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. The issue affects the 'lm_tcp' service. Failed exploit attempts may crash the application, denying service to legitimate users.
The issue affects lm_tcp <= 9.0.0 0248.18.0.0; other versions may also be affected. Wonderware InBatch is prone to a denial-of-service vulnerability. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Wonderware InBatch / Foxboro I/A Series "lm_tcp" Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA42528
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42528/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42528
RELEASE DATE:
2010-12-24
DISCUSS ADVISORY:
http://secunia.com/advisories/42528/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42528/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42528
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Wonderware InBatch and Foxboro
I/A Series Batch, which can be exploited by malicious people to cause
a DoS (Denial of Service) and potentially compromise a vulnerable
system. write 16bits with the value 0 (0x0000) to an arbitrary
memory location by sending a specially crafted packet to port 9001.
SOLUTION:
Apply patches when available. See vendor's advisory for possible
mitigation steps.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
Luigi Auriemma:
http://aluigi.altervista.org/adv/inbatch_1-adv.txt
Invensys:
http://iom.invensys.com/EN/Pages/IOM_CyberSecurityUpdates.aspx
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201012-0213 | CVE-2010-3801 | Apple QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted FlashPix file. User interaction is required in that a user must be coerced into opening up a malicious document or visiting a malicious website.The specific flaw exists within the way the application parses a particular property out of a flashpix file. The application will explicitly trust a field in the property as a length for a loop over an array of data structures. If this field's value is larger than the number of objects, the application will utilize objects outside of this array. Successful exploitation can lead to code execution under the context of the application.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more. ZDI-10-259: Apple QuickTime FPX Subimage Count Out-of-bounds Counter Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-259
December 7, 2010
-- CVE ID:
CVE-2010-3801
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10654.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline:
2010-06-01 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
. Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Apple Quicktime Memory Corruption when parsing FPX files
CVE-2010-3801
INTRODUCTION
Apple Quicktime is a "powerful media technology that works on Mac and PC with just about
every popular video or audio format you come across. So you can play the digital media
you want to play".
QuickTime player does not properly parse .fpx media files, which causes a memory corruption by
opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49.
This problem was confirmed in the following versions of Apple Quicktime and browsers, other
versions may be also affected.
QuickTime Player version 7.6.8 (1675) in all Operating Systems
QuickTime Player version 7.6.6 (1671) in all Operating Systems
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
The problem is triggered by PoC repro.fpx which causes invalid memory access in all the
refered versions and is available to interested parties only.
DETAILS
Disassembly:
668E2387 F7C7 03000000 TEST EDI,3
668E238D 75 15 JNZ SHORT QuickT_1.668E23A4
668E238F C1E9 02 SHR ECX,2
668E2392 83E2 03 AND EDX,3
668E2395 83F9 08 CMP ECX,8
668E2398 72 2A JB SHORT QuickT_1.668E23C4
668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here
EDI = 0x089A0020
ESI = 0x61626364
(3e8.e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020
eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense
| VAR-201012-0212 | CVE-2010-3800 | Apple QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted PICT file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the application's implementation of a custom compression algorithm. The application will trust a field within a DirectBitsRect structure which is used for an allocation, and later attempt to decompress data into this buffer. Due to the value for the allocation being different from the length of the data being decompressed a buffer overflow will occur which can lead to code execution with the privileges of the application. This can lead to code execution under the context of the application.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. The software is capable of handling multiple sources such as digital video, media segments, and more. More
details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline:
2010-11-05 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Moritz Jodeit of n.runs AG
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
. iDefense Security Advisory 12.07.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 07, 2010
I. BACKGROUND
QuickTime is Apple's media player product used to render video and other
media. The PICT file format was developed by Apple Inc. in 1984. PICT
files can contain both object-oriented images and bitmaps. For more
information visit http://www.apple.com/quicktime/
II.
The vulnerability specifically exists in the way specially crafted PICT
image files are handled by the QuickTime PictureViewer.
When processing specially crafted PICT image files, Quicktime
PictureViewer uses a set value from the file to control the length of a
byte swap operation. The byte swap operation is used to convert big
endian data to little endian data. QuickTime fails to validate the
length value properly before using it.
