VARIoT IoT vulnerabilities database

GB-50A is a browser-based management control system for Mitsubishi central air-conditioning systems.  GB-50A has a vulnerability in implementing the authentication mechanism, and remote attackers may use this vulnerability to unauthorizedly operate the air conditioner.  The GB-50A Web controller uses a set of Java applets for its own interaction, and the communication between these applets uses a series of unauthenticated or encrypted xml messages. Can perform various unauthorized operations, including turning on or off the air conditioner or setting the temperature at will.

servlet/MIMEReceiveServlet in the web controller for Mitsubishi Electric GB-50 and GB-50A air-conditioning control systems allows remote attackers to cause a denial of service (air-conditioning outage) via an XML document containing a setRequest command. The Mitsubishi Electric GB-50A is prone to multiple authentication-bypass vulnerabilities. Successful exploits will allow unauthorized attackers to gain access to administrative functionality and completely compromise vulnerable devices; other attacks are also possible

Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ASUS Remote Console (aka ARC or ASMB3) 2.0.0.19 and 2.0.0.24 allows remote attackers to execute arbitrary code via a long string to TCP port 623. ASUS Remote Console is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. ASUS Remote Console 2.0.0.19 is vulnerable; other versions may also be affected. There is a buffer overflow vulnerability in the ARC service when processing ultra-long user requests, and remote attackers may use this vulnerability to control the server. The main component of the ARC service is a telnet server named DpcProxy that listens on port 623 and provides an IPMI interface. The function stores the received data into a stack buffer of about 1024 bytes, and then checks for the end of the line separator (carriage return). If the user submits super-long data, it can trigger a stack overflow, resulting in the execution of arbitrary instructions. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: ASUS Remote Console DPC Proxy Service Buffer Overflow SECUNIA ADVISORY ID: SA29402 VERIFY ADVISORY: http://secunia.com/advisories/29402/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From local network SOFTWARE: ASUS Remote Console 2.x http://secunia.com/product/18006/ DESCRIPTION: Luigi Auriemma has discovered a vulnerability in ASUS Remote Console, which can be exploited by malicious people to compromise a vulnerable system. sending an overly long string to default port 623/TCP. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 2.0.0.19 and reported in version 2.0.0.24. SOLUTION: Restrict network access to the service. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/asuxdpc-adv.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The web interface to the Belkin Wireless G router and ADSL2 modem F5D7632-4V6 with firmware 6.01.08 allows remote attackers to bypass authentication and gain administrator privileges via a direct request to (1) statusprocess.exe, (2) system_all.exe, or (3) restore.exe in cgi-bin/. NOTE: the setup_dns.exe vector is already covered by CVE-2008-1244. The Belkin F5D7632-4V6 Wireless G Router is prone to multiple vulnerabilities because of a lack of authentication. Attackers can exploit these issues to perform administrative functions without authorization. Belkin F5D7632-4V6 running firmware 6.01.08 is vulnerable; other devices and firmware versions may also be affected. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Belkin Wireless G Router Security Bypass and Denial of Service SECUNIA ADVISORY ID: SA29345 VERIFY ADVISORY: http://secunia.com/advisories/29345/ CRITICAL: Less critical IMPACT: Security Bypass, DoS WHERE: >From local network OPERATING SYSTEM: Belkin Wireless G Router http://secunia.com/product/6130/ DESCRIPTION: Some security issues and a vulnerability have been reported in the Belkin Wireless G Router, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service). 1) An error in the implementation of authenticated sessions can be exploited to gain access to the router's control panel by establishing a session from a previously authenticated IP address. 2) An error exists within the enforcing of permissions in cgi-bin/setup_dns.exe. This can be exploited to perform restricted administrative actions by directly accessing the vulnerable script. 3) An error exists in the cgi-bin/setup_virtualserver.exe script when processing HTTP POST data. This can be exploited to deny further administrative access to an affected device via specially a crafted HTTP POST request with a "Connection: Keep-Alive" header. The security issues and the vulnerability are reported in model F5D7230-4, firmware version 9.01.10. SOLUTION: Restrict network access to the router's web interface. PROVIDED AND/OR DISCOVERED BY: loftgaia ORIGINAL ADVISORY: http://www.gnucitizen.org/projects/router-hacking-challenge/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

GE Fanuc iFIX 5.0 and earlier relies on client-side authentication involving a weakly encrypted local password file, which allows remote attackers to bypass intended access restrictions and start privileged server login sessions by recovering a password or by using a modified program module. Vulnerabilities in the way GE Fanuc iFIX handles authentication could allow a remote attacker to log on to the system with elevated privileges. Microsoft Windows fails to properly handle the NoDriveTypeAutoRun registry value, which may prevent Windows from effectively disabling AutoRun and AutoPlay features. GE Fanuc iFIX Is Human Machine Interface With components, Microsoft Windows CE , NT , 2000 , Server 2003 , XP and Vista Work on SCADA client / Server software. iFIX Vulnerabilities exist in authentication. The user name and password are stored in a local file on the client side, and the password is encrypted with a low-strength algorithm. GE Fanuc according to: Attackers can gain copies of this file in two ways. The first way requires that an attacker have an interactive session with the computer containing the file, such as a direct login, or through a remote terminal session, VNC, or some other remote session providing access to a command shell. Using the shell, the attacker can simply copy the file and extract the passwords at some later point. Another way an attacker can gain access to this file is by intercepting the file over the network. This can occur if the file is shared between two computers using Microsoft WindowsR network sharing. In this case, an attacker may be able to recreate the file by using a network sniffer to monitor network traffic between them. iFIX Since authentication is performed within the client, an attacker could tamper and replace the authentication module. GE Fanuc according to: Authentication and authorization of users are implemented through certain program modules. These modules can be modified at the binary level to bypass user authentication. To exploit this type of attack, an attacker needs to be able to launch unauthorized applications from an interactive shell. Also, iFIX Is Technical Cyber Security Alert TA09-020A Published on “Microsoft Windows Notes on disabling the auto-execution function ” There is a possibility of being affected. Any code executed using the auto-execution function iFIX Enviroment Protection May result in the authentication module being tampered with and replaced.An attacker could gain access to a file containing authentication information or intercept network traffic. As a result, by the attacker iFIX Unauthorized access to the system is possible. GE Fanuc iFIX 5.0 are earlier are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-020A Microsoft Windows Does Not Disable AutoRun Properly Original release date: January 20, 2009 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows Overview Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability. I. Description Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations: * A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or Firewire device, or mapping a network drive. This connection can result in code execution without any additional user interaction. * A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive's contents, this action can cause code execution. * The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected. Malicious software, such as W32.Downadup, is using AutoRun to spread. Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis blog, is an effective way of helping to prevent the spread of malicious code. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. II. Impact By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer. III. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround. IV. References * The Dangers of Windows AutoRun - <http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html> * US-CERT Vulnerability Note VU#889747 - <http://www.kb.cert.org/vuls/id/889747> * Nick Brown's blog: Memory stick worms - <http://nick.brown.free.fr/blog/2007/10/memory-stick-worms> * TR08-004 Disabling Autorun - <http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx> * How to Enable or Disable Automatically Running CD-ROMs - <http://support.microsoft.com/kb/155217> * NoDriveTypeAutoRun - <http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx> * Autorun.inf Entries - <http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx> * W32.Downadup - <http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99> * MS08-067 Worm, Downadup/Conflicker - <http://www.f-secure.com/weblog/archives/00001576.html> * Social Engineering Autoplay and Windows 7 - <http://www.f-secure.com/weblog/archives/00001586.