VARIoT IoT vulnerabilities database
| VAR-200801-0007 | CVE-2008-0027 | Cisco Unified Communications Manager (CUCM) and CallManager Heap overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the Certificate Trust List (CTL) Provider service (CTLProvider.exe) in Cisco Unified Communications Manager (CUCM) 4.2 before 4.2(3)SR3 and 4.3 before 4.3(1)SR1, and CallManager 4.0 and 4.1 before 4.1(3)SR5c, allows remote attackers to cause a denial of service or execute arbitrary code via a long request. Cisco Unified Communications Manager (CUCM) and CallManager Contains a heap overflow vulnerability.
Attackers can exploit this issue to execute arbitrary code or to cause denial-of-service conditions. Authentication is not
required to exploit this vulnerability. The service operates
over a SSL encrypted transport. Due to a logic flaw in the way data is
received in a loop a heap allocation can be arbitrarily overflown
resulting in the control of subsequent heap chunks.
The vulnerability is due to a loop that occurs during receive of socket
data. An initial buffer is allocated at 0x19000 bytes, as can bee seen
here.
.text:00406077 191A8 68+ push 19000h
; size_t
.text:0040607C 191AC FF+ call ds:__imp_malloc
.text:00406082 191AC 83+ add esp, 10h
.text:00406085 1919C 89+ mov [edi+14h], eax
.text:00406088 1919C 85+ test eax, eax
.text:0040608A 1919C 0F+ jz loc_406238
Once allocated data is read in 0x19000 chunks. If more than 0x4000
bytes of data are left on the socket we loop again as can be seen
here.
.text:004060A5 191AC FF+ push dword ptr [ebp-14h]
; size_t
.text:004060A8 191B0 8D+ lea eax, [ebp-1919Ch]
.text:004060AE 191B0 50 push eax
; void *
.text:004060AF 191B4 8B+ mov eax, [edi+14h]
.text:004060B2 191B4 03+ add eax, [ebp-1Ch]
.text:004060B5 191B4 50 push eax
; void *
.text:004060B6 191B8 E8+ call memcpy
.text:004060B6 191B8 2F+
.text:004060BB 191B8 B8+ mov eax, 16384
.text:004060C0 191B8 83+ add esp, 1Ch
.text:004060C3 1919C 39+ cmp [ebp-14h], eax
.text:004060C6 1919C 75+ jnz short loc_4060F8
.text:004060C8 1919C 50 push eax
; int
.text:004060C9 191A0 68+ push offset str__ErrDExceeds16k
; 'err %d exceeds 16K'
.text:004060CE 191A4 8D+ lea eax, [ebp-88h]
.text:004060D4 191A4 68+ push 80000h
; int
.text:004060D9 191A8 50 push eax
; int
.text:004060DA 191AC E8+ call log_message
.text:004060DA 191AC B7+
.text:004060DF 191AC 83+ add esp, 10h
.text:004060E2 1919C 81+ add dword ptr [ebp-1Ch], 4000h
.text:004060E9 1919C 68+ push offset
str__MaybeThereIsMoreData__readAgain ; "Maybe there is more data..Read
again"
.text:004060EE 191A0 68+ push 10000h
.text:004060F3 191A4 E9+ jmp loc_405FFF
This will continue until heap chunks are overwritten at the users
control, which can be exploited to overwrite memory and further lead to
arbitrary code execution.
-- Vendor Response:
http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml
-- Disclosure Timeline:
2007.06.04 - Vulnerability reported to vendor
2008.01.16 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by Cody Pierce - TippingPoint DVLabs.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Successful exploitation allows execution of arbitrary code.
CUCM 4.0:
Update to a fixed version of CUCM 4.1 or later.
CUCM 4.1:
Update to CUCM 4.1(3)SR5c, CUCM 4.1(3)SR6, or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-41?psrtdcat20e2
CUCM 4.2:
Update to CUCM 4.2(3)SR3 or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-42?psrtdcat20e2
CUCM 4.3:
Update to CUCM 4.3(1)SR1, CUCM 4.3(1)SR1a, or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-43?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
Cody Pierce, TippingPoint DVLabs
ORIGINAL ADVISORY:
TPTI-08-02:
http://dvlabs.tippingpoint.com/advisory/TPTI-08-02
Cisco (100345):
http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. There is a workaround for this vulnerability.
Cisco has made free software available to address these
vulnerabilities for affected customers.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0027
has been assigned to this vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml. CUCM Versions
3.3, 4.0, 4.1 and 5.0 retain the Cisco Unified CallManager name.
Products Confirmed Not Vulnerable
+--------------------------------
CUCM Versions 3.3, 5.0, 5.1, 6.0, 6.1 and Cisco CallManager Express
are not affected by this vulnerability. No other Cisco products are
currently known to be affected by this vulnerability.
Details
=======
Cisco Unified Communications Manager (CUCM) is the call processing
component of the Cisco IP telephony solution that extends enterprise
telephony features and functions to packet telephony network devices,
such as IP phones, media processing devices, voice-over-IP (VoIP)
gateways, and multimedia applications. The CTL contains public keys and other
information to allow the Cisco IP Phone devices to establish a
trusted relationship with a CUCM server. The CTL is provisioned using
the CTL Provider service on a CUCM server and with the CTL Provider
client on an administrator workstation. The CTL Provider service
needs to be enabled during the initial configuration of a CUCM server
/cluster or when changes are required to the CTL. Please consult the
Workarounds section of this advisory for information on how to
determine if the CTL Provider service is enabled on a CUCM server. The CTL Provider
service listens on TCP port 2444 by default, but the port can be
modified by the user. This issue is documented in Cisco Bug ID
CSCsj22605.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
Version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj22605 - CUCM CTL Provider Heap Overflow Vulnerability
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may result in a DoS
condition or the execution of arbitrary code.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
It is possible to workaround the vulnerability by disabling the CTL
Provider service when not in use. Access to the CTL Provider service
is required for the initial configuration of the CUCM authentication
and encryption features, or during configuration updates. For the
CUCM 4.x systems, please consult the following documentation for
details on how to disable the CUCM services:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008070ec49.html
Filtering traffic to the affected CUCM systems on screening devices
can be used as a mitigation technique for this vulnerability. To
mitigate the CTL Producer service overflow, access to TCP port 2444
should be permitted only between the CUCM servers and administrator
workstations running the CTL Provider client. There is currently no
supported method to configure filtering directly on a CUCM system.
It is possible to change the default ports of the CTL Provider (TCP
port 2444) service. If changed, filtering should be based on the port
value used. The value of the port can be viewed in CUCM
Administration interface by following the System > Service Parameters
menu and selecting the CTL Provider service.
Filters blocking access to TCP port 2444 should be deployed at the
network edge as part of a transit access control list (tACL). Further
information about transit access control lists is available in the
white paper "Transit Access Control Lists: Filtering at Your Edge,"
which is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-cucmctl.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Fixed software for CUCM can be obtained here:
+-------------------------------------------------+
| CUCM | Fixed | Recommended | Download |
| Version | Release | Release | Location |
|---------+---------+-------------+---------------|
| | | Upgrade to | |
| CUCM | | a fixed | |
| 4.0 | N/A | Version of | N/A |
| | | CUCM 4.1 or | |
| | | later | |
|---------+---------+-------------+---------------|
| | | | http:// |
| | CUCM | CUCM 4.1(3) | www.cisco.com |
| CUCM | 4.1(3) | SR6 or | /pcgi-bin/ |
| 4.1 | SR5c | later | tablebuild.pl |
| | | | /callmgr-41? |
| | | | psrtdcat20e2 |
|---------+---------+-------------+---------------|
| | | | http:// |
| | CUCM | CUCM 4.2(3) | www.cisco.com |
| CUCM | 4.2(3) | SR3 or | /pcgi-bin/ |
| 4.2 | SR3 | later | tablebuild.pl |
| | | | /callmgr-42? |
| | | | psrtdcat20e2 |
|---------+---------+-------------+---------------|
| | | | http:// |
| | CUCM | CUCM 4.3(1) | www.cisco.com |
| CUCM | 4.3(1) | SR1a or | /pcgi-bin/ |
| 4.3 | SR1 | later | tablebuild.pl |
| | | | /callmgr-43? |
| | | | psrtdcat20e2 |
+-------------------------------------------------+
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by TippingPoint. Cisco would
like to thank TippingPoint for reporting this vulnerability and
working with us towards resolution of this problem.
