VARIoT IoT vulnerabilities database
| VAR-201103-0360 | No CVE | SAP NetWeaver Parameter vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. SAP NetWeaver has input validation errors. Passing the \"logger\" parameter to the ViewLogger.jsp and \"class\" parameters passed to the ShowMemLog servlet. Inputs are missing before use, which can result in injecting arbitrary HTML and script code when the malicious data is viewed. Executed on the user's browser. The input of the \"logonUrl\" parameter is missing filtering before returning to the user, which can lead to cross-site scripting attacks. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SAP NetWeaver Cross-Site Scripting and Script Insertion
Vulnerabilities
SECUNIA ADVISORY ID:
SA43737
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43737/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43737
RELEASE DATE:
2011-03-14
DISCUSS ADVISORY:
http://secunia.com/advisories/43737/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43737/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43737
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in SAP NetWeaver, which
can be exploited by malicious users to conduct script insertion
attacks and by malicious people to conduct cross-site scripting
attacks.
SOLUTION:
Apply fixes (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
1, 3, 4) Dmitriy Evdokimov, Digital Security Research Group (DSecRG)
2) Alexey Sintsov, Digital Security Research Group (DSecRG)
ORIGINAL ADVISORY:
SAP:
https://service.sap.com/sap/support/notes/1438191
https://service.sap.com/sap/support/notes/1450270
https://service.sap.com/sap/support/notes/1512776
Digital Security Research Group (DSECRG-11-009, DSECRG-11-010,
DSECRG-11-012, DSECRG-11-013):
http://dsecrg.com/pages/vul/show.php?id=309
http://dsecrg.com/pages/vul/show.php?id=310
http://dsecrg.com/pages/vul/show.php?id=312
http://dsecrg.com/pages/vul/show.php?id=313
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0073 | CVE-2011-0609 | Adobe Flash Player contains unspecified code execution vulnerability |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
Unspecified vulnerability in Adobe Flash Player 10.2.154.13 and earlier on Windows, Mac OS X, Linux, and Solaris; 10.1.106.16 and earlier on Android; Adobe AIR 2.5.1 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.2 and 10.x through 10.0.1 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, as demonstrated by a .swf file embedded in an Excel spreadsheet, and as exploited in the wild in March 2011. Adobe Flash contains an arbitrary code execution vulnerability. Adobe Flash contains a memory corruption vulnerability that may lead to arbitrary code execution. Attacks leveraging this vulnerability have been confirmed.Crafted Flash Viewing a document with embedded content may lead to arbitrary code execution. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Both Adobe Reader and Acrobat are products of the American company Adobe. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Unspecified Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA43751
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43751/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43751
RELEASE DATE:
2011-03-16
DISCUSS ADVISORY:
http://secunia.com/advisories/43751/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43751/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43751
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Adobe Flash Player, which can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error. Further
information is currently not available.
The vulnerability is reported in versions 10.2.152.33 and prior for
Windows, Macintosh, Linux, and Solaris, versions 10.2.154.18 and
prior for Chrome, and versions 10.1.106.16 and prior for Android.
NOTE: The vulnerability is reportedly being actively exploited.
SOLUTION:
Adobe plans to release a fixed version during the week of March 21,
2011.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://www.adobe.com/support/security/advisories/apsa11-01.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information:
SA43751
SOLUTION:
Do not browse untrusted sites. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). This fixes a
vulnerability, which can be exploited by malicious people to
compromise a user's system.
For more information:
SA43751
SOLUTION:
Updated packages are available via Red Hat Network.
SOLUTION:
Delete, rename, or remove access to authplay.dll to prevent running
SWF content in PDF files.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers and Adobe Security Advisories and
Bulletins referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201103-0384 | No CVE | Comtrend CT-5367 \"password.cgi\" Secure Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Comtrend CT-5367 ADSL Router is an ADSL router. Since the device allows unauthenticated access to the \"password.cgi\" script, a remote attacker can gain access to the device by submitting a specially crafted HTTP request, changing the administrator password. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Comtrend CT-5367 "password.cgi" Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA43653
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43653/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43653
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43653/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43653/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43653
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Comtrend CT-5367, which can be
exploited by malicious people to bypass certain security
restrictions.
The vulnerability is caused due to the device allowing unrestricted
access to the "password.cgi" script. This can be exploited to e.g.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
Todor Donev
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0082 | CVE-2011-1416 | RIM of BlackBerry Torch 9800 Vulnerability in reading content in memory area |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Research In Motion (RIM) BlackBerry Torch 9800 with firmware 6.0.0.246 allows attackers to read the contents of memory locations via unknown vectors, as demonstrated by Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann during a Pwn2Own competition at CanSecWest 2011. Blackberry Torch 9800 is prone to a remote security vulnerability. This vulnerability has been demonstrated by Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann in the Pwn2Own hacking contest at CanSecWest 2011
| VAR-201103-0081 | CVE-2011-1415 | Research In Motion BlackBerry Torch WebKit Integer overflow vulnerability |
CVSS V2: - CVSS V3: - Severity: CRITICAL |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-1290. Reason: This candidate is a duplicate of CVE-2011-1290. Notes: All CVE users should reference CVE-2011-1290 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. An integer overflow vulnerability exists in WebKit in Research In Motion (RIM) BlackBerry Torch 9800 with firmware version 6.0.0.246. A remote attacker can execute arbitrary code with the help of an unknown vector. This vulnerability has been demonstrated by Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann in the Pwn2Own hacking contest at CanSecWest 2011
| VAR-201103-0261 | CVE-2011-0160 | plural Apple Product WebKit Vulnerabilities in which authentication information is obtained |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle redirects in conjunction with HTTP Basic Authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43698
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43698/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43698/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43698/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people to disclose potentially sensitive
information, conduct cross-site scripting and spoofing attacks, cause
a DoS (Denial of Service), and compromise a vulnerable device.
For more information:
SA43582
1) An error in the WebKit component when handling regular expressions
can be exploited to corrupt memory.
