VARIoT IoT vulnerabilities database

Stack-based buffer overflow in Apple QuickTime before 7.3.1, as used in QuickTime Player on Windows XP and Safari on Mac OS X, allows remote Real Time Streaming Protocol (RTSP) servers to execute arbitrary code via an RTSP response with a long Content-Type header. Apple QuickTime RTSP of Content-Type A stack buffer overflow vulnerability exists in the handling of headers. Winodws Plate and Mac Edition QuickTime Are affected by this vulnerability. Also, iTunes Such QuickTime Systems that have installed software that uses Microsoft are also affected by this vulnerability. In addition, verification code that exploits this vulnerability has already been published.Crafted by a remote third party RTSP stream Arbitrary code could be executed when a user connects to. This issue occurs when handling specially crafted RTSP Response headers. Attackers can leverage this issue to execute arbitrary machine code in the context of the user running the affected application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions. UPDATE (December 4, 2007): Attackers are exploiting this issue through the Second Life Viewer to steal Linden dollars from unsuspecting victims. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. I. Most versions of QuickTime prior to and including 7.3 running on all supported Apple Mac OS X and Microsoft Windows platforms are vulnerable. An attacker could exploit this vulnerability by convincing a user to access a specially crafted HTML document such as a web page or email message. The HTML document could use a variety of techniques to cause QuickTime to load a specially crafted RTSP stream. Common web browsers, including Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari can be used to pass RTSP streams to QuickTime, exploit the vulnerability, and execute arbitrary code. Exploit code for this vulnerability was first posted publicly on November 25, 2007. II. III. To block attack vectors, consider the following workarounds. Block the rtsp:// protocol Using a proxy or firewall capable of recognizing and blocking RTSP traffic can mitigate this vulnerability. Known public exploit code for this vulnerability uses the default RTSP port 554/tcp, however RTSP can use a variety of ports. Disable file association for QuickTime files Disable the file association for QuickTime file types. This can be accomplished by deleting the following registry keys: HKEY_CLASSES_ROOT\QuickTime.* This will remove the association for approximately 32 file types that are configured to open with QuickTime Player. Disable the QuickTime ActiveX controls in Internet Explorer The QuickTime ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} {4063BE15-3B08-470D-A0D5-B37161CFFD69} More information about how to set the kill bit is available in Microsoft Knolwedgebase Article 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}] "Compatibility Flags"=dword:00000400 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063BE15-3B08-470D-A0D5-B37161CFFD69}] "Compatibility Flags"=dword:00000400 Disable the QuickTime plug-in for Mozilla-based browsers Users of Mozilla-based browsers, such as Firefox can disable the QuickTime plugin, as specified in the PluginDoc article Uninstalling Plugins. Disable JavaScript For instructions on how to disable JavaScript, please refer to the Securing Your Web Browser document. This can help prevent some attack techniques that use the QuickTime plug-in or ActiveX control. Secure your web browser To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser. Do not access QuickTime files from untrusted sources Do not open QuickTime files from any untrusted sources, including unsolicited files or links received in email, instant messages, web forums, or internet relay chat (IRC) channels. References * US-CERT Vulnerability Note VU#659761 - <http://www.kb.cert.org/vuls/id/659761> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * Mozilla Uninstalling Plugins - <http://plugindoc.mozdev.org/faqs/uninstall.html> * How to stop an ActiveX control from running in Internet Explorer - <http://support.microsoft.com/kb/240797> * IETF RFC 2326 Real Time Streaming Protocol - <http://tools.ietf.org/html/rfc2326> _________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA07-334A.html> _________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-334A Feedback VU#659761" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History November 30, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR1ArKvRFkHkM87XOAQJg7wf/X4wAipFWO2ZJ5MdPzTwzE+x1OUIJxenP cFuLApajAMZ33yAyTTjA0sYhKveYhxSwqQTetEPiAWp5r/KPkJL5ugkeSvtzbAgf U6rsCICcRpjPJ7IjqsW/u6Hk2PBVqWwgip+FhZG5J5mjRPUdRr3JbmKlsEm/XDxi +ENxwrAgcoQHkLn76xn/9+1vTbI3zxi0GoyAR+GIFzs+Fsn+LazMCCrDI4ltPMnS c+Qpa3/qkOC+svz63yyHBjhq6eT2HQBP/X/50syweUOf4SrpDOdexX+mRPr03i6+ 9byGzjid5sObMAbpH1AzCtiDB56ai3zf+G5qV0uK2ziXihvNEn7JKA== =Jc+L -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. tricked into opening a malicious QTL file or visiting a malicious web site. The vulnerability is confirmed in version 7.3. SOLUTION: Do not browse untrusted websites, follow untrusted links, nor open untrusted QTL files. PROVIDED AND/OR DISCOVERED BY: h07 ORIGINAL ADVISORY: http://www.milw0rm.com/exploits/4648 OTHER REFERENCES: VU#659761: http://www.kb.cert.org/vuls/id/659761 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system. Note: This update removes the affected binary Quicktime library. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200803-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Win32 binary codecs: Multiple vulnerabilities Date: March 04, 2008 Bugs: #150288 ID: 200803-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in the Win32 codecs for Linux may result in the remote execution of arbitrary code. Background ========== Win32 binary codecs provide support for video and audio playback. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-libs/win32codecs < 20071007-r2 >= 20071007-r2 Description =========== Multiple buffer overflow, heap overflow, and integer overflow vulnerabilities were discovered in the Quicktime plugin when processing MOV, FLC, SGI, H.264 and FPX files. Workaround ========== There is no known workaround at this time. Resolution ========== All Win32 binary codecs users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/win32codecs-20071007-r2" Note: Since no updated binary versions have been released, the Quicktime libraries have been removed from the package. Please use the free alternative Quicktime implementations within VLC, MPlayer or Xine for playback. References ========== [ 1 ] CVE-2006-4382 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4382 [ 2 ] CVE-2006-4384 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4384 [ 3 ] CVE-2006-4385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4385 [ 4 ] CVE-2006-4386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4386 [ 5 ] CVE-2006-4388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4388 [ 6 ] CVE-2006-4389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4389 [ 7 ] CVE-2007-4674 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4674 [ 8 ] CVE-2007-6166 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6166 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200803-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Hitachi JP1/File Transmission Server/FTP 01-00 through 08-10-02 on Windows might allow remote attackers to cause a denial of service (service stop) via a "specific file" argument to an FTP command. Hitachi JP1/File Transmission Server/FTP is prone to a denial-of-service vulnerability due to an unspecified error. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: JP1/File Transmission Server/FTP Authentication Bypass and DoS SECUNIA ADVISORY ID: SA27735 VERIFY ADVISORY: http://secunia.com/advisories/27735/ CRITICAL: Moderately critical IMPACT: Security Bypass, DoS WHERE: >From remote SOFTWARE: Hitachi JP1/File Transmission Server/FTP http://secunia.com/product/3821/ DESCRIPTION: Two vulnerabilities have been reported in JP1/File Transmission Server/FTP, which can be exploited by malicious users to cause a DoS (Denial of Service) and by malicious people to bypass certain security restrictions. 1) An unspecified error can be exploited to bypass authentication and view files in a specific directory. The vulnerability affects HP-UX, HP-UX(IPF), AIX, Solaris, Linux, Linux(IPF), HP-UX(English version), and HI-UX/WE2. The vulnerability affects Windows(x86), Windows(IPF), Windows(English version), and Windows9X. SOLUTION: Update to the latest versions (please see vendor advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS07-037_e/index-e.html http://www.hitachi-support.com/security_e/vuls_e/HS07-038_e/index-e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

JP1 / File Transmission Server / FTP is an FTP-based file transfer server designed by Hitachi.  JP1 / File Transmission Server / FTP has vulnerabilities in processing abnormal user requests. Remote attackers may use the vulnerabilities to obtain sensitive information or cause denial of service.  Remote users can bypass authentication on the JP1 / File Transmission Server / FTP server to view files in a specific directory; in addition, if a special FTP command is issued, it may cause a denial of service.