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-020A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-020A Feedback VU#889747" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 20, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSXYqQnIHljM+H4irAQL9EAgAwE5XWd+83CTwTl1vAbDW3sNfCaucmj79 VmXJ+GktQorbcp29fktYaQxXZ2A6qBREJ1FfwlM5BT0WftvGppLoQcQO3vbbwEQF M0VG5xZhTOi8tf4nedBDgDj0ENJBgh6C73G5uZfVatQdFi79TFkf9SVe6xn5BkQm 5kKsly0d/CX/te15zZLd05AJVEVilbZcECUeDVAYDvWcQSkx2OsJFb+WkuWI9Loh zkB7uOeZFY9bgrC04nr9DPHpaPFd8KCXegsxjqN1nIraaCabfvNamriqyUFHwAhK sk/DFSjdI6xJ4fXjDQ77wfgLYyTeYQ/b2U/1sqkbOTdCgXqSop5RrA== =6/cp -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Windows Vista "NoDriveTypeAutoRun" Security Issue SECUNIA ADVISORY ID: SA29458 VERIFY ADVISORY: http://secunia.com/advisories/29458/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: Local system OPERATING SYSTEM: Microsoft Windows Vista http://secunia.com/product/13223/ DESCRIPTION: CERT/CC has reported a security issue in Windows Vista, which can be exploited by malicious people to bypass certain security settings. AutoPlay is a feature designed to immediately begin reading from a drive (e.g. run a setup file) when a media is inserted. Successful exploitation may result in execution of arbitrary code, but requires physical access to a vulnerable system or that a user is tricked into inserting a malicious media (e.g. USB device). SOLUTION: Restrict access to affected systems. Do not insert any untrusted media even with the registry key value set to disable AutoPlay for all drives. PROVIDED AND/OR DISCOVERED BY: Will Dormann and Jeff Gennari, CERT/CC. ORIGINAL ADVISORY: US-CERT VU#889747: http://www.kb.cert.org/vuls/id/889747 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . This can be exploited to gain knowledge of user names and passwords by obtaining (e.g. by modifying certain used modules. 3) It is possible to bypass the run-time Environment Protection via the Autoplay feature by attaching an external storage device containing an automatically launched script. Use in a trusted network environment only. Description The presence of a Conficker infection may be detected if a user is unable to surf to the following websites: * http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm * http://www.mcafee.com If a user is unable to reach either of these websites, a Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing a user from visiting them). If a Conficker infection is suspected, the infected system should be removed from the network. Major anti-virus vendors and Microsoft have released several free tools that can verify the presence of a Conficker infection and remove the worm. Instructions for manually removing a Conficker infection from a system have been published by Microsoft in http://support.microsoft.com/kb/962007. Solution US-CERT encourages users to prevent a Conficker infection by ensuring all systems have the MS08-067 patch (part of Security Update KB958644, which was published by Miscrosoft in October 2008), disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software

Unspecified vulnerability in Apple AirPort Extreme Base Station Firmware 7.3.1 allows remote attackers to cause a denial of service (file sharing hang) via a crafted AFP request, related to "input validation.". Apple AirPort Extreme Base Station is a small wireless access solution.  Apple AirPort Extreme Base Station has a vulnerability in processing malformed requests. If a special AFP request is sent to the device, file sharing will become unresponsive. AirPort Extreme running firmware versions prior to 7.3.1 are affected. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. SOLUTION: Update to one of the following firmware versions: * AirPort Extreme with 802.11n (Fast Ethernet) 7.3.1 * AirPort Extreme with 802.11n (Gigabit Ethernet) 7.3.1 PROVIDED AND/OR DISCOVERED BY: The vendor credits Alex deVries. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT1226 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Check Point VPN-1 Power/UTM, with NGX R60 through R65 and NG AI R55 software, allows remote authenticated users to cause a denial of service (site-to-site VPN tunnel outage), and possibly intercept network traffic, by configuring the local RFC1918 IP address to be the same as one of this tunnel's endpoint RFC1918 IP addresses, and then using SecuRemote to connect to a network interface at the other endpoint. The Check Point VPN-1 firewall contains an information disclosure vulnerability that may allow an authenticated attacker to access data that they are not authorized to access. The issue occurs because the application fails to adequately handle IP address collisions. Attackers can exploit this issue to break site-to-site VPN connectivity between a VPN-1 gateway and a third party, denying access to legitimate users. If SecuRemote back-connections are enabled, the attacker can leverage this issue to re-route site-to-site VPN traffic from the VPN gateway to their SecuRemote client. Under certain conditions, this will cause data that was destined for the third party to be sent to the attacker's client instead. This could contain sensitive information that would aid in further attacks. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: CheckPoint VPN-1 IP Address Collision Security Issue SECUNIA ADVISORY ID: SA29394 VERIFY ADVISORY: http://secunia.com/advisories/29394/ CRITICAL: Less critical IMPACT: Exposure of sensitive information, DoS WHERE: >From local network SOFTWARE: Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI) http://secunia.com/product/2542/ Check Point VPN-1 UTM NGX http://secunia.com/product/13346/ Check Point VPN-1 Power NGX http://secunia.com/product/13348/ DESCRIPTION: Robert Mitchell has reported a security issue in CheckPoint VPN-1, which can lead to a DoS (Denial of Service) or disclosure of sensitive information. SOLUTION: The vendor has issued hotfixes to resolve the issue (see vendor advisory for details). PROVIDED AND/OR DISCOVERED BY: Robert Mitchell ORIGINAL ADVISORY: CheckPoint: https://secureknowledge.checkpoint.com/SecureKnowledge/login.do?OriginalAction=solution&id=sk34579 http://updates.checkpoint.com/fileserver/ID/8141/FILE/VPN-1_NGX_R65_HFA02_Supplement3.pdf Robert Mitchell: http://puresecurity.com.au/index.php?action=fullnews&id=5 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Printing component in Apple Mac OS X 10.5.2 uses 40-bit RC4 when printing to an encrypted PDF file, which makes it easier for attackers to decrypt the file via brute force methods. Attackers can use trivial brute-force tactics to view data that was encrypted with the insecure algorithm. Information harvested may aid in further attacks. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier. NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID: 28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044. 28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994 28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048 28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049 28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057 28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997 28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046 28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051 28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052 28334 CUPS Multiple Unspecified Input Validation Vulnerabilities 28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability 28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability 28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability 28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability 28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability 28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability 28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability 28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability 28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness 28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness 28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability 28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability 28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability 28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability 28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability 28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability 28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server. Successful exploitation may allow execution of arbitrary code. 2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used. 3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA18008 SA21197 SA26636 SA27906 SA28046 4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow. 6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed. Successful exploitation may allow execution of arbitrary code. 7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA23347 SA24187 SA24891 SA26038 SA26530 SA28117 SA28907 9) An integer overflow error exists in CoreFoundation when handling time zone data. 10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari. For more information: SA29431 12) Multiple input validation errors exist in CUPS, which can be exploited to execute arbitrary code with system privileges. 13) A boundary error in curl can be exploited to compromise a user's system. For more information: SA17907 14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system. For more information: SA27508 15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system. For more information: SA24548 16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name. 17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges. 18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure. 19) A race condition error exists in the cache management of NSURLConnection. This can be exploited to cause a DoS or execute arbitrary code in applications using the library (e.g. Safari). 20) A race condition error exists in NSXML. This can be exploited to execute arbitrary code by enticing a user to process an XML file in an application which uses NSXML. 21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript. 22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file. 23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system. For more information: SA29428 24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS. 25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string. 26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd. 27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code. 28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions. For more information: SA27648 SA28318 29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments. 