For more information see vulnerability #14:
SA40664
2) An error in the FreeType library when processing TrueType fonts
can be exploited to cause a heap-based buffer overflow.
This may be related to:
SA40110
4) Two errors in the WebKit component when handling Cascading Style
Sheets (CSS) and cached resources.
For more information see vulnerabilities #2 and #3:
SA43696
5) An unspecified error in the WebKit component can be exploited to
corrupt memory.
6) A weakness in MobileSafari when being re-opened after another
application is launched via a URL handler can be exploited to prevent
the browser from being used.
7) A boundary error when handling Wi-Fi frames can be exploited to
cause a device to restart.
The vulnerabilities are reported in versions prior to 4.3.
SOLUTION:
Update to version 4.3.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
1-4) Reported by the vendor
The vendor also credits:
5) Benoit Jacob, Mozilla
6) Nitesh Dhanjani, Ernst & Young LLP
7) Scott Boyd, ePlus Technology, Inc.
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4564
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0294 | CVE-2011-1290 |
WebKit Vulnerable to arbitrary code execution
Related entries in the VARIoT exploits database: VAR-E-201103-0867 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Integer overflow in WebKit, as used on the Research In Motion (RIM) BlackBerry Torch 9800 with firmware 6.0.0.246, in Google Chrome before 10.0.648.133, and in Apple Safari before 5.0.5, allows remote attackers to execute arbitrary code via unknown vectors related to CSS "style handling," nodesets, and a length value, as demonstrated by Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann during a Pwn2Own competition at CanSecWest 2011. WebKit Is CSS There is a flaw in the handling of styles, node sets, and length values that could allow arbitrary code execution.Skillfully crafted by a third party Web Through the site, you may get important information on the heap memory address. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the WebKit library's implementation of a CSS style. When totaling the length of it's string elements, the library will store the result into a 32bit integer. This value will be used for an allocation and then later will be used to initialize the allocated buffer. Due to the number of elements being totaled being variable, this will allow an aggressor to provide as many elements as necessary in order to cause the integer value to wrap causing an under-allocation. Initialization of this data will then cause a heap-based buffer overflow. This can lead to code execution under the context of the application. WebKit is prone to a memory-corruption vulnerability.
An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious webpage. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 46833 (Blackberry Browser Multiple Unspecified Information Disclosure and Integer Overflow Vulnerabilities), but has been given its own record to better document it. Google Chrome is a web browser developed by Google (Google). This vulnerability has been demonstrated by Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann in the Pwn2Own hacking contest at CanSecWest 2011. ZDI-11-104: (Pwn2Own) Webkit CSS Text Element Count Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-104
April 14, 2011
-- CVE ID:
CVE-2011-1290
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
WebKit
-- Affected Products:
WebKit WebKit
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11087.
-- Vendor Response:
Apple patch on April 14, 2011:
http://support.apple.com/kb/HT4606
http://support.apple.com/kb/HT4607
http://support.apple.com/kb/HT4596
-- Disclosure Timeline:
2011-03-31 - Vulnerability reported to vendor
2011-04-14 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
* Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
.
Gents,
If you are a lucky BlackBerry owner, or an administrator of many BB
devices, you can do a quick security check of your smartphone(s), by
browsing this web page from your device (free quick check):
http://tehtris.com/bbcheck
For now, this will check for you if you are potentially vulnerable
against those exploits:
-> Nov 2007 - US-CERT Advisory VU#282856 - Exploit from Michael Kemp
http://www.blackberry.com/btsc/KB12577
-> Jan 2011 - CVE-2010-2599 - Exploit found by TEHTRI-Security
http://www.blackberry.com/btsc/KB24841
-> Mar 2011 - CVE-2011-1290 - Awesome Pwn2own/CSW exploit from Vincenzo
Iozzo, Ralf Philipp Weinmann, and Willem Pinckaers
A workaround for this latest vulnerability (CVE-2011-1290) could be to
disable JavaScript, as explained on RIM resources.
You should definitely read this: http://www.blackberry.com/btsc/KB26132
Have a nice day,
Laurent OUDOT, CEO TEHTRI-Security -- "This is not a game"
http://www.tehtri-security.com/
Follow us: @tehtris
=> Join us for more hacking tricks during next awesome events:
- SyScan Singapore (April) -- Training: "Advanced PHP Hacking"
http://www.syscan.org/index.php/sg/training
- HITB Amsterdam (May) -- Training: "Hunting Web Attackers"
http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=16
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2192-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
March 15, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : chromium-browser
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-0779 CVE-2011-1290
Several vulnerabilities were discovered in the Chromium browser.
The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2011-0779
Google Chrome before 9.0.597.84 does not properly handle a missing key in an
extension, which allows remote attackers to cause a denial of service
(application crash) via a crafted extension.
For the stable distribution (squeeze), these problems have been fixed
in version 6.0.472.63~r59945-5+squeeze4
For the testing distribution (wheezy), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed
version 10.0.648.133~r77742-1
We recommend that you upgrade your chromium-browser packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk1/lHMACgkQNxpp46476ao/EwCdFThT2dtAQ9HB8yza9Z4gIqV4
FeIAn3zISoa/86EhpLs5qjhMB9gQ6Oc0
=QJZP
-----END PGP SIGNATURE-----
| VAR-201103-0083 | CVE-2011-1417 | plural Apple Run on product QuickLook Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document with a crafted size field in the OfficeArtMetafileHeader, related to OfficeArtBlip, as demonstrated on the iPhone by Charlie Miller and Dion Blazakis during a Pwn2Own competition at CanSecWest 2011. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari on the iPhone. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the support for parsing Office files. When handling the OfficeArtMetafileHeader the process trusts the cbSize field and performs arithmetic on it before making an allocation. As the result is not checked for overflow, the subsequent allocation can be undersized. Later when copying into this buffer, memory can be corrupted leading to arbitrary code execution under the context of the mobile user on the iPhone.