Status of This Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml.
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-January-16 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkeOKKYACgkQ86n/Gc8U/uDywwCfVk/A68YckSgZ070lK8aW10By
djAAnR/h+tI2S3/7csJyQHrHeZ7Nrhbz
=h46X
-----END PGP SIGNATURE-----
| VAR-200801-0305 | CVE-2008-0324 | Cisco Systems VPN Client IPSec Driver (CVPNDRVA.sys) Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Cisco Systems VPN Client IPSec Driver (CVPNDRVA.sys) 5.0.02.0090 allows local users to cause a denial of service (crash) by calling the 0x80002038 IOCTL with a small size value, which triggers memory corruption.
Successfully exploiting this issue allows local attackers to crash affected computers, denying further service to legitimate users.
This issue affects 'cvpndrva.sys' 5.0.02.0090; other versions of the driver may also be affected. Cisco VPN Client is a set of cross-platform VPN client software from Cisco.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched. This can be exploited
to cause a memory corruption within kernel space by sending specially
crafted IOCTLs to the affected driver, resulting in a system crash.
The vulnerability is reported in CVPNDRVA.sys version 5.0.02.0090.
SOLUTION:
Restrict access to trusted users.
PROVIDED AND/OR DISCOVERED BY:
mu-b, Digit-Labs
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/4911
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200802-0014 | CVE-2008-0042 | Apple Mac OS X fails to properly handle a crafted URL |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Argument injection vulnerability in Terminal.app in Terminal in Apple Mac OS X 10.4.11 and 10.5 through 10.5.1 allows remote attackers to execute arbitrary code via unspecified URL schemes. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues.
I. Further
details are available in the US-CERT Vulnerability Notes Database. These products include Samba
and X11.
II. Impact
The impacts of these vulnerabilities vary.
III. These and other updates are available via Software Update or
via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
February 12, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg
jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp
/1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO
PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet
r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9
SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug==
=qwP5
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) An unspecified error exists within Foundation in Safari's handling
of URLs. This can be exploited to cause a memory corruption when a
user is enticed to access a specially crafted URL.
Successful exploitation may allow execution of arbitrary code.
2) A weakness exists due to Launch Services allowing users to start
uninstalled applications from a Time Machine Backup.
3) An error in the handling of file:// URLs in Mail can be exploited
to execute arbitrary applications without warning when a user is
enticed to click on a URL within a message.
4) An unspecified error exists within NFS when handling mbuf chains.
This can be exploited to cause a memory corruption and allows a
system shutdown and potential execution of arbitrary code.
5) The problem is that Parental Controls contacts www.apple.com when
a site is unblocked and allows for detection of computers running
Parental Controls.
6) A boundary error in Samba can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27760
7) An input validation error exists in Terminal when processing URL
schemes. This can be exploited to launch an application with
arbitrary command line parameters and may allow execution of
arbitrary code when a user visits a specially crafted web page.
8) Multiple vulnerabilities in X11 X Font Server can be exploited by
malicious, local users to gain escalated privileges.
For more information:
SA27040
9) An error exists in X11, which causes certain settings ("Allow
connections from network client") not to be applied.
Security Update 2008-001 (PPC):
http://www.apple.com/support/downloads/securityupdate2008001ppc.html
Security Update 2008-001 (Universal):
http://www.apple.com/support/downloads/securityupdate2008001universal.html
Mac OS X 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosx1052comboupdate.html
Mac OS X Server 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosxserver1052comboupdate.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Fisher of Discovery Software Ltd. and
Ian Coutier.
4) The vendor credits Oleg Drokin, Sun Microsystems.
5) The vendor credits Jesse Pearson.
6) Alin Rad Pop, Secunia Research.
7) The vendor credits Olli Leppanen of Digital Film Finland, and
Brian Mastenbrook.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307430
OTHER REFERENCES:
SA27040:
http://secunia.com/advisories/27040/
SA27760:
http://secunia.com/advisories/27760/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200802-0013 | CVE-2008-0041 | Apple Mac OS X fails to properly handle a crafted URL |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Parental Controls in Apple Mac OS X 10.5 through 10.5.1 contacts www.apple.com "when a website is unblocked," which allows remote attackers to determine when a system is running Parental Controls. A vulnerability in the way Apple Mac OS X handles specially crafted URLs may allow an attacker to execute arbitrary code. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues.
I. Further
details are available in the US-CERT Vulnerability Notes Database. These products include Samba
and X11.
II. Impact
The impacts of these vulnerabilities vary.
III. These and other updates are available via Software Update or
via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
February 12, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg
jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp
/1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO
PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet
r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9
SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug==
=qwP5
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) An unspecified error exists within Foundation in Safari's handling
of URLs. This can be exploited to cause a memory corruption when a
user is enticed to access a specially crafted URL.
Successful exploitation may allow execution of arbitrary code.
2) A weakness exists due to Launch Services allowing users to start
uninstalled applications from a Time Machine Backup.
3) An error in the handling of file:// URLs in Mail can be exploited
to execute arbitrary applications without warning when a user is
enticed to click on a URL within a message.
4) An unspecified error exists within NFS when handling mbuf chains.
This can be exploited to cause a memory corruption and allows a
system shutdown and potential execution of arbitrary code.
6) A boundary error in Samba can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27760
7) An input validation error exists in Terminal when processing URL
schemes. This can be exploited to launch an application with
arbitrary command line parameters and may allow execution of
arbitrary code when a user visits a specially crafted web page.
8) Multiple vulnerabilities in X11 X Font Server can be exploited by
malicious, local users to gain escalated privileges.
For more information:
SA27040
9) An error exists in X11, which causes certain settings ("Allow
connections from network client") not to be applied.
Security Update 2008-001 (PPC):
http://www.apple.com/support/downloads/securityupdate2008001ppc.html
Security Update 2008-001 (Universal):
http://www.apple.com/support/downloads/securityupdate2008001universal.html
Mac OS X 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosx1052comboupdate.html
Mac OS X Server 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosxserver1052comboupdate.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Fisher of Discovery Software Ltd. and
Ian Coutier.
4) The vendor credits Oleg Drokin, Sun Microsystems.
5) The vendor credits Jesse Pearson.
6) Alin Rad Pop, Secunia Research.
7) The vendor credits Olli Leppanen of Digital Film Finland, and
Brian Mastenbrook.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307430
OTHER REFERENCES:
SA27040:
http://secunia.com/advisories/27040/
SA27760:
http://secunia.com/advisories/27760/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200802-0011 | CVE-2008-0039 | Apple Mac OS X fails to properly handle a crafted URL |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Mail in Apple Mac OS X 10.4.11 allows remote attackers to execute arbitrary commands via a crafted file:// URL. Apple Mac OS X is prone to multiple security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues.
I. Further
details are available in the US-CERT Vulnerability Notes Database. These products include Samba
and X11.
II. Impact
The impacts of these vulnerabilities vary.
III. These and other updates are available via Software Update or
via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
February 12, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg
jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp
/1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO
PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet
r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9
SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug==
=qwP5
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) An unspecified error exists within Foundation in Safari's handling
of URLs. This can be exploited to cause a memory corruption when a
user is enticed to access a specially crafted URL.
Successful exploitation may allow execution of arbitrary code.
2) A weakness exists due to Launch Services allowing users to start
uninstalled applications from a Time Machine Backup.
4) An unspecified error exists within NFS when handling mbuf chains.
This can be exploited to cause a memory corruption and allows a
system shutdown and potential execution of arbitrary code.
5) The problem is that Parental Controls contacts www.apple.com when
a site is unblocked and allows for detection of computers running
Parental Controls.
6) A boundary error in Samba can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27760
7) An input validation error exists in Terminal when processing URL
schemes. This can be exploited to launch an application with
arbitrary command line parameters and may allow execution of
arbitrary code when a user visits a specially crafted web page.
8) Multiple vulnerabilities in X11 X Font Server can be exploited by
malicious, local users to gain escalated privileges.
