CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

attacker might provide malicious HTML content as part of an IM message to
directly exploit Internet Explorer bugs or to target IE's security
configuration weaknesses.

In particular this attack vector exposes workstations to:
- Direct remote execution of arbitrary commands without user interaction.
- Direct exploitation of IE bugs without user interaction. For example,
  exploitation bugs that normally require the user to click on a URL
  provided by the attacker can be exploited directly using this attack
  vector.
- Direct injection of scripting code in Internet Explorer. For example,

RE: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

attacker might provide malicious HTML content as part of an IM message to
directly exploit Internet Explorer bugs or to target IE's security
configuration weaknesses.

In particular this attack vector exposes workstations to:
- Direct remote execution of arbitrary commands without user interaction.
- Direct exploitation of IE bugs without user interaction. For example,
  exploitation bugs that normally require the user to click on a URL
  provided by the attacker can be exploited directly using this attack
  vector.
- Direct injection of scripting code in Internet Explorer. For example,

Office arbitrary ClickOnce application execution vulnerability

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
ClickOnce is a deployment technology that allows you to create
self-updating Windows-based applications that can be installed and run
with minimal user interaction. A ClickOnce application is any Windows
Forms or Console application published using ClickOnce technology.
Applications can be published from a web page, a file share, or from
media (i.e. CD-ROM). ClickOnce is available in .NET 2.0 and later.

An application that is deployed through ClickOnce consists of at least

PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction portals


Description:

BEA Plumtree Foundation portal 6.0 and BEA AquaLogic Interaction 6.1 are 
vulnerable to an XSS vulnerability affecting the 'name' parameter which 
is submitted to the '/portal/server.pt' server-side script.

Date found: 12th September 2006

Google Notebook and Google Bookmarks Cross Site Scripting Vulnerabilities

Google Notebook is a service where it's possible to "add text, images, and links from web pages without leaving your browser window."
Google Bookmarks is a service where it's possible to save bookmarks.

II. Description:
Three cross site scripting vulnerabilities were identified inside Google Notebook. A remote attacker can make a malformed block notes and invite, through the sharing option inside Google Notebook, other users to see it to obtain their cookie. User interaction is required to exploit all three vulnerabilities.

Browser affected: Firefox 3.
Browser not affected: Internet Explorer 7, Opera 9.5, Safari 3.

One cross site scripting vulnerability was identified inside Google Bookmarks. A remote attacker can make a malformed bookmark inside his account and then share it with other users to obtain their cookie. User interaction is required to exploit this vulnerability.

RE: mac trojan in-the-wild

That's an interesting figure (86% that is).  Can you give us some
insight into what you define as "user interaction"?

If it is clicking a link or reading an HTML email, then OK.  If it is
opening an .exe from an email, I'd like to see what client you are
talking about and what environment (meaning, what OS/email client and
what did they have to do to get it to run).  But specifically, how many
were exploits where a user had to visit an untrusted site, download an
executable, run it, and explicitly give it administrative credentials to
run?  Not just people running as administrator, but typing in the admin

[ GLSA 200903-23 ] Adobe Flash Player: Multiple vulnerabilities

Multiple vulnerabilities have been discovered in Adobe Flash Player:

* The access scope of System.setClipboard() allows ActionScript
  programs to execute the method without user interaction
  (CVE-2008-3873).

* The access scope of FileReference.browse() and
  FileReference.download() allows ActionScript programs to execute the
  methods without user interaction (CVE-2008-4401).

Re: [Full-disclosure] mac trojan in-the-wild

On Thursday 01 November 2007 11:49:09 Alex Eckelberry wrote:

> The future of malware is going to be largely through social engineering.
> Does that mean we ignore every threat that comes out because it requires
> user interaction?  Seems like whistling past the graveyard to me.

Alex, no-one is saying we should ignore it. I would say we downgrade the level 
of threat if it requires user interaction. If it requires a lot of 
interaction to launch the threat, we downgrade it some more.


RE: mac trojan in-the-wild

I included any exploit that took any end-user's interaction into the 86%
number. I included the list of exploits and what I considered a
client-side attack (versus truly remote) in the article:

http://weblog.infoworld.com/securityadviser/archives/WindowsExploitAnalysis.xls

It's not perfect, and may even contain a few mistakes. However, I don't
think any of the mistakes would change the overall numbers much. The
exploit chart (I listed two years of vulnerabilities, not three as I

ZDI-12-038 : Oracle Java JavaFX Arbitrary Argument Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Java. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within JavaFX, a downloadable Java extension.
The JavaFX Jar file is signed by Oracle and can be installed without

ZDI-12-081 : Oracle Java GlueGen Arbitrary Native Library Loading Remote Code Execution Vulnerability

Oracle Java Runtime


-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Java. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.

The specific flaw exists in the Java GlueGen library. This library is not
installed by default with Java, but it is available as a signed .jar

ZDI-12-083 : Oracle Java OpenAL Library Pointer Manipulation Remote Code Execution Vulnerability

Oracle Java Runtime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Java. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.

The specific flaw exists in the Java OpenAL (JOAL) library. This library is
not installed by default with Java, but it is available as a signed .jar

Palm Pre WebOS 1.0.4 Remote execution of arbitrary HTML code vulnerability

II. Impact

Email Notification System:

A remote attacker is able to construct a malicious email that will cause the Palm Pre WebOS to execute arbitrary HTML code if the notification system is enabled.  Upon receiving a malicious email where the FROM field contains HTML code, the Palm Pre WebOS will issue a user a notification that an email has arrived and execute the HTML code of the attacker’s choice.  This vulnerability does not require user interaction.