An attacker can exploit this issue by enticing an unsuspecting user into viewing a specially crafted website. Failed exploits will likely result in a denial-of-service condition.
Apple iOS 4.3 and earlier are vulnerable.
NOTE: Due to memory protections in place in iOS 4.3, code execution will be difficult. An integer overflow vulnerability exists in QuickLook used in MobileSafari in Apple Mac OS X versions prior to 10.6.7 and Apple iOS versions prior to 4.2.7, 4.3.2 and 4.3.x when parsing OfficeArtBlips.
CVE-ID
CVE-2011-1417 : Charlie Miller and Dion Blazakis working with
TippingPoint's Zero Day Initiative
Pages for iOS v1.5 is available for download via the App Store.
To check the current version of software, select
"Settings -> Pages -> Version". ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). Other
versions may also be affected.
SOLUTION:
Do not browse untrusted websites. ----------------------------------------------------------------------
A step-by-step discussion of the latest Flash Player 0-day exploit:
http://secunia.com/blog/210
----------------------------------------------------------------------
TITLE:
Apple iOS for iPhone 4 (CDMA) Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA44154
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44154/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44154
RELEASE DATE:
2011-04-16
DISCUSS ADVISORY:
http://secunia.com/advisories/44154/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44154/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44154
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities has been reported in Apple iOS for iPhone 4
(CDMA), which can be exploited by malicious people to compromise a
vulnerable device.
1) A boundary error exists within QuickLook.
For more information see vulnerability #29 in:
SA43814
2) An integer overflow error exists within WebKit.
For more information:
SA43748
3) A use-after-free error exists within WebKit.
The vulnerabilities are reported in iOS for iPhone 4 (CDMA) versions
4.2.5 through 4.2.6.
SOLUTION:
Update to iOS for iPhone 4 (CDMA) 4.2.7 (downloadable and installable
via iTunes).
PROVIDED AND/OR DISCOVERED BY:
1) Charlie Miller and Dion Blazakis via ZDI.
2) Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann via
ZDI.
3) Vupen via ZDI. The vendor also credits Martin Barbella.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4607
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-109/
http://www.zerodayinitiative.com/advisories/ZDI-11-104/
http://www.zerodayinitiative.com/advisories/ZDI-11-135/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-20-2 iWork 9.1 Update
iWork 9.1 Update is now available and addresses the following:
Numbers
Available for: iWork 9.0 through 9.0.5
Impact: Opening a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of Excel
files.
CVE-ID
CVE-2010-3785 : Apple
Numbers
Available for: iWork 9.0 through 9.0.5
Impact: Opening a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
Excel files.
CVE-ID
CVE-2010-3786 : Tobias Klein, working with VeriSign iDefense Labs
Pages
Available for: iWork 9.0 through 9.0.5
Impact: Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in the handling of
Microsoft Word documents.
CVE-ID
CVE-2011-1417 : Charlie Miller and Dion Blazakis working with
TippingPoint's Zero Day Initiative
iWork 9.1 Update is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The download file is named: iWork9.1Update.dmg
Its SHA-1 digest is: ecb38db74d7d1954cbcee9220c73dac85cace3e1
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOKcGrAAoJEGnF2JsdZQeewcYH/RhHdLa6x14PX+ZTC+sm1Mjc
W1xBpOxMuBpAx3Li6INXXLvMablTgPIs5e3pbtsV0RYtsJy99JdPySPI8bpQu0Si
CVWuXXSBYy2gdTtRAf6MI3j+oOyM1JhE7GunLBWcmAzv5TxS8TRf0HtNErFEe8NA
StV8QBWLErNyHxqjUQsIb5d1KbIbOysFQZy3O6pyZ6SRwr8tlIPKnY4KsaDYS5Ry
tpv3lMysde5NqCy8BeOQEtW/WAmE7i9NCCNfU2L+OfGQOXIdXmKl7Orjj+d9l23L
umGo9GCACvBVO1Ot6jKDlCW+ZuDRGuz+fhQnwOdyoqtwUwiNCsS6VIwuYYrcmxw=
=wrny
-----END PGP SIGNATURE-----
.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4581
-- Disclosure Timeline:
2011-03-09 - Vulnerability reported to vendor
2011-03-22 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Charlie Miller and Dion Blazakis
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
| VAR-201103-0270 | CVE-2011-0169 | Apple Safari Windows function vulnerable to arbitrary local file transmission |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
WebKit in Apple Safari before 5.0.4, when the Web Inspector is used, does not properly handle the window.console._inspectorCommandLineAPI property, which allows user-assisted remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. WebKit is prone to a cross-domain scripting vulnerability because it fails to properly enforce the same-origin policy.
An attacker can exploit this issue to execute arbitrary code in the context of a different domain. Successful exploits may result in privilege escalation. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43696
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43696/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43696
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43696/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43696/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43696
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple Safari, which
can be exploited by malicious people to disclose potentially
sensitive information, conduct cross-site scripting and spoofing
attacks, and compromise a user's system.
For more information:
SA43582
1) An error in the WebKit component when handling redirects during
HTTP Basic Authentication can be exploited to disclose the
credentials to another site.
This may be related to:
SA40110
2) An error in the WebKit component when handling the Attr.style
accessor can be exploited to inject an arbitrary Cascading Style
Sheet (CSS) into another document.
3) A type checking error in the WebKit component when handling cached
resources can be exploited to poison the cache and prevent certain
resources from being requested.
4) An error in the WebKit component when handling HTML5 drag and drop
operations across different origins can be exploited to disclose
certain content to another site.
5) An error in the tracking of window origins within the WebKit
component can be exploited to disclose the content of files to a
remote server.
6) Input passed to the "window.console._inspectorCommandLineAPI"
property while browsing using the Web Inspector is not properly
sanitised before being returned to the user.
The vulnerabilities are reported in versions prior to 5.0.4.
SOLUTION:
Update to version 5.0.4.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2, 3, 6) Reported by the vendor.