III. To exploit this vulnerability, an
attacker must persuade a victim into using QuickTime to open a
specially crafted PICT picture file. This could be accomplished by
either direct link or referenced from a website under the attacker's
control. An attacker could host a Web page containing a malformed PICT
file. Upon visiting the malicious Web page exploitation would occur and
execution of arbitrary code would be possible. Alternatively a PICT file
could be attached within an e-mail file.
IV.
V. WORKAROUND
iDefense recommends disabling the QuickTime Plugin and altering the
.pct, .pic and .pict filetype associations within the registry.
Disabling the plugin will prevent Web browsers from utilizing QuickTime
Player to view associated media files. Removing the filetype
associations within the registry will prevent QuickTime Player and
Picture Viewer from opening .pct, .pic and .pict files.
VI. VENDOR RESPONSE
Apple Inc. has released patches which addresses this issue. For more
information, consult their advisory at the following URL:
http://support.apple.com/kb/HT4447
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-3800 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
03/31/2010 Initial Vendor Notification
03/31/2010 Initial Vendor Reply
12/07/2010 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Hossein Lotfi (s0lute).
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information
| VAR-201012-0209 | CVE-2010-3802 | Apple QuickTime Integer sign error vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer signedness error in Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted panorama atom in a QuickTime Virtual Reality (QTVR) movie file. User interaction is required to exploit this vulnerability in that a user must be coerced into visiting a malicious page or opening a malicious file.The specific flaw exists within Apple's support for Panoramic Images and occurs due to the application trusting a particular field for calculation of an offset. Due to the field being treated as a signed integer, the calculated offset can result in a pointer outside the bounds of the expected buffer. Upon usage of this out-of-bounds pointer, the application will write proceed to write image data to the invalid location. Successful exploitation can lead to code execution under the context of the application.
Successful exploits allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline:
2010-03-22 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
| VAR-201012-0195 | CVE-2010-1508 | Windows Run on Apple QuickTime Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6.9 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Track Header (aka tkhd) atoms. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the Quicktime.qts module responsible for parsing media files. While handling 3GP streams a function within this module a loop trusts a value directly from the media file and uses it during memory copy operations. By supplying a large enough value this buffer can be overflowed leading to arbitrary code execution under the context of the user accessing the file.
Successful exploits allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a very popular multimedia player. A heap overflow vulnerability exists in QuickTime's handling of Track Header (tkhd) atoms. Viewing a specially crafted video could cause an unexpected application termination or arbitrary code execution. ======================================================================
Secunia Research 08/12/2010
- QuickTime Track Dimensions Buffer Overflow Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Apple QuickTime 7.6.6 and 7.6.8
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"When you hop aboard QuickTime 7 Player, you\x92re assured of a truly
rich multimedia experience.".
Product Link:
http://www.apple.com/quicktime/player/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in QuickTime, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by a boundary error when copying track
content based on the track's dimensions and can be exploited to cause
a heap-based buffer overflow.
Successful exploitation may allow execution of arbitrary code.
======================================================================
5) Solution
Update to version 7.6.9
======================================================================
6) Time Table
04/05/2010 - Vendor notified.
05/05/2010 - Vendor response.
12/10/2010 - Vendor provides status update.
08/12/2010 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-1508 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-72/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline:
2010-01-06 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Moritz Jodeit of n.runs AG
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
| VAR-201012-0046 | CVE-2010-4009 | Apple QuickTime Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. Apple QuickTime is prone to a remote code-execution vulnerability because of an integer-overflow error.
Successful exploits allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more
| VAR-201012-0018 | CVE-2010-0530 | Windows Run on Apple QuickTime Vulnerability in which important information is obtained |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Apple QuickTime before 7.6.9 on Windows sets weak permissions for the Apple Computer directory in the profile of a user account, which allows local users to obtain sensitive information by reading files in this directory. Apple QuickTime for Windows is prone to a local information-disclosure vulnerability.
A local attacker can exploit this issue to obtain sensitive information that may aid in further attacks.
