security bugs
read/write access to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and
Address Space Layout Randomization (ASLR) [3] designed to prevent
exploitation of security bugs in applications running on Windows
operating systems.
Thus, application bugs that are not exploitable on a non-virtualized
operating system become exploitable when the same application runs inside
a Virtual PC guest OS. In particular, an application running on Windows
_______________________________________________________________________
Problem Description:
A new version of the CGI Perl module has been released to CPAN,
which fixes two security bugs that directly affect Bugzilla
(both were first discovered as affecting Bugzilla, and then
identified as being bugs in CGI.pm itself).
Packages for 2009.0 are provided under the Extended Maintenance
Program. Please visit this link to learn more:
Exploitation of these vulnerabilities to gain complete control of a
phone running the Android platform has been proven possible using the
emulator included in the SDK, which emulates a phone running the Android
platform on an ARM microprocessor.
This advisory contains technical descriptions of these security bugs,
including a proof-of-concept exploit that runs arbitrary code, proving
that code can be executed on the Android stack (on an ARM architecture)
via a binary exploit.
9. *Report Timeline*
. 2009-10-23:
Core Security Technologies sends an email to IBM AIX Security team
requesting a security point of contact to report security bugs in
SolidDB and asks whether the report should be sent to SolidDB security
instead.
. 2009-10-27:
IBM AIX Security replies indicating that they forwarded the request to
Timeline:
2008-04-30: vendor contacts oCERT asking for patch analysis
2008-05-06: analysis results in bug being found, test case sent upstream
2008-05-07: vendor submits second set of patches for analysis
2008-05-07: vendor gives some other vendors private advance notice of the issue
2008-05-07: vendor proposes patch for the found security bug
2008-05-25: full analysis results and another PoC supplied to vendor
2008-05-27: oCERT contacts vendor regarding timeline and coordination
2008-05-28: vendor asks for clarification
2008-06-09: oCERT contacts vendor offering help
2008-06-11: vendor supplies patches
> ... another solution -- allow fcntl() to remove read-only and
> append-only limitations, so that behaviour is at least explicit.
Do not lower security, just to emulate /proc sloppiness. (That would be
like fixing a root security bug by doing away with the root password.)
Is there anything (currently) relying on that security?
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Core suggests to the VLC team another patch after the calloc (at
line 923) to avoid the possible null pointer dereference, for completeness.
. 2008-02-12:
Core notifies Miro player team that their software is also affected
by the security bug in VLC 0.8.6b.
. 2008-02-12:
Miro player team acknowledges and says that they have already moved
to VLC 0.8.6c.
An old, unfixed Windows functional bug has just been upgraded to a security bug. Our
researchers have discovered that Windows' inability to consistently expand
environment variables in the user and system PATH breaks the binary-planting protection
provided by the SetDllDirectory function. The article describes how the already-fixed
iTunes and Safari, both of which use SetDllDirectory, can again be successfully
binary-planted because of this bug. This time it's not Apple's fault.
http://blog.acrossecurity.com/2010/10/breaking-setdlldirectory-protection.html
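The practical check a sysadmin wants after reading the above is an audit of what actually reaches a process as its PATH. The script below is an added example, not code from the ACROS article or from Apple; it assumes the situation the article describes (a PATH entry whose environment variable was never expanded arrives as literal text) and additionally flags empty entries, which Windows treats as the current directory, and relative entries, both of which bring the current directory back into DLL resolution even after SetDllDirectory("") removed it. The PATH and environment values are constructed for the example.

```python
"""Audit a Windows PATH string for entries that undermine SetDllDirectory.

Added example, not code from the ACROS article. Assumptions: an undefined
%VAR% survives expansion as literal text (ExpandEnvironmentStrings
behaviour), an empty PATH element resolves to the current directory, and
a relative element is resolved against the current directory.
"""
import re
from dataclasses import dataclass

# %NAME% references that survived expansion
UNEXPANDED = re.compile(r"%[^%;]+%")
# drive-letter or UNC prefix; anything else is resolved against the CWD
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


@dataclass(frozen=True)
class Finding:
    index: int     # position of the entry in the PATH list
    entry: str     # the raw entry text
    reason: str


def expand_entries(path_value: str, env: dict) -> list:
    """Expand %VAR% references from `env`, case-insensitively.

    Undefined variables are left in place as literal text, which is the
    case the audit below is looking for.
    """
    upper_env = {k.upper(): v for k, v in env.items()}

    def sub(match):
        name = match.group(0)[1:-1]
        return upper_env.get(name.upper(), match.group(0))

    return [UNEXPANDED.sub(sub, e) for e in path_value.split(";")]


def audit_path(path_value: str) -> list:
    """Return one Finding per PATH entry that should not be there."""
    findings = []
    for i, raw in enumerate(path_value.split(";")):
        entry = raw.strip().strip('"')
        if entry == "":
            findings.append(Finding(i, raw, "empty entry: resolves to the current directory"))
        elif UNEXPANDED.search(entry):
            findings.append(Finding(i, raw, "unexpanded environment variable"))
        elif not ABSOLUTE.match(entry):
            findings.append(Finding(i, raw, "relative entry: resolved against the current directory"))
    return findings


# Constructed sample: a PATH with a variable the profile never defined,
# a stray ';;' and a relative 'tools' entry.
SAMPLE_PATH = r"C:\Windows\system32;%MISSING_SDK%\bin;;tools;C:\Program Files\App"
SAMPLE_ENV = {"SystemRoot": r"C:\Windows"}

if __name__ == "__main__":
    for f in audit_path(SAMPLE_PATH):
        print(f"entry {f.index} {f.entry!r}: {f.reason}")
```

Run it against the output of `expand_entries()` fed with the environment the target process really sees (a service account's profile usually defines fewer variables than the interactive user's), since an entry that expands cleanly on the admin's desktop is exactly the one that can arrive unexpanded elsewhere.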
http://www.[DOMAIN].tld/[PATH]/default.asp?mode=advanced_login&mode2=[XSS]
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!
+===========================================================================+
+ MailBee WebMail Pro <=3.4 (XSS) Multiple Remote Vulnerabilities +
+===========================================================================+
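The advisory gives only the injection point, a `mode2` query parameter reflected by default.asp. The following is an added example, not MailBee WebMail Pro's code: a hypothetical handler that reflects `mode2` into an HTML attribute, shown unescaped beside its hardened form, with a lenient HTML parser used to confirm that only the vulnerable version yields a `<script>` element. The hostname, path and payload are constructed; only the parameter name comes from the advisory URL.

```python
"""Reflected XSS through a query parameter: vulnerable vs. hardened rendering.

Added example; not MailBee WebMail Pro code. The render functions are a
hypothetical stand-in for what default.asp does with mode2.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Advisory URL pattern with the placeholders filled in for this example.
CONSTRUCTED_URL = (
    "http://webmail.example.test/mail/default.asp"
    "?mode=advanced_login&mode2=\"><script>alert(1)</script>"
)


def mode2_from_url(url: str) -> str:
    """Pull the mode2 value out of the query string the way the server would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("mode2", [""])[0]


def render_unsafe(mode2: str) -> str:
    """Vulnerable: attacker-controlled text pasted straight into an attribute."""
    return f'<input type="hidden" name="mode2" value="{mode2}">'


def render_safe(mode2: str) -> str:
    """Hardened: entity-encode for the attribute context (quotes included)."""
    return f'<input type="hidden" name="mode2" value="{html.escape(mode2, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records start tags so we can see what a browser would build."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Start tags a lenient HTML parser finds in `markup`."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injected_script(markup: str) -> bool:
    """True when a <script> element appears in markup that should only hold the input."""
    return "script" in tags_in(markup)


if __name__ == "__main__":
    payload = mode2_from_url(CONSTRUCTED_URL)
    print("unsafe:", render_unsafe(payload), injected_script(render_unsafe(payload)))
    print("safe:  ", render_safe(payload), injected_script(render_safe(payload)))
```

The encoding has to match the context: `html.escape(..., quote=True)` is right for an attribute value, but a value dropped into a JavaScript string or a URL needs that context's escaping instead, and the same parser check will show the difference.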
Vendor Response
---------------
The following timeline details Google's response to the reported issue:
2010-01-20 VSR submitted a security bug report [3]. Chromium development
team began researching the issue.
2010-01-21 VSR provided additional details on the test scenario. Chromium
developers successfully reproduced the issue and committed a fix
to the source repository [4].
Title: Multiple Security Bugs In Hosting Controller
Critical: Extremely critical
Impact: Full system administrator access
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: No fix from the vendor; a temporary workaround is given in this report
Exploit: Available
Release Date: 2007 - December
Credit: www.BugReport.ir
RFP, to be credited for all the vulnerabilities reported
to Apple Inc. - all of which affect the most up-to-date
products available to the public - whether they are
internally known to Apple Inc or not.
2008/04/03 Apple Inc. replies: “Yes, that's our policy: all
reporters of non publicly known security bugs get
credit.”
2008/05/23 n.runs AG reports another vulnerability and requests a
status update for the previously reported
vulnerabilities
2008/05/29 Apple Inc. sends a status report and asks how n.runs
. 2008-03-18:
Vendor informs that it will track the first two issues as crasher-only
bugs but still intends to address them. Further details to determine whether
the null pointer dereference bugs are exploitable are requested. The
vendor will continue to track the third as a security bug and estimates
early April for the release of the software update that fixes them.
Additional timing information will be provided closer to the estimated date.
. 2008-03-18:
Core re-schedules the publication to April 7th and indicates that
Again, use of the term "permissions checks".
The ability to send signals to a process is subject to security
restrictions. Therefore, any bug which allows these restrictions to be
bypassed is a security bug.
Linux attempts to apply similar checks to PDEATHSIG, but this bug
allows them to be circumvented.
> > Sending asynchronous signals to setuid/setgid children is supposed to
Best regards,
RISE Security
Bug traq wrote:
> I bought a new beautiful ACER with Windows XP... the first thing I looked at is the Windows XP SP2 without upgrades... oh my fucking GOD... I can exploit it with Metasploit!!!!!!!!! I don't believe it... let's upgrade?? OK... no more exploitation
> :(
>
> You see ... is the same scenario :)
>
Vendor Response
---------------
The following timeline details Cisco's response to the reported issue:
2009-06-05 VSR submitted a security bug report to Cisco PSIRT
2009-06-06 Cisco confirmed receipt of bug report
2009-07-02 Cisco acknowledged the presence of the VSR-submitted
vulnerabilities
2009-08-04 Cisco confirmed release plans for end-of-line marker
parsing vulnerability
Vendor response: 8/18/08
Vendor reproduced the issue: 9/10/08
Vendor last contact: 9/30/08
Public Disclosure: 1/19/09
Oracle security bug id: 7391479
For more information contact Oracle Security Team: secalert_us@oracle.com
I really wanted to give a link to a patch, but I think it's better if
this is known by sysadmins so they can filter this using an IDS.
*Disclosure Timeline:*
Disclosed: 25 September 2008
Release Date: 27 September 2008
*Vendor Response:*
Google acknowledges this vulnerability as a security bug
and a "fix" will be released soon.
*Credit:*
Aditya K Sood