The vendor also credits:
1) McIntosh Cooey, Twelve Hundred Group
1) Harald Hanche-Olsen
1) Chuck Hohn, 1111 Internet LLC via CERT
1) Paul Hinze, Braintree
4) Michal Zalewski, Google Inc.
5) Aaron Sigel, vtty.com
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4566
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0268 | CVE-2011-0167 | Apple Safari Windows function vulnerable to arbitrary local file transmission |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The windows functionality in WebKit in Apple Safari before 5.0.4 allows remote attackers to bypass the Same Origin Policy, and force the upload of arbitrary local files from a client computer, via a crafted web site. WebKit is prone to a cross-domain scripting vulnerability because it fails to properly enforce the same-origin policy.
Successfully exploiting this issue will allow attackers to send the content of arbitrary files from the user's system to a remote server controlled by them. This results in disclosure of potentially sensitive information which may aid in further attacks. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. A vulnerability exists in a windows functionality in WebKit versions of Apple Safari prior to 5.0.4. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43696
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43696/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43696
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43696/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43696/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43696
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple Safari, which
can be exploited by malicious people to disclose potentially
sensitive information, conduct cross-site scripting and spoofing
attacks, and compromise a user's system.
For more information:
SA43582
1) An error in the WebKit component when handling redirects during
HTTP Basic Authentication can be exploited to disclose the
credentials to another site.
This may be related to:
SA40110
2) An error in the WebKit component when handling the Attr.style
accessor can be exploited to inject an arbitrary Cascading Style
Sheet (CSS) into another document.
3) A type checking error in the WebKit component when handling cached
resources can be exploited to poison the cache and prevent certain
resources from being requested.
4) An error in the WebKit component when handling HTML5 drag and drop
operations across different origins can be exploited to disclose
certain content to another site.
6) Input passed to the "window.console._inspectorCommandLineAPI"
property while browsing using the Web Inspector is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
The vulnerabilities are reported in versions prior to 5.0.4.
SOLUTION:
Update to version 5.0.4.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2, 3, 6) Reported by the vendor.
The vendor also credits:
1) McIntosh Cooey, Twelve Hundred Group
1) Harald Hanche-Olsen
1) Chuck Hohn, 1111 Internet LLC via CERT
1) Paul Hinze, Braintree
4) Michal Zalewski, Google Inc.
5) Aaron Sigel, vtty.com
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4566
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0263 | CVE-2011-0162 | plural Apple Product Wi-Fi Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Wi-Fi in Apple iOS before 4.3 and Apple TV before 4.2 does not properly perform bounds checking for Wi-Fi frames, which allows remote attackers to cause a denial of service (device reset) via unspecified traffic on the local wireless network. Apple iOS is the latest operating system that runs on Apple iPhone and iPod touch devices. Apple iOS has a boundary check error when processing Wi-Fi frames. When connected to WI-FI, an attacker on the same network segment can restart the device. Multiple Apple products are prone to a remote denial-of-service vulnerability when connected to a Wi-Fi network. This issue is related to insufficient bounds-checking on certain Wi-Fi frames.
Attackers on the same network can exploit this issue to cause the affected device to reset, denying service to legitimate users
| VAR-201103-0262 | CVE-2011-0161 | plural Apple Product WebKit In CSS Token sequence insertion vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle the Attr.style accessor, which allows remote attackers to bypass the Same Origin Policy and inject Cascading Style Sheets (CSS) token sequences via a crafted web site. WebKit is prone to a cross-domain script-injection vulnerability.
Successful exploits will allow attackers to execute arbitrary script code within the context of the affected application. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43698
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43698/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43698/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43698/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people to disclose potentially sensitive
information, conduct cross-site scripting and spoofing attacks, cause
a DoS (Denial of Service), and compromise a vulnerable device.
For more information:
SA43582
1) An error in the WebKit component when handling regular expressions
can be exploited to corrupt memory.
For more information see vulnerability #14:
SA40664
2) An error in the FreeType library when processing TrueType fonts
can be exploited to cause a heap-based buffer overflow.
For more information see vulnerability #1:
SA41738
3) An error in the WebKit component when handling redirects during
HTTP Basic Authentication can be exploited to disclose the
credentials to another site.
For more information see vulnerabilities #2 and #3:
SA43696
5) An unspecified error in the WebKit component can be exploited to
corrupt memory.
6) A weakness in MobileSafari when being re-opened after another
application is launched via a URL handler can be exploited to prevent
the browser from being used.
7) A boundary error when handling Wi-Fi frames can be exploited to
cause a device to restart.
The vulnerabilities are reported in versions prior to 4.3.
SOLUTION:
Update to version 4.3.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
1-4) Reported by the vendor
The vendor also credits:
5) Benoit Jacob, Mozilla
6) Nitesh Dhanjani, Ernst & Young LLP
7) Scott Boyd, ePlus Technology, Inc.
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4564
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0259 | CVE-2011-0158 | Apple iOS of MobileSafari of URL Service interruption in handlers (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
MobileSafari in Apple iOS before 4.3 does not properly implement application launching through URL handlers, which allows remote attackers to cause a denial of service (persistent application crash) via crafted JavaScript code. Apple Mobile Safari on iOS is prone to a denial-of-service vulnerability when handling specially crafted webpages.
Attackers can exploit this issue by enticing an unsuspecting user to view a malicious webpage.
Successfully exploiting this issue will cause another arbitrary targeted application to launch while causing Mobile Safari to exit.
Versions prior to iOS 4.3 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43698
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43698/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43698/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43698/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people to disclose potentially sensitive
information, conduct cross-site scripting and spoofing attacks, cause
a DoS (Denial of Service), and compromise a vulnerable device.
For more information:
SA43582
1) An error in the WebKit component when handling regular expressions
can be exploited to corrupt memory.
For more information see vulnerability #14:
SA40664
2) An error in the FreeType library when processing TrueType fonts
can be exploited to cause a heap-based buffer overflow.