Versions prior to Apple QuickTime 7.6.9 are vulnerable. The software is capable of handling multiple sources such as digital video, media segments, and more
| VAR-201012-0374 | No CVE | D-Link DIR-615 \"tools_admin.php\" does not properly filter vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
The D-Link DIR-615 is a small wireless router. D-Link DIR-615 has a bug in its implementation. The input to the \"pingIP\" parameter passed to tools_vct.php was not properly filtered before being returned to the user. A malicious attacker could exploit this vulnerability to bypass certain security restrictions and control the affected device. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
D-Link DIR-615 "tools_admin.php" Security Issue
SECUNIA ADVISORY ID:
SA42439
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42439/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42439
RELEASE DATE:
2010-12-02
DISCUSS ADVISORY:
http://secunia.com/advisories/42439/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42439/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42439
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Karol Celinski has reported a vulnerability in D-Link DIR-615, which
can be exploited by malicious people to bypass certain security
restrictions and compromise a vulnerable device.
For more information see vulnerability #4:
SA33692
The vulnerability is reported in firmware versions prior to revision
D.4-13B01.
SOLUTION:
Update to the latest firmware version.
PROVIDED AND/OR DISCOVERED BY:
Karol Celinski
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201012-0193 | CVE-2010-4180 | Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL (0.9.8o). OpenSSL is prone to a security weakness that may allow attackers to downgrade the ciphersuite.
Successfully exploiting this issue in conjunction with other latent vulnerabilities may allow attackers to gain access to sensitive information or gain unauthorized access to an affected application that uses OpenSSL.
Releases prior to OpenSSL 1.0.0c are affected. Summary:
JBoss Enterprise Web Server 1.0.2 is now available from the Red Hat
Customer Portal for Red Hat Enterprise Linux 4, 5 and 6, Solaris, and
Microsoft Windows.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section. Description:
JBoss Enterprise Web Server is a fully-integrated and certified set of
components for hosting Java web applications.
This is the first release of JBoss Enterprise Web Server for Red Hat
Enterprise Linux 6. For Red Hat Enterprise Linux 4 and 5, Solaris, and
Microsoft Windows, this release serves as a replacement for JBoss
Enterprise Web Server 1.0.1, and includes a number of bug fixes. Refer to
the Release Notes, linked in the References, for more information.
This update corrects security flaws in the following components:
tomcat6:
A cross-site scripting (XSS) flaw was found in the Manager application,
used for managing web applications on Apache Tomcat. If a remote attacker
could trick a user who is logged into the Manager application into visiting
a specially-crafted URL, the attacker could perform Manager application
tasks with the privileges of the logged in user. (CVE-2010-4172)
tomcat5 and tomcat6:
It was found that web applications could modify the location of the Apache
Tomcat host's work directory. As web applications deployed on Tomcat have
read and write access to this directory, a malicious web application could
use this flaw to trick Tomcat into giving it read and write access to an
arbitrary directory on the file system. (CVE-2010-3718)
A second cross-site scripting (XSS) flaw was found in the Manager
application. A malicious web application could use this flaw to conduct an
XSS attack, leading to arbitrary web script execution with the privileges
of victims who are logged into and viewing Manager application web pages.
(CVE-2011-0013)
A possible minor information leak was found in the way Apache Tomcat
generated HTTP BASIC and DIGEST authentication requests. For configurations
where a realm name was not specified and Tomcat was accessed via a proxy,
the default generated realm contained the hostname and port used by the
proxy to send requests to the Tomcat server. (CVE-2010-1157)
httpd:
A flaw was found in the way the mod_dav module of the Apache HTTP Server
handled certain requests. If a remote attacker were to send a carefully
crafted request to the server, it could cause the httpd child process to
crash. (CVE-2010-1452)
A flaw was discovered in the way the mod_proxy_http module of the Apache
HTTP Server handled the timeouts of requests forwarded by a reverse proxy
to the back-end server. In some configurations, the proxy could return
a response intended for another user under certain timeout conditions,
possibly leading to information disclosure. Note: This issue only affected
httpd running on the Windows operating system. (CVE-2010-2068)
apr:
It was found that the apr_fnmatch() function used an unconstrained
recursion when processing patterns with the '*' wildcard. An attacker could
use this flaw to cause an application using this function, which also
accepted untrusted input as a pattern for matching (such as an httpd server
using the mod_autoindex module), to exhaust all stack memory or use an
excessive amount of CPU time when performing matching. (CVE-2011-0419)
apr-util:
It was found that certain input could cause the apr-util library to
allocate more memory than intended in the apr_brigade_split_line()
function. An attacker able to provide input in small chunks to an
application using the apr-util library (such as httpd) could possibly use
this flaw to trigger high memory consumption. (CVE-2010-1623)
The following flaws were corrected in the packages for Solaris and Windows.