For more information:
SA27040
9) An error exists in X11, which causes certain settings ("Allow
connections from network client") not to be applied.
Security Update 2008-001 (PPC):
http://www.apple.com/support/downloads/securityupdate2008001ppc.html
Security Update 2008-001 (Universal):
http://www.apple.com/support/downloads/securityupdate2008001universal.html
Mac OS X 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosx1052comboupdate.html
Mac OS X Server 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosxserver1052comboupdate.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Fisher of Discovery Software Ltd. and
Ian Coutier.
4) The vendor credits Oleg Drokin, Sun Microsystems.
5) The vendor credits Jesse Pearson.
6) Alin Rad Pop, Secunia Research.
7) The vendor credits Olli Leppanen of Digital Film Finland, and
Brian Mastenbrook.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307430
OTHER REFERENCES:
SA27040:
http://secunia.com/advisories/27040/
SA27760:
http://secunia.com/advisories/27760/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200802-0012 | CVE-2008-0040 | Apple Mac OS X fails to properly handle a crafted URL |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in NFS in Apple Mac OS X 10.5 through 10.5.1 allows remote attackers to cause a denial of service (system shutdown) or execute arbitrary code via unknown vectors related to mbuf chains that trigger memory corruption. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. If the system is used as an NFS client or server, a malicious NFS server or client can cause the system to shut down unexpectedly or execute arbitrary commands.
I. Further
details are available in the US-CERT Vulnerability Notes Database. These products include Samba
and X11.
II. Impact
The impacts of these vulnerabilities vary.
III. These and other updates are available via Software Update or
via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
February 12, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg
jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp
/1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO
PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet
r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9
SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug==
=qwP5
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) An unspecified error exists within Foundation in Safari's handling
of URLs. This can be exploited to cause a memory corruption when a
user is enticed to access a specially crafted URL.
Successful exploitation may allow execution of arbitrary code.
2) A weakness exists due to Launch Services allowing users to start
uninstalled applications from a Time Machine Backup.
3) An error in the handling of file:// URLs in Mail can be exploited
to execute arbitrary applications without warning when a user is
enticed to click on a URL within a message.
4) An unspecified error exists within NFS when handling mbuf chains.
This can be exploited to cause a memory corruption and allows a
system shutdown and potential execution of arbitrary code.
5) The problem is that Parental Controls contacts www.apple.com when
a site is unblocked and allows for detection of computers running
Parental Controls.
6) A boundary error in Samba can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27760
7) An input validation error exists in Terminal when processing URL
schemes. This can be exploited to launch an application with
arbitrary command line parameters and may allow execution of
arbitrary code when a user visits a specially crafted web page.
8) Multiple vulnerabilities in X11 X Font Server can be exploited by
malicious, local users to gain escalated privileges.
For more information:
SA27040
9) An error exists in X11, which causes certain settings ("Allow
connections from network client") not to be applied.
Security Update 2008-001 (PPC):
http://www.apple.com/support/downloads/securityupdate2008001ppc.html
Security Update 2008-001 (Universal):
http://www.apple.com/support/downloads/securityupdate2008001universal.html
Mac OS X 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosx1052comboupdate.html
Mac OS X Server 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosxserver1052comboupdate.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Fisher of Discovery Software Ltd. and
Ian Coutier.
4) The vendor credits Oleg Drokin, Sun Microsystems.
5) The vendor credits Jesse Pearson.
6) Alin Rad Pop, Secunia Research.
7) The vendor credits Olli Leppanen of Digital Film Finland, and
Brian Mastenbrook.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307430
OTHER REFERENCES:
SA27040:
http://secunia.com/advisories/27040/
SA27760:
http://secunia.com/advisories/27760/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200802-0010 | CVE-2008-0038 | Apple Mac OS X fails to properly handle a crafted URL |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
Launch Services in Apple Mac OS X 10.5 through 10.5.1 allows an uninstalled application to be launched if it is in a Time Machine backup, which might allow local users to bypass intended security restrictions or exploit vulnerabilities in the application. A vulnerability in the way Apple Mac OS X handles specially crafted URLs may allow an attacker to execute arbitrary code. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. Apple Mac Operating System X 10.5 to 10.5.1, its Launch service is an API for opening applications, document files, or URLs in a manner similar to Finder or Dock.
I. Further
details are available in the US-CERT Vulnerability Notes Database. These products include Samba
and X11.
II. Impact
The impacts of these vulnerabilities vary.
III. These and other updates are available via Software Update or
via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
February 12, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg
jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp
/1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO
PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet
r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9
SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug==
=qwP5
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) An unspecified error exists within Foundation in Safari's handling
of URLs. This can be exploited to cause a memory corruption when a
user is enticed to access a specially crafted URL.
Successful exploitation may allow execution of arbitrary code.
3) An error in the handling of file:// URLs in Mail can be exploited
to execute arbitrary applications without warning when a user is
enticed to click on a URL within a message.
4) An unspecified error exists within NFS when handling mbuf chains.
This can be exploited to cause a memory corruption and allows a
system shutdown and potential execution of arbitrary code.
5) The problem is that Parental Controls contacts www.apple.com when
a site is unblocked and allows for detection of computers running
Parental Controls.
6) A boundary error in Samba can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27760
7) An input validation error exists in Terminal when processing URL
schemes. This can be exploited to launch an application with
arbitrary command line parameters and may allow execution of
arbitrary code when a user visits a specially crafted web page.
8) Multiple vulnerabilities in X11 X Font Server can be exploited by
malicious, local users to gain escalated privileges.
For more information:
SA27040
9) An error exists in X11, which causes certain settings ("Allow
connections from network client") not to be applied.
Security Update 2008-001 (PPC):
http://www.apple.com/support/downloads/securityupdate2008001ppc.html
Security Update 2008-001 (Universal):
http://www.apple.com/support/downloads/securityupdate2008001universal.html
Mac OS X 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosx1052comboupdate.html
Mac OS X Server 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosxserver1052comboupdate.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Fisher of Discovery Software Ltd. and
Ian Coutier.
4) The vendor credits Oleg Drokin, Sun Microsystems.
5) The vendor credits Jesse Pearson.
6) Alin Rad Pop, Secunia Research.
7) The vendor credits Olli Leppanen of Digital Film Finland, and
Brian Mastenbrook.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307430
OTHER REFERENCES:
SA27040:
http://secunia.com/advisories/27040/
SA27760:
http://secunia.com/advisories/27760/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200802-0009 | CVE-2008-0037 | Apple Mac OS X fails to properly handle a crafted URL |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
X11 in Apple Mac OS X 10.5 through 10.5.1 does not properly handle when the "Allow connections from network client" preference is disabled, which allows remote attackers to bypass intended access restrictions and connect to the X server. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues.
I. Further
details are available in the US-CERT Vulnerability Notes Database. These products include Samba
and X11.
II. Impact
The impacts of these vulnerabilities vary.
III. These and other updates are available via Software Update or
via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
February 12, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg
jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp
/1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO
PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet
r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9
SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug==
=qwP5
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
1) An unspecified error exists within Foundation in Safari's handling
of URLs. This can be exploited to cause a memory corruption when a
user is enticed to access a specially crafted URL.
Successful exploitation may allow execution of arbitrary code.
2) A weakness exists due to Launch Services allowing users to start
uninstalled applications from a Time Machine Backup.
3) An error in the handling of file:// URLs in Mail can be exploited
to execute arbitrary applications without warning when a user is
enticed to click on a URL within a message.
4) An unspecified error exists within NFS when handling mbuf chains.
This can be exploited to cause a memory corruption and allows a
system shutdown and potential execution of arbitrary code.
5) The problem is that Parental Controls contacts www.apple.com when
a site is unblocked and allows for detection of computers running
Parental Controls.
6) A boundary error in Samba can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27760
7) An input validation error exists in Terminal when processing URL
schemes. This can be exploited to launch an application with
arbitrary command line parameters and may allow execution of
arbitrary code when a user visits a specially crafted web page.
8) Multiple vulnerabilities in X11 X Font Server can be exploited by
malicious, local users to gain escalated privileges.