Unspecified vulnerability in Hitachi JP1/File Transmission Server/FTP 01-00 through 08-10-01 allows remote attackers to bypass authentication and "view files" via unspecified vectors. Attackers can exploit this issue to bypass security restrictions and obtain potentially sensitive information that could aid in further attacks. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: JP1/File Transmission Server/FTP Authentication Bypass and DoS SECUNIA ADVISORY ID: SA27735 VERIFY ADVISORY: http://secunia.com/advisories/27735/ CRITICAL: Moderately critical IMPACT: Security Bypass, DoS WHERE: >From remote SOFTWARE: Hitachi JP1/File Transmission Server/FTP http://secunia.com/product/3821/ DESCRIPTION: Two vulnerabilities have been reported in JP1/File Transmission Server/FTP, which can be exploited by malicious users to cause a DoS (Denial of Service) and by malicious people to bypass certain security restrictions. The vulnerability affects HP-UX, HP-UX(IPF), AIX, Solaris, Linux, Linux(IPF), HP-UX(English version), and HI-UX/WE2. 2) An error in the processing of an unspecified FTP command can be exploited to stop the FTP service via a specially crafted file. The vulnerability affects Windows(x86), Windows(IPF), Windows(English version), and Windows9X. SOLUTION: Update to the latest versions (please see vendor advisories for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS07-037_e/index-e.html http://www.hitachi-support.com/security_e/vuls_e/HS07-038_e/index-e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Ingate Firewall before 4.6.0 and SIParator before 4.6.0 might leave "media pinholes" open upon a restart of the SIP module, which might make it easier for remote attackers to conduct unauthorized activities. Ingate Siparator is prone to a denial-of-service vulnerability. Unknown vulnerabilities exist in Ingate Firewall and SIParator

Invensys Wonderware InTouch 8.0 creates a NetDDE share with insecure permissions (Everyone/Full Control), which allows remote authenticated attackers, and possibly anonymous users, to execute arbitrary programs. Invensys Wonderware InTouch is prone to a privilege-escalation vulnerability because of poor default permissions on a NetDDE share. Attackers can exploit this issue to execute arbitrary applications that accept NetDDE connections. This can compromise the application and possibly the underlying computer. InTouch 8.0 is vulnerable. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Invensys Wonderware InTouch Insecure NetDDE Share Permissions Security Issue SECUNIA ADVISORY ID: SA27751 VERIFY ADVISORY: http://secunia.com/advisories/27751/ CRITICAL: Less critical IMPACT: System access WHERE: >From local network SOFTWARE: Invensys Wonderware InTouch 8.x http://secunia.com/product/16628/ DESCRIPTION: A security issue has been reported in Invensys Wonderware InTouch, which potentially can be exploited by malicious users to compromise a vulnerable system. The security issue is reported in version 8.0. SOLUTION: Apply updates or upgrade to version 9.0 or later (see vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Discovered by Neutralbit and reported via US-CERT with assistance from Digital Bond. ORIGINAL ADVISORY: Wonderware: http://pacwest.wonderware.com/web/News/NewsDetails.aspx?NewsThreadID=2&NewsID=201804 US-CERT VU#138633: http://www.kb.cert.org/vuls/id/138633 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Belkin F5D7230-4 Wireless G Router allows remote attackers to cause a denial of service (degraded networking and logging) via a flood of TCP SYN packets, a related issue to CVE-1999-0116. Successfully exploiting this issue allows remote attackers to crash the logging system of affected devices. This may aid in obfuscating further attacks. Belkin Wireless G routers with model number F5D7230-4 are vulnerable to this issue; other versions may also be affected

Buffer overflow in libsrtp in Ingate Firewall before 4.6.0 and SIParator before 4.6.0 has unknown impact and attack vectors. NOTE: it is not clear whether this issue crosses privilege boundaries. Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues. An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code. Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Ingate Firewall and SIParator Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27688 VERIFY ADVISORY: http://secunia.com/advisories/27688/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Ingate Firewall 4.x http://secunia.com/product/4050/ Ingate SIParator 4.x http://secunia.com/product/5687/ DESCRIPTION: Some vulnerabilities and security issues have been reported in Ingate Firewall and SIParator, which potentially can be exploited by malicious people or users to cause a DoS (Denial of Service) or gain knowledge of sensitive information, or by malicious people to compromise a vulnerable system. 2) An error in the SRTP component when processing an overly large RTCP index could cause a kernel crash. 3) An error when processing IPsec phase two proposals without PFS could cause the IPSec module to crash. 4) An error in the SIP component when using Remote NAT Traversal could allow user's registrations to conflict and messages to be sent to the wrong user. 5) Passwords of administrators with less privileges are stored in clear text. Other issues have also been reported, which may have security impacts. SOLUTION: Update to version 4.6.0. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.ingate.com/relnote-460.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The SRTP implementation in Ingate Firewall before 4.6.0 and SIParator before 4.6.0 allows remote attackers to cause a denial of service (kernel crash) via an RTCP index that is "much more than expected.". Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues. An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code. Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Ingate Firewall and SIParator Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27688 VERIFY ADVISORY: http://secunia.com/advisories/27688/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Ingate Firewall 4.x http://secunia.com/product/4050/ Ingate SIParator 4.x http://secunia.com/product/5687/ DESCRIPTION: Some vulnerabilities and security issues have been reported in Ingate Firewall and SIParator, which potentially can be exploited by malicious people or users to cause a DoS (Denial of Service) or gain knowledge of sensitive information, or by malicious people to compromise a vulnerable system. 1) A boundary error in libsrtp can be exploited to cause a buffer overflow. 3) An error when processing IPsec phase two proposals without PFS could cause the IPSec module to crash. 4) An error in the SIP component when using Remote NAT Traversal could allow user's registrations to conflict and messages to be sent to the wrong user. 5) Passwords of administrators with less privileges are stored in clear text. Other issues have also been reported, which may have security impacts. SOLUTION: Update to version 4.6.0. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.ingate.com/relnote-460.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The IPsec module in the VPN component in Ingate Firewall before 4.6.0 and SIParator before 4.6.0 allows remote attackers to cause a denial of service (module crash) via an IPsec Phase 2 proposal that lacks Perfect Forward Secrecy (PFS). Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues. An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code. Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Ingate Firewall and SIParator Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27688 VERIFY ADVISORY: http://secunia.com/advisories/27688/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Ingate Firewall 4.x http://secunia.com/product/4050/ Ingate SIParator 4.x http://secunia.com/product/5687/ DESCRIPTION: Some vulnerabilities and security issues have been reported in Ingate Firewall and SIParator, which potentially can be exploited by malicious people or users to cause a DoS (Denial of Service) or gain knowledge of sensitive information, or by malicious people to compromise a vulnerable system. 1) A boundary error in libsrtp can be exploited to cause a buffer overflow. 2) An error in the SRTP component when processing an overly large RTCP index could cause a kernel crash. 4) An error in the SIP component when using Remote NAT Traversal could allow user's registrations to conflict and messages to be sent to the wrong user. 5) Passwords of administrators with less privileges are stored in clear text. Other issues have also been reported, which may have security impacts. SOLUTION: Update to version 4.6.0. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.ingate.com/relnote-460.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The SIP component in Ingate Firewall before 4.6.0 and SIParator before 4.6.0, when Remote NAT Traversal is employed, does not properly perform user registration and message distribution, which might allow remote authenticated users to receive messages intended for other users. Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues. An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code. Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Ingate Firewall and SIParator Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27688 VERIFY ADVISORY: http://secunia.com/advisories/27688/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Ingate Firewall 4.x http://secunia.com/product/4050/ Ingate SIParator 4.x http://secunia.com/product/5687/ DESCRIPTION: Some vulnerabilities and security issues have been reported in Ingate Firewall and SIParator, which potentially can be exploited by malicious people or users to cause a DoS (Denial of Service) or gain knowledge of sensitive information, or by malicious people to compromise a vulnerable system. 1) A boundary error in libsrtp can be exploited to cause a buffer overflow. 2) An error in the SRTP component when processing an overly large RTCP index could cause a kernel crash. 3) An error when processing IPsec phase two proposals without PFS could cause the IPSec module to crash. 5) Passwords of administrators with less privileges are stored in clear text. Other issues have also been reported, which may have security impacts. SOLUTION: Update to version 4.6.0. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.ingate.com/relnote-460.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Ingate Firewall before 4.6.0 and SIParator before 4.6.0 use cleartext storage for passwords of "administrators with less privileges," which might allow attackers to read these passwords via unknown vectors. Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues. An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code. Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices. Sensitive information disclosure vulnerabilities exist in Ingate Firewall and SIParator. The password of the administrator \"administration\" account is stored in plain text, which may cause malicious attackers to obtain the password information of the management account through unknown means. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Ingate Firewall and SIParator Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27688 VERIFY ADVISORY: http://secunia.com/advisories/27688/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote OPERATING SYSTEM: Ingate Firewall 4.x http://secunia.com/product/4050/ Ingate SIParator 4.x http://secunia.com/product/5687/ DESCRIPTION: Some vulnerabilities and security issues have been reported in Ingate Firewall and SIParator, which potentially can be exploited by malicious people or users to cause a DoS (Denial of Service) or gain knowledge of sensitive information, or by malicious people to compromise a vulnerable system. 