Updates for Red Hat Enterprise Linux can be downloaded from the Red Hat
Network.
Multiple flaws in OpenSSL, which could possibly cause a crash, code
execution, or a change of session parameters, have been corrected.
(CVE-2009-3245, CVE-2010-4180, CVE-2008-7270)
Two denial of service flaws were corrected in Expat. (CVE-2009-3560,
CVE-2009-3720)
An X.509 certificate verification flaw was corrected in OpenLDAP.
(CVE-2009-3767)
More information about these flaws is available from the CVE links in the
References. Solution:
All users of JBoss Enterprise Web Server 1.0.1 as provided from the Red Hat
Customer Portal are advised to upgrade to JBoss Enterprise Web Server
1.0.2, which corrects these issues.
The References section of this erratum contains a download link (you must
log in to download the update). Before installing the update, backup your
existing JBoss Enterprise Web Server installation (including all
applications and configuration files). Apache Tomcat and the Apache HTTP
Server must be restarted for the update to take effect. Bugs fixed (http://bugzilla.redhat.com/):
530715 - CVE-2009-3767 OpenLDAP: Doesn't properly handle NULL character in subject Common Name
531697 - CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences
533174 - CVE-2009-3560 expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences
570924 - CVE-2009-3245 openssl: missing bn_wexpand return value checks
585331 - CVE-2010-1157 tomcat: information disclosure in authentication headers
618189 - CVE-2010-1452 httpd mod_cache, mod_dav: DoS (httpd child process crash) by parsing URI structure with missing path segments
632994 - CVE-2010-2068 httpd (mod_proxy): Sensitive response disclosure due improper handling of timeouts
640281 - CVE-2010-1623 apr-util: high memory consumption in apr_brigade_split_line()
656246 - CVE-2010-4172 tomcat: cross-site-scripting vulnerability in the manager application
659462 - CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack
660650 - CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack
675786 - CVE-2011-0013 tomcat: XSS vulnerability in HTML Manager interface
675792 - CVE-2010-3718 tomcat: file permission bypass flaw
703390 - CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch
5. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02824483
Version: 1
HPSBOV02670 SSRT100475 rev.1 - HP OpenVMS running SSL, Remote Denial of Service (DoS), Unauthorized Disclosure of Information, Unauthorized Modification
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-05
Last Updated: 2011-05-05
Potential Security Impact: Remote Denial of Service (DoS), Unauthorized disclosure of information, unauthorized modification
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP OpenVMS running SSL. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS) or unauthorized disclosure of information, or by a remote unauthorized user to modify data, prompts, or responses.
References: CVE-2011-0014, CVE-2010-4180, CVE-2010-4252, CVE-2010-3864
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP SSL for OpenVMS v 1.4 and earlier.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-0014 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-4180 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2010-4252 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2010-3864 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software updates available to resolve these vulnerabilities.