For more information:
SA27040
9) An error exists in X11, which causes certain settings ("Allow
connections from network client") not to be applied.
Security Update 2008-001 (PPC):
http://www.apple.com/support/downloads/securityupdate2008001ppc.html
Security Update 2008-001 (Universal):
http://www.apple.com/support/downloads/securityupdate2008001universal.html
Mac OS X 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosx1052comboupdate.html
Mac OS X Server 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosxserver1052comboupdate.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Fisher of Discovery Software Ltd. and
Ian Coutier.
4) The vendor credits Oleg Drokin, Sun Microsystems.
5) The vendor credits Jesse Pearson.
6) Alin Rad Pop, Secunia Research.
7) The vendor credits Olli Leppanen of Digital Film Finland, and
Brian Mastenbrook.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307430
OTHER REFERENCES:
SA27040:
http://secunia.com/advisories/27040/
SA27760:
http://secunia.com/advisories/27760/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200801-0013 | CVE-2008-0034 | Apple iPhone Vulnerabilities that prevent authentication in passcode lock |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Passcode Lock in Apple iPhone 1.0 through 1.1.2 allows users with physical access to execute applications without entering the passcode via vectors related to emergency calls.
Attackers with physical access to the device can exploit this issue to gain unauthorized access to applications. This may aid in various attacks, including information disclosure.
Versions prior to iPhone 1.1.3 and 2.1 are vulnerable. Apple iPhone is a smart phone of Apple (Apple).
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
Apple iPhone / iPod touch Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28497
VERIFY ADVISORY:
http://secunia.com/advisories/28497/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple iPhone 1.x
http://secunia.com/product/15128/
Apple iPod touch 1.x
http://secunia.com/product/16074/
DESCRIPTION:
Two vulnerabilities and a security issue have been reported in Apple
iPhone and iPod touch, which can be exploited by malicious people to
conduct cross-site scripting attacks, bypass certain security
restrictions, or to compromise a vulnerable device.
1) An unspecified error in the handling of URLs exists in Safari.
This can be exploited to cause a memory corruption when a user is
enticed to access a specially crafted URL.
Successful exploitation may allow execution of arbitrary code.
This security issue is reported in iPhone v1.0 through v1.1.2 only.
3) An error in Safari can be exploited by malicious people to conduct
cross-site scripting attacks.
For more information see vulnerability #21 in:
SA28136
SOLUTION:
Update to version 1.1.3 (downloadable and installable via iTunes).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307302
OTHER REFERENCES:
SA28136:
http://secunia.com/advisories/28136/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200801-0023 | CVE-2008-0081 | Microsoft Excel memory corruption vulnerability in |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: CRITICAL |
Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via crafted macros, aka "Macro Validation Vulnerability," a different vulnerability than CVE-2007-3490. Microsoft Excel for, Excel There is a memory corruption vulnerability due to a flaw in the handling of file headers.crafted by a third party Excel The file may lead to arbitrary code execution. Microsoft Excel is prone to a remote code-execution vulnerability.
An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. There are multiple code execution vulnerabilities in the way of processing data when Excel imports files, the way of processing Style record data, the way of processing conditional format values, and the way of processing macros.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
NOTE: According to Microsoft, this is currently being actively
exploited.
SOLUTION:
Do not open untrusted Excel files. Please see the vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
Discovered as a 0-day.
ORIGINAL ADVISORY:
Microsoft (KB947563):
http://www.microsoft.com/technet/security/advisory/947563.mspx
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA08-071A
Microsoft Updates for Multiple Vulnerabilities
Original release date: March 11, 2008
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Office
* Microsoft Outlook
* Microsoft Excel
* Microsoft Excel Viewer
* Microsoft Office for Mac
* Microsoft Office Web Componenets
Overview
Microsoft has released updates that address vulnerabilities in
Microsoft Office, Outlook, Excel, Excel Viewer, Office for Mac, and
Office Web Components.
I. Description
Microsoft has released updates to address vulnerabilities that affect
Microsoft Office, Outlook, Excel, Excel Viewer, Office for Mac, and
Office Web Components as part of the Microsoft Security Bulletin
Summary for March 2008. For more
information, see the US-CERT Vulnerability Notes Database.
II.
III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the March
2008 security bulletin. The security bulletin describe any known
issues related to the updates. Administrators are encouraged to note
these issues and test for any potentially adverse effects.
Administrators should consider using an automated update distribution
system such as Windows Server Update Services (WSUS).
IV. References
* US-CERT Vulnerability Notes for Microsoft March 2008 updates
- <http://www.kb.cert.org/vuls/byid?searchview&query=ms08-mar>
* Microsoft Security Bulletin Summary for March 2008
- <http://www.microsoft.com/technet/security/bulletin/ms08-mar.mspx>
* Microsoft Update - <https://www.update.microsoft.com/microsoftupdate/>
* Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-071A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-071A Feedback VU#393305" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR9b0APRFkHkM87XOAQLTUwf9HHlM9vQfwMpmCv77RuJKdZgdn5bNTPQA
HjsABoxmVZzE4XnArclHPyMivO8x/oel6UFvZgG/h2oGFarK7h1WpvCFQKE/cNO8
c5o0tRhxMx+ri7w7DnkhmhbWTLQ8coqKjzAioKoc2mboNz+PamQO22INjS3ktOyL
dRA+qwxSsPN3Bi7NDS2DOdUeAA+VdMn0cQTDLHJ7ZPhzy7JOiVXwQwyO3CwNDeOl
C6+FGSk8o1BsMjdP6kRaGnQkgivBi1ID4dcAQA8h0K2IGDPkCBIYiGTvj9pNnpwZ
lrP6DdHyd2idzGEXr2R0VlTQPrhabs+YpZq+qzVh6f2tg+Lc9xBwHg==
=aCnE
-----END PGP SIGNATURE-----
| VAR-200801-0010 | CVE-2008-0031 | Apple QuickTime In Soreson 3 Memory corruption vulnerability in handling video files |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Apple QuickTime before 7.4 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted Sorenson 3 video file, which triggers memory corruption. Apple QuickTime is prone to a remote code-execution vulnerability.
Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely crash the application.
This issue affects versions prior to QuickTime 7.4 running on the following operating systems:
Mac OS X 10.3.9
Mac OS X 10.4.9 or later
Mac OS X 10.5 or later
Microsoft Windows XP
Microsoft Windows Vista.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA08-016A
Apple QuickTime Updates for Multiple Vulnerabilities
Original release date: January 16, 2008
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X running versions of QuickTime prior to 7.4
* Microsoft Windows running versions of QuickTime prior to 7.4
Overview
Apple QuickTime contains multiple vulnerabilities.
I. Description
Apple QuickTime 7.4 resolves multiple vulnerabilities in the way
different types of image and media files are handled. An attacker
could exploit these vulnerabilities by convincing a user to access a
specially crafted image or media file that could be hosted on a web
page.
Note that Apple iTunes installs QuickTime, so any system with iTunes
is vulnerable.
II. For
further information, please see About the security content of
QuickTime 7.4.
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.4.
Secure your web browser
To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.
References
* About the security content of the QuickTime 7.4 Update -
<http://docs.info.apple.com/article.html?artnum=307301>
* How to tell if Software Update for Windows is working correctly
when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>
* Apple - QuickTime - Download -
<http://www.apple.com/quicktime/download/>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-016A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-016A Feedback VU#818697" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 16, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR45mevRFkHkM87XOAQLP6AgAj7J4sy83ZWEKfcDb2brgHptxAwqvArkZ
HzV+5lGg1A86V4/MARlxXctWv5JH3e2knx5ZoMUN8napP9VEag2Ra68Zdh9lKu1S
nfCRRwcIj38iakuv7xKrNt1AJHj3rHguzCjvWu8gHEJtlb15zqVr97Ci9LuNdLP3
W4hdsIxuzYQl7Ou5+j0Z9bhH1WWZRjmabsop+b0ApxeZI2F6mJn0rscRvxPQYBls
ims6CP7YseK4+ElJHAMEJfW/6gPhwyedjgesd0jssYvhtYdufn4OCZvwL+p9QSlQ
+E+UKcws4BHlEpg0dQhA13REQxwqqMgSWdm3NU8hbGdEJAJGH0cYNQ==
=emKJ
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28502
VERIFY ADVISORY:
http://secunia.com/advisories/28502/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a vulnerable system.
