
3rd party

CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

  user interaction).

AOL's "Classic AIM 5.9" is an official alternative client for nostalgic
users and is not vulnerable due to the fact that instead of using MSHTML
to render HTML it appears to include limited rendering functionality
either provided by a third party library or homebrew code. Although there
is no guarantee that its implementation lacks vulnerabilities, in our
tests it did prevent the attack vectors described in this advisory. So
is the case for AOL's AOL 6.5.3.12 which although it is embedding an
Internet Explorer server control in the message window, could not be
exploited during our tests.

RE: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software


RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

state WHAT they would support, they seem to be legally free to actually get
away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
to promises...

So... with all this commentary, in the end, I still didn't read from the
"big'uns" on whether or not a 3rd party open-source patch would be
released... I sure miss the days that people back in the day who cared would
:) In the end I realize, it sounds like a total over-haul of the TCP/IP
stack is required; but does it really have to? Really?

How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

>>> it comes
>>> to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from 
>>> the
>>> "big'uns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who 
>>> cared would
>>> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
>>> stack is required; but does it really have to? Really?
>>>

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

> state WHAT they would support, they seem to be legally free to actually get
> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "big'uns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's


RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's only "default" for people running XP standalone/consumer that are 
not even in a home network settings.

That kinda slices and dices that default down to a VERY narrow sub sub 

CORE-2009-0814: HP Openview NNM 7.53 Invalid DB Error Code vulnerability

. 2009-08-27:
Core requests a status update from HP SSRT.

. 2009-08-27:
HP SSRT informs Core that the vulnerabilities are in third-party code
and that the third-party vendor has been notified but there isn't a
schedule for fixes yet. HP SSRT indicates that it is sure HP will not
have a solution ready by September 7th.

. 2009-08-27:

Re: Summary of AS/400 Vulnerability Information

CVE-2005-1238   05/02/2005      By design, the built-in FTP server for iSeries
AS/400 systems does not support a restricted document root, which allows
attackers to read or write arbitrary files, including sensitive QSYS
databases, via a full pathname in a GET or PUT request.
CVE-2005-1239   05/02/2005      Directory traversal vulnerability in the third
party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1240   04/20/2005      Directory traversal vulnerability in the third
party tool from Castlehill, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including

VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2011-0003
Synopsis:          Third party component updates for VMware vCenter
                   Server, vCenter Update Manager, ESXi and ESX
Issue date:        2011-02-10
Updated on:        2011-02-10 (initial release of advisory)
CVE numbers:       --- Apache Tomcat ---
                   CVE-2009-2693 CVE-2009-2901 CVE-2009-2902

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
> 
> I agree that the FAQ explanation in the advisory is vague about what
> protection the firewall provides. One clue I would infer about it is
> that they rated this a "Low" threat. If it were vulnerable in the
> default configuration, with the firewall (or some other firewall) on,

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>> course it's vulnerable to any and all gobs of stuff out there.  But
>> it's
>> goal and intent is to allow Small shops to deploy Win7.  If you need

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
> Sent: Wednesday, September 16, 2009 10:16 AM
> To: Thor (Hammer of God)
> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> 
> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
> course it's vulnerable to any and all gobs of stuff out there.  But
> it's
> goal and intent is to allow Small shops to deploy Win7.  If you need

CORE-2007-0821: Lotus Notes buffer overflow in the Lotus WorkSheet file processor

desktop client in conjunction with IBM’s Lotus Domino server application.

The email functionality of Lotus Notes supports previewing and processing
file attachments in various formats. To preview and process files in the
Lotus Worksheet File format (WKS) used by Lotus 1-2-3 the email client
uses a library from a third-party software vendor (Autonomy’s Verity
KeyView SDK). Several buffer overflow vulnerabilities were found in the
third-party library used by Lotus Notes to process Lotus 1-2-3 file
attachments.

These vulnerabilities could allow attackers to remotely execute arbitrary

Cisco Security Advisory: Local Privilege Escalation Vulnerabilities in Cisco VPN Client

configured to utilize Microsoft dial-up networking to launch a dial-up
networking dialog box. This action may allow users to elevate their
privileges.

This vulnerability has been addressed by requiring that the configuration
option "Allow launching of third party applications before logon," which
is located in the "Windows Logon Properties" dialog box (available under
Options-> Windows Logon Properties...), be enabled to use, from the
Windows logon screen, a VPN profile that is configured for Microsoft
Dial-Up Networking.


MITKRB5-SA-2010-007 Multiple checksum handling vulnerabilities [CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021]

AFFECTED SOFTWARE
=================

CVE-2010-1324

Kerberos application client and server software (including third-party
applications) using GSS-API libraries from MIT releases krb5-1.7 and
newer are vulnerable to the DES GSS-API issue if they use GSS-API for
integrity protection of unencrypted messages.

Kerberos application server software (including third-party

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, September 16, 2009 8:00 AM
>> To: Eric C. Lukens; bugtraq@securityfocus.com
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> Thanks for the link.  The problem here is that not enough information
>> is given, and what IS given is obviously watered down to the point of
>> being ineffective.
>>

[security bulletin] HPSBST02394 SSRT080183 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-070 to MS08-077

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW

[security bulletin] HPSBST02314 SSRT080016 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-003 to MS08-013


[security bulletin] HPSBST02360 SSRT080117 rev.2 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-041 to MS08-051


[security bulletin] HPSBST02397 SSRT080187 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-078


HPSBST02350 SSRT080102 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-037 to MS08-040


[security bulletin] HPSBST02329 SSRT080048 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-018 to MS08-025


[security bulletin] HPSBST02372 SSRT080133 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-052 to MS08-055


[security bulletin] HPSBST02344 SSRT080087 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-030 to MS08-036


[security bulletin] HPSBST02336 SSRT080071 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-026 to MS08-029


RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor
(Hammer of God)
Sent: Wednesday, September 16, 2009 11:00 AM
To: Eric C. Lukens; bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thanks for the link.  The problem here is that not enough information is
given, and what IS given is obviously watered down to the point of being
ineffective.


RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, September 16, 2009 8:00 AM
> To: Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> 
> Thanks for the link.  The problem here is that not enough information
> is given, and what IS given is obviously watered down to the point of
> being ineffective.
> 


[security bulletin] HPSBST02304 SSRT080003 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-001 to MS08-002