HP SSL V1.4-453 for OpenVMS Alpha and OpenVMS Integrity servers:
http://h71000.www7.hp.com/openvms/products/ssl/ssl.html
HISTORY
Version:1 (rev.1) - 5 May 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0013
Synopsis: VMware third party component updates for VMware vCenter
Server, vCenter Update Manager, ESXi and ESX
Issue date: 2011-10-27
Updated on: 2011-10-27 (initial release of advisory)
CVE numbers: --- openssl ---
CVE-2008-7270 CVE-2010-4180
--- libuser ---
CVE-2011-0002
--- nss, nspr ---
CVE-2010-3170 CVE-2010-3173
--- Oracle (Sun) JRE 1.6.0 ---
CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549
CVE-2010-3550 CVE-2010-3551 CVE-2010-3552 CVE-2010-3553
CVE-2010-3554 CVE-2010-3555 CVE-2010-3556 CVE-2010-3557
CVE-2010-3558 CVE-2010-3559 CVE-2010-3560 CVE-2010-3561
CVE-2010-3562 CVE-2010-3563 CVE-2010-3565 CVE-2010-3566
CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3570
CVE-2010-3571 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574
CVE-2010-4422 CVE-2010-4447 CVE-2010-4448 CVE-2010-4450
CVE-2010-4451 CVE-2010-4452 CVE-2010-4454 CVE-2010-4462
CVE-2010-4463 CVE-2010-4465 CVE-2010-4466 CVE-2010-4467
CVE-2010-4468 CVE-2010-4469 CVE-2010-4470 CVE-2010-4471
CVE-2010-4472 CVE-2010-4473 CVE-2010-4474 CVE-2010-4475
CVE-2010-4476
--- Oracle (Sun) JRE 1.5.0 ---
CVE-2010-4447 CVE-2010-4448 CVE-2010-4450 CVE-2010-4454
CVE-2010-4462 CVE-2010-4465 CVE-2010-4466 CVE-2010-4468
CVE-2010-4469 CVE-2010-4473 CVE-2010-4475 CVE-2010-4476
CVE-2011-0862 CVE-2011-0873 CVE-2011-0815 CVE-2011-0864
CVE-2011-0802 CVE-2011-0814 CVE-2011-0871 CVE-2011-0867
CVE-2011-0865
--- SFCB ---
CVE-2010-2054
- ------------------------------------------------------------------------
1. Summary
Update 2 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere
Hypervisor (ESXi) 4.1 and ESX 4.1 addresses several security issues.
2. Relevant releases
vCenter Server 4.1 without Update 2
vCenter Update Manager 4.1 without Update 2
ESXi 4.1 without patch ESX410-201110201-SG.
ESX 4.1 without patches ESX410-201110201-SG,
ESX410-201110204-SG, ESX410-201110206-SG,ESX410-201110214-SG.
3. Problem Description
a. ESX third party update for Service Console openssl RPM
The Service Console openssl RPM is updated to
openssl-0.9.8e.12.el5_5.7 resolving two security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-7270 and CVE-2010-4180 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi any any not affected
ESX 4.1 ESX ESX410-201110204-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console libuser RPM
The Service Console libuser RPM is updated to version
0.54.7-2.1.el5_5.2 to resolve a security issue.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2011-0002 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201110206-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. ESX third party update for Service Console nss and nspr RPMs
The Service Console Network Security Services (NSS) and Netscape
Portable Runtime (NSPR) libraries are updated to nspr-4.8.6-1
and nss-3.12.8-4 resolving multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-3170 and CVE-2010-3173 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201110214-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
d. vCenter Server and ESX, Oracle (Sun) JRE update 1.6.0_24
Oracle (Sun) JRE is updated to version 1.6.0_24, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
JRE 1.6.0_24: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448,
CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454,
CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466,
CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470,
CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4474,
CVE-2010-4475 and CVE-2010-4476.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
JRE 1.6.0_22: CVE-2010-1321, CVE-2010-3541, CVE-2010-3548,
CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552,
CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556,
CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560,
CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565,
CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569,
CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573 and
CVE-2010-3574.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 5.0 Windows not affected
vCenter 4.1 Windows Update 2
vCenter 4.0 Windows not applicable **
VirtualCenter 2.5 Windows not applicable **
Update Manager 5.0 Windows not affected
Update Manager 4.1 Windows not applicable **
Update Manager 4.0 Windows not applicable **
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201110201-SG
ESX 4.0 ESX not applicable **
ESX 3.5 ESX not applicable **
ESX 3.0.3 ESX not applicable **
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Oracle (Sun) JRE 1.5.0 family
e. vCenter Update Manager Oracle (Sun) JRE update 1.5.0_30
Oracle (Sun) JRE is updated to version 1.5.0_30, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Oracle (Sun) JRE 1.5.0_30: CVE-2011-0862, CVE-2011-0873,
CVE-2011-0815, CVE-2011-0864, CVE-2011-0802, CVE-2011-0814,
CVE-2011-0871, CVE-2011-0867 and CVE-2011-0865.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Oracle (Sun) JRE 1.5.0_28: CVE-2010-4447, CVE-2010-4448,
CVE-2010-4450, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465,
CVE-2010-4466, CVE-2010-4468, CVE-2010-4469, CVE-2010-4473,
CVE-2010-4475, CVE-2010-4476.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 5.0 Windows not applicable **
vCenter 4.1 Windows not applicable **
vCenter 4.0 Windows patch pending
VirtualCenter 2.5 Windows patch pending
Update Manager 5.0 Windows not applicable **
Update Manager 4.1 Windows Update 2
Update Manager 4.0 Windows patch pending
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX not applicable **
ESX 4.0 ESX patch pending
ESX 3.5 ESX patch pending
ESX 3.0.3 ESX affected, no patch planned
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Oracle (Sun) JRE 1.6.0 family
f. Integer overflow in VMware third party component sfcb
This release resolves an integer overflow issue present in the
third party library SFCB when the httpMaxContentLength has been
changed from its default value to 0 in in /etc/sfcb/sfcb.cfg.