2) An error exists in the processing of Macintosh Resources embedded
in QuickTime movies.
3) An error in the parsing of malformed Image Descriptor (IDSC) atoms
can be exploited to cause a heap corruption via a specially crafted
movie file.
4) A boundary error exists within the processing of compressed PICT
images and can be exploited to cause a buffer overflow.
QuickTime 7.4 for Leopard:
http://www.apple.com/support/downloads/quicktime74forleopard.html
QuickTime 7.4 for Tiger:
http://www.apple.com/support/downloads/quicktime74fortiger.html
QuickTime 7.4 for Panther:
http://www.apple.com/support/downloads/quicktime74forpanther.html
QuickTime 7.4 for Windows:
http://www.apple.com/support/downloads/quicktime74forwindows.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Joe Schottman of Virginia Tech
2) Jun Mao, VeriSign iDefense Labs.
3) Cody Pierce, TippingPoint DVLabs
4) The vendor credits Chris Ries, Carnegie Mellon University
Computing Services
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307301
TippingPoint DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-08-01
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=642
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200801-0012 | CVE-2008-0033 | Apple QuickTime In Image Descriptor (IDSC) Atom analysis memory corruption vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Apple QuickTime before 7.4 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via a movie file with Image Descriptor (IDSC) atoms containing an invalid atom size, which triggers memory corruption. Apple QuickTime is prone to a memory-corruption vulnerability.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects versions prior to Apple QuickTime 7.4 running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X.
I. Description
Apple QuickTime 7.4 resolves multiple vulnerabilities in the way
different types of image and media files are handled.
Note that Apple iTunes installs QuickTime, so any system with iTunes
is vulnerable.
II. For
further information, please see About the security content of
QuickTime 7.4.
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.4. This and other updates for Mac OS X are
available via Apple Update.
Secure your web browser
To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.
References
* About the security content of the QuickTime 7.4 Update -
<http://docs.info.apple.com/article.html?artnum=307301>
* How to tell if Software Update for Windows is working correctly
when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>
* Apple - QuickTime - Download -
<http://www.apple.com/quicktime/download/>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-016A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-016A Feedback VU#818697" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 16, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR45mevRFkHkM87XOAQLP6AgAj7J4sy83ZWEKfcDb2brgHptxAwqvArkZ
HzV+5lGg1A86V4/MARlxXctWv5JH3e2knx5ZoMUN8napP9VEag2Ra68Zdh9lKu1S
nfCRRwcIj38iakuv7xKrNt1AJHj3rHguzCjvWu8gHEJtlb15zqVr97Ci9LuNdLP3
W4hdsIxuzYQl7Ou5+j0Z9bhH1WWZRjmabsop+b0ApxeZI2F6mJn0rscRvxPQYBls
ims6CP7YseK4+ElJHAMEJfW/6gPhwyedjgesd0jssYvhtYdufn4OCZvwL+p9QSlQ
+E+UKcws4BHlEpg0dQhA13REQxwqqMgSWdm3NU8hbGdEJAJGH0cYNQ==
=emKJ
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28502
VERIFY ADVISORY:
http://secunia.com/advisories/28502/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a vulnerable system.
2) An error exists in the processing of Macintosh Resources embedded
in QuickTime movies. This can be exploited to cause a memory
corruption via an overly large length value stored in the resource
header in a specially crafted QuickTime movie file.
3) An error in the parsing of malformed Image Descriptor (IDSC) atoms
can be exploited to cause a heap corruption via a specially crafted
movie file.
4) A boundary error exists within the processing of compressed PICT
images and can be exploited to cause a buffer overflow.
QuickTime 7.4 for Leopard:
http://www.apple.com/support/downloads/quicktime74forleopard.html
QuickTime 7.4 for Tiger:
http://www.apple.com/support/downloads/quicktime74fortiger.html
QuickTime 7.4 for Panther:
http://www.apple.com/support/downloads/quicktime74forpanther.html
QuickTime 7.4 for Windows:
http://www.apple.com/support/downloads/quicktime74forwindows.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Joe Schottman of Virginia Tech
2) Jun Mao, VeriSign iDefense Labs.
3) Cody Pierce, TippingPoint DVLabs
4) The vendor credits Chris Ries, Carnegie Mellon University
Computing Services
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307301
TippingPoint DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-08-01
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=642
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Specifying a malicious atom size can result in
an under allocated heap chunk and subsequently an exploitable heap
corruption situation.
-- Vendor Response:
http://docs.info.apple.com/article.html?artnum=307301
-- Disclosure Timeline:
2007.10.19 - Vulnerability reported to vendor
2008.01.15 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by Cody Pierce - TippingPoint DVLabs.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200801-0015 | CVE-2008-0036 | Apple QuickTime In PICT Buffer overflow vulnerability in image decoding |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Apple QuickTime before 7.4 allows remote attackers to execute arbitrary code via a crafted compressed PICT image, which triggers the overflow during decoding. Apple QuickTime is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted PICT file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects versions prior to Apple QuickTime 7.4 running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X. If a user is tricked into opening a malicious PICT file, this overflow may be triggered, resulting in denial of service or execution of arbitrary instructions.
I. Description
Apple QuickTime 7.4 resolves multiple vulnerabilities in the way
different types of image and media files are handled.
Note that Apple iTunes installs QuickTime, so any system with iTunes
is vulnerable.
II. For
further information, please see About the security content of
QuickTime 7.4.
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.4. This and other updates for Mac OS X are
available via Apple Update.
Secure your web browser
To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.
References
* About the security content of the QuickTime 7.4 Update -
<http://docs.info.apple.com/article.html?artnum=307301>
* How to tell if Software Update for Windows is working correctly
when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>
* Apple - QuickTime - Download -
<http://www.apple.com/quicktime/download/>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-016A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-016A Feedback VU#818697" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 16, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR45mevRFkHkM87XOAQLP6AgAj7J4sy83ZWEKfcDb2brgHptxAwqvArkZ
HzV+5lGg1A86V4/MARlxXctWv5JH3e2knx5ZoMUN8napP9VEag2Ra68Zdh9lKu1S
nfCRRwcIj38iakuv7xKrNt1AJHj3rHguzCjvWu8gHEJtlb15zqVr97Ci9LuNdLP3
W4hdsIxuzYQl7Ou5+j0Z9bhH1WWZRjmabsop+b0ApxeZI2F6mJn0rscRvxPQYBls
ims6CP7YseK4+ElJHAMEJfW/6gPhwyedjgesd0jssYvhtYdufn4OCZvwL+p9QSlQ
+E+UKcws4BHlEpg0dQhA13REQxwqqMgSWdm3NU8hbGdEJAJGH0cYNQ==
=emKJ
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
2) An error exists in the processing of Macintosh Resources embedded
in QuickTime movies. This can be exploited to cause a memory
corruption via an overly large length value stored in the resource
header in a specially crafted QuickTime movie file.
QuickTime 7.4 for Leopard:
http://www.apple.com/support/downloads/quicktime74forleopard.html
QuickTime 7.4 for Tiger:
http://www.apple.com/support/downloads/quicktime74fortiger.html
QuickTime 7.4 for Panther:
http://www.apple.com/support/downloads/quicktime74forpanther.html
QuickTime 7.4 for Windows:
http://www.apple.com/support/downloads/quicktime74forwindows.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Joe Schottman of Virginia Tech
2) Jun Mao, VeriSign iDefense Labs. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Apple TV Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31034
VERIFY ADVISORY:
http://secunia.com/advisories/31034/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple TV 2.x
http://secunia.com/product/19289/
DESCRIPTION:
Some vulnerabilities have been reported in Apple TV, which can be
exploited by malicious people to compromise a vulnerable system.
1) A boundary error in the handling of data reference atoms in movie
files can be exploited to cause a buffer overflow.
For more information see vulnerability #3 in:
SA29650
2) A boundary error in the handling of "crgn" atoms in movie files
can be exploited to cause a heap-based buffer overflow.