For more information see vulnerability #1:
SA41738
3) An error in the WebKit component when handling redirects during
HTTP Basic Authentication can be exploited to disclose the
credentials to another site.
This may be related to:
SA40110
4) Two errors in the WebKit component when handling Cascading Style
Sheets (CSS) and cached resources.
For more information see vulnerabilities #2 and #3:
SA43696
5) An unspecified error in the WebKit component can be exploited to
corrupt memory.
6) A weakness in MobileSafari when being re-opened after another
application is launched via a URL handler can be exploited to prevent
the browser from being used.
7) A boundary error when handling Wi-Fi frames can be exploited to
cause a device to restart.
SOLUTION:
Update to version 4.3.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
1-4) Reported by the vendor
The vendor also credits:
5) Benoit Jacob, Mozilla
6) Nitesh Dhanjani, Ernst & Young LLP
7) Scott Boyd, ePlus Technology, Inc.
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4564
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0260 | CVE-2011-0159 | Apple iOS of Safari It is in Safari User-trackable vulnerability in configuration function |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Safari Settings feature in Safari in Apple iOS 4.x before 4.3 does not properly implement the clearing of cookies during execution of the Safari application, which might make it easier for remote web servers to track users by setting a cookie.
This issue may allow websites to bypass certain security restrictions and gain access to potentially sensitive information.
Versions prior to iOS 4.3 are vulnerable. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43698
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43698/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43698/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43698/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people to disclose potentially sensitive
information, conduct cross-site scripting and spoofing attacks, cause
a DoS (Denial of Service), and compromise a vulnerable device.
For more information:
SA43582
1) An error in the WebKit component when handling regular expressions
can be exploited to corrupt memory.
For more information see vulnerability #14:
SA40664
2) An error in the FreeType library when processing TrueType fonts
can be exploited to cause a heap-based buffer overflow.
For more information see vulnerability #1:
SA41738
3) An error in the WebKit component when handling redirects during
HTTP Basic Authentication can be exploited to disclose the
credentials to another site.
This may be related to:
SA40110
4) Two errors in the WebKit component when handling Cascading Style
Sheets (CSS) and cached resources.
For more information see vulnerabilities #2 and #3:
SA43696
5) An unspecified error in the WebKit component can be exploited to
corrupt memory.
6) A weakness in MobileSafari when being re-opened after another
application is launched via a URL handler can be exploited to prevent
the browser from being used.
7) A boundary error when handling Wi-Fi frames can be exploited to
cause a device to restart.
SOLUTION:
Update to version 4.3.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
1-4) Reported by the vendor
The vendor also credits:
5) Benoit Jacob, Mozilla
6) Nitesh Dhanjani, Ernst & Young LLP
7) Scott Boyd, ePlus Technology, Inc.
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4564
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0264 | CVE-2011-0163 | plural Apple Product WebKit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle unspecified "cached resources," which allows remote attackers to cause a denial of service (resource unavailability) via a crafted web site that conducts a cache-poisoning attack. plural Apple Product WebKit Has a deficiency in the processing of cache resources. (DoS) There is a vulnerability that becomes a condition.Service disruption by a third party (DoS) There is a possibility of being put into a state. Apple Mobile Safari on iOS is prone to a denial-of-service vulnerability when handling specially crafted webpages.
Attackers can exploit this issue to prevent other sites from requesting resources.
Versions prior to iOS 4.3 are vulnerable. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43696
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43696/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43696
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43696/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43696/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43696
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple Safari, which
can be exploited by malicious people to disclose potentially
sensitive information, conduct cross-site scripting and spoofing
attacks, and compromise a user's system.
For more information:
SA43582
1) An error in the WebKit component when handling redirects during
HTTP Basic Authentication can be exploited to disclose the
credentials to another site.
This may be related to:
SA40110
2) An error in the WebKit component when handling the Attr.style
accessor can be exploited to inject an arbitrary Cascading Style
Sheet (CSS) into another document.
4) An error in the WebKit component when handling HTML5 drag and drop
operations across different origins can be exploited to disclose
certain content to another site.
5) An error in the tracking of window origins within the WebKit
component can be exploited to disclose the content of files to a
remote server.
6) Input passed to the "window.console._inspectorCommandLineAPI"
property while browsing using the Web Inspector is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
SOLUTION:
Update to version 5.0.4.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2, 3, 6) Reported by the vendor.
The vendor also credits:
1) McIntosh Cooey, Twelve Hundred Group
1) Harald Hanche-Olsen
1) Chuck Hohn, 1111 Internet LLC via CERT
1) Paul Hinze, Braintree
4) Michal Zalewski, Google Inc.
5) Aaron Sigel, vtty.com
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4566
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information see vulnerability #14:
SA40664
2) An error in the FreeType library when processing TrueType fonts
can be exploited to cause a heap-based buffer overflow.
6) A weakness in MobileSafari when being re-opened after another
application is launched via a URL handler can be exploited to prevent
the browser from being used.
7) A boundary error when handling Wi-Fi frames can be exploited to
cause a device to restart
| VAR-201103-0258 | CVE-2011-0157 | Apple iOS of WebKit Vulnerable to arbitrary code execution |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple iOS before 4.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2011-03-09-1. WebKit is prone to an unspecified memory-corruption vulnerability.
An attacker can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage with a vulnerable application.
Very few technical details are currently available. We will update this BID when more information emerges.
Successful exploits will allow attackers to execute arbitrary code in the context of the affected browser or cause denial-of-service conditions; other attacks may also be possible. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43698
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43698/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43698/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43698/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43698
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people to disclose potentially sensitive
information, conduct cross-site scripting and spoofing attacks, cause
a DoS (Denial of Service), and compromise a vulnerable device.
For more information:
SA43582
1) An error in the WebKit component when handling regular expressions
can be exploited to corrupt memory.
For more information see vulnerability #14:
SA40664
2) An error in the FreeType library when processing TrueType fonts
can be exploited to cause a heap-based buffer overflow.