30) Printing and Preview handle PDF files with weak encryption. 31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk. 33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image. 35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 SA28532 36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA22900 SA25292 SA27093 SA27130 SOLUTION: Apply Security Update 2008-002. Security Update 2008-002 v1.0 (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html Security Update 2008-002 v1.0 (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10universal.html Security Update 2008-002 v1.0 (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html Security Update 2008-002 v1.0 Server (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html Security Update 2008-002 v1.0 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html Security Update 2008-002 v1.0 Server (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm 11) regenrecht via iDefense 19) Daniel Jalkut, Red Sweater Software 22) Brian Mastenbrook 24) Mike Ash, Rogue Amoeba Software 29) Maximilian Reiss, Chair for Applied Software Engineering, TUM 33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega 34) Rodrigo Carvalho CORE Security Technologies ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307562 CORE-2008-0123: http://www.coresecurity.com/?action=item&id=2189 OTHER REFERENCES: SA17907: http://secunia.com/advisories/17907/ SA18008: http://secunia.com/advisories/18008/ SA21187: http://secunia.com/advisories/21197/ SA22900: http://secunia.com/advisories/22900/ SA23347: http://secunia.com/advisories/23347/ SA24187: http://secunia.com/advisories/24187/ SA24548: http://secunia.com/advisories/24548/ SA24891: http://secunia.com/advisories/24891/ SA25292: http://secunia.com/advisories/25292/ SA26038: http://secunia.com/advisories/26038/ SA26530: http://secunia.com/advisories/26530/ SA26636: http://secunia.com/advisories/26636/ SA27040: http://secunia.com/advisories/27040/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA27648: http://secunia.com/advisories/27648/ SA27508: http://secunia.com/advisories/27508/ SA27906: http://secunia.com/advisories/27906/ SA28046: http://secunia.com/advisories/28046/ SA28117: http://secunia.com/advisories/28117/ SAS28318: http://secunia.com/advisories/28318/ SA28532: http://secunia.com/advisories/28532/ SA28907: http://secunia.com/advisories/28907/ SA29428: http://secunia.com/advisories/29428/ SA29431: http://secunia.com/advisories/29431/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1, when running on Windows XP or Vista, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is not properly handled in the error page. Apple Safari is prone to 12 security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible. NOTE: This BID is being retired. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the WEB browser bundled with the Apple family operating system by default. If users are tricked into opening malicious URLs, sensitive information may be leaked

Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML by using the window.open function to change the security context of a web page. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible. These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista. NOTE: This BID is being retired. Safari is the WEB browser bundled with the Apple family operating system by default. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta 4 days left of beta period. The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success. The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide. For more information: SA29393 SOLUTION: Apply updated packages via the yum utility ("yum update WebKit"). Note: Updated packages for midori and kazehakase have also been issued, which have been rebuilt against the new WebKit library. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29393 VERIFY ADVISORY: http://secunia.com/advisories/29393/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Safari 3.x http://secunia.com/product/17989/ Safari 2.x http://secunia.com/product/5289/ DESCRIPTION: Some vulnerabilities have been reported in Safari, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to compromise a vulnerable system. 2) An error exists the handling of web pages that have explicitly set the document.domain property. This can be exploited to conduct cross-site scripting attacks in sites that set the document.domain property or between HTTP and HTTPS sites with the same document.domain. 3) An error in Web Inspector can be exploited to inject script code that will run in other domains and can read the user's file system when a specially crafted page is inspected. 4) A security issue exists with the Kotoeri input method, which can result in exposing the password field on the display when reverse conversion is requested. 6) The frame navigation policy is not enforced for Java applets. This can be exploited to conduct cross-site scripting attacks using java and to gain escalated privileges by enticing a user to open a specially crafted web page. 7) An unspecified error in the handling of the document.domain property can be exploited to conduct cross-site scripting attacks when a user visits a specially crafted web page. 8) An error exists in the handling of the history object. This can be exploited to inject javascript code that will run in the context of other frames. 9) A boundary error exists in the handling of javascript regular expressions, which can be exploited to cause a buffer overflow via a specially crafted web page. Successful exploitation allows execution of arbitrary code. 10) An error in WebKit allows method instances from one frame to be called in the context of another frame. This can be exploited to conduct cross-site scripting attacks. SOLUTION: Update to version 3.1. PROVIDED AND/OR DISCOVERED BY: 1) Robert Swiecki of Google Information Security Team 2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University 10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307563 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the Web Inspector. Attackers may exploit this issue to run script code in other domains and access the vulnerable computer's filesystem. NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible. These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista. NOTE: This BID is being retired. Safari is the WEB browser bundled with the Apple family operating system by default. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta 4 days left of beta period. The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success. The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide. For more information: SA29393 SOLUTION: Apply updated packages via the yum utility ("yum update WebKit"). Note: Updated packages for midori and kazehakase have also been issued, which have been rebuilt against the new WebKit library. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29393 VERIFY ADVISORY: http://secunia.com/advisories/29393/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Safari 3.x http://secunia.com/product/17989/ Safari 2.x http://secunia.com/product/5289/ DESCRIPTION: Some vulnerabilities have been reported in Safari, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to compromise a vulnerable system. 1) An error in the processing of "javascript:" URLs can be exploited to execute arbitrary HTML and script code in context of another site via a specially crafted web page. 2) An error exists the handling of web pages that have explicitly set the document.domain property. This can be exploited to conduct cross-site scripting attacks in sites that set the document.domain property or between HTTP and HTTPS sites with the same document.domain. 3) An error in Web Inspector can be exploited to inject script code that will run in other domains and can read the user's file system when a specially crafted page is inspected. 4) A security issue exists with the Kotoeri input method, which can result in exposing the password field on the display when reverse conversion is requested. 5) An error within the handling of the "window.open()" function can be used to change the security context of a web page to the caller's context. This can be exploited to execute arbitrary script code in the user's security context via a specially crafted web page. 6) The frame navigation policy is not enforced for Java applets. This can be exploited to conduct cross-site scripting attacks using java and to gain escalated privileges by enticing a user to open a specially crafted web page. 7) An unspecified error in the handling of the document.domain property can be exploited to conduct cross-site scripting attacks when a user visits a specially crafted web page. 8) An error exists in the handling of the history object. This can be exploited to inject javascript code that will run in the context of other frames. 9) A boundary error exists in the handling of javascript regular expressions, which can be exploited to cause a buffer overflow via a specially crafted web page. Successful exploitation allows execution of arbitrary code. 10) An error in WebKit allows method instances from one frame to be called in the context of another frame. This can be exploited to conduct cross-site scripting attacks. SOLUTION: Update to version 3.1. PROVIDED AND/OR DISCOVERED BY: 1) Robert Swiecki of Google Information Security Team 2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University 10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307563 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