For more information see vulnerability #5 in:
SA29650
3) A boundary error in the handling of "chan" atoms in movie files
can be exploited to cause a heap-based buffer overflow.
For more information see vulnerability #6 in:
SA29650
4) An error in the handling of "file:" URLs can be exploited to e.g.
execute arbitrary programs.
For more more information see vulnerability #5 in:
SA29293
5) A boundary error when handling RTSP replies can be exploited to
cause a heap-based buffer overflow.
For more information see vulnerability #4 in:
SA28502
SOLUTION:
Update to version 2.1.
PROVIDED AND/OR DISCOVERED BY:
1,6) Chris Ries of Carnegie Mellon University Computing Services.
2) Sanbin Li, reporting via ZDI.
3) An anonymous researcher, reporting via ZDI.
4) Independently discovered by:
* Vinoo Thomas and Rahul Mohandas, McAfee Avert Labs
* Petko D. (pdp) Petkov, GNUCITIZEN
5) Luigi Auriemma
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT2304
OTHER REFERENCES:
SA28423:
http://secunia.com/advisories/28423/
SA28502:
http://secunia.com/advisories/28502/
SA29293:
http://secunia.com/advisories/29293/
SA29650:
http://secunia.com/advisories/29650/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200801-0011 | CVE-2008-0032 | Apple QuickTime In Macintosh Resource Memory corruption vulnerability in record handling |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Apple QuickTime before 7.4 allows remote attackers to execute arbitrary code via a movie file containing a Macintosh Resource record with a modified length value in the resource header, which triggers heap corruption. Apple QuickTime is prone to a memory-corruption vulnerability.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects versions prior to Apple QuickTime 7.4 running on Microsoft Windows Vista, Microsoft Windows XP SP2, and Mac OS X. iDefense Security Advisory 01.15.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 15, 2008
I. BACKGROUND
Quicktime is Apple's media player product, and is used to render video
and other media. For more information visit the vendor's web site at
the following URL.
http://www.apple.com/quicktime/
II.
The vulnerability specifically exists in the handling of Macintosh
Resources embedded in QuickTime movies. When processing these records,
a length value stored in the resource header is not properly validated.
When a length value larger than the actual buffer size is supplied,
potentially exploitable memory corruption occurs.
III.
IV. DETECTION
iDefense Labs confirmed this vulnerability exists in QuickTime Player
version 7.3.1. Previous versions are suspected to be vulnerable.
V. WORKAROUND
iDefense is currently unaware of any effective workaround for this
issue.
VI. VENDOR RESPONSE
Apple has released QuickTime 7.4 which resolves this issue. More
information is available via Apple's QuickTime Security Update page at
the URL shown below.
http://docs.info.apple.com/article.html?artnum=307301
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0032 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
09/13/2007 Initial vendor notification
09/13/2007 Initial vendor response
01/15/2008 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Jun Mao of VeriSign iDefense Labs.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2008 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
I. Description
Apple QuickTime 7.4 resolves multiple vulnerabilities in the way
different types of image and media files are handled.
Note that Apple iTunes installs QuickTime, so any system with iTunes
is vulnerable. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.4. This and other updates for Mac OS X are
available via Apple Update.
Secure your web browser
To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.
References
* About the security content of the QuickTime 7.4 Update -
<http://docs.info.apple.com/article.html?artnum=307301>
* How to tell if Software Update for Windows is working correctly
when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>
* Apple - QuickTime - Download -
<http://www.apple.com/quicktime/download/>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-016A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-016A Feedback VU#818697" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
January 16, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR45mevRFkHkM87XOAQLP6AgAj7J4sy83ZWEKfcDb2brgHptxAwqvArkZ
HzV+5lGg1A86V4/MARlxXctWv5JH3e2knx5ZoMUN8napP9VEag2Ra68Zdh9lKu1S
nfCRRwcIj38iakuv7xKrNt1AJHj3rHguzCjvWu8gHEJtlb15zqVr97Ci9LuNdLP3
W4hdsIxuzYQl7Ou5+j0Z9bhH1WWZRjmabsop+b0ApxeZI2F6mJn0rscRvxPQYBls
ims6CP7YseK4+ElJHAMEJfW/6gPhwyedjgesd0jssYvhtYdufn4OCZvwL+p9QSlQ
+E+UKcws4BHlEpg0dQhA13REQxwqqMgSWdm3NU8hbGdEJAJGH0cYNQ==
=emKJ
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28502
VERIFY ADVISORY:
http://secunia.com/advisories/28502/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a vulnerable system.
3) An error in the parsing of malformed Image Descriptor (IDSC) atoms
can be exploited to cause a heap corruption via a specially crafted
movie file.
4) A boundary error exists within the processing of compressed PICT
images and can be exploited to cause a buffer overflow.
QuickTime 7.4 for Leopard:
http://www.apple.com/support/downloads/quicktime74forleopard.html
QuickTime 7.4 for Tiger:
http://www.apple.com/support/downloads/quicktime74fortiger.html
QuickTime 7.4 for Panther:
http://www.apple.com/support/downloads/quicktime74forpanther.html
QuickTime 7.4 for Windows:
http://www.apple.com/support/downloads/quicktime74forwindows.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Joe Schottman of Virginia Tech
2) Jun Mao, VeriSign iDefense Labs.
3) Cody Pierce, TippingPoint DVLabs
4) The vendor credits Chris Ries, Carnegie Mellon University
Computing Services
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307301
TippingPoint DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-08-01
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=642
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-200801-0014 | CVE-2008-0035 | plural Apple Product of Foundation Memory corruption vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Foundation, as used in Apple iPhone 1.0 through 1.1.2, iPod touch 1.1 through 1.1.2, and Mac OS X 10.5 through 10.5.1, allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted URL that triggers memory corruption in Safari. Apple Safari for iPhone and iPod Touch is prone to a remote code-execution vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may exploit this issue by enticing victims into viewing a maliciously crafted URI.
Successfully exploiting this issue can allow attackers to crash the application or to execute arbitrary code in the context of the affected application.
This issue affects iPhone v1.0 to v1.1.2 and iPod Touch v1.1 to v1.1.2. The iPod touch (also known as iTouch) is an MP4 player released by Apple, and the iPhone is a smartphone released by it. Remote attackers may use this vulnerability to control the user's system.
2) An error in the handling of emergency calls can be exploited to
bypass the Passcode Lock feature and allows users with physical
access to an iPhone to launch applications without the passcode.
For more information see vulnerability #21 in:
SA28136
SOLUTION:
Update to version 1.1.3 (downloadable and installable via iTunes).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
I. Further
details are available in the US-CERT Vulnerability Notes Database. These products include Samba
and X11.
II. Impact
The impacts of these vulnerabilities vary.
III. These and other updates are available via Software Update or
via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
February 12, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg
jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp
/1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO
PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet
r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9
SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug==
=qwP5
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA28891
VERIFY ADVISORY:
http://secunia.com/advisories/28891/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Exposure of system information, Privilege
escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities and weaknesses.
1) An unspecified error exists within Foundation in Safari's handling
of URLs. This can be exploited to cause a memory corruption when a
user is enticed to access a specially crafted URL.
Successful exploitation may allow execution of arbitrary code.
2) A weakness exists due to Launch Services allowing users to start
uninstalled applications from a Time Machine Backup.
3) An error in the handling of file:// URLs in Mail can be exploited
to execute arbitrary applications without warning when a user is
enticed to click on a URL within a message.
4) An unspecified error exists within NFS when handling mbuf chains.
This can be exploited to cause a memory corruption and allows a
system shutdown and potential execution of arbitrary code.
5) The problem is that Parental Controls contacts www.apple.com when
a site is unblocked and allows for detection of computers running
Parental Controls.
6) A boundary error in Samba can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA27760
7) An input validation error exists in Terminal when processing URL
schemes.
8) Multiple vulnerabilities in X11 X Font Server can be exploited by
malicious, local users to gain escalated privileges.
For more information:
SA27040
9) An error exists in X11, which causes certain settings ("Allow
connections from network client") not to be applied.
SOLUTION:
Update to Mac OS X 10.5.2 or apply Security Update 2008-001.