1) A boundary error in libsrtp can be exploited to cause a buffer overflow. 2) An error in the SRTP component when processing an overly large RTCP index could cause a kernel crash. 3) An error when processing IPsec phase two proposals without PFS could cause the IPSec module to crash. 4) An error in the SIP component when using Remote NAT Traversal could allow user's registrations to conflict and messages to be sent to the wrong user. Other issues have also been reported, which may have security impacts. SOLUTION: Update to version 4.6.0. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.ingate.com/relnote-460.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the ICMP implementation in Ingate Firewall before 4.6.0 and SIParator before 4.6.0 has unknown impact and remote attack vectors, related to ICMP packets that are "incorrectly accepted.". Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues. An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code. Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices

Ingate Firewall before 4.6.0 and SIParator before 4.6.0 do not log truncated (1) ICMP, (2) UDP, and (3) TCP packets, which has unknown impact and remote attack vectors; and do not log (4) serial-console login attempts with nonexistent usernames, which might make it easier for attackers with physical access to guess valid login credentials while avoiding detection. Ingate Firewall and SIParator products are prone to multiple vulnerabilities that include buffer-overflow, information-disclosure, and denial-of-service issues. An attacker may access sensitive information, cause denial-of-service conditions, or potentially execute arbitrary code. Versions prior to Ingate Firewall 4.6.0 and Ingate SIParator 4.6.0 are vulnerable. Both Ingate Firewall and SIParator are enterprise-level hardware firewall devices

Cross-site scripting (XSS) vulnerability in the login page in the management interface in the Aruba 800 Mobility Controller 2.5.4.18 and earlier, and 2.4.8.6-FIPS and earlier, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /screens URI, related to the url variable. The problem is url Related to variables.By a third party /screens URI To PATH_INFO Through any Web Script or HTML May be inserted. Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible

Multiple stack-based buffer overflows in the VSFlexGrid.VSFlexGridL ActiveX control in ComponentOne FlexGrid 7.1 Light allow remote attackers to cause a denial of service and possibly execute arbitrary code via a long string in the (1) Text, (2) EditSelText, (3) EditText, and (4) CellFontName property values. ComponentOne FlexGrid ActiveX Control is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to adequately check boundaries on user-supplied input. ComponentOne FlexGrid 7.1 Light is vulnerable; other versions may also be affected

The Application Firewall in Apple Mac OS X 10.5 does not apply changed settings to processes that are started by launchd until the processes are restarted, which might allow attackers to bypass intended access restrictions. This issue may result in a false sense of security and leave certain processes vulnerable to external attack. This issue affects Mac OS X 10.5 and Mac OS X Server 10.5; earlier versions are not affected. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Application Firewall Weaknesses and Security Issue SECUNIA ADVISORY ID: SA27695 VERIFY ADVISORY: http://secunia.com/advisories/27695/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Some weaknesses and a security issue have been reported in Apple Mac OS X, which can lead to exposure of certain services. 1) The Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections even though the option "Block all incoming connections" is set. NOTE: The update changes the name of the option and updates the documentation. 2) The Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections even though the executable has been added to the list of blocked applications via the "Set access for specific services and applications" option. This may lead to exposure of certain services. Mac OS X 10.5.1 Update: http://www.apple.com/support/downloads/macosx1051update.html Mac OS X Server 10.5.1 Update http://www.apple.com/support/downloads/macosxserver1051update.html PROVIDED AND/OR DISCOVERED BY: J\xfcrgen Schmidt ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307004 heise Security: http://www.heise-security.co.uk/articles/98120 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Application Firewall in Apple Mac OS X 10.5 does not prevent a root process from accepting incoming connections, even when "Block incoming connections" has been set for its associated executable, which might allow remote attackers or local root processes to bypass intended access restrictions. Apple Mac OS X is prone to a weakness that results in unauthorized network access to certain applications. This issue affects the Application Firewall when the 'Set access for specific services and applications' setting is enabled for certain applications. This weakness exposes the computer to unauthorized remote access and can lead to a false sense of security. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. NOTE: The update changes the name of the option and updates the documentation. 