WebCore, as used in Apple Safari before 3.1, does not properly mask the password field when reverse conversion is used with the Kotoeri input method, which allows physically proximate attackers to read the password. An attacker can exploit this issue to obtain potentially sensitive information that may aid in further attacks. NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible. These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista. NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID: 28356 Apple Safari CFNetwork Arbitrary Secure Website Spoofing Vulnerability 28321 Apple Safari Error Page Cross-Site Scripting Vulnerability 28328 Apple Safari Javascript URL Parsing Cross-Site Scripting Vulnerability 28330 Apple Safari WebCore 'document.domain' Cross-Site Scripting Vulnerability 28347 Apple Safari Web Inspector Remote Code Injection Vulnerability 28326 Apple Safari WebCore 'Kotoeri' Password Field Information Disclosure Vulnerability 28332 Apple Safari WebCore 'window.open()' Function Cross-Site Scripting Vulnerability 28335 Apple Safari WebCore Java Frame Navigation Cross-Site Scripting Vulnerability 28336 Apple Safari WebCore 'document.domain' Variant Cross-Site Scripting Vulnerability 28337 Apple Safari WebCore History Object Cross-Site Scripting Vulnerability 28338 Apple Safari WebKit JavaScript Regular Expression Handling Buffer Overflow Vulnerability 28342 Apple Safari WebKit Frame Method Cross-Site Scripting Vulnerability. Safari is the WEB browser bundled with the Apple family operating system by default. Safari's version 3.1 fixes multiple security holes, as follows: Under normal circumstances, the password field of a web page is hidden to prevent leakage. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta 4 days left of beta period. The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success. The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide. For more information: SA29393 SOLUTION: Apply updated packages via the yum utility ("yum update WebKit"). Note: Updated packages for midori and kazehakase have also been issued, which have been rebuilt against the new WebKit library. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29393 VERIFY ADVISORY: http://secunia.com/advisories/29393/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Safari 3.x http://secunia.com/product/17989/ Safari 2.x http://secunia.com/product/5289/ DESCRIPTION: Some vulnerabilities have been reported in Safari, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to compromise a vulnerable system. 1) An error in the processing of "javascript:" URLs can be exploited to execute arbitrary HTML and script code in context of another site via a specially crafted web page. 2) An error exists the handling of web pages that have explicitly set the document.domain property. This can be exploited to conduct cross-site scripting attacks in sites that set the document.domain property or between HTTP and HTTPS sites with the same document.domain. 3) An error in Web Inspector can be exploited to inject script code that will run in other domains and can read the user's file system when a specially crafted page is inspected. 5) An error within the handling of the "window.open()" function can be used to change the security context of a web page to the caller's context. This can be exploited to execute arbitrary script code in the user's security context via a specially crafted web page. 6) The frame navigation policy is not enforced for Java applets. This can be exploited to conduct cross-site scripting attacks using java and to gain escalated privileges by enticing a user to open a specially crafted web page. 7) An unspecified error in the handling of the document.domain property can be exploited to conduct cross-site scripting attacks when a user visits a specially crafted web page. 8) An error exists in the handling of the history object. This can be exploited to inject javascript code that will run in the context of other frames. 9) A boundary error exists in the handling of javascript regular expressions, which can be exploited to cause a buffer overflow via a specially crafted web page. Successful exploitation allows execution of arbitrary code. 10) An error in WebKit allows method instances from one frame to be called in the context of another frame. This can be exploited to conduct cross-site scripting attacks. SOLUTION: Update to version 3.1. PROVIDED AND/OR DISCOVERED BY: 1) Robert Swiecki of Google Information Security Team 2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University 10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307563 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in ContentServer.py in the Wiki Server in Apple Mac OS X 10.5.2 (aka Leopard) allows remote authenticated users to write arbitrary files via ".." sequences in file attachments. Exploiting this issue allows an attacker to access arbitrary files outside of the application's document root directory. This can expose sensitive information that could help the attacker launch further attacks. Note that attackers must be registered wiki users to exploit this issue. Wiki Server from Mac OS X Server 10.5 is vulnerable. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29420 VERIFY ADVISORY: http://secunia.com/advisories/29420/ CRITICAL: Highly critical IMPACT: Unknown, Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server. Successful exploitation may allow execution of arbitrary code. 2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used. 3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA18008 SA21197 SA26636 SA27906 SA28046 4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow. 5) An error in NSApplication in AppKit can potentially be exploited to execute code with escalated privileges by sending a maliciously crafted messages to privileged applications in the same bootstrap namespace. 6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed. Successful exploitation may allow execution of arbitrary code. 7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA23347 SA24187 SA24891 SA26038 SA26530 SA28117 SA28907 9) An integer overflow error exists in CoreFoundation when handling time zone data. This can be exploited by a malicious, local user to execute arbitrary code with system privileges. 10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari. 11) A vulnerability in CUPS can be exploited to execute arbitrary code with system privileges. For more information: SA29431 12) Multiple input validation errors exist in CUPS, which can be exploited to execute arbitrary code with system privileges. 13) A boundary error in curl can be exploited to compromise a user's system. For more information: SA17907 14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system. For more information: SA27508 15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system. For more information: SA24548 16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name. 17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges. 18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure. 19) A race condition error exists in the cache management of NSURLConnection. This can be exploited to cause a DoS or execute arbitrary code in applications using the library (e.g. Safari). 20) A race condition error exists in NSXML. This can be exploited to execute arbitrary code by enticing a user to process an XML file in an application which uses NSXML. 21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript. 22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file. 23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system. For more information: SA29428 24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS. 25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string. 26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd. 27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code. 28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions. For more information: SA27648 SA28318 29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments. 30) Printing and Preview handle PDF files with weak encryption. 31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk. 32) An error in NetCfgTool can be exploited by a malicious, local user to execute arbitrary code with escalated privileges via a specially crafted message. 33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image. This can be exploited by malicious users to upload arbitrary files with privileges of the wiki server execute arbitrary code. 35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 SA28532 36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA22900 SA25292 SA27093 SA27130 SOLUTION: Apply Security Update 2008-002. Security Update 2008-002 v1.0 (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html Security Update 2008-002 v1.0 (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10universal.html Security Update 2008-002 v1.0 (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html Security Update 2008-002 v1.0 Server (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html Security Update 2008-002 v1.0 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html Security Update 2008-002 v1.0 Server (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm 11) regenrecht via iDefense 19) Daniel Jalkut, Red Sweater Software 22) Brian Mastenbrook 24) Mike Ash, Rogue Amoeba Software 29) Maximilian Reiss, Chair for Applied Software Engineering, TUM 33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega 34) Rodrigo Carvalho CORE Security Technologies ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307562 CORE-2008-0123: http://www.coresecurity.com/?action=item&id=2189 OTHER REFERENCES: SA17907: http://secunia.com/advisories/17907/ SA18008: http://secunia.com/advisories/18008/ SA21187: http://secunia.com/advisories/21197/ SA22900: http://secunia.com/advisories/22900/ SA23347: http://secunia.com/advisories/23347/ SA24187: http://secunia.com/advisories/24187/ SA24548: http://secunia.com/advisories/24548/ SA24891: http://secunia.com/advisories/24891/ SA25292: http://secunia.com/advisories/25292/ SA26038: http://secunia.com/advisories/26038/ SA26530: http://secunia.com/advisories/26530/ SA26636: http://secunia.com/advisories/26636/ SA27040: http://secunia.com/advisories/27040/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA27648: http://secunia.com/advisories/27648/ SA27508: http://secunia.com/advisories/27508/ SA27906: http://secunia.com/advisories/27906/ SA28046: http://secunia.com/advisories/28046/ SA28117: http://secunia.com/advisories/28117/ SAS28318: http://secunia.com/advisories/28318/ SA28532: http://secunia.com/advisories/28532/ SA28907: http://secunia.com/advisories/28907/ SA29428: http://secunia.com/advisories/29428/ SA29431: http://secunia.com/advisories/29431/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to sites that set the document.domain property or have the same document.domain. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible. These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista. NOTE: This BID is being retired. Safari is the WEB browser bundled with the Apple family operating system by default. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta 4 days left of beta period. The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success. The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide. For more information: SA29393 SOLUTION: Apply updated packages via the yum utility ("yum update WebKit"). Note: Updated packages for midori and kazehakase have also been issued, which have been rebuilt against the new WebKit library. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29393 VERIFY ADVISORY: http://secunia.com/advisories/29393/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Safari 3.x http://secunia.com/product/17989/ Safari 2.x http://secunia.com/product/5289/ DESCRIPTION: Some vulnerabilities have been reported in Safari, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to compromise a vulnerable system. 2) An error exists the handling of web pages that have explicitly set the document.domain property. 3) An error in Web Inspector can be exploited to inject script code that will run in other domains and can read the user's file system when a specially crafted page is inspected. 4) A security issue exists with the Kotoeri input method, which can result in exposing the password field on the display when reverse conversion is requested. 5) An error within the handling of the "window.open()" function can be used to change the security context of a web page to the caller's context. 6) The frame navigation policy is not enforced for Java applets. This can be exploited to conduct cross-site scripting attacks using java and to gain escalated privileges by enticing a user to open a specially crafted web page. 7) An unspecified error in the handling of the document.domain property can be exploited to conduct cross-site scripting attacks when a user visits a specially crafted web page. 8) An error exists in the handling of the history object. This can be exploited to inject javascript code that will run in the context of other frames. 9) A boundary error exists in the handling of javascript regular expressions, which can be exploited to cause a buffer overflow via a specially crafted web page. Successful exploitation allows execution of arbitrary code. 10) An error in WebKit allows method instances from one frame to be called in the context of another frame. This can be exploited to conduct cross-site scripting attacks. SOLUTION: Update to version 3.1. PROVIDED AND/OR DISCOVERED BY: 1) Robert Swiecki of Google Information Security Team 2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University 10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307563 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in NetCfgTool in the System Configuration component in Apple Mac OS X 10.4.11 and 10.5.2 allows local users to bypass authorization and execute arbitrary code via crafted distributed objects. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier. NOTE: This BID is being retired. 28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994 28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048 28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049 28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057 28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997 28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046 28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051 28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052 28334 CUPS Multiple Unspecified Input Validation Vulnerabilities 28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability 28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability 28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability 28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability 28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability 28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability 28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability 28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability 28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness 28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness 28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability 28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability 28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability 28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability 28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability 28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability 28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability. The NetCfgTool privileged tool uses distributed objects to communicate with untrusted client programs on the local machine. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server. Successful exploitation may allow execution of arbitrary code. 2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used. 3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA18008 SA21197 SA26636 SA27906 SA28046 4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow. 6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed. Successful exploitation may allow execution of arbitrary code. 7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA23347 SA24187 SA24891 SA26038 SA26530 SA28117 SA28907 9) An integer overflow error exists in CoreFoundation when handling time zone data. 10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari. 13) A boundary error in curl can be exploited to compromise a user's system. For more information: SA17907 14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system. For more information: SA27508 15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system. For more information: SA24548 16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name. 17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges. 18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure. 19) A race condition error exists in the cache management of NSURLConnection. Safari). 20) A race condition error exists in NSXML. 21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript. 22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file. 23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system. For more information: SA29428 24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS. 25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string. 26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd. 27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code. 28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions. For more information: SA27648 SA28318 29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments. 30) Printing and Preview handle PDF files with weak encryption. 31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk. 33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image. 35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 SA28532 36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA22900 SA25292 SA27093 SA27130 SOLUTION: Apply Security Update 2008-002. Security Update 2008-002 v1.0 (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html Security Update 2008-002 v1.0 (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10universal.html Security Update 2008-002 v1.0 (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html Security Update 2008-002 v1.0 Server (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html Security Update 2008-002 v1.0 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html Security Update 2008-002 v1.0 Server (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm 11) regenrecht via iDefense 19) Daniel Jalkut, Red Sweater Software 22) Brian Mastenbrook 24) Mike Ash, Rogue Amoeba Software 29) Maximilian Reiss, Chair for Applied Software Engineering, TUM 33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega 34) Rodrigo Carvalho CORE Security Technologies ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307562 CORE-2008-0123: http://www.coresecurity.com/?action=item&id=2189 OTHER REFERENCES: SA17907: http://secunia.com/advisories/17907/ SA18008: http://secunia.com/advisories/18008/ SA21187: http://secunia.com/advisories/21197/ SA22900: http://secunia.com/advisories/22900/ SA23347: http://secunia.com/advisories/23347/ SA24187: http://secunia.com/advisories/24187/ SA24548: http://secunia.com/advisories/24548/ SA24891: http://secunia.com/advisories/24891/ SA25292: http://secunia.com/advisories/25292/ SA26038: http://secunia.com/advisories/26038/ SA26530: http://secunia.com/advisories/26530/ SA26636: http://secunia.com/advisories/26636/ SA27040: http://secunia.com/advisories/27040/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA27648: http://secunia.com/advisories/27648/ SA27508: http://secunia.com/advisories/27508/ SA27906: http://secunia.com/advisories/27906/ SA28046: http://secunia.com/advisories/28046/ SA28117: http://secunia.com/advisories/28117/ SAS28318: http://secunia.com/advisories/28318/ SA28532: http://secunia.com/advisories/28532/ SA28907: http://secunia.com/advisories/28907/ SA29428: http://secunia.com/advisories/29428/ SA29431: http://secunia.com/advisories/29431/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1 allows remote attackers to inject arbitrary web script or HTML via a crafted javascript: URL. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible. These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista. NOTE: This BID is being retired. Safari is the WEB browser bundled with the Apple family operating system by default. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta 4 days left of beta period. The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success. The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide. For more information: SA29393 SOLUTION: Apply updated packages via the yum utility ("yum update WebKit"). Note: Updated packages for midori and kazehakase have also been issued, which have been rebuilt against the new WebKit library. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Apple Safari Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29393 VERIFY ADVISORY: http://secunia.com/advisories/29393/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Safari 3.x http://secunia.com/product/17989/ Safari 2.x http://secunia.com/product/5289/ DESCRIPTION: Some vulnerabilities have been reported in Safari, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to compromise a vulnerable system. 2) An error exists the handling of web pages that have explicitly set the document.domain property. This can be exploited to conduct cross-site scripting attacks in sites that set the document.domain property or between HTTP and HTTPS sites with the same document.domain. 3) An error in Web Inspector can be exploited to inject script code that will run in other domains and can read the user's file system when a specially crafted page is inspected. 4) A security issue exists with the Kotoeri input method, which can result in exposing the password field on the display when reverse conversion is requested. 5) An error within the handling of the "window.open()" function can be used to change the security context of a web page to the caller's context. 6) The frame navigation policy is not enforced for Java applets. This can be exploited to conduct cross-site scripting attacks using java and to gain escalated privileges by enticing a user to open a specially crafted web page. 7) An unspecified error in the handling of the document.domain property can be exploited to conduct cross-site scripting attacks when a user visits a specially crafted web page. 8) An error exists in the handling of the history object. This can be exploited to inject javascript code that will run in the context of other frames. 9) A boundary error exists in the handling of javascript regular expressions, which can be exploited to cause a buffer overflow via a specially crafted web page. Successful exploitation allows execution of arbitrary code. 10) An error in WebKit allows method instances from one frame to be called in the context of another frame. This can be exploited to conduct cross-site scripting attacks. SOLUTION: Update to version 3.1. PROVIDED AND/OR DISCOVERED BY: 1) Robert Swiecki of Google Information Security Team 2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University 10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307563 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Mac OS X 10.5.2 allows user-assisted attackers to cause a denial of service (crash) via a crafted Universal Disc Format (UDF) disk image, which triggers a NULL pointer dereference. Attackers can leverage this issue to cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier. NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID: 28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044. 28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994 28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048 28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049 28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057 28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997 28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046 28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051 28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052 28334 CUPS Multiple Unspecified Input Validation Vulnerabilities 28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability 28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability 28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability 28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability 28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability 28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability 28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability 28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability 28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness 28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness 28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability 28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability 28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability 28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability 28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability 28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability 28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server. Successful exploitation may allow execution of arbitrary code. 2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used. 3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA18008 SA21197 SA26636 SA27906 SA28046 4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow. 6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed. Successful exploitation may allow execution of arbitrary code. 7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA23347 SA24187 SA24891 SA26038 SA26530 SA28117 SA28907 9) An integer overflow error exists in CoreFoundation when handling time zone data. 10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari. For more information: SA29431 12) Multiple input validation errors exist in CUPS, which can be exploited to execute arbitrary code with system privileges. 13) A boundary error in curl can be exploited to compromise a user's system. For more information: SA17907 14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system. For more information: SA27508 15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system. For more information: SA24548 16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name. 17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges. 18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure. 19) A race condition error exists in the cache management of NSURLConnection. This can be exploited to cause a DoS or execute arbitrary code in applications using the library (e.g. Safari). 20) A race condition error exists in NSXML. This can be exploited to execute arbitrary code by enticing a user to process an XML file in an application which uses NSXML. 21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript. 22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file. 23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system. For more information: SA29428 24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS. 25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string. 26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd. 27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code. 28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions. For more information: SA27648 SA28318 29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments. 30) Printing and Preview handle PDF files with weak encryption. 31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk. 35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 SA28532 36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA22900 SA25292 SA27093 SA27130 SOLUTION: Apply Security Update 2008-002. Security Update 2008-002 v1.0 (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html Security Update 2008-002 v1.0 (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10universal.html Security Update 2008-002 v1.0 (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html Security Update 2008-002 v1.0 Server (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html Security Update 2008-002 v1.0 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html Security Update 2008-002 v1.0 Server (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm 11) regenrecht via iDefense 19) Daniel Jalkut, Red Sweater Software 22) Brian Mastenbrook 24) Mike Ash, Rogue Amoeba Software 29) Maximilian Reiss, Chair for Applied Software Engineering, TUM 33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega 34) Rodrigo Carvalho CORE Security Technologies ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307562 CORE-2008-0123: http://www.coresecurity.com/?action=item&id=2189 OTHER REFERENCES: SA17907: http://secunia.com/advisories/17907/ SA18008: http://secunia.com/advisories/18008/ SA21187: http://secunia.com/advisories/21197/ SA22900: http://secunia.com/advisories/22900/ SA23347: http://secunia.com/advisories/23347/ SA24187: http://secunia.com/advisories/24187/ SA24548: http://secunia.com/advisories/24548/ SA24891: http://secunia.com/advisories/24891/ SA25292: http://secunia.com/advisories/25292/ SA26038: http://secunia.com/advisories/26038/ SA26530: http://secunia.com/advisories/26530/ SA26636: http://secunia.com/advisories/26636/ SA27040: http://secunia.com/advisories/27040/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA27648: http://secunia.com/advisories/27648/ SA27508: http://secunia.com/advisories/27508/ SA27906: http://secunia.com/advisories/27906/ SA28046: http://secunia.com/advisories/28046/ SA28117: http://secunia.com/advisories/28117/ SAS28318: http://secunia.com/advisories/28318/ SA28532: http://secunia.com/advisories/28532/ SA28907: http://secunia.com/advisories/28907/ SA29428: http://secunia.com/advisories/29428/ SA29431: http://secunia.com/advisories/29431/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in AppKit in Apple Mac OS X 10.4.11 allows user-assisted remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted PostScript Printer Description (PPD) file that is not properly handled when querying a network printer. Failed attacks will cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier. NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID: 28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044. 