The integer overflow could allow remote attackers to cause a
denial of service (heap memory corruption) or possibly execute
arbitrary code via a large integer in the Content-Length HTTP
header.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-2054 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi 5.0 ESXi not affected
ESXi 4.1 ESXi ESXi410-201110201-SG
ESXi 4.0 ESXi not affected
ESXi 3.5 ESXi not affected
ESX 4.1 ESX ESX410-201110201-SG
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware vCenter Server 4.1
----------------------------------------------
vCenter Server 4.1 Update 2
The download for vCenter Server includes VMware Update Manager.
Download link:
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes:
http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
https://www.vmware.com/support/pubs/vum_pubs.html
File: VMware-VIMSetup-all-4.1.0-493063.iso
md5sum: d132326846a85bfc9ebbc53defeee6e1
sha1sum: 192c3e5d2a10bbe53c025cc7eedb3133a23e0541
File: VMware-VIMSetup-all-4.1.0-493063.zip
md5sum: 7fd7b09e501bd8fde52649b395491222
sha1sum: 46dd00e7c594ac672a5d7c3c27d15be2f5a5f1f1
File: VMware-viclient-all-4.1.0-491557.exe
md5sum: dafd31619ae66da65115ac3900697e3a
sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef
VMware ESXi 4.1
---------------
VMware ESXi 4.1 Update 2
Download link:
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes:
https://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esxi41_i_vc41.html
File: VMware-VMvisor-Installer-4.1.0.update02-502767.x86_64.iso
md5sum: 0aa78790a336c5fc6ba3d9807c98bfea
sha1sum: 7eebd34ab5bdc81401ae20dcf59a8f8ae22086ce
File: upgrade-from-esxi4.0-to-4.1-update02-502767.zip
md5sum: 459d9142a885854ef0fa6edd8d6a5677
sha1sum: 75978b6f0fc3b0ccc63babe6a65cfde6ec420d33
File: upgrade-from-ESXi3.5-to-4.1_update02.502767.zip
md5sum: 3047fac78a4aaa05cf9528d62fad9d73
sha1sum: dc99b6ff352ace77d5513b4c6d8a2cb7e766a09f
File: VMware-tools-linux-8.3.12-493255.iso
md5sum: 63028f2bf605d26798ac24525a0e6208
sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932
File: VMware-viclient-all-4.1.0-491557.exe
md5sum: dafd31619ae66da65115ac3900697e3a
sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef
VMware ESXi 4.1 Update 2 contains ESXi410-201110201-SG.
VMware ESX 4.1
--------------
VMware ESX 4.1 Update 2
Download link:
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes:
http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
File: ESX-4.1.0-update02-502767.iso
md5sum: 9a2b524446cbd756f0f1c7d8d88077f8
sha1sum: 2824c0628c341357a180b3ab20eb2b7ef1bee61c
File: pre-upgrade-from-esx4.0-to-4.1-502767.zip
md5sum: 9060ad94d9d3bad7d4fa3e4af69a41cf
sha1sum: 9b96ba630377946c42a8ce96f0b5745c56ca46b4
File: upgrade-from-esx4.0-to-4.1-update02-502767.zip
md5sum: 4b60f36ee89db8cb7e1243aa02cdb549
sha1sum: 6b9168a1b01379dce7db9d79fd280509e16d013f
File: VMware-tools-linux-8.3.12-493255.iso
md5sum: 63028f2bf605d26798ac24525a0e6208
sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932
File: VMware-viclient-all-4.1.0-491557.exe
md5sum: dafd31619ae66da65115ac3900697e3a
sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef
VMware ESX 4.1 Update 2 contains ESX410-201110204-SG,
ESX410-201110206-SG, ESX410-201110201-SG and
ESX410-201110214-SG.
