VARIoT IoT vulnerabilities database


VAR-200608-0339 CVE-2006-4312 Cisco PIX Firewall vulnerability in the configuration process that prevents authentication CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco PIX 500 Series Security Appliances and ASA 5500 Series Adaptive Security Appliances, when running 7.0(x) up to 7.0(5) and 7.1(x) up to 7.1(2.4), and Firewall Services Module (FWSM) 3.1(x) up to 3.1(1.6), causes the EXEC password, local user passwords, and the enable password to be changed to a "non-random value" under certain circumstances, which causes administrators to be locked out and might allow attackers to gain access.

In Cisco PIX Firewall, when the configuration process is left incomplete because the software crashes or because multiple users change the configuration in parallel, the password stored in the startup configuration can be changed to a value the user never specified. The changed password could then be used to gain unauthorized access to the device.

Multiple Cisco Firewall appliances are prone to an authentication-bypass vulnerability. The vulnerability occurs because the firmware fails to properly handle certain configuration errors, resulting in unintended password changes to non-random specific passwords. This issue allows remote attackers to gain unauthorized access to the affected network appliances with administrative or local user privileges. These issues are tracked by Cisco Bug IDs CSCse02703 and CSCsd81487.

Cisco PIX, ASA, and FWSM are widely deployed firewall devices that provide stateful packet filtering and deep packet inspection. Only two situations can trigger this software bug:
* Software crashes, usually caused by software bugs. Note that not all software crashes lead to the undesirable results described above.
* Two or more users make configuration changes simultaneously on the same device.
The vulnerability is triggered regardless of the method used to access the device (Command Line Interface [CLI], Adaptive Security Device Manager [ASDM], Firewall Management Center, etc.).

Note that the password in the startup configuration is only changed when the configuration is saved to the stable medium that stores the startup configuration, via the write memory or copy running-config startup-config commands. In normal operation, the password in the startup configuration is not changed without saving the running configuration. If an AAA server (RADIUS or TACACS+) is used for authentication, with or without LOCAL authentication configured as fallback, a changed password in the startup configuration only causes the undesirable results described above when the AAA server is unavailable. If authentication is configured to use a password stored in the startup configuration, administrators are prevented from logging in to the device. If a malicious user is able to guess the new password and the device is restarted, whether automatically after a software crash or manually by a network administrator, unauthorized access to the device is possible.

TITLE: Cisco Firewall Products Unintentional Password Modification
SECUNIA ADVISORY ID: SA21616
VERIFY ADVISORY: http://secunia.com/advisories/21616/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM:
Cisco PIX 7.x http://secunia.com/product/6102/
Cisco Adaptive Security Appliance (ASA) 7.x http://secunia.com/product/6115/
SOFTWARE:
Cisco Firewall Services Module (FWSM) 3.x http://secunia.com/product/8614/
Cisco Firewall Services Module (FWSM) 2.x http://secunia.com/product/5088/
Cisco Firewall Services Module (FWSM) 1.x http://secunia.com/product/2273/
DESCRIPTION: A security issue has been reported in various Cisco Firewall products, which may allow malicious people to bypass certain security restrictions. The error may happen during a software crash or when multiple users configure a device at the same time. This may result in users being locked out or lead to unauthorised access to an affected device.
SOLUTION: Update to a fixed version (see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: The vendor credits Terje Bless, Helse Nord IKT.
VAR-200608-0340 CVE-2006-4313 Cisco VPN 3000 Series Concentrator CWD and other FTP command execution vulnerability allowing file modification CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple unspecified vulnerabilities in Cisco VPN 3000 series concentrators before 4.1, 4.1.x up to 4.1(7)L, and 4.7.x up to 4.7(2)F allow attackers to execute the (1) CWD, (2) MKD, (3) CDUP, (4) RNFR, (5) SIZE, and (6) RMD FTP commands to modify files or create and delete directories via unknown vectors. The Cisco VPN 3000 series concentrators are prone to a vulnerability that allows attackers to access arbitrary files. An attacker can exploit this issue to rename and delete arbitrary files on the affected device in the context of the FTP server process. This may facilitate further attacks.

The Cisco VPN 3000 Series Concentrators consist of a general-purpose remote-access virtual private network (VPN) platform and client software that combines high availability, performance, and scalability with today's most advanced encryption and authentication technologies to provide services to operators and enterprise users.
* Change the configuration of the concentrator by renaming or deleting configuration and certificate files through the RNFR and RMD FTP commands.
Note that since none of these vulnerabilities allow unauthorized users to upload or download files from the concentrator, it is not possible to obtain device configurations or upload modified configurations by exploiting them.

TITLE: Cisco VPN 3000 Concentrator FTP Management Vulnerabilities
SECUNIA ADVISORY ID: SA21617
VERIFY ADVISORY: http://secunia.com/advisories/21617/
CRITICAL: Less critical
IMPACT: Security Bypass
WHERE: From local network
OPERATING SYSTEM: Cisco VPN 3000 Concentrator http://secunia.com/product/90/
DESCRIPTION: Two vulnerabilities have been reported in Cisco VPN 3000 Concentrator, which can be exploited by malicious people to bypass certain security restrictions. This can e.g. be exploited to delete configuration files and certificates on the device. Successful exploitation requires that the device has been configured to use FTP as a management protocol (default setting). The vulnerabilities affect models 3005, 3015, 3020, 3030, 3060, and 3080 running the following versions:
* Any version prior to 4.1
* Any 4.1.x version prior to, and including, 4.1(7)L
* Any 4.7.x version prior to, and including, 4.7(2)F
SOLUTION: Update to version 4.1(7)M or 4.7(2)G. http://www.cisco.com/pcgi-bin/tablebuild.pl/vpn3000-3des?psrtdcat20e2 Network security best practices recommend restricting access to the FTP service (or disabling it if not needed to manage the VPN 3000 concentrator).
PROVIDED AND/OR DISCOVERED BY: The vendor credits NCC Group.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml
VAR-200608-0326 CVE-2006-4266 Symantec Norton Personal Firewall Trojan horse library loading vulnerability CVSS V2: 3.6
CVSS V3: -
Severity: LOW
Symantec Norton Personal Firewall 2006 9.1.0.33, and possibly earlier, does not properly protect Norton registry keys, which allows local users to provide Trojan horse libraries to Norton by using RegSaveKey and RegRestoreKey to modify HKLM\SOFTWARE\Symantec\CCPD\SuiteOwners, as demonstrated using NISProd.dll. NOTE: in most cases, this attack would not cross privilege boundaries, because modifying the SuiteOwners key requires administrative privileges. However, this issue is a vulnerability because the product's functionality is intended to protect against privileged actions such as this.

An attacker may exploit this vulnerability to bypass Norton's registry protection mechanism and modify the 'SuiteOwners' registry entry to load an arbitrary library file. This will likely lead to further attacks. The individual who discovered this issue claims to have tested it on Norton Personal Firewall 2006 version 9.1.0.33. Other versions could also be affected. Norton Internet Security products that include the vulnerable application may also be affected. RETIRED: This BID is being retired; further investigation indicates that the application is not vulnerable to this issue.

Norton protects its own registry keys from modification by other applications, but the API functions RegSaveKey and RegRestoreKey can be used to bypass the protection of the registry key HKLM\SOFTWARE\Symantec\CCPD\SuiteOwners. This registry key also stores important information, such as NISProd.dll. A malicious application can use RegSaveKey and RegRestoreKey to modify the value in SuiteOwners, causing Norton to load a fake library into its process. Malicious code in the fake library can then manipulate any Norton component and bypass all security protections.
VAR-200608-0056 CVE-2006-3506 Xsan Filesystem fails to properly process path names CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the Xsan Filesystem driver on Mac OS X 10.4.7 and OS X Server 10.4.7 allows local users with Xsan write access to execute arbitrary code via unspecified vectors related to "processing a path name". A buffer overflow vulnerability in Apple's Xsan product may allow a local attacker to run arbitrary code with root privileges or create a denial-of-service condition. Apple Xsan filesystem is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it into an insufficiently sized buffer. Failed exploit attempts will likely crash the system, denying service to legitimate users.

TITLE: Xsan Filesystem Path Name Buffer Overflow Vulnerability
SECUNIA ADVISORY ID: SA21551
VERIFY ADVISORY: http://secunia.com/advisories/21551/
CRITICAL: Less critical
IMPACT: Privilege escalation
WHERE: Local system
SOFTWARE: Xsan Filesystem 1.x http://secunia.com/product/11577/
DESCRIPTION: A vulnerability has been reported in Xsan Filesystem, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a boundary error in the Xsan Filesystem driver when processing path names and can be exploited to cause a buffer overflow.
SOLUTION: Update to version 1.4. http://www.apple.com/support/downloads/xsanfilesystem14formacosx104.html
PROVIDED AND/OR DISCOVERED BY: The vendor credits Andrew Wellington, Australian National University.
ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=304188
VAR-200608-0522 CVE-2006-4143 Netgear FVG318 Wireless Router bad-checksum TCP packet denial of service vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Netgear FVG318 running firmware 1.0.40 allows remote attackers to cause a denial of service (router reset) via TCP packets with bad checksums. Netgear FVG318 wireless routers are prone to a remote denial-of-service vulnerability. Exploiting this issue may permit an attacker to crash affected devices, denying further network services to legitimate users. Firmware version 1.0.40 is vulnerable; other versions may also be affected.
VAR-200608-0515 CVE-2006-4026 SAPID CMS PHP remote file inclusion vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
PHP remote file inclusion vulnerability in SAPID CMS 123 rc3 allows remote attackers to execute arbitrary PHP code via a URL in the (1) root_path parameter in usr/extensions/get_infochannel.inc.php and the (2) GLOBALS["root_path"] parameter in usr/extensions/get_tree.inc.php. Multiple SAPID applications are prone to multiple remote file-include vulnerabilities. These may facilitate a compromise of the application and the underlying system; other attacks are also possible.

TITLE: SAPID CMS "root_path" File Inclusion Vulnerability
SECUNIA ADVISORY ID: SA21410
VERIFY ADVISORY: http://secunia.com/advisories/21410/
CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote
SOFTWARE: SAPID CMS 1.x http://secunia.com/product/6323/
DESCRIPTION: Simo64 has discovered some vulnerabilities in SAPID CMS, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "root_path" parameter in usr/extensions/get_infochannel.inc.php and usr/extensions/get_tree.inc.php is not properly verified before being used to include files. Successful exploitation requires that "register_globals" is enabled. The vulnerabilities have been confirmed in version 1.2.3 Stable and 1.2.3 RC3. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly verified.
PROVIDED AND/OR DISCOVERED BY: Simo64
VAR-200703-0270 CVE-2006-7065 Microsoft Internet Explorer 6 and 7 denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Microsoft Internet Explorer allows remote attackers to cause a denial of service (crash) via an IFRAME with a certain XML file and XSL stylesheet that triggers a crash in mshtml.dll when a refresh is called, probably a null pointer dereference. Microsoft Internet Explorer is prone to a denial-of-service vulnerability when handling malicious HTML files. Successfully exploiting this issue allows attackers to consume excessive CPU resources in the affected browser and eventually cause Internet Explorer to crash, resulting in a denial of service.
VAR-200610-0506 CVE-2006-5202 Linksys WRT54G routers do not properly validate user credentials

Related entries in the VARIoT exploits database: VAR-E-200803-0228
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Linksys WRT54g firmware 1.00.9 does not require credentials when making configuration changes, which allows remote attackers to modify arbitrary configurations via a direct request to Security.tri, as demonstrated using the SecurityMode and layout parameters, a different issue than CVE-2006-2559. Linksys WRT54G routers do not properly validate user credentials before allowing configuration changes. This is a different vulnerability from CVE-2006-2559. A third party may change any setting through a direct request to Security.tri.

Linksys WRT54GS is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its configuration settings without requiring authentication. The problem presents itself when a victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to bypass authentication and modify the configuration settings of the device. This issue is reported to affect firmware version 1.00.9; other firmware versions may also be affected. Linksys WRT54GS is a wireless router device that combines several functions.

TITLE: Linksys WRT54G Configuration Manipulation and Request Forgery
SECUNIA ADVISORY ID: SA21372
VERIFY ADVISORY: http://secunia.com/advisories/21372/
CRITICAL: Less critical
IMPACT: Hijacking, Manipulation of data
WHERE: From remote
OPERATING SYSTEM: Linksys WRT54G Wireless-G Broadband Router http://secunia.com/product/3523/
DESCRIPTION: Ginsu Rabbit has reported a vulnerability and a security issue in Linksys WRT54G, which can be exploited by malicious people to conduct cross-site request forgery attacks and manipulate the configuration.
disable wireless security).
2) An error exists in the web interface caused due to the device allowing users to change the router configuration via HTTP requests without performing any validity checks to verify the user's request.
SOLUTION: Filter traffic to affected devices and do not visit untrusted web sites while being logged in to the device.
PROVIDED AND/OR DISCOVERED BY: Ginsu Rabbit
ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048495.html
VAR-200608-0067 CVE-2006-4194 Cisco PIX SIP fixup unauthorized UDP port forwarding vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Cisco PIX 500 Series Security Appliances allows remote attackers to send arbitrary UDP packets to intranet devices via unspecified vectors involving Session Initiation Protocol (SIP) fixup commands, a different issue than CVE-2006-4032. NOTE: the vendor, after working with the researcher, has been unable to reproduce the issue. Cisco PIX is reportedly prone to an unauthorized UDP port-forwarding vulnerability. Attackers may exploit this issue to forward UDP datagrams to arbitrary hosts protected by affected firewall devices, potentially bypassing firewall rules. This may aid attackers in further attacks against computers protected by affected firewall devices. This BID will be updated as further information becomes available.
VAR-200608-0396 CVE-2006-4082 Barracuda Spam Firewall contains hardcoded default login credentials CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Barracuda Spam Firewall (BSF), possibly 3.3.03.053, contains a hardcoded password for the admin account for logins from 127.0.0.1 (localhost), which allows local users to gain privileges. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that cannot be modified by an administrator. Barracuda Spam Firewall is an integrated hardware and software spam solution for protecting mail servers. A hard-coded password for the administrator account on local logins could allow an attacker to gain access.

TITLE: Barracuda Spam Firewall Information Disclosure and Default Account
SECUNIA ADVISORY ID: SA21258
VERIFY ADVISORY: http://secunia.com/advisories/21258/
CRITICAL: Less critical
IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information
WHERE: From local network
OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/
DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information.
1) Input passed to the "file" parameter in preview_email.cgi is not properly verified before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated.
2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information.
A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. Prior versions may also be affected.
SOLUTION: Update to firmware version 3.3.0.54.
PROVIDED AND/OR DISCOVERED BY: Greg Sinclair
VAR-200710-0029 CVE-2007-5450 Apple iPod touch and iPhone Safari denial of service (DoS) vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Safari on the Apple iPod touch (aka iTouch) and iPhone 1.1.1 allows user-assisted remote attackers to cause a denial of service (application crash), and enable filesystem browsing by the local user, via a certain TIFF file. Safari is prone to a denial-of-service vulnerability.

The iPod touch (also known as iTouch) is an MP4 player released by Apple, and the iPhone is a smartphone released by Apple. The Safari browser on the iPod touch has a vulnerability in processing malformed TIFF images. Attackers may use this vulnerability to take control of the user's system. If a user is tricked into viewing a specially crafted TIFF image in the Safari browser embedded in the above products, a buffer overflow may be triggered, resulting in denial of service or execution of arbitrary commands.

TITLE: Apple iPod touch / iPhone TIFF Image Processing Vulnerability
SECUNIA ADVISORY ID: SA27213
VERIFY ADVISORY: http://secunia.com/advisories/27213/
CRITICAL: Highly critical
IMPACT: DoS, System access
WHERE: From remote
OPERATING SYSTEM:
Apple iPhone 1.x http://secunia.com/product/15128/
Apple iPod touch 1.x http://secunia.com/product/16074/
DESCRIPTION: A vulnerability has been reported in Apple iPod touch and Apple iPhone, which potentially can be exploited by malicious people to compromise a vulnerable device. The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari web browser. The vulnerability is reported in iPod touch version 1.1.1 and iPhone version 1.1.1. Other versions may also be affected. This may be related to: SA21304
SOLUTION: Do not browse untrusted web sites and do not open untrusted TIFF images.
PROVIDED AND/OR DISCOVERED BY: Niacin
ORIGINAL ADVISORY: http://www.toc2rta.com/?q=node/22
OTHER REFERENCES: SA21304: http://secunia.com/advisories/21304/

Successful exploitation allows crashing applications linked against libTIFF and may also allow execution of arbitrary code.
PROVIDED AND/OR DISCOVERED BY: Tavis Ormandy, Google Security Team.
For more information: SA21304
SOLUTION: Apply updated packages
VAR-200608-0476 CVE-2006-4032 Cisco IOS CME Session Initiation Protocol (SIP) user directory information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Cisco IOS CallManager Express (CME) allows remote attackers to gain sensitive information (user names) from the Session Initiation Protocol (SIP) user directory via certain SIP messages, aka bug CSCse92417. Cisco CallManager Express is prone to an information-disclosure vulnerability because the application fails to protect sensitive data from an attacker. An attacker could exploit this issue to retrieve potentially sensitive information that may aid in further attacks. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Cisco CallManager Express SIP User Directory Disclosure SECUNIA ADVISORY ID: SA21335 VERIFY ADVISORY: http://secunia.com/advisories/21335/ CRITICAL: Not critical IMPACT: Exposure of sensitive information WHERE: >From local network SOFTWARE: Cisco CallManager Express 3.x http://secunia.com/product/11230/ DESCRIPTION: A weakness has been reported in Cisco CallManager Express, which can be exploited by malicious people to disclose potentially sensitive information. This can be exploited to disclose the names of the users in the SIP user database by sending specially crafted SIP messages. SOLUTION: The vendor recommends implementing the VoIP (Voice over Internet Protocol) infrastructure and data devices on separate VLANs according to best security practices. PROVIDED AND/OR DISCOVERED BY: The vendor credits Dave Endler and Mark Collier. 
ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060802-sip.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
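The advisory above does not say which SIP messages trigger the disclosure, only that crafted messages let an attacker harvest names from the SIP user directory. The block below is an added example, not Cisco's or Secunia's code: a method-agnostic detector that flags any source addressing many distinct user parts in a short window, which is what a directory-harvesting sweep looks like on the wire whatever method carries it. The one-request-per-line log shape ("<epoch> <src_ip> <METHOD> <request-uri>"), the sample lines, and the window and threshold values are all constructed for this example and are not a Cisco IOS format.

```python
"""Added example (not Cisco's or Secunia's code): flag a SIP source that sweeps
many distinct user parts in a short window, regardless of SIP method.

Assumptions: the log shape "<epoch> <src_ip> <METHOD> <request-uri>" is invented
for this example and is not a Cisco IOS format; window/threshold are illustrative."""
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps six different users in four seconds using
# mixed methods; 10.0.0.9 behaves like an ordinary phone (re-REGISTERs, one call).
SAMPLE_LOG = """\
1154500000 10.0.0.5 REGISTER sip:alice@cme.example.com
1154500001 10.0.0.5 INVITE sip:bob@cme.example.com
1154500001 10.0.0.5 OPTIONS sip:carol@cme.example.com
1154500002 10.0.0.5 REGISTER sip:dave@cme.example.com
1154500002 10.0.0.5 SUBSCRIBE sip:erin@cme.example.com
1154500004 10.0.0.5 REGISTER sip:frank@cme.example.com
1154500010 10.0.0.9 REGISTER sip:alice@cme.example.com
1154500040 10.0.0.9 REGISTER sip:alice@cme.example.com
1154500070 10.0.0.9 INVITE sip:bob@cme.example.com
"""

# epoch, source, method, then the user part of a sip:/sips: request URI
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+sips?:([^@\s;]+)@")


def parse_log(text):
    """Return (timestamp, src, method, user) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, user = m.groups()
            events.append((int(ts), src, method, user))
    return events


def enumeration_sources(events, window=60, threshold=5):
    """Map src -> set of distinct users it addressed within one `window`-second
    span, for every src that reached `threshold` distinct users in such a span.
    The SIP method is deliberately ignored: a sweep can ride on REGISTER, INVITE,
    OPTIONS or anything else, and the advisory does not name the method."""
    per_src = defaultdict(list)
    for ts, src, _method, user in sorted(events):
        per_src[src].append((ts, user))
    flagged = {}
    for src, seq in per_src.items():
        for i, (start, _) in enumerate(seq):
            # sliding window anchored at each request in turn
            users = {u for t, u in seq[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[src] = users
                break
    return flagged


if __name__ == "__main__":
    for src, users in enumeration_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(users)} distinct users in one window: {sorted(users)}")
```

Run it against a capture or proxy log converted to the assumed line shape; the VLAN separation the vendor recommends reduces who can reach the CME at all, and this check tells you when someone who can reach it is walking the directory.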
VAR-200608-0511 CVE-2006-4022 Drivers for the Intel 2100 PRO/Wireless Network Connection Hardware contain a memory corruption vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Intel 2100 PRO/Wireless Network Connection driver PROSet before 7.1.4.6 allows local users to corrupt memory and execute code via "requests for capabilities from higher-level protocol drivers or user-level applications" involving crafted frames, a different issue than CVE-2006-3992. Microsoft Windows drivers for Intel 2100 PRO/Wireless Network Connection Hardware contain a memory corruption vulnerability. This vulnerability may allow an attacker to execute arbitrary code on a vulnerable system. Intel PRO/Wireless 2100 PROSet versions prior to 7.1.4.6 (driver version 1.2.4.37) for Windows are vulnerable.
VAR-200608-0200 CVE-2006-3992 Intel Centrino wireless network drivers fail to properly handle malformed frames CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the Centrino (1) w22n50.sys, (2) w22n51.sys, (3) w29n50.sys, and (4) w29n51.sys Microsoft Windows drivers for Intel 2200BG and 2915ABG PRO/Wireless Network Connection before 10.5 with driver 9.0.4.16 allows remote attackers to execute arbitrary code via certain frames that trigger memory corruption. Microsoft Windows drivers for Intel Centrino wireless adapters fail to properly handle malformed frames. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code. An attacker within radio range of a vulnerable Wi-Fi station can trigger these issues to corrupt memory and execute code with kernel-level privileges. A successful attack can result in a complete compromise of the affected computer. Intel PRO/Wireless 2200BG and 2915ABG versions prior to 10.5 with driver version 9.0.4.16 for Windows are vulnerable.
VAR-200608-0223 CVE-2006-4015 HP ProCurve switches denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Hewlett-Packard (HP) ProCurve 3500yl, 6200yl, and 5400zl switches with software before K.11.33 allow remote attackers to cause a denial of service (possibly memory leak or system crash) via unknown vectors. ProCurve is prone to an unspecified remote denial-of-service vulnerability. This issue is most likely due to a failure in the device to properly sanitize user-supplied input. An attacker can exploit this issue to crash an affected device, effectively denying service to legitimate users. This issue affects ProCurve switches running software prior to K.11.33. Remote attackers can cause the switch to deny service by sending specially crafted packets. ---------------------------------------------------------------------- TITLE: HP ProCurve Switch Denial of Service Vulnerability SECUNIA ADVISORY ID: SA21316 VERIFY ADVISORY: http://secunia.com/advisories/21316/ CRITICAL: Less critical IMPACT: DoS WHERE: From local network OPERATING SYSTEM: HP ProCurve Switch 3500yl series http://secunia.com/product/11225/ HP ProCurve Switch 5400zl series http://secunia.com/product/11226/ HP ProCurve Switch 6200yl series http://secunia.com/product/11227/ DESCRIPTION: A vulnerability has been reported in HP ProCurve Switch, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability has been reported in the following products: * ProCurve Switch 3500yl series * ProCurve Switch 6200yl series * ProCurve Switch 5400zl series SOLUTION: Update switch software to version K.11.33 or later. 
http://www.hp.com/rnd/software/switches.htm PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HPSBGN02136 SSRT061173: http://itrc.hp.com/service/cki/docDisplay.do?docId=c00732233
VAR-200608-0456 CVE-2006-3961 McAfee Subscription Manager ActiveX control vulnerable to stack buffer overflow CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Buffer overflow in McSubMgr ActiveX control (mcsubmgr.dll) in McAfee Security Center 6.0.23 for Internet Security Suite 2006, Wireless Home Network Security, Personal Firewall Plus, VirusScan, Privacy Service, SpamKiller, AntiSpyware, and QuickClean allows remote user-assisted attackers to execute arbitrary commands via long string parameters, which are later used in vsprintf. McAfee SecurityCenter is prone to a stack-based buffer-overflow vulnerability. This vulnerability requires a certain amount of user interaction for an attack to occur, such as visiting a malicious website. A successful exploit would let a remote attacker execute code with the privileges of the currently logged-in user. This issue is reported to affect versions 4.3 through 6.0.22. Please see the affected packages section for a list of McAfee consumer products that ship with vulnerable versions of the McAfee SecurityCenter. McAfee Subscription Manager is a component shipped with many McAfee products to manage product licensing. It is an ActiveX control through which the vendor checks that the product is legitimately licensed. McSubMgr.dll, the module that implements the Subscription Manager, does not check the length of incoming parameters. A remote attacker can lure a user to a malicious website whose script passes more than 3000 bytes to McSubMgr.dll, causing a stack overflow that can be used to execute arbitrary commands. Link: http://www.securityfocus.com/archive/1/442495/30/0/threaded. ---------------------------------------------------------------------- The vulnerability is caused due to an unspecified error and allows execution of arbitrary code. No more information is currently available. 
SOLUTION: Sufficient information about the vulnerability is not available to suggest a proper workaround. PROVIDED AND/OR DISCOVERED BY: eEye Digital Security ORIGINAL ADVISORY: eEye Digital Security: http://www.eeye.com/html/research/upcoming/20060719.html
VAR-200608-0208 CVE-2006-4000 Barracuda Spam Firewall preview_email.cgi directory traversal vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in cgi-bin/preview_email.cgi in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that can not be modified by an administrator. Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, an access-validation issue, and a remote command-execution issue. A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application. Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues. Barracuda Spam Firewall is an integrated hardware and software spam solution for protecting mail servers. Although the guest account has only limited access, the following information can be obtained: * System configuration, including IP address and administrator IP ACL; * Email message log (but not the content of the messages); * Spam/antivirus definition version information and system firmware version. There is also a file disclosure vulnerability in Barracuda's preview_email.cgi script. This script retrieves messages from Barracuda's local message database, but does not properly filter the file parameter passed via GET to limit retrieval to the message database directory, so any file readable by the web server user can be fetched from the web interface. In addition, arbitrary commands can be executed using the pipe symbol (|). Although this script requires a valid user login, that restriction is easily bypassed by combining it with the guest password issue described above. 
---------------------------------------------------------------------- TITLE: Barracuda Spam Firewall Information Disclosure and Default Account SECUNIA ADVISORY ID: SA21258 VERIFY ADVISORY: http://secunia.com/advisories/21258/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information WHERE: From local network OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/ DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information. 1) Input passed to the "file" parameter in preview_email.cgi is not properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated. 2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information. A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. SOLUTION: Update to firmware version 3.3.0.54. PROVIDED AND/OR DISCOVERED BY: Greg Sinclair
VAR-200608-0447 CVE-2006-4081 Barracuda Spam Firewall preview_email.cgi command execution vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
preview_email.cgi in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 allows remote attackers to execute commands via shell metacharacters ("|" pipe symbol) in the file parameter. NOTE: the attack can be extended to arbitrary commands by the presence of CVE-2006-4000. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that can not be modified by an administrator. preview_email.cgi in Barracuda Spam Firewall (BSF) contains a command execution vulnerability. Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, an access-validation issue, and a remote command-execution issue. A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application. Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues. Although the guest account has only limited access, the following information can be obtained: * System configuration, including IP address and administrator IP ACL; * Email message log (but not the content of the messages); * Spam/antivirus definition version information and system firmware version. Although this script requires a valid user login, that restriction is easily bypassed by combining it with the guest password issue described above. 
---------------------------------------------------------------------- TITLE: Barracuda Spam Firewall Information Disclosure and Default Account SECUNIA ADVISORY ID: SA21258 VERIFY ADVISORY: http://secunia.com/advisories/21258/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information WHERE: From local network OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/ DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information. 1) Input passed to the "file" parameter in preview_email.cgi is not properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated. 2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information. A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. SOLUTION: Update to firmware version 3.3.0.54. PROVIDED AND/OR DISCOVERED BY: Greg Sinclair
VAR-200608-0209 CVE-2006-4001 Barracuda Spam Firewall contains hardcoded default login credentials CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Login.pm in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 contains a hard-coded password for the guest account, which allows remote attackers to read sensitive information such as e-mail logs, and possibly e-mail contents and the admin password. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that can not be modified by an administrator. Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, an access-validation issue, and a remote command-execution issue. A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application. Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues. Barracuda Spam Firewall is an integrated hardware and software spam solution for protecting mail servers. There is also a file disclosure vulnerability in Barracuda's preview_email.cgi script. This script retrieves messages from Barracuda's local message database, but does not properly filter the file parameter passed via GET to limit retrieval to the message database directory, so any file readable by the web server user can be fetched from the web interface. In addition, arbitrary commands can be executed using the pipe symbol (|). Although this script requires a valid user login, that restriction is easily bypassed by combining it with the hard-coded guest password described above. 
---------------------------------------------------------------------- TITLE: Barracuda Spam Firewall Information Disclosure and Default Account SECUNIA ADVISORY ID: SA21258 VERIFY ADVISORY: http://secunia.com/advisories/21258/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information WHERE: From local network OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/ DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information. 1) Input passed to the "file" parameter in preview_email.cgi is not properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated. 2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information. A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. SOLUTION: Update to firmware version 3.3.0.54. PROVIDED AND/OR DISCOVERED BY: Greg Sinclair
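The three Barracuda entries above (CVE-2006-4000, CVE-2006-4081 and CVE-2006-4001) describe one file parameter with two separate failures: it escapes the message directory with "..", and it reaches a shell, where "|" turns a file name into a command. The block below is an added example, not Barracuda's Perl code (which the page does not show): a Python analogue of both flaws beside a hardened handler. The string-prefix check and the shell-backed read in vulnerable_preview are a reconstruction of why the advisory's payload shape (file=/mail/mlog/../<file>) works, not the script's real logic; the directory tree, file names and the INJECTED marker are constructed for the demo. The hard-coded guest account has no code counterpart here: it is fixed by removing the account, not by filtering input.

```python
"""Added example (not Barracuda's code): the two preview_email.cgi flaws as a
vulnerable Python analogue beside a hardened handler.

Assumptions: the real script is a Perl CGI the page does not show; the prefix
test and the shell-backed read in vulnerable_preview() reconstruct why the
advisory's payload shape (file=/mail/mlog/../<file>, and '|' in the name) works,
not the script's actual code. The fixture tree is constructed by build_fixture()."""
import os
import re
import shutil
import subprocess
import tempfile


def vulnerable_preview(file_param, base):
    """Flawed handler: a string-prefix test does not stop '..', and the name
    reaches a shell, so '|' turns a filename into a pipeline (as with a Perl
    2-arg open or backticks)."""
    if not file_param.startswith(base + "/"):
        return "denied"
    return subprocess.run("cat " + file_param, shell=True,
                          capture_output=True, text=True).stdout


# allow-list for the whole parameter: no '|', ';', spaces, quotes, NUL, ...
SAFE_NAME = re.compile(r"[A-Za-z0-9._/-]+")


def safe_preview(file_param, base):
    """Hardened handler: character allow-list, realpath confinement, no shell."""
    if not SAFE_NAME.fullmatch(file_param):
        raise ValueError("illegal character in file name")
    base_real = os.path.realpath(base)
    # os.path.join drops base_real when file_param is absolute; that is fine,
    # because confinement is enforced by the realpath/commonpath test below,
    # which collapses '..' and follows symlinks before comparing.
    candidate = os.path.realpath(os.path.join(base_real, file_param))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes the message directory")
    # Open the file directly: no interpreter, so metacharacters have no meaning.
    with open(candidate, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def build_fixture():
    """Constructed tree: <root>/mail/mlog/msg1 (legitimate) and <root>/secret.txt
    (outside the message directory). Returns (root, base)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "mail", "mlog")
    os.makedirs(base)
    with open(os.path.join(base, "msg1"), "w") as fh:
        fh.write("Subject: hello\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("admin password hash\n")
    return root, base


def demo():
    """Run both handlers on a legitimate name, a traversal and a pipe payload;
    returns a dict of outcomes ('rejected' where the hardened handler refused)."""
    root, base = build_fixture()
    try:
        payloads = {
            "legit": base + "/msg1",
            "traversal": base + "/../../secret.txt",   # passes the prefix test
            "pipe": base + "/msg1|echo INJECTED",      # becomes a shell pipeline
        }
        out = {}
        for name, p in payloads.items():
            out["vuln_" + name] = vulnerable_preview(p, base)
            try:
                out["safe_" + name] = safe_preview(p, base)
            except ValueError:
                out["safe_" + name] = "rejected"
        return out
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value!r}")
```

Two points worth keeping from this: the containment test runs on realpath() output, so a symlink inside the message directory that points outside it is rejected too, which no string-prefix test catches; and because the file is opened directly there is no interpreter for the pipe character to reach, so the allow-list is a second layer rather than the only one.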
VAR-200607-0331 CVE-2006-3946 Apple Mac OS X WebCore memory management error in WebKit allows denial of service and possible code execution CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
WebCore in Apple Mac OS X 10.3.9 and 10.4 through 10.4.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted HTML that triggers a "memory management error" in WebKit, possibly due to a buffer overflow, as originally reported for the KHTMLParser::popOneBlock function in Apple Safari 2.0.4 using Javascript that changes document.body.innerHTML within a DIV tag. Apple Workgroup Manager fails to properly enable ShadowHash passwords in a NetInfo parent. Workgroup Manager may appear to use ShadowHash passwords when crypt is used. A vulnerability exists in how Apple OS X handles PICT images. If successfully exploited, this vulnerability may allow a remote attacker to execute arbitrary code, or create a denial-of-service condition. This vulnerability may allow remote users with a valid network account to bypass LoginWindow service access controls. Adobe Flash Player fails to properly handle malformed strings. Safari is prone to a buffer-overflow vulnerability. This issue is triggered when an attacker entices a victim user to visit a malicious website or to open a malicious HTML file. Failed exploit attempts result in crashing the application, effectively denying service to legitimate users. Possible buffer overflow. ---------------------------------------------------------------------- The vulnerability is caused due to an error in the "KHTMLParser::popOneBlock()" function. This can be exploited to cause a memory corruption via a script element in a div element redefining the document body. The vulnerability has been confirmed in version 2.0.4 (419.3). Other versions may also be affected. SOLUTION: Disable JavaScript support. 
---------------------------------------------------------------------- TITLE: Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA22187 VERIFY ADVISORY: http://secunia.com/advisories/22187/ CRITICAL: Highly critical IMPACT: Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error in the CFNetwork component may allow a malicious SSL site to pose as a trusted SSL site to CFNetwork clients (e.g. Safari). 4) An error in the kernel's error handling mechanism known as Mach exception ports can be exploited by malicious, local users to execute arbitrary code in privileged applications. 5) An unchecked error condition in the LoginWindow component may result in Kerberos tickets being accessible to other local users after an unsuccessful attempt to log in. 6) Another error in the LoginWindow component during the handling of "Fast User Switching" may result in Kerberos tickets being accessible to other local users. 8) An error makes it possible for an account to manage WebObjects applications after the "Admin" privileges have been revoked. 9) A memory corruption error in QuickDraw Manager when processing PICT images can potentially be exploited via a specially crafted PICT image to execute arbitrary code. 10) An error in SASL can be exploited by malicious people to cause a DoS (Denial of Service) against the IMAP service. 
For more information: SA19618 11) A memory management error in WebKit's handling of certain HTML can be exploited by malicious people to compromise a user's system. SOLUTION: Update to version 10.4.8 or apply Security Update 2006-006. 3) The vendor credits Tom Saxton, Idle Loop Software Design. 4) The vendor credits Dino Dai Zovi, Matasano Security. 5) The vendor credits Patrick Gallagher, Digital Peaks Corporation. 6) The vendor credits Ragnar Sundblad, Royal Institute of Technology. 8) The vendor credits Phillip Tejada, Fruit Bat Software. 12) The vendor credits Chris Pepper, The Rockefeller University. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=304460 OTHER REFERENCES: SA19618: http://secunia.com/advisories/19618/ SA20971: http://secunia.com/advisories/20971/ SA21271: http://secunia.com/advisories/21271/ SA21865: http://secunia.com/advisories/21865/ ---------------------------------------------------------------------- visiting a malicious website. 2) An unspecified error can be exploited to bypass the "allowScriptAccess" option. 3) Unspecified errors exist in the way the ActiveX control is invoked by Microsoft Office products on Windows. 
PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Stuart Pearson, Computer Terrorism UK Ltd, for reporting one of the vulnerabilities. 2) Reported by the vendor. 3) Reported by the vendor.