Calendar Application:

A remote attacker can create a malicious calendar event putting arbitrary HTML code inside the event/title field that can be executed without user interaction.  To trigger this vulnerability, any of the following conditions can occur:


Minimo .2 and more Firefox 2.0.0.6 Password Manager Vulnerabilities

Minimo includes a password manager feature that allows users to store 
user/password information of sites they visit. There are two ways this 
feature can be abused. First, the action of any form can be changed 
dynamically via JavaScript, which could be introduced into a site via a 
cross-site scripting (XSS) bug. Second, the form fields can be 
automatically filled in without user interaction. As a result, an XSS bug 
could allow an attacker to inject an invisible form into a victim's 
browser that could collect the user/pass without any interaction or 
visible indication.

Note: The Password Manager bug is often misunderstood for how it works. 

ZDI-11-083: Oracle Java Applet Clipboard Injection Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Oracle Java Runtime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw is due to insufficient defenses against system
clipboard hijacking. When in focus, a handle to the system clipboard can

ZDI-10-039: Apple OS X Internet Enabled Disk Image Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple OS X. User interaction is required to
exploit this vulnerability in that the target must open a malicious
file.

The specific flaw exists in the handling of internet enabled disk image
files. When a specially crafted Menu Extras plugin is included in the

Internet Explorer Script Interjection Code Execution

loop.  When exploiting the vulnerability, one event may be based on a
method call, but the other must correspond to user input or some other
type of message.

Although designing a Web page to provoke a user input message without
user interaction is not difficult, Internet Explorer 9 offers another
possibility by introducing asynchronous events.  If a Web page is
viewed in IE9 standards mode, certain events (for example,
body.onfocus) will instead be mediated by messages with an identifier
value of 0x8003, which are generated via
MSHTML!CEventMgr::QueueAsyncEvent ->

ZDI-12-170 : (0Day) HP Application Lifecycle Management XGO.ocx ActiveX Control Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett-Packard Application Lifecycle
Management. User interaction is required to exploit this vulnerability in
that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the XGO.ocx ActiveX control. The control
exposed two vulnerable functions: 'SetShapeNodeType', which is vulnerable
to a type confusion allowing user specified memory to be used as an object;

ZDI-09-056: Microsoft Office OWC10.Spreadsheet ActiveX BorderAround() Heap Corruption Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Office. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific vulnerability exists in the OWC10.Spreadsheet.10 ActiveX
control installed by Microsoft Office. By accessing specific methods in

ZDI-09-058: Oracle Secure Backup Administration Server Authentication Bypass Vulnerability

-- Affected Products:
Oracle Secure Backup

-- Vulnerability Details:
This vulnerability allows remote attackers to bypass authentication on
vulnerable installations of Oracle Secure Backup. User interaction is
not required to exploit this vulnerability.

The specific flaw exists in the logic used to authenticate a user to the
administration server running on port 443. The script login.php does not
properly sanitize the 'username' variable before using it in a database

ZDI-11-054: Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows an attacker to execute remote code on
vulnerable installations of the Hewlett-Packard Data Protector client.
User interaction is not required to exploit this vulnerability.

The specific flaw exists within the filtering of the EXEC_CMD command.
The Data Protector client only verifies file names, not their contents.
By supplying malicious code within specific script files, arbitrary code
execution is possible under the context of the current user.

ZDI-08-016: Apple QuickTime MP4A Atom Parsing Heap Corruption Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw exists in the parsing of the QuickTime Channel
Compositor atom. When the movie file contains a malformed 'chan' atom, a

ZDI-11-082: Oracle Java Runtime NTLM Authentication Information Leakage Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to leak authentication
details on vulnerable installations of the Oracle Java Runtime. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.

The specific flaw exists in the handling of NTLM authentication
requests generated in the context of the Java Runtime. The Java Virtual
Machine will ignore browser policies and respond to WWW-Authenticate

ZDI-11-085: Oracle Java XGetSamplePtrFromSnd Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Java. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The flaw exists within jsound!XGetSamplePtrFromSnd. When extracting a
sample from a soundbank stream user supplied data is used to calculate

ZDI-10-171: Mozilla Firefox nsTreeContentView Dangling Pointer Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the implementation of a particular
element within the XUL namespace. Due to a method for the element having

ZDI-11-076: RealNetworks Real Player Predictable Temporary File Remote Code Execution Vulnerability

-- Affected Products:
RealNetworks RealPlayer

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file. 

The flaw exists within the temporary file naming scheme used for storage
of references to Real Media files. This easily predictable temporary

iDefense Security Advisory 02.08.11: Adobe Reader and Acrobat JP2K Invalid Indexing Vulnerability

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page or opening the
file. Since PDF files can be embedded into web pages and parsed without
interaction by default, this vulnerability can be exploited as a
typical browser vulnerability. To exploit this vulnerability, a
targeted user must load a malicious webpage created by an attacker. An
attacker typically accomplishes this via social engineering or
injecting content into compromised, trusted sites. After the user
visits the malicious web page, no further user interaction is needed.

ZDI-10-163: Adobe Shockwave Director tSAC Chunk Parsing Remote Code Execution Vulnerability

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the parsing of the undocumented tSAC
RIFF chunk. By setting a specified field within this structure to NULL,

TPTI-11-05: Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing font
structures within Director files. While processing data within the PFR1

ZDI-10-010: RealNetworks RealPlayer Skin Parsing Remote Code Execution Vulnerability

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute code on vulnerable
installations of RealNetworks RealPlayer. User interaction is required
in that a user must visit a malicious website or open a malicious file
and accept a dialog to switch player skins.

The specific flaw exists during parsing of malformed RealPlayer .RJS
skin files. While loading a skin the application copies certain variable