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0865
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0873
- ------------------------------------------------------------------------
6. Change log
2011-10-27 VMSA-2011-0013
Initial security advisory in conjunction with the release of
Update 2 for vCenter Server 4.1, vCenter Update Manager 4.1,
vSphere Hypervisor (ESXi) 4.1 and ESX 4.1 on 2011-10-27.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6qRrIACgkQDEcm8Vbi9kPemwCeM4Q4S8aRp8X/8/LQ8NGVdU8l
lJkAmweROyq5t0iWwM0EN2iP9ly6trbc
=Dm8O
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: OpenSSL: Multiple vulnerabilities
Date: October 09, 2011
Bugs: #303739, #308011, #322575, #332027, #345767, #347623,
#354139, #382069
ID: 201110-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in OpenSSL, allowing for the
execution of arbitrary code and other attacks.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.0e >= 1.0.0e
Description
===========
Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers referenced below for details.
Impact
======
A context-dependent attacker could cause a Denial of Service, possibly
execute arbitrary code, bypass intended key requirements, force the
downgrade to unintended ciphers, bypass the need for knowledge of
shared secrets and successfully authenticate, bypass CRL validation, or
obtain sensitive information in applications that use OpenSSL.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.0e"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 17, 2011. It is likely that your system is
already no longer affected by most of these issues.
References
==========
[ 1 ] CVE-2009-3245
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3245
[ 2 ] CVE-2009-4355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4355
[ 3 ] CVE-2010-0433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0433
[ 4 ] CVE-2010-0740
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740
[ 5 ] CVE-2010-0742
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0742
[ 6 ] CVE-2010-1633
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1633
[ 7 ] CVE-2010-2939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2939
[ 8 ] CVE-2010-3864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3864
[ 9 ] CVE-2010-4180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4180
[ 10 ] CVE-2010-4252
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4252
[ 11 ] CVE-2011-0014
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0014
[ 12 ] CVE-2011-3207
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3207
[ 13 ] CVE-2011-3210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3210
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. In some cases the ciphersuite can be downgraded to a weaker one
on subsequent connections.
The OpenSSL security team would like to thank Martin Rex for reporting this
issue.
This vulnerability is tracked as CVE-2010-4180
OpenSSL JPAKE validation error
===============================
Sebastian Martini found an error in OpenSSL's J-PAKE implementation
which could lead to successful validation by someone with no knowledge
of the shared secret. This error is fixed in 1.0.0c. Details of the
problem can be found here:
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
Note that the OpenSSL Team still consider our implementation of J-PAKE
to be experimental and is not compiled by default.
Any OpenSSL based SSL/TLS server is vulnerable if it uses
OpenSSL's internal caching mechanisms and the
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this
by using the SSL_OP_ALL option).
All users of OpenSSL's experimental J-PAKE implementation are vulnerable
to the J-PAKE validation error.
Alternatively do not set the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
and/or SSL_OP_ALL flags.
Users of OpenSSL 1.0.0 releases should update to the OpenSSL 1.0.0c release
which contains a patch to correct this issue and also contains a corrected
version of the CVE-2010-3864 vulnerability fix.
If upgrading is not immediately possible, the relevant source code patch
provided in this advisory should be applied.
Any user of OpenSSL's J-PAKE implementaion (which is not compiled in by
default) should upgrade to OpenSSL 1.0.0c.