Security Update 2008-001 (PPC):
http://www.apple.com/support/downloads/securityupdate2008001ppc.html
Security Update 2008-001 (Universal):
http://www.apple.com/support/downloads/securityupdate2008001universal.html
Mac OS X 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosx1052comboupdate.html
Mac OS X Server 10.5.2 Combo Update:
http://www.apple.com/support/downloads/macosxserver1052comboupdate.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Steven Fisher of Discovery Software Ltd. and
Ian Coutier.
4) The vendor credits Oleg Drokin, Sun Microsystems.
5) The vendor credits Jesse Pearson.
6) Alin Rad Pop, Secunia Research.
7) The vendor credits Olli Leppanen of Digital Film Finland, and
Brian Mastenbrook.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307430
OTHER REFERENCES:
SA27040:
http://secunia.com/advisories/27040/
SA27760:
http://secunia.com/advisories/27760/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200801-0243 | CVE-2008-0265 |
F5 BIG-IP Vulnerable to cross-site scripting
Related entries in the VARIoT exploits database: VAR-E-200801-0221 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the Search function in the web management interface in F5 BIG-IP 9.4.3 allow remote attackers to inject arbitrary web script or HTML via the SearchString parameter to (1) list_system.jsp, (2) list_pktfilter.jsp, (3) list_ltm.jsp, (4) resources_audit.jsp, and (5) list_asm.jsp in tmui/Control/jspmap/tmui/system/log/; and (6) list.jsp in certain directories. (1) tmui/Control/jspmap/tmui/system/log/ Subordinate list_system.jsp (2) tmui/Control/jspmap/tmui/system/log/ Subordinate list_pktfilter.jsp (3) tmui/Control/jspmap/tmui/system/log/ Subordinate list_ltm.jsp (4) tmui/Control/jspmap/tmui/system/log/ Subordinate resources_audit.jsp (5) tmui/Control/jspmap/tmui/system/log/ Subordinate list_asm.jsp (6) Under other directories list.jsp. F5 BIG-IP is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
BIG-IP firmware version 9.4.3 is vulnerable; other versions may also be affected.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
F5 BIG-IP "SearchString" Cross-Site Scripting Vulnerabilities
SECUNIA ADVISORY ID:
SA28505
VERIFY ADVISORY:
http://secunia.com/advisories/28505/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
>From remote
OPERATING SYSTEM:
BIG-IP 9.x
http://secunia.com/product/3158/
DESCRIPTION:
nnposter has reported a vulnerability in F5 BIG-IP, which can be
exploited by malicious people to conduct cross-site scripting
attacks.
Input passed to the "SearchString" parameter in various files is not
properly sanitised before being returned to a user.
The vulnerability is reported in the following files:
/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/http/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/ftp/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/rtsp/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/sip/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/persistence/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/fastl4/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/fasthttp/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/httpclass/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/tcp/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/udp/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/sctp/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/clientssl/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/serverssl/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/authn/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/connpool/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/statistics/list.jsp
/tmui/Control/jspmap/tmui/locallb/profile/stream/list.jsp
/tmui/Control/jspmap/tmui/locallb/pool/list.jsp
/tmui/Control/jspmap/tmui/locallb/node/list.jsp
/tmui/Control/jspmap/tmui/locallb/monitor/list.jsp
/tmui/Control/jspmap/tmui/locallb/ssl_certificate/list.jsp
/tmui/Control/jspmap/tmui/system/user/list.jsp
/tmui/Control/jspmap/tmui/system/log/list_system.jsp
/tmui/Control/jspmap/tmui/system/log/list_pktfilter.jsp
/tmui/Control/jspmap/tmui/system/log/list_ltm.jsp
/tmui/Control/jspmap/tmui/system/log/resources_audit.jsp
/tmui/Control/jspmap/tmui/system/log/list_asm.jsp
The vulnerability is reported in version 9.4.3.
SOLUTION:
Filter malicious characters and character sequences using a web
proxy.
PROVIDED AND/OR DISCOVERED BY:
nnposter
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200909-0034 | CVE-2008-7161 | Fortinet FortiGuard Fortinet FortiGate-1000 In URL Vulnerabilities that bypass the filter |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Fortinet FortiGuard Fortinet FortiGate-1000 3.00 build 040075,070111 allows remote attackers to bypass URL filtering via fragmented GET or POST requests that use HTTP/1.0 without the Host header. NOTE: this issue might be related to CVE-2005-3058.
An attacker can exploit this issue to view unauthorized websites, bypassing certain security restrictions. This may lead to other attacks.
NOTE: This issue may be related to the vulnerability described in BID 16599 (Fortinet Fortigate URL Filtering Bypass Vulnerability)
| VAR-200801-0339 | CVE-2008-0298 | Apple Safari KHTML WebKit Remote Denial of Service Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
KHTML WebKit as used in Apple Safari 2.x allows remote attackers to cause a denial of service (browser crash) via a crafted web page, possibly involving a STYLE attribute of a DIV element. Apple Safari is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
Apple Safari 2 running on Mac OS X is vulnerable. Safari is the WEB browser bundled with the Apple family operating system by default. A vulnerability exists when Safari handles malformed HTML documents. Remote attackers may exploit this vulnerability to cause the browser to crash. Safari does not properly validate KHTML Webkit. If the user is tricked into visiting a malicious HTML page, the browser will crash
| VAR-200801-0206 | CVE-2008-0228 | Linksys WRT54GL Wireless-G Broadband Router Vulnerable to cross-site request forgery |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators. WRT54GL is prone to a cross-site request forgery vulnerability. Linksys WRT54G is a wireless router of Cisco, which is a wireless routing device that combines the functions of wireless access point, switch and router. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Word Malformed FIB Arbitrary Free Vulnerability
1. *Advisory Information*
Title: Microsoft Word Malformed FIB Arbitrary Free Vulnerability
Advisory ID: CORE-2008-0228
Advisory URL: http://www.coresecurity.com/content/word-arbitrary-free
Date published: 2008-12-10
Date of last update: 2008-12-10
Vendors contacted: Microsoft
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Arbitrary free
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 29633
CVE Name: CVE-2008-4024
3. *Vulnerability Description*
A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. The vulnerability could allow remote code
execution if a user opens a specially crafted Word file that includes a
malformed record value. An attacker who successfully exploited this
vulnerability could execute arbitrary code with the privileges of the
user running the MS Word application.
More specifically, a Word file with a specially crafted 'lcbPlcfBkfSdt'
field value (offset '0x4f0') inside the File Information Block (FIB) can
corrupt the heap structure on vulnerable Word versions and enable an
arbitrary free with controlled values.
4. *Vulnerable packages*
. Microsoft Word 2000 Service Pack 3
. Microsoft Word 2002 Service Pack 3
5. *Non-vulnerable packages*
. Microsoft Word 2003 Service Pack 3
. Microsoft Word 2007
6. *Vendor Information, Solutions and Workarounds*
Microsoft has released patches for this vulnerability. For more
information refer to the Microsoft Security Bulletin MS08-072 released
on December 9th, 2008, available at
http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx
Microsoft recommends that customers apply the update immediately.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja,
from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. A Word file with a specially crafted
'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information
Block (FIB) can corrupt the heap structure on vulnerable Word versions,
and enable an arbitrary free with controlled values. If successfully
exploited, this vulnerability could allow an attacker to execute
arbitrary code on vulnerable systems with the privileges of the user
running the MS Word application.
To construct a PoC file that demonstrates this bug it is sufficient to
use Microsoft Word 2007 to generate a Word 97-2003 compatible '.doc'
file, and then change the byte at offset 0x4f0, this is the
'lcbPlcfBkfSdt' field value located inside the File Information Block
(FIB). By simply changing this byte from 0 to 1, we obtain a file that
will make vulnerable Word versions crash when closing the file. This can
be improved to make Word crash when opening the file by changing some
other values. This fact was detected using automated fuzzing.
In location 0x2b80, there is an arbitrary pointer that can be controlled
to choose the address that will be used as parameter of a call to the
free function '__MsoPvFree'. If the 'lcbPlcfBkfSdt' value is 0,
modifying this pointer has no effect. But if this value is 1, then
modifying this arbitrary pointer will cause the free function to close
the program.