28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994 28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048 28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049 28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057 28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997 28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046 28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051 28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052 28334 CUPS Multiple Unspecified Input Validation Vulnerabilities 28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability 28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability 28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability 28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability 28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability 28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability 28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability 28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability 28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness 28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness 28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability 28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability 28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability 28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability 28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability 28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability 28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server. Successful exploitation may allow execution of arbitrary code. 2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used. 3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA18008 SA21197 SA26636 SA27906 SA28046 4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow. 6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed. Successful exploitation may allow execution of arbitrary code. 7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA23347 SA24187 SA24891 SA26038 SA26530 SA28117 SA28907 9) An integer overflow error exists in CoreFoundation when handling time zone data. 10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari. 13) A boundary error in curl can be exploited to compromise a user's system. For more information: SA17907 14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system. For more information: SA27508 15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system. For more information: SA24548 16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name. 17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges. 18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure. 19) A race condition error exists in the cache management of NSURLConnection. This can be exploited to cause a DoS or execute arbitrary code in applications using the library (e.g. Safari). 20) A race condition error exists in NSXML. 21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript. 22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file. 23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system. For more information: SA29428 24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS. 25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string. 26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd. 27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code. 28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions. For more information: SA27648 SA28318 29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments. 30) Printing and Preview handle PDF files with weak encryption. 31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk. 33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image. 35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 SA28532 36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA22900 SA25292 SA27093 SA27130 SOLUTION: Apply Security Update 2008-002. Security Update 2008-002 v1.0 (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html Security Update 2008-002 v1.0 (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10universal.html Security Update 2008-002 v1.0 (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html Security Update 2008-002 v1.0 Server (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html Security Update 2008-002 v1.0 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html Security Update 2008-002 v1.0 Server (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm 11) regenrecht via iDefense 19) Daniel Jalkut, Red Sweater Software 22) Brian Mastenbrook 24) Mike Ash, Rogue Amoeba Software 29) Maximilian Reiss, Chair for Applied Software Engineering, TUM 33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega 34) Rodrigo Carvalho CORE Security Technologies ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307562 CORE-2008-0123: http://www.coresecurity.com/?action=item&id=2189 OTHER REFERENCES: SA17907: http://secunia.com/advisories/17907/ SA18008: http://secunia.com/advisories/18008/ SA21187: http://secunia.com/advisories/21197/ SA22900: http://secunia.com/advisories/22900/ SA23347: http://secunia.com/advisories/23347/ SA24187: http://secunia.com/advisories/24187/ SA24548: http://secunia.com/advisories/24548/ SA24891: http://secunia.com/advisories/24891/ SA25292: http://secunia.com/advisories/25292/ SA26038: http://secunia.com/advisories/26038/ SA26530: http://secunia.com/advisories/26530/ SA26636: http://secunia.com/advisories/26636/ SA27040: http://secunia.com/advisories/27040/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA27648: http://secunia.com/advisories/27648/ SA27508: http://secunia.com/advisories/27508/ SA27906: http://secunia.com/advisories/27906/ SA28046: http://secunia.com/advisories/28046/ SA28117: http://secunia.com/advisories/28117/ SAS28318: http://secunia.com/advisories/28318/ SA28532: http://secunia.com/advisories/28532/ SA28907: http://secunia.com/advisories/28907/ SA29428: http://secunia.com/advisories/29428/ SA29431: http://secunia.com/advisories/29431/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

notifyd in Apple Mac OS X 10.4.11 does not verify that Mach port death notifications have originated from the kernel, which allows local users to cause a denial of service via spoofed death notifications that prevent other applications from receiving notifications. (DoS) There is a vulnerability that becomes a condition.Disguised disabling notifications by a malicious local user can prevent other applications from receiving notifications. Attackers can leverage this issue to cause denial-of-service conditions. These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID: 28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server. Successful exploitation may allow execution of arbitrary code. 2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used. 3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA18008 SA21197 SA26636 SA27906 SA28046 4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow. 6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed. Successful exploitation may allow execution of arbitrary code. 7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA23347 SA24187 SA24891 SA26038 SA26530 SA28117 SA28907 9) An integer overflow error exists in CoreFoundation when handling time zone data. 10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari. For more information: SA29431 12) Multiple input validation errors exist in CUPS, which can be exploited to execute arbitrary code with system privileges. 13) A boundary error in curl can be exploited to compromise a user's system. For more information: SA17907 14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system. For more information: SA27508 15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system. For more information: SA24548 16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name. 17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges. 18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure. 19) A race condition error exists in the cache management of NSURLConnection. This can be exploited to cause a DoS or execute arbitrary code in applications using the library (e.g. Safari). 20) A race condition error exists in NSXML. This can be exploited to execute arbitrary code by enticing a user to process an XML file in an application which uses NSXML. 21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript. 22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file. 23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system. For more information: SA29428 24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS. 25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string. 27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code. 28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions. For more information: SA27648 SA28318 29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments. 30) Printing and Preview handle PDF files with weak encryption. 31) An error in Printing in the handling of authenticated print queues can lead to credentials being saved to disk. 33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image. 35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 SA28532 36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA22900 SA25292 SA27093 SA27130 SOLUTION: Apply Security Update 2008-002. Security Update 2008-002 v1.0 (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html Security Update 2008-002 v1.0 (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10universal.html Security Update 2008-002 v1.0 (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html Security Update 2008-002 v1.0 Server (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html Security Update 2008-002 v1.0 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html Security Update 2008-002 v1.0 Server (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm 11) regenrecht via iDefense 19) Daniel Jalkut, Red Sweater Software 22) Brian Mastenbrook 24) Mike Ash, Rogue Amoeba Software 29) Maximilian Reiss, Chair for Applied Software Engineering, TUM 33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega 34) Rodrigo Carvalho CORE Security Technologies ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307562 CORE-2008-0123: http://www.coresecurity.com/?action=item&id=2189 OTHER REFERENCES: SA17907: http://secunia.com/advisories/17907/ SA18008: http://secunia.com/advisories/18008/ SA21187: http://secunia.com/advisories/21197/ SA22900: http://secunia.com/advisories/22900/ SA23347: http://secunia.com/advisories/23347/ SA24187: http://secunia.com/advisories/24187/ SA24548: http://secunia.com/advisories/24548/ SA24891: http://secunia.com/advisories/24891/ SA25292: http://secunia.com/advisories/25292/ SA26038: http://secunia.com/advisories/26038/ SA26530: http://secunia.com/advisories/26530/ SA26636: http://secunia.com/advisories/26636/ SA27040: http://secunia.com/advisories/27040/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA27648: http://secunia.com/advisories/27648/ SA27508: http://secunia.com/advisories/27508/ SA27906: http://secunia.com/advisories/27906/ SA28046: http://secunia.com/advisories/28046/ SA28117: http://secunia.com/advisories/28117/ SAS28318: http://secunia.com/advisories/28318/ SA28532: http://secunia.com/advisories/28532/ SA28907: http://secunia.com/advisories/28907/ SA29428: http://secunia.com/advisories/29428/ SA29431: http://secunia.com/advisories/29431/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Printing component in Apple Mac OS X 10.5.2 might save authentication credentials to disk when starting a job on an authenticated print queue, which might allow local users to obtain the credentials. Attackers can leverage this issue to gain access to privileged authentication credentials. Other attacks are also possible. The following individual records have been created to fully document all the vulnerabilities that were described in this BID: 28356 Apple Safari CFNetwork Arbitrary Secure Website Spoofing Vulnerability 28321 Apple Safari Error Page Cross-Site Scripting Vulnerability 28328 Apple Safari Javascript URL Parsing Cross-Site Scripting Vulnerability 28330 Apple Safari WebCore 'document.domain' Cross-Site Scripting Vulnerability 28347 Apple Safari Web Inspector Remote Code Injection Vulnerability 28326 Apple Safari WebCore 'Kotoeri' Password Field Information Disclosure Vulnerability 28332 Apple Safari WebCore 'window.open()' Function Cross-Site Scripting Vulnerability 28335 Apple Safari WebCore Java Frame Navigation Cross-Site Scripting Vulnerability 28336 Apple Safari WebCore 'document.domain' Variant Cross-Site Scripting Vulnerability 28337 Apple Safari WebCore History Object Cross-Site Scripting Vulnerability 28338 Apple Safari WebKit JavaScript Regular Expression Handling Buffer Overflow Vulnerability 28342 Apple Safari WebKit Frame Method Cross-Site Scripting Vulnerability. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier. NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID: 28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044. 28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994 28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048 28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049 28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057 28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997 28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046 28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051 28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052 28334 CUPS Multiple Unspecified Input Validation Vulnerabilities 28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability 28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability 28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability 28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability 28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability 28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability 28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability 28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability 28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness 28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness 28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability 28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability 28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability 28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability 28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability 28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability 28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Multiple boundary errors in AFP client when processing "afp://" URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server. Successful exploitation may allow execution of arbitrary code. 2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used. 3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA18008 SA21197 SA26636 SA27906 SA28046 4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow. 6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed. Successful exploitation may allow execution of arbitrary code. 7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server. 8) Multiple vulnerabilities in ClamAV can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. For more information: SA23347 SA24187 SA24891 SA26038 SA26530 SA28117 SA28907 9) An integer overflow error exists in CoreFoundation when handling time zone data. 10) The problem is that files with names ending in ".ief" can be automatically opened in AppleWorks if "Open 'Safe' files" is enabled in Safari. For more information: SA29431 12) Multiple input validation errors exist in CUPS, which can be exploited to execute arbitrary code with system privileges. 13) A boundary error in curl can be exploited to compromise a user's system. For more information: SA17907 14) A vulnerability in emacs can be exploited by malicious people to compromise a user's system. For more information: SA27508 15) A vulnerability in "file" can be exploited by malicious people to compromise a vulnerable system. For more information: SA24548 16) An input validation error exists in the NSSelectorFromString API, which can potentially be exploited to execute arbitrary code via a malformed selector name. 17) A race condition error in NSFileManager can potentially be exploited to gain escalated privileges. 18) A boundary error in NSFileManager can potentially be exploited to cause a stack-based buffer overflow via an overly long pathname with a specially crafted structure. 19) A race condition error exists in the cache management of NSURLConnection. This can be exploited to cause a DoS or execute arbitrary code in applications using the library (e.g. Safari). 20) A race condition error exists in NSXML. This can be exploited to execute arbitrary code by enticing a user to process an XML file in an application which uses NSXML. 21) An error in Help Viewer can be exploited to insert arbitrary HTML or JavaScript into the generated topic list page via a specially crafted "help:topic_list" URL and may redirect to a Help Viewer "help:runscript" link that runs Applescript. 22) A boundary error exists in Image Raw within the handling of Adobe Digital Negative (DNG) image files. This can be exploited to cause a stack-based buffer overflow by enticing a user to open a maliciously crafted image file. 23) Multiple vulnerabilities in Kerberos can be exploited to cause a DoS or to compromise a vulnerable system. For more information: SA29428 24) An off-by-one error the "strnstr()" in libc can be exploited to cause a DoS. 25) A format string error exists in mDNSResponderHelper, which can be exploited by a malicious, local user to cause a DoS or execute arbitrary code with privileges of mDNSResponderHelper by setting the local hostname to a specially crafted string. 26) An error in notifyd can be exploited by a malicious, local user to deny access to notifications by sending fake Mach port death notifications to notifyd. 27) An array indexing error in the pax command line tool can be exploited to execute arbitrary code. 28) Multiple vulnerabilities in php can be exploited to bypass certain security restrictions. For more information: SA27648 SA28318 29) A security issue is caused due to the Podcast Capture application providing passwords to a subtask through the arguments. 30) Printing and Preview handle PDF files with weak encryption. 33) A null-pointer dereference error exists in the handling of Universal Disc Format (UDF) file systems, which can be exploited to cause a system shutdown by enticing a user to open a maliciously crafted disk image. 35) Some vulnerabilities in X11 can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 SA28532 36) Some vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA22900 SA25292 SA27093 SA27130 SOLUTION: Apply Security Update 2008-002. Security Update 2008-002 v1.0 (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html Security Update 2008-002 v1.0 (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10universal.html Security Update 2008-002 v1.0 (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html Security Update 2008-002 v1.0 Server (Leopard): http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html Security Update 2008-002 v1.0 Server (PPC): http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html Security Update 2008-002 v1.0 Server (Universal): http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm 11) regenrecht via iDefense 19) Daniel Jalkut, Red Sweater Software 22) Brian Mastenbrook 24) Mike Ash, Rogue Amoeba Software 29) Maximilian Reiss, Chair for Applied Software Engineering, TUM 33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega 34) Rodrigo Carvalho CORE Security Technologies ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307562 CORE-2008-0123: http://www.coresecurity.com/?action=item&id=2189 OTHER REFERENCES: SA17907: http://secunia.com/advisories/17907/ SA18008: http://secunia.com/advisories/18008/ SA21187: http://secunia.com/advisories/21197/ SA22900: http://secunia.com/advisories/22900/ SA23347: http://secunia.com/advisories/23347/ SA24187: http://secunia.com/advisories/24187/ SA24548: http://secunia.com/advisories/24548/ SA24891: http://secunia.com/advisories/24891/ SA25292: http://secunia.com/advisories/25292/ SA26038: http://secunia.com/advisories/26038/ SA26530: http://secunia.com/advisories/26530/ SA26636: http://secunia.com/advisories/26636/ SA27040: http://secunia.com/advisories/27040/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA27648: http://secunia.com/advisories/27648/ SA27508: http://secunia.com/advisories/27508/ SA27906: http://secunia.com/advisories/27906/ SA28046: http://secunia.com/advisories/28046/ SA28117: http://secunia.com/advisories/28117/ SAS28318: http://secunia.com/advisories/28318/ SA28532: http://secunia.com/advisories/28532/ SA28907: http://secunia.com/advisories/28907/ SA29428: http://secunia.com/advisories/29428/ SA29431: http://secunia.com/advisories/29431/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------