3) Changes to Application Firewall settings do not affect processes started by launchd until they are restarted. This may lead to exposure of certain services. The weaknesses and the security issue have been reported in Mac OS X 10.5 (Leopard). SOLUTION: Update to Mac OS X 10.5.1. Mac OS X 10.5.1 Update: http://www.apple.com/support/downloads/macosx1051update.html Mac OS X Server 10.5.1 Update http://www.apple.com/support/downloads/macosxserver1051update.html PROVIDED AND/OR DISCOVERED BY: J\xfcrgen Schmidt ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307004 heise Security: http://www.heise-security.co.uk/articles/98120 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Application Firewall in Apple Mac OS X 10.5, when "Block all incoming connections" is enabled, does not prevent root processes or mDNSResponder from accepting connections, which might allow remote attackers or local root processes to bypass intended access restrictions. Apple Mac OS X 10.5's Application Firewall is prone to a misleading configuration weakness because of a flaw in the application's configuration dialog and documentation. This issue may lead to a false sense of security, potentially aiding in network-based attacks. Apple Mac OS X 10.5 is vulnerable to this issue. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. NOTE: The update changes the name of the option and updates the documentation. 3) Changes to Application Firewall settings do not affect processes started by launchd until they are restarted. This may lead to exposure of certain services. Mac OS X 10.5.1 Update: http://www.apple.com/support/downloads/macosx1051update.html Mac OS X Server 10.5.1 Update http://www.apple.com/support/downloads/macosxserver1051update.html PROVIDED AND/OR DISCOVERED BY: J\xfcrgen Schmidt ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307004 heise Security: http://www.heise-security.co.uk/articles/98120 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in the Networking component in Apple Mac OS X 10.4 through 10.4.10 allows local users to execute arbitrary code via a crafted IOCTL request that adds an AppleTalk zone to a routing table. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. 1) Multiple errors within the Adobe Flash Player plug-in can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system. For more information: SA26027 2) A null-pointer dereference error exists within AppleRAID when handling disk images. This can be exploited to cause a system shutdown when a specially crafted disk image is mounted e.g. automatically via Safari if the option "Open 'safe' files after downloading" is enabled. 3) An error in BIND can be exploited by malicious people to poison the DNS cache. For more information: SA26152 4) An error in bzip2 can be exploited to cause a DoS (Denial of Service). For more information: SA15447 This also fixes a race condition when setting file permissions. 5) An unspecified error in the implementation of FTP of CFNetwork can be exploited by a malicious FTP server to cause the client to connect to other hosts by sending specially crafted replies to FTP PASV (passive) commands. 6) An unspecified error exists in the validation of certificates within CFNetwork. This can be exploited via a Man-in-the-Middle (MitM) attack to spoof a web site with a trusted certificate. 7) A null pointer dereference error in the CFNetwork framework can lead to an unexpected application termination when a vulnerable application connects to a malicious server. 8) A boundary error in CoreFoundation can be exploited to cause a one-byte buffer overflow when a user is enticed to read a specially crafted directory hierarchy. Successful exploitation allows execution of arbitrary code. 9) An error exists in CoreText due to the use of an uninitialised pointer and can be exploited to execute arbitrary code when a user is tricked into reading a specially crafted text. 10) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system. For more information: SA26676 11) An error in the handling of the current Mach thread port or thread exception port in the Kernel can be exploited by a malicious, local user to execute arbitrary code with root privileges. Successful exploitation requires permission to execute a setuid binary. 12) An unspecified error in the Kernel can be exploited to bypass the chroot mechanism by changing the working directory using a relative path. 14) An error exists in the handling of standard file descriptors while executing setuid and setgid programs. This can be exploited by malicious, local users to gain system privileges by executing setuid programs with the standard file descriptors in an unexpected state. 15) An integer overflow exists in the Kernel when handling ioctl requests. This can be exploited to execute arbitrary code with system privileges by sending a specially crafted ioctl request. 16) The default configuration of tftpd allows clients to access any path on the system. 17) An error in the Node Information Query mechanism may allow a remote user to query for all addresses of a host, including link-local addresses. 18) An integer overflow exists in the handling of ASP messages with AppleTalk. 20) A boundary error exists when adding a new AppleTalk zone. 21) An arithmetic error exists in AppleTalk when handling memory allocations. 22) A double free error in NFS exists when processing an AUTH_UNIX RPC call. This can be exploited by malicious people to execute arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP. 23) An unspecified case-sensitivity error exists in NSURL when determining if a URL references the local file system. 24) A format string error in Safari can be exploited by malicious people to execute arbitrary code when a user is tricked into opening a .download file with a specially crafted name. 25) An implementation error exists in the tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible. 26) A person with physical access to a system may be able to bypass the screen saver authentication dialog by sending keystrokes to a process running behind the screen saver authentication dialog. 27) Safari does not block "file://" URLs when loading resources. This can be exploited to view the content of local files by enticing a user to visit a specially crafted web page. 28) An input validation error exists in WebCore when handling HTML forms. This can be exploited to alter the values of form fields by enticing a user to upload a specially crafted file. 29) A race condition error exists in Safari when handling page transitions. This can be exploited to obtain information entered in forms on other web sites by enticing a user to visit a malicious web page. 30) An unspecified error exists in the handling of the browser's history. This can be exploited to execute arbitrary code by enticing a user to visit a specially crafted web page. 31) An error in Safari allows malicious websites to set Javascript window properties of websites served from a different domain. This can be exploited to get or set the window status and location of pages served from other websites by enticing a user to visit a specially crafted web page. 32) An error in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript URLs. This can be exploited to execute arbitrary HTML and script code in context of another site by enticing a user to visit a specially crafted web page. 33) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. This can be exploited to execute Javascript code in context of HTTPS web pages in that domain when a user visits a malicious web page. 34) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page. For more information see vulnerability #2 in: SA23893 35) An error in WebKit may allow unauthorised applications to access private keys added to the keychain by Safari. 36) An unspecified error in Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports. 37) WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content. 5) The vendor credits Dr Bob Lopez PhD. 6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C. 9) Will Dormann, CERT/CC 11) An anonymous person, reported via iDefense Labs. 12) The vendor credits Johan Henselmans and Jesper Skov. 13) The vendor credits RISE Security. 14) The vendor credits Ilja van Sprundel. 15) The vendor credits Tobias Klein, www.trapkit.de 16) The vendor credits James P. Javery, Stratus Data Systems 17) The vendor credits Arnaud Ebalard, EADS Innovation Works. 18, 21) Sean Larsson, iDefense Labs 19) The vendor credits Bhavesh Davda of VMware and Brian "chort" Keefer of Tumbleweed Communications. 20) An anonymous person, reported via iDefense Labs. 22) The vendor credits Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc. 25) The vendor credits Michael Roitzsch, Technical University Dresden. 26) The vendor credits Faisal N. Jawdat 27) The vendor credits lixlpixel. 28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH. 29) The vendor credits Ryan Grisso, NetSuite. 30) The vendor credits David Bloom. 31, 32) The vendor credits Michal Zalewski, Google Inc. 33) The vendor credits Keigo Yamazaki of LAC Co. 36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm Research and Spiros Antonatos, FORTH-ICS 37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307041 US-CERT VU#498105: http://www.kb.cert.org/vuls/id/498105 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628 OTHER REFERENCES: SA15447: http://secunia.com/advisories/15447/ SA23893: http://secunia.com/advisories/23893/ SA26027: http://secunia.com/advisories/26027/ SA26152: http://secunia.com/advisories/26152/ SA26676: http://secunia.com/advisories/26676/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . I. Further details are available in the related vulnerability notes. Impact The impacts of these vulnerabilities vary. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. This and other updates are available via Apple Update or via Apple Downloads. Please send email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History November 15, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9 OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F 4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2 LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ== =AgEr -----END PGP SIGNATURE----- . BACKGROUND AppleTalk, a set of networking protocols developed by Apple, was originally implemented on early Mac operating systems. AppleTalk is compiled into the default kernel, but must be turned on in order to be used. More information can be found at the following URL. http://docs.info.apple.com/article.html?artnum=50039 II. A zone can be thought of as something similar to a Windows Domain. When copying the user provided zone information into a fixed size stack buffer, the kernel uses a user provided length as the number of bytes to copy into the destination buffer. This results in an exploitable stack buffer overflow in the kernel. III. Unsuccessful attempts will likely crash the system. In order to exploit this vulnerability, the system needs to have AppleTalk configured in routing mode. This is not enabled by default. It would likely be enabled on a Mac system running on a network with legacy Mac hosts. IV. Previous versions may also be affected. To determine if AppleTalk is running, the following command can be executed on the command line. $ appletalk -s V. WORKAROUND Disabling AppleTalk will prevent exploitation of this vulnerability. Executing the following command will disable AppleTalk if it is enabled. # appletalk -d VI. More information is available at the following URL. http://docs.info.apple.com/article.html?artnum=307041 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4267 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/08/2007 Initial vendor notification 08/09/2007 Initial vendor response 11/14/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/