For more information see vulnerability #1:
SA41738
3) An error in the WebKit component when handling redirects during
HTTP Basic Authentication can be exploited to disclose the
credentials to another site.
This may be related to:
SA40110
4) Two errors in the WebKit component when handling Cascading Style
Sheets (CSS) and cached resources.
For more information see vulnerabilities #2 and #3:
SA43696
5) An unspecified error in the WebKit component can be exploited to
corrupt memory.
6) A weakness in MobileSafari when being re-opened after another
application is launched via a URL handler can be exploited to prevent
the browser from being used.
7) A boundary error when handling Wi-Fi frames can be exploited to
cause a device to restart.
The vulnerabilities are reported in versions prior to 4.3.
SOLUTION:
Update to version 4.3.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
1-4) Reported by the vendor
The vendor also credits:
5) Benoit Jacob, Mozilla
6) Nitesh Dhanjani, Ernst & Young LLP
7) Scott Boyd, ePlus Technology, Inc.
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4564
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0267 | CVE-2011-0166 | Apple Safari of HTML5 Vulnerability in which important information is obtained in the drag and drop function |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The HTML5 drag and drop functionality in WebKit in Apple Safari before 5.0.4 allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via vectors related to the dragging of content. NOTE: this might overlap CVE-2011-0778. WebKit is prone to an information-disclosure vulnerability.
Successful exploits may allow the attacker to gain access to sensitive information. Information obtained may lead to further attacks. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43696
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43696/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43696
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43696/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43696/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43696
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple Safari, which
can be exploited by malicious people to disclose potentially
sensitive information, conduct cross-site scripting and spoofing
attacks, and compromise a user's system.
For more information:
SA43582
1) An error in the WebKit component when handling redirects during
HTTP Basic Authentication can be exploited to disclose the
credentials to another site.
This may be related to:
SA40110
2) An error in the WebKit component when handling the Attr.style
accessor can be exploited to inject an arbitrary Cascading Style
Sheet (CSS) into another document.
3) A type checking error in the WebKit component when handling cached
resources can be exploited to poison the cache and prevent certain
resources from being requested.
5) An error in the tracking of window origins within the WebKit
component can be exploited to disclose the content of files to a
remote server.
6) Input passed to the "window.console._inspectorCommandLineAPI"
property while browsing using the Web Inspector is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
The vulnerabilities are reported in versions prior to 5.0.4.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2, 3, 6) Reported by the vendor.
The vendor also credits:
1) McIntosh Cooey, Twelve Hundred Group
1) Harald Hanche-Olsen
1) Chuck Hohn, 1111 Internet LLC via CERT
1) Paul Hinze, Braintree
4) Michal Zalewski, Google Inc.
5) Aaron Sigel, vtty.com
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT4566
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-1 iOS 5 Software Update
iOS 5 Software Update is now available and addresses the following:
CalDAV
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information from a CalDAV
calendar server
Description: CalDAV did not check that the SSL certificate presented
by the server was trusted.
CVE-ID
CVE-2011-3253 : Leszek Tasiemski of nSense
Calendar
Available for: iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 4.2.0 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted calendar invitation may inject
script in the local domain
Description: A script injection issue existed in Calendar's handling
of invitation notes. This issue is addressed through improved
escaping of special characters in invitation notes. This issues does
not affect devices prior to iOS 4.2.0.
CVE-ID
CVE-2011-3254 : Rick Deacon
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: User's AppleID password may be logged to a local file
Description: A user's AppleID password and username were logged to a
file that was readable by applications on the system. This is
resolved by no longer logging these credentials.
CVE-ID
CVE-2011-3255 : Peter Quade of qdevelop
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of HTTP
cookies. When accessing a maliciously crafted HTTP or HTTPS URL,
CFNetwork could incorrectly send the cookies for a domain to a server
outside that domain.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CoreFoundation
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in CoreFoundation's
handling of string tokenization.
CVE-ID
CVE-2011-0259 : Apple
CoreGraphics
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a document containing a maliciously crafted font may
lead to arbitrary code execution
Description: Multiple memory corruption existed in freetype, the
most serious of which may lead to arbitrary code execution when
processing a maliciously crafted font.
CVE-ID
CVE-2011-3256 : Apple
CoreMedia
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in CoreMedia's handling of
cross-site redirects. This issue is addressed through improved origin
tracking.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
Data Access
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An exchange mail cookie management issue could incorrectly
cause data synchronization across different accounts
Description: When multiple mail exchange accounts are configured
which connect to the same server, a session could potentially receive
a valid cookie corresponding to a different account. This issue is
addressed by ensuring that cookies are separated across different
accounts.
CVE-ID
CVE-2011-3257 : Bob Sielken of IBM
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Fraudulent certificates were issued by multiple
certificate authorities operated by DigiNotar. This issue is
addressed by removing DigiNotar from the list of trusted root
certificates, from the list of Extended Validation (EV) certificate
authorities, and by configuring default system trust settings so that
DigiNotar's certificates, including those issued by other
authorities, are not trusted.
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Support for X.509 certificates with MD5 hashes may expose
users to spoofing and information disclosure as attacks improve
Description: Certificates signed using the MD5 hash algorithm were
accepted by iOS. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker could decrypt part of a SSL connection
Description: Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password. This issue is
addressed by adding support for TLS 1.2.
CVE-ID
CVE-2011-3389
Home screen
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Switching between applications may lead to the disclosure of
sensitive application information
Description: When switching between applications with the four-
finger app switching gesture, the display could have revealed the
previous application state. This issue is addressed by ensuring that
the system properly calls the applicationWillResignActive: method
when transitioning between applications.
CVE-ID
CVE-2011-3431 : Abe White of Hedonic Software Inc.
ImageIO
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0192 : Apple
ImageIO
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
International Components for Unicode
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's generation of
collation keys for long strings of mostly uppercase letters.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A remote attacker may cause a device reset
Description: The kernel failed to promptly reclaim memory from
incomplete TCP connections. An attacker with the ability to connect
to a listening service on an iOS device could exhaust system
resources.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A local user may be able to cause a system reset
Description: A null dereference issue existed in the handling of
IPV6 socket options.
