Vendor Response
The specific flaw exists in the parsing of Poly type opcodes (opcodes
0x0070 through 0x0074). Due to improper handling of a malformed element in
the structure, heap corruption occurs. If properly constructed, this can lead
to code execution.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details
can be found at:
http://docs.info.apple.com/article.html?artnum=306896
The specific flaw exists in the parsing of the CTAB atom. While reading
the CTAB RGB values, an invalid color table size can cause QuickTime to
write past the end of the heap chunk. This memory corruption can lead
to the execution of arbitrary code.
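The CTAB fragment above describes a count-versus-capacity mismatch: the loop that fills the colour table is driven by a size field read from the file, while the heap chunk it writes into was sized by something else. The parser below is an added illustration of that bug class and its fix; it is not Apple's code and the atom layout (a 16-bit `ctSize` meaning entries minus one, followed by 8-byte entries) is an assumption made for the example, as is the `ctab` structure. The two checks marked (1) and (2) are exactly what a vulnerable parser omits.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a 'ctab' payload (assumed layout, not Apple's code):
 *   4 bytes ctSeed, 2 bytes ctFlags, 2 bytes ctSize (entries - 1),
 *   then (ctSize + 1) entries of 8 bytes: value, r, g, b (16-bit each). */
#define CTAB_HDR_LEN   8u
#define CTAB_ENTRY_LEN 8u

struct rgb_entry { uint16_t value, r, g, b; };

/* Destination chunk: sized by the caller (e.g. from the atom length),
 * which is what makes a ctSize-driven loop dangerous. */
struct ctab {
    size_t capacity;            /* entries the chunk can hold */
    struct rgb_entry *entries;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the number of entries written, or -1 when ctSize promises more
 * entries than the atom holds or than the chunk can take. */
int ctab_parse(const uint8_t *payload, size_t len, struct ctab *out)
{
    if (len < CTAB_HDR_LEN) return -1;
    uint32_t n = (uint32_t)be16(payload + 6) + 1u;   /* ctSize + 1, up to 65536 */

    /* (1) the bytes promised by ctSize must actually be present */
    if ((len - CTAB_HDR_LEN) / CTAB_ENTRY_LEN < n) return -1;
    /* (2) and they must fit the chunk we are writing into */
    if (n > out->capacity) return -1;

    const uint8_t *p = payload + CTAB_HDR_LEN;
    for (uint32_t i = 0; i < n; i++, p += CTAB_ENTRY_LEN) {
        out->entries[i].value = be16(p);
        out->entries[i].r     = be16(p + 2);
        out->entries[i].g     = be16(p + 4);
        out->entries[i].b     = be16(p + 6);
    }
    return (int)n;
}

/* Builds a constructed payload whose ctSize and real entry count may
 * disagree, as in a malformed file. Returns payload length or 0. */
size_t ctab_build(uint8_t *buf, size_t buflen, uint16_t ctsize, uint32_t real_entries)
{
    size_t need = CTAB_HDR_LEN + (size_t)real_entries * CTAB_ENTRY_LEN;
    if (need > buflen) return 0;
    memset(buf, 0, need);
    buf[6] = (uint8_t)(ctsize >> 8);
    buf[7] = (uint8_t)ctsize;
    for (uint32_t i = 0; i < real_entries; i++) {
        uint8_t *e = buf + CTAB_HDR_LEN + i * CTAB_ENTRY_LEN;
        e[1] = (uint8_t)i;      /* value = i */
        e[3] = 0xff;            /* r = 0x00ff */
    }
    return need;
}

int main(void)
{
    uint8_t buf[CTAB_HDR_LEN + 4 * CTAB_ENTRY_LEN];
    struct rgb_entry ents[4];
    struct ctab t = { 4, ents };
    size_t len = ctab_build(buf, sizeof buf, 255, 4);  /* claims 256, holds 4 */
    printf("ctSize=255 with 4 real entries -> %d\n", ctab_parse(buf, len, &t));
    return 0;
}
```

The point of check (1) is that the declared count must be validated against the bytes that exist, and of check (2) that it must also be validated against the allocation; validating against only one of the two is how a file field ends up driving a write past the end of a heap chunk.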
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details
can be found at:
http://docs.info.apple.com/article.html?artnum=306896
objects defined inside Director files. An undocumented 4-byte field
within record type 0xFFFFFF49 can be modified to cause corruption of
heap memory. This corruption can be used to modify function pointers and
achieve code execution.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
Cinepak Video Codec. When parsing the data in the MDAT atom, there
exists a signedness error which leads to a heap overflow. When this
occurs it can be further leveraged to execute arbitrary code under the
context of the current user.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3403
ListManager administrative interface allows an attacker
to create new accounts that collide with existing accounts. This
collision will result in overwriting data in the original account
with the data from the new account.
Vendor Response:
Vendor has acknowledged and corrected the issue in several versions
of the product.
Recommendation:
III. Solution
This vulnerability was fixed with the latest Apple update APPLE-SA-2007-12-17.
IV. Vendor Response
2007/12/06 Initial contact with <product-security@apple.com>
2007/12/06 Acknowledgement of received report
2007/12/12 Agreement on public release date
2007/12/17 Coordinated release of updates and advisory
The flaw exists due to improper use of the "cloneNode" and "nodeValue"
JavaScript methods. When a specially crafted element is used during
repeated calls to one of these methods, memory corruption can occur,
leading to remote code execution.
-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx
offset and updates pointers accordingly. By crafting a large enough
value and seeking the file pointer past the end of a buffer this can be
abused to corrupt heap memory. An attacker can abuse this to execute
arbitrary code under the context of the user running the browser.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb10-12.html
====================
2) Report Timeline
====================
2010-01-06 Vendor Contacted
2010-01-09 Vendor Response
2010-01-09 Vendor requests a PoC
2010-01-10 PoC is sent to the vendor
2010-01-12 Vendor confirms receipt of the PoC
2010-01-13 Vendor confirms the vulnerability
2010-03-22 Public release of this advisory
The software can be downloaded for free from the vendors site:
http://usa.autodesk.com/adsk/servlet/home?siteID=123112&id=129446
Vendor Response:
"The backburner package is intended to be used in a closed network
i.e. one that does not have routing between its hosts and the rest
of the world. If a customer decides that he cannot do without
Internet connectivity, he should take the appropriate measures to
argument an unchecked memcpy() copies user data from the file to the
stack, overflowing key exception structures. Exploitation of this
vulnerability can lead to remote compromise of the affected system under
the context of the currently logged in user.
-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS10-004.mspx
port 3465. Insufficient checks on URLs containing paths such as '~root'
allows attackers to access arbitrary files in the underlying OS.
Accessing configuration files that contain LDAP and database
credentials can lead to further compromise.
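The HP fragment above is a path-handling failure: a request path such as '~root' is handed to the file-serving code without the checks that would keep it under the document root. The filter below is an added example of the checks a front end on such a port should apply before joining a request path to its root; it is not HP's code and the design (percent-decode first, then reject '~user' segments, parent-directory segments, embedded NULs and backslashes) is an assumption made for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Constructed path filter for a web front end serving files under a fixed
 * document root (assumed design, not any vendor's code). */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decodes %XX escapes into out (NUL-terminated). Returns the decoded
 * length, or -1 on a malformed/truncated escape or insufficient space. */
long url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int h = hexval((unsigned char)in[i + 1]);
            int l = (h < 0) ? -1 : hexval((unsigned char)in[i + 2]);
            if (l < 0) return -1;               /* "%zz" or "%4" at end */
            c = h * 16 + l;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;         /* room for byte plus NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

/* Returns 1 when the request path may be joined to the document root,
 * 0 when it must be rejected. Decoding happens before the checks so that
 * "%7eroot" and "%2e%2e" are judged by what they become, not how they look. */
int path_is_safe(const char *raw)
{
    char path[1024];
    long n = url_decode(raw, path, sizeof path);
    if (n < 0) return 0;
    if ((size_t)n != strlen(path)) return 0;    /* %00 would truncate later */
    if (path[0] != '/') return 0;               /* relative paths not allowed */

    const char *seg = path + 1;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0 && end) return 0;                          /* "//" */
        if (len > 0 && seg[0] == '~') return 0;                 /* ~user lookup */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0; /* parent dir */
        if (memchr(seg, '\\', len)) return 0;                   /* Windows separator */
        if (!end) break;
        seg = end + 1;
    }
    return 1;
}

int main(void)
{
    const char *samples[] = { "/docs/index.html", "/~root/.rhosts",
                              "/%7eroot/etc/passwd", "/docs/../../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i], path_is_safe(samples[i]) ? "allow" : "reject");
    return 0;
}
```

A filter of this kind is a second line of defence; the file-serving code should still resolve the final path and verify that it starts with the document root, because a rejection list cannot anticipate every mapping the underlying server applies.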
-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability.
-- Disclosure Timeline:
2006.12.18 - Vulnerability reported to vendor
2006.12.21 - Digital Vaccine released to TippingPoint customers
Timeline:
---------
Vendor Notified: March 19, 2009
Vendor Status: Replied on March 19 and March 30, vulnerability
confirmed
Vendor Response: Problem fixed in firmware version 7.1.39/7.3.14.
Problem will be fixed in version 6.
Patch available: Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14
and above
References:
from a sample description atom (STSD). The application will read a
length from the file, subtract 1 and then use it as a counter for a
loop. Certain values may cause memory corruption and can result in code
execution under the context of the current user.
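The STSD fragment above is an integer underflow in a loop bound: a count read from the file is decremented before use, so a count of zero becomes 0xFFFFFFFF and the loop runs off the end of the atom. The code below is an added illustration of that bug class and the two checks that close it; it is not QuickTime's code, and the 16-byte entry size and the placement of the count at the start of the atom are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model (assumed layout, not Apple's code): a 32-bit
 * big-endian count followed by fixed-size entries. */
#define ENTRY_LEN 16u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable derivation, returned as a number so the wrap can be shown
 * without running the loop: count == 0 yields 0xFFFFFFFF iterations. */
uint32_t stsd_loop_bound_unchecked(uint32_t count)
{
    return count - 1;
}

/* Hardened: returns the number of loop iterations, or -1 when the count is
 * zero (the subtraction would wrap) or promises more entries than the atom
 * actually carries. */
int64_t stsd_loop_bound(const uint8_t *atom, size_t len)
{
    if (len < 4) return -1;
    uint32_t count = be32(atom);
    if (count == 0) return -1;                      /* count - 1 would wrap */
    uint32_t iters = count - 1;
    if ((len - 4) / ENTRY_LEN < iters) return -1;   /* bytes not present */
    return (int64_t)iters;
}

/* A consumer that only walks the entries once the bound is validated;
 * sums the first byte of each entry purely to have an observable result. */
int64_t stsd_sum_first_bytes(const uint8_t *atom, size_t len)
{
    int64_t n = stsd_loop_bound(atom, len);
    if (n < 0) return -1;
    int64_t sum = 0;
    const uint8_t *p = atom + 4;
    for (int64_t i = 0; i < n; i++, p += ENTRY_LEN) sum += p[0];
    return sum;
}
```

The order of the checks matters: the zero test must come before the subtraction, and the byte-availability test must use the decremented value, because that is the value the loop consumes.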
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4104
value from incoming packets which it arbitrarily calls. Exploitation of
this issue leads to code execution under the context of the SYSTEM
user.
-- Vendor Response:
EMC states:
Customers who are using older versions are advised to upgrade to EMC
AutoStart 5.3 SP2
For EMC AutoStart 5.3 SP2 Software navigate to the following location:
Powerlink > Support > Software Downloads and Licensing > Downloads A-B >
Versions Affected: 1.14a
Vendor URL: http://www.powerscripts.org/
Bug: Remote/Local File Include
Exploits: YES
Reported: 01.02.2008
Vendor Response: none
Solution: none
Date of Public Advisory: ..2008
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
contents before copying in to a fixed-length stack buffer. This can be
leveraged by remote attackers to execute arbitrary code under the
context of the webserver process.
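Three fragments on this page describe the same bounded-copy failure in different forms: the Cinepak MDAT signedness error earlier on the page, the MS10-004 unchecked memcpy() of file data onto the stack, and the HP fixed-length stack buffer just above. The code below is one added illustration that serves all three; it is not code from Apple, Microsoft or HP, and the record layout (a 32-bit big-endian length followed by that many bytes) and the 64-byte destination are assumptions made for the example. `length_check_signed` shows why a signed comparison does not protect the copy; `record_copy` is the hardened form, which is also what the two fragments with no check at all need.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record format (assumed, not any vendor's): 4-byte big-endian
 * length, then `length` bytes of payload, copied into a fixed buffer. */
#define REC_BUF_LEN 64u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The signedness bug: the length lives in an int, so 0x80000000 is negative,
 * passes `len > REC_BUF_LEN`, and would reach memcpy as a huge size_t.
 * Returns 1 when the check would let the copy proceed. The copy itself is
 * deliberately not performed here, so the demonstration cannot crash. */
int length_check_signed(const uint8_t *rec)
{
    int len = (int)be32(rec);
    if (len > (int)REC_BUF_LEN) return 0;   /* only positive overlong values fail */
    return 1;                               /* negative values sail through */
}

/* Hardened copy: unsigned length, bounded by the destination and by the
 * bytes actually present in the input. Returns bytes copied, or -1. */
int64_t record_copy(const uint8_t *rec, size_t rec_len, uint8_t *dst, size_t dst_len)
{
    if (rec_len < 4) return -1;
    uint32_t len = be32(rec);
    if (len > dst_len) return -1;           /* destination bound */
    if (len > rec_len - 4) return -1;       /* input bound: truncated record */
    memcpy(dst, rec + 4, len);
    return (int64_t)len;
}
```

Two bounds are needed, not one: the destination bound stops the stack or heap overflow, and the input bound stops an over-read of whatever follows the record in memory. Both become simple once the length is held in an unsigned type of the width the format actually uses.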
-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379
The specific flaw exists during the processing of malicious parameters
to the routine msDataSourceObject() and results in transfer of control
to unallocated memory. This issue can be exploited to execute arbitrary
code under the context of the currently logged in user.
-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS09-043.mspx
When multiple DOM elements are cloned and linked to one another and the
browser is reloaded, a memory corruption occurs resulting in a double
free. This can be leveraged to execute arbitrary code under the context
of the current user.
-- Vendor Response:
Mozilla has issued an update for Firefox to correct this vulnerability. More
details can be found at:
http://www.mozilla.org/security/announce/2009/mfsa2009-08.html
>
> > Timeline:
> > ---------
> > Vendor Status: MSRC tracking case closed
> > Vendor Notified: March 31st 2008
> > Vendor Response: May 6th 2008
> > Advisory Release: October 15th 2008
> > Patch available: - (vulnerability not high priority)
>
>
Severity: Low
Details:
mChek is an e-commerce application which allows users to store multiple credit/debit cards on the phone and use them when required. The mChek application (version 3.4) stores multiple credit card numbers and the corresponding bank account information in phone storage without protection. It also provides a feature to link bank accounts to the application. mChek writes all this information to a file on the phone's file system. Upon inspection, it was observed that the credit card number and the corresponding bank name were written in cleartext to the phone's storage. It was also observed that after a credit card is deleted from mChek's user interface, the credit card number continues to exist in the phone's file system. If the phone is lost or stolen, or any other user of the phone is able to read its file system, the stored credit/debit card numbers and bank names can be compromised.
Vendor Response:
mChek Version 3.4 is an older version of the product. The current version is 3.8. In this version, card number, bank name and phone number are not stored in clear text and use encrypted storage. When the credit card information is deleted by the user, it is deleted from the application DB as well, but the behavior is not the same on all phone makes and models. We are providing enough protection to the sensitive data stored, and the security is not dependent on the user's ability to read the file system of the phone.
Having said that, even in Version 3.4, only the credit card number and bank name were stored as cleartext. The risk was very low, as it is not possible to make a transaction with the card number alone. All other sensitive data, like the expiry date for example, are encrypted and stored, and the encryption key is never stored on the mobile phone, making the information very secure.
Recommendation:
Upgrade to version 3.8 or above.
Vendor: ntop
Vendor URL: www.ntop.org
Vendor Response: None
Description:
A denial of service condition can be reached by specifying an invalid value for the Authorization
HTTP header. When ntop receives this, it attempts to base64 decode the value then split it based on
write to the memory mapped files. The impact of which is that an
attacker could potentially inject active content such as Lotus
Script.
Vendor Response:
* Fixed for the Notes client with 6.5.6, 7.0.3 and 8.0
* Fixed for the Domino server with 6.5.5 FP3, 6.5.6, 7.0.2
FP1, 7.0.3, 8.0
> from 2.6.30, where the RDS protocol was first included. Installations are only
> vulnerable if the CONFIG_RDS kernel configuration option is set, and if there
> are no restrictions on unprivileged users loading packet family modules, as is
> the case on most stock distributions.
>
> Vendor Response
> ---------------
> The following timeline details Linux's response to the reported issue.
>
> 2010-10-13 Vulnerability reported to Linux security team
> 2010-10-13 Response, agreement on disclosure date
Vendor: FirmChannel
Vendor URL: www.firmchannel.com
Vendor Response: Vendor has been notified and has since addressed the issue in the latest software release.
Description:
A cross-site scripting vulnerability is present within Firm Channel's Indoor & Outdoor Digital SIGNAGE version 3.24 (and potentially below).
References:
http://www.appsecinc.com/resources/alerts/oracle/2008-08.shtml
Timeline:
Vendor Notification - 3/20/2008
Vendor Response - 3/24/2008
Fix - 10/14/2008
Public Disclosure - 11/11/2008
Application Security, Inc's database security solutions have helped
over 1000 organizations secure their databases from all internal and
over SSL. This protocol allows a client to make a method call into a
module. The 'spf' RPC call is implemented unsafely allowing remote
attackers to load arbitrary modules over the network resulting in code
execution under the context of the service.
-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7003640&sliceId=1&docTypeID=DT_TID_1_1&dialogID=72895793
getIcon() method of a Collab object, proper bounds checking is not
performed resulting in a stack overflow. If successfully exploited full
control of the affected machine running under the credentials of the
currently logged in user can be achieved.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb09-04.html
threads. Due to mishandling the array data type while processing posted
messages, a web worker thread can be made to corrupt heap memory. An
attacker can exploit this vulnerability to execute arbitrary code under
the context of the user running the browser.
-- Vendor Response:
Mozilla has issued an update for Firefox to correct this vulnerability. More
details can be found at:
http://www.mozilla.org/security/announce/2010/mfsa2010-02.html