The execution of '__MsoPvFree' is reached with two controlled values,
the pointer that was directly changed in the .doc file and the contents
of the memory position that it points to. That is, both of them are
controlled, one directly and the other in an indirect manner, we can
thus fully control the effect of the free function.
The exploitation of this bug depends on the construction of a file such
that different arbitrary blocks are allocated when closing the file
before 'free' is called. However this scenario is complex due to the
limitations of the '__MsoPvFree' API, including checks that make the
exploitation difficult.
The vendor's analysis indicates that the root cause of this
vulnerability is the processing of a 'PlfLfo' structure that is read in
from the file. It contains an array of 'Lfo' objects. If any of those
'Lfo' objects has a 'clfolvl' value of 0 and a 'plfolvl' (the previous 4
bytes) value that is non-zero, Word will attempt to free memory at
'plfolvl'. This is because 'plfolvl' is supposed to be overwritten with
a valid pointer to allocated memory, but if 'clfolvl' is 0 this
initialization step is skipped. Later on cleanup code will check if
'plfolvl' has a non-zero value and if so, attempt to free the memory
chunk it points to.
A Proof of Concept '.doc' file which makes Word 2000 and Word 2002 crash
('WINWORD.EXE', main thread, module 'MS09') is available at [2]. An
illustrated explanation can be downloaded from Core's website (see
reference [3]).
9. *Report Timeline*
. 2008-03-13: Core notifies the vendor of the vulnerability and sends
the advisory draft. The advisory's publication is preliminary set to
April 14th, 2008. 2008-03-13: Vendor acknowledges notification. 2008-03-31: Core requests information concerning Microsoft's plans to
fix the vulnerability (no reply received). 2008-04-16: Core requests again information concerning Microsoft's
schedule to produce a fix. The advisory publication is rescheduled for
May 12th, 2008. 2008-04-25: Vendor informs that they are wrapping up the investigation
and threat model analysis and that fixes will not be included in the
Word Security Bulletin of May. Vendor estimates that it will take a few
months to produce and test a fix for the vulnerability. Vendor promises
an update on May 23th. 2008-04-25: Core sends additional information with low level details
of the vulnerability. 2008-04-28: Core requests the vendor details about the schedule for
the vulnerability fix in order to coordinate the publication of the
advisory (no reply received). 2008-05-28: Core requests again details about the vulnerability fix
schedule (no reply received). 2008-06-02: Core requests again details about the vulnerability fix
schedule, root cause of the problem and confirmation of vulnerable
versions. Core reschedules the publication of the advisory for June
11th, 2008 as "user release" (no reply received). 2008-06-13: In another attempt to coordinate the publication of the
advisory with the release of a fixed version, Core reschedules
publication for the second Wednesday of July, under "user release" mode.
The latest advisory version is sent to the vendor. 2008-06-17: Vendor apologies for having mistakenly marked this issue
as "no action until 6/23". Vendor informs that they are working on a fix
plan and promises more information to be sent on Monday June 23rd. 2008-06-27: Core requests the vendor the expected details on the
vulnerability fix schedule. 2008-07-03: Vendor thanks Core for holding on the publication of this
vulnerability, and informs that the issue described in advisory
CORE-2008-0228 is marked to be addressed in October 2008. It also
informs that they don't have reports of the vulnerability being
exploited in the wild. 2008-07-08: Vendor informs that they have binaries available to
pre-test the potential fixes. 2008-07-08: Core asks for the patches to pre-test and informs the
vendor that publication date of the advisory will be revisited. 2008-07-23: Core sends the vendor an updated version of the advisory
and PoC files. 2008-08-26: Core requests the vendor a more precise date for the
release of fixes in October. 2008-08-29: Vendor informs that they are tentatively targeting October
14th, and that patches will be sent to Core for inspection the following
week. 2008-08-29: Core acknowledges reception of the previous mail. 2008-09-30: Vendor informs that the planned release of the fix for
this vulnerability has slipped out to December 11th. Vendor supplies
Core a draft of their own security bulletin and a copy of the Office
2000 update fixing the bug. 2008-10-01: Core confirms the vendor that after private discussions
the advisory will be published in December 9th (second Tuesday of the
month). 2008-10-01: Vendor confirms that the release date of fixes is December
9th and supplies Core with a copy of their own security bulletin and a
copy of the Office XP update fixing the bug. 2008-10-20: Core confirms that it intends to publish the advisory
CORE-2008-0228 on December 9th as previously established. 2008-11-11: Vendor confirms it is still on track to publish this fix
for December 9th. 2008-11-11: Core informs the vendor that the patch was tested and
works on Office XP (i.e. the crash avoided) and confirms that it intends
to publish advisory CORE-2008-0228 on December 9th as previously
established by both parties. 2008-12-04: Core sends the final draft of the advisory to the vendor. 2008-12-09: Microsoft Security Bulletin MS08-072 is released. 2008-12-10: Advisory CORE-2008-0228 is published.
10. *References*
[1] Word 97-2007 Binary File Format (*.doc) Specification
http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf
[2] Microsoft Word Arbitrary Free Vulnerability PoC
http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word-advisory-POC.doc
[3] Microsoft Word Arbitrary Free Vulnerability Explained
http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word.pdf
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkk/32wACgkQyNibggitWa1twACfR4nlubY9KyYIN7ubBUnXlnm6
QgEAnRl3fbRhADlci+pJwDQGjrtj2bxs
=hR/7
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
Linksys WRT54GL Cross-Site Request Forgery
SECUNIA ADVISORY ID:
SA28364
VERIFY ADVISORY:
http://secunia.com/advisories/28364/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
>From remote
OPERATING SYSTEM:
Linksys WRT54GL 4.x
http://secunia.com/product/17134/
DESCRIPTION:
Tomaz Bratusa has reported a vulnerability in Linksys WRT54GL, which
can be exploited by malicious people to conduct cross-site request
forgery attacks. This can be exploited to e.g.
disable the firewall by enticing a logged-in administrator to visit a
malicious site.
The vulnerability is reported in firmware version 4.30.9. Other
versions may also be affected.
SOLUTION:
The vendor is currently working on a fix.
Do not browse untrusted websites or follow untrusted links while
logged on to the application.
PROVIDED AND/OR DISCOVERED BY:
Tomaz Bratusa, Team Intell
ORIGINAL ADVISORY:
TISA-2008-01 (via Bugtraq):
http://archives.neohapsis.com/archives/bugtraq/2008-01/0063.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200801-0241 | CVE-2008-0263 | Ingate Firewall Such as SIP Service disruption in modules (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The SIP module in Ingate Firewall before 4.6.1 and SIParator before 4.6.1 does not reuse SIP media ports in unspecified call hold and send-only stream scenarios, which allows remote attackers to cause a denial of service (port exhaustion) via unspecified vectors. Ingate Firewall and SIParator of SIP Module contains service disruption ( Port depletion ) There is a vulnerability that becomes a condition.Service disruption by a third party ( Port depletion ) There is a possibility of being put into a state. Ingate Firewall and SIParator products are prone to a remote denial-of-service vulnerability.
Successful exploits allow remote attackers to consume all available network ports, which will cause the device to refuse further calls, thus denying service to legitimate users.
Versions prior to Ingate Firewall 4.6.1 and Ingate SIParator 4.6.1 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices. Vulnerabilities exist when Ingate Firewall and SIParator process SIP protocol data.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
Ingate Firewall and SIParator Port Exhaustion Denial of Service
SECUNIA ADVISORY ID:
SA28394
VERIFY ADVISORY:
http://secunia.com/advisories/28394/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
>From remote
OPERATING SYSTEM:
Ingate Firewall 4.x
http://secunia.com/product/4050/
Ingate SIParator 4.x
http://secunia.com/product/5687/
DESCRIPTION:
Ingate has acknowledged a vulnerability in Ingate Firewall and
SIParator, which can be exploited by malicious people to cause a DoS
(Denial of Service).
The vulnerability is caused due to an error in the re-usage of media
ports after a call has ended. This can be exploited to exhaust all
available ports until no new calls can be established. Other
versions may also be affected.
Note: Other, potentially security relevant problems were also
reported.
SOLUTION:
Update to version 4.6.1.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.ingate.com/relnote-461.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------