CVE-ID
CVE-2011-1132 : Thomas Clement of Intego
Keyboards
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A user may be able to determine information about the last
character of a password
Description: The keyboard used to type the last character of a
password was briefly displayed the next time the keyboard was used.
CVE-ID
CVE-2011-3245 : Paul Mousdicas
libxml
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted Word file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in OfficeImport's handling of
Microsoft Word documents.
CVE-ID
CVE-2011-3260 : Tobias Klein working with Verisign iDefense Labs
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in OfficeImport's handling
of Excel files.
CVE-ID
CVE-2011-3261 : Tobias Klein of www.trapkit.de
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in OfficeImport's
handling of Microsoft Office files.
CVE-ID
CVE-2011-0208 : Tobias Klein working with iDefense VCP
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Downloading a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in OfficeImport's
handling of Excel files.
CVE-ID
CVE-2011-0184 : Tobias Klein working with iDefense VCP
Safari
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may
lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP
Content-Disposition header. This header is used by many websites to
serve files that were uploaded to the site by a third-party, such as
attachments in web-based e-mail applications. Any script in files
served with this header value would run as if the file had been
served inline, with full access to other resources on the origin
server. This issue is addressed by loading attachments in an isolated
security origin with no access to resources on other sites.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP,
Yoshinori Oota from Business Architects Inc working with JP/CERT
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with physical access to a device may be able to
recover the restrictions passcode
Description: The parental restrictions functionality enforces UI
restrictions. Configuring parental restrictions is protected by a
passcode, which was previously stored in plaintext on disk. This
issue is addressed by securely storing the parental restrictions
passcode in the system keychain.
CVE-ID
CVE-2011-3429 : an anonymous reporter
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Misleading UI
Description: Configurations and settings applied via configuration
profiles did not appear to function properly under any non-English
language. Settings could be improperly displayed as a result. This
issue is addressed by fixing a localization error.
CVE-ID
CVE-2011-3430 : Florian Kreitmaier of Siemens CERT
UIKit Alerts
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website may cause an unexpected device
hang
Description: An excessive maximum text layout length permitted
malicious websites to cause iOS to hang when drawing acceptance
dialogs for very long tel: URIs. This issue is addressed by using a
more reasonable maximum URI size.
CVE-ID
CVE-2011-3432 : Simon Young of Anglia Ruskin University
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous reporter working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3244 : vkouchna
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username. This issue is addressed through improved
handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of DOM
nodes.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object.
CVE-ID
CVE-2011-1107 : Jordi Chancel
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website and dragging content in the
page may lead to an information disclosure
Description: A cross-origin issue existed in WebKit's handling of
HTML5 drag and drop. This issue is addressed by disallowing drag and
drop across different origins.
CVE-ID
CVE-2011-0166 : Michal Zalewski of Google Inc.
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: A cross-origin issue existed in the handling of Web
Workers.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description: A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WiFi
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: WiFi credentials may be logged to a local file
Description: WiFi credentials including the passphrase and
encryption keys were logged to a file that was readable by
applications on the system. This is resolved by no longer logging
these credentials.
CVE-ID
CVE-2011-3434 : Laurent OUDOT of TEHTRI Security
Installation note:
This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"5 (9A334)".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOldmtAAoJEGnF2JsdZQee/qMIAIPxmIiOqj+FMLFHZtPeC/Dp
3s4JliKOOgNnjXkxErfaNvYGmeVbDaUER5jdVrWccTauzlYmy8G4uK0An2GD2YiP
gB5AiCQXpONdBCi38QNdRqrYoYjc8Sa0nUp4r5uWPoiHoj5KfxvBpgygEL+zjHXS
fmnrONOCWhOYp0w4q6mdTg5BH2uJCbXscD/JjbmgHQI0Vs/iUZKSRyqFo2b0Mvze
NiSyzcj/4l62Cxx7xM9VbdrYL7Al2yyHfNYJQsZmoeDUlJQcdgEgEMXvOuhY3sFK
maxYr2oCp6Mtf53fplAeJIV4ijLynEWAKxTuTznAyW1k7oiGrDTfORSFKPEB9MQ=
=LCQZ
-----END PGP SIGNATURE-----
| VAR-201103-0124 | CVE-2011-1344 | WebKit Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in WebKit, as used in Apple Safari before 5.0.5; iOS before 4.3.2 for iPhone, iPod, and iPad; iOS before 4.2.7 for iPhone 4 (CDMA); and possibly other products allows remote attackers to execute arbitrary code by adding children to a WBR tag and then removing the tag, related to text nodes, as demonstrated by Chaouki Bekrar during a Pwn2Own competition at CanSecWest 2011. WebKit Contains a flaw in the execution of arbitrary code due to a flaw in processing related to text nodes.A third party may execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the way the Webkit library handles WBR tags on a webpage. By adding children to a WBR tag and then consequently removing the tag through, for example, a 'removeChild' call it is possible to create a dangling pointer that can result in remote code execution under the context of the current user.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage. Failed exploit attempts will result in a denial-of-service condition. ZDI-11-135: (Pwn2Own) WebKit WBR Tag Removal Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-135
April 14, 2011
-- CVE ID:
CVE-2011-1344
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
WebKit
-- Affected Products:
WebKit WebKit
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10970.
-- Vendor Response:
Google patch on March 12, 2011:
http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates.html
Apple patch on April 14, 2011:
http://support.apple.com/kb/HT4606
http://support.apple.com/kb/HT4607
http://support.apple.com/kb/HT4596
-- Disclosure Timeline:
2011-03-31 - Vulnerability reported to vendor
2011-04-14 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Vupen Security
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product. ----------------------------------------------------------------------
A step-by-step discussion of the latest Flash Player 0-day exploit:
http://secunia.com/blog/210
----------------------------------------------------------------------
TITLE:
Apple iOS for iPhone 4 (CDMA) Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA44154
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44154/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44154
RELEASE DATE:
2011-04-16
DISCUSS ADVISORY:
http://secunia.com/advisories/44154/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44154/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44154
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities has been reported in Apple iOS for iPhone 4
(CDMA), which can be exploited by malicious people to compromise a
vulnerable device.