Patch
=====
Index: ssl/s3_clnt.c
===================================================================
RCS file: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v
retrieving revision 1.129.2.16
diff -u -r1.129.2.16 s3_clnt.c
--- ssl/s3_clnt.c 10 Oct 2010 12:33:10 -0000 1.129.2.16
+++ ssl/s3_clnt.c 24 Nov 2010 14:32:37 -0000
@@ -866,8 +866,11 @@
s->session->cipher_id = s->session->cipher->id;
if (s->hit && (s->session->cipher_id != c->id))
{
+/* Workaround is now obsolete */
+#if 0
if (!(s->options &
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
+#endif
{
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
Index: ssl/s3_srvr.c
===================================================================
RCS file: /v/openssl/cvs/openssl/ssl/s3_srvr.c,v
retrieving revision 1.171.2.22
diff -u -r1.171.2.22 s3_srvr.c
--- ssl/s3_srvr.c 14 Nov 2010 13:50:29 -0000 1.171.2.22
+++ ssl/s3_srvr.c 24 Nov 2010 14:34:28 -0000
@@ -985,6 +985,10 @@
break;
}
}
+/* Disabled because it can be used in a ciphersuite downgrade
+ * attack: CVE-2010-4180.
+ */
+#if 0
if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
{
/* Special case as client bug workaround: the previously used cipher may
@@ -999,6 +1003,7 @@
j = 1;
}
}
+#endif
if (j == 0)
{
/* we need to have the cipher in the cipher
References
===========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20101202.txt
URL for updated CVS-2010-3864 Security Advisory:
http://www.openssl.org/news/secadv_20101116-2.txt
.
HP Integrated Lights-Out 2 (iLO2) firmware versions 2.05 and earlier.
HP Integrated Lights-Out 3 (iLO3) firmware versions 1.16 and earlier.
The latest firmware and installation instructions are available from the HP Business Support Center: http://www.hp.com/go/bizsupport
HP Integrated Lights-Out 2 (iLO2) Online ROM Flash Component for Linux and Windows v2.06 or subsequent.
HP Integrated Lights-Out 3 (iLO3) Online ROM Flash Component for Linux and Windows v1.20 or subsequent
| VAR-201012-0280 | CVE-2010-4487 | Google Chrome Vulnerabilities associated with incomplete blacklists \ |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Incomplete blacklist vulnerability in Google Chrome before 8.0.552.215 on Linux and Mac OS X allows remote attackers to have an unspecified impact via a "dangerous file.". Google Chrome is prone to multiple vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial-of-service conditions, gain access to sensitive information, and bypass intended security restrictions; other attacks are also possible.
Versions prior to Chrome 8.0.552.215 are vulnerable. Google Chrome is a web browser developed by Google (Google). Remote attackers can use \"dangerous files\" to cause unknown effects. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Google Chrome Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42472
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42472/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42472
RELEASE DATE:
2010-12-04
DISCUSS ADVISORY:
http://secunia.com/advisories/42472/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42472/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42472
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities and weaknesses have been reported in Google
Chrome, where some have an unknown impact and other can potentially
be exploited by malicious people to compromise a vulnerable system.
1) An unspecified error exists, which can lead to cross-origin video
theft with canvas.
2) An unspecified error can be exploited to cause a crash with HTML5
databases.
3) An unspecified error can be exploited to cause excessive file
dialogs, potentially leading to a crash.
4) A use-after-free error in the history handling can be exploited to
corrupt memory.
5) An unspecified error related to HTTP proxy authentication can be
exploited to cause a crash.
6) An unspecified error in WebM video support can be exploited to
trigger an out-of-bounds read.
7) An error related to incorrect indexing with malformed video data
can be exploited to cause a crash.
8) An unspecified error in the handling of privileged extensions can
be exploited to corrupt memory.
9) An use-after-free error in the handling of SVG animations can be
exploited to corrupt memory.
10) A use-after-free error in the mouse dragging event handling can
be exploited to corrupt memory.
11) A double-free error in the XPath handling can be exploited to
corrupt memory.
SOLUTION:
Fixed in version 8.0.552.215.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
2) Google Chrome Security Team (Inferno)
3) Cezary Tomczak (gosu.pl)
4) Stefan Troger
5) Mohammed Bouhlel
6) Google Chrome Security Team (Chris Evans)
7) miaubiz
8, 10) kuzzcc
9) Sławomir Błażek
11) Yang Dingning from NCNIPC, Graduate University of Chinese Academy
of Sciences
ORIGINAL ADVISORY:
http://googlechromereleases.blogspot.com/2010/12/stable-beta-channel-updates.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------