1) A boundary error exists within QuickLook.
For more information see vulnerability #29 in:
SA43814
2) An integer overflow error exists within WebKit.
For more information:
SA43748
3) A use-after-free error exists within WebKit.
PROVIDED AND/OR DISCOVERED BY:
1) Charlie Miller and Dion Blazakis via ZDI.
2) Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann via
ZDI.
3) Vupen via ZDI. The vendor also credits Martin Barbella.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4607
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-109/
http://www.zerodayinitiative.com/advisories/ZDI-11-104/
http://www.zerodayinitiative.com/advisories/ZDI-11-135/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
SOLUTION:
Update to version 5.0.5. VUPEN Security Research - Apple Safari Text Nodes Remote Use-after-free
Vulnerability (CVE-2011-1344)
http://www.vupen.com/english/research.php
I. BACKGROUND
---------------------
"Apple Safari is a web browser developed by Apple. As of February 2010,
Safari was the fourth most widely used browser, with 4.45% of the
worldwide usage share of web browsers according to Net Application."
II. DESCRIPTION
---------------------
VUPEN Vulnerability Research Team discovered a critical vulnerability
in Apple Safari.
CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
III. AFFECTED PRODUCTS
---------------------------
Apple Safari version 5.0.4 and prior for Windows and Mac OS X
Apple iOS versions 3.0 through 4.3.1 for iPhone 3GS and later
Apple iOS versions 3.1 through 4.3.1 for iPod touch (3rd generation) and
later
Apple iOS versions 3.2 through 4.3.1 for iPad
Apple iOS versions 4.2.5 through 4.2.6 for iPhone 4 (CDMA)
IV. Binary Analysis & Exploits/PoCs
---------------------------------------
In-depth binary analysis of the vulnerability and a code execution exploit
are available through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/english/services/ba-index.php
V. VUPEN Threat Protection Program
-----------------------------------
To proactively protect critical networks and infrastructures against
unpatched
vulnerabilities and reduce risks related to zero-day attacks, VUPEN shares
its
vulnerability research with governments and organizations members of the
VUPEN
Threat Protection Program (TPP).
VUPEN TPP customers receive fully detailed and technical reports about
security
vulnerabilities discovered by VUPEN and in advance of their public
disclosure.
http://www.vupen.com/english/services/tpp-index.php
VI. SOLUTION
----------------
Upgrade to Apple Safari version 5.0.5 for Windows and Mac OS X.
Upgrade to Apple iOS version 4.3.2 for iPhone, iPod, and iPad.
Upgrade to Apple iOS version 4.2.7 for iPhone 4 (CDMA).
VII. CREDIT
--------------
This vulnerability was discovered by Matthieu Bonetti of VUPEN Security
VIII. ABOUT VUPEN Security
---------------------------
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service (VNS) :
http://www.vupen.com/english/services/vns-index.php
* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php
* VUPEN Threat Protection Program for Govs (TPP) :
http://www.vupen.com/english/services/tpp-index.php
* VUPEN Web Application Security Scanner (WASS) :
http://www.vupen.com/english/services/wass-index.php
IX. REFERENCES
----------------------
http://www.vupen.com/english/research-vuln.php
http://www.vupen.com/english/advisories/2011/0984
http://www.vupen.com/english/advisories/2011/0983
http://support.apple.com/kb/HT4596
http://support.apple.com/kb/HT4606
http://support.apple.com/kb/HT4607
X. DISCLOSURE TIMELINE
-----------------------------
2011-02-26 - Vulnerability Discovered by VUPEN
2011-04-14 - Apple updates available
| VAR-201103-0084 | CVE-2011-1418 | Apple iOS and Apple TV of User tracking vulnerability in stateless address autoconfiguration function |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The stateless address autoconfiguration (aka SLAAC) functionality in the IPv6 networking implementation in Apple iOS before 4.3 and Apple TV before 4.2 places the MAC address into the IPv6 address, which makes it easier for remote IPv6 servers to track users by logging source IPv6 addresses. Multiple Apple products are prone to a security weakness.
An attacker-controlled server may exploit this issue to track specific devices or users across connections. This can aid attackers in launching further attacks.
This issue is fixed in the following versions:
Apple TV 4.2
Apple iOS 4.3
| VAR-201106-0273 | CVE-2011-2475 | Sybase OneBridge Mobile Data Suite of ECTrace.dll Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Format string vulnerability in ECTrace.dll in the iMailGateway service in the Internet Mail Gateway in OneBridge Server and DMZ Proxy in Sybase OneBridge Mobile Data Suite 5.5 and 5.6 allows remote attackers to execute arbitrary code via format string specifiers in unspecified string fields, related to authentication logging. Authentication is not required to exploit this vulnerability.The specific flaw exists within the iMailGatewayService server process (ECTrace.dll) which listens for encrypted requests by default on TCP port 993 (IMAP) and port 587 (SMTP). The process fails to properly sanitize malformed user string inputs before passing to the authentication logging function. A format string vulnerability exists in the Sybase OneBridge server and DMZ agent. Failed exploit attempts will likely result in a denial-of-service condition.
NOTE (June 3, 2011): This BID was previously titled 'Sybase OneBridge Server and DMZ Proxy Unspecified Security Vulnerability'; it has been updated to better reflect the nature of the vulnerability.
Authentication is not required to exploit this vulnerability.
-- Vendor Response:
Sybase has issued an update to correct this vulnerability. More
details can be found at:
http://www.sybase.com/detail?id=1092074
-- Disclosure Timeline:
2011-01-21 - Vulnerability reported to vendor
2011-06-03 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi