February 22, 2012

Mozilla Releases Another New Version of Firefox to Fix Yet Another Critical Vulnerability

(LiveHacking.Com) – Less than 7 days after the release of Firefox 10.0.1, Mozilla has now released a new version of Firefox (10.0.2) and Thunderbird (also 10.0.2) to fix a Critical libpng integer overflow vulnerability. The bug, which affects Firefox, Thunderbird and SeaMonkey, is an integer overflow in the libpng library that can lead to a heap-buffer overflow when decompressing certain PNG images. This leads to a crash, which may be potentially exploitable.

The presence of the bug first came to light when Google released Chrome 17.0.963.56 to fix the same integer overflow in libpng; Google's release notes stated that the bug allows remote attackers to cause a denial of service. According to the Chromium source code, the fix includes a check for both truncation (on 64-bit platforms) and integer overflow.
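An illustrative size check of the kind the article describes, covering both the arithmetic overflow and the 64-bit truncation case, added here as an example; it is not libpng's or Chromium's patch, and the function names and the use of PNG's 2^31-1 chunk-length limit as the bound for the 32-bit field are this example's assumptions.

```c
/* Illustrative size check for a decompressed PNG chunk.  Added example for
 * this article, not libpng's or Chromium's actual code.  Rejects a size that
 * wraps in size_t arithmetic or that would be truncated when stored in the
 * 32-bit length field used on 64-bit builds. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PNG_UINT_31_MAX 0x7fffffffU  /* largest chunk length PNG permits */

/* Compute prefix_len + expanded_len.  Returns 1 and stores the sum if it is
 * representable both in size_t and in the 32-bit field that will hold it;
 * returns 0 on overflow or truncation.  Both checks are needed: on a 32-bit
 * build the addition itself can wrap, while on a 64-bit build it will not
 * wrap but the result can silently lose its high bits in a uint32_t. */
int checked_chunk_size(size_t prefix_len, size_t expanded_len, uint32_t *out)
{
    if (expanded_len > SIZE_MAX - prefix_len)   /* size_t overflow */
        return 0;
    size_t total = prefix_len + expanded_len;
    if (total > PNG_UINT_31_MAX)                 /* 32-bit truncation / PNG limit */
        return 0;
    *out = (uint32_t)total;
    return 1;
}

/* Allocate a buffer for a decompressed chunk only after the size has been
 * validated.  An unchecked computation would produce a wrapped or truncated
 * length, allocate too little, and then write the real data past the end of
 * the undersized heap buffer: the heap overflow the article describes. */
unsigned char *alloc_chunk_buffer(size_t prefix_len, size_t expanded_len)
{
    uint32_t total;
    if (!checked_chunk_size(prefix_len, expanded_len, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    uint32_t n;
    printf("small: %d\n", checked_chunk_size(100, 4096, &n));        /* 1 */
    printf("trunc: %d\n", checked_chunk_size(1, 0xFFFFFFFFu, &n));   /* 0 */
    printf("wrap:  %d\n", checked_chunk_size(16, SIZE_MAX, &n));     /* 0 */
    return 0;
}
```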

Also fixed in 10.0.2 is a bug where Java applets sometimes caused text input to become unresponsive (bug 718939).

Google Release Chrome 17.0.963.56 to Fix Vulnerabilities and Update Flash

(LiveHacking.Com) – Google has updated Chrome to 17.0.963.56 for Windows, Mac and Linux. This release includes a number of stability and security fixes and also includes a new version of Flash. Google paid out nearly $7000 to the security researchers who contributed to fixing these security issues.

The full list of security related bugs fixed is:

  • [105803] High CVE-2011-3015: Integer overflows in PDF codecs. Credit to Google Chrome Security Team (scarybeasts).
  • [$500] [106336] Medium CVE-2011-3016: Read-after-free with counter nodes. Credit to miaubiz.
  • [$1000] [108695] High CVE-2011-3017: Possible use-after-free in database handling. Credit to miaubiz.
  • [$1000] [110172] High CVE-2011-3018: Heap overflow in path rendering. Credit to Aki Helin of OUSPG.
  • [110849] High CVE-2011-3019: Heap buffer overflow in MKV handling. Credit to Google Chrome Security Team (scarybeasts) and Mateusz Jurczyk of the Google Security Team.
  • [111575] Medium CVE-2011-3020: Native client validator error. Credit to Nick Bray of the Chromium development community.
  • [$1000] [111779] High CVE-2011-3021: Use-after-free in subframe loading. Credit to Arthur Gerkis.
  • [112236] Medium CVE-2011-3022: Inappropriate use of http for translation script. Credit to Google Chrome Security Team (Jorge Obes).
  • [$500] [112259] Medium CVE-2011-3023: Use-after-free with drag and drop. Credit to pa_kt.
  • [112451] Low CVE-2011-3024: Browser crash with empty x509 certificate. Credit to chrometot.
  • [$500] [112670] Medium CVE-2011-3025: Out-of-bounds read in h.264 parsing. Credit to Sławomir Błażek.
  • [$1337] [112822] High CVE-2011-3026: Integer overflow / truncation in libpng. Credit to Jüri Aedla.
  • [$1000] [112847] High CVE-2011-3027: Bad cast in column handling. Credit to miaubiz.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix. Full details about what changes are in this release are available in the SVN revision log.

Adobe recently released a new version of Flash for Windows, OS X, Linux and Android, and this new version of Chrome incorporates it. The update addresses critical vulnerabilities in Adobe Flash Player that could cause a crash and potentially allow an attacker to take control of the affected system.

This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user’s behalf on any website or webmail provider if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. However, it is only being exploited in Internet Explorer on Windows and not in Chrome. More information on the Flash update is available from Adobe.

Microsoft Addresses Twenty One Vulnerabilities in Windows, IE and .NET

(LiveHacking.Com) – Microsoft has released fixes to address multiple vulnerabilities as part of its February Patch Tuesday. The fixes affect Microsoft Windows, Internet Explorer, the .NET Framework, Silverlight, Office, and Windows Server Software. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

Twenty-one vulnerabilities were addressed. Microsoft recommends that customers focus on the first two critical updates:

  • MS12-010 (Internet Explorer): Cumulative Security Update for Internet Explorer. This bulletin addresses two Critical, one Important and one Moderate issues affecting all versions of Internet Explorer. The most severe of these could allow for remote code execution, if an attacker were to convince a user to visit a maliciously constructed Web page. All of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. We recommend that customers read through the bulletin information concerning MS12-010 and apply it as soon as possible.
  • MS12-013 (C Runtime Library): Vulnerabilities in C Run-Time Library Could Allow Remote Code Execution. This bulletin addresses an issue that could arise if a would-be attacker sent a malicious media file to a targeted user, or convinced the user to visit a Web page hosting such a file. The issue was cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. As with MS12-010, though, we recommend that customers read through the bulletin information and apply it as soon as possible.

The other critical bulletins include MS12-008, which addresses vulnerabilities that could allow remote code execution if a user visits a website containing specially crafted content or if a specially crafted application is run locally, and MS12-016, which fixes issues affecting the .NET Framework and Microsoft Silverlight that can be exploited to allow an attacker to remotely execute code.

Oracle Releases Critical Patch Update for Java

(LiveHacking.Com) – Oracle has released a collection of patches to address multiple security vulnerabilities in Java. The “Critical Patch Update” contains 14 security fixes for the following products:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 5 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

All of these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. Little else is known about the patches except that 5 of the 14 have a score of 10 out of 10 under the Common Vulnerability Scoring System (CVSS), the severity rating system used by Oracle.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the update fixes as soon as possible.

Mozilla Fixes Critical Vulnerability in Firefox and Thunderbird

(LiveHacking.Com) – Mozilla has released new versions of Firefox and Thunderbird to fix a “use after free” crash which is potentially exploitable. According to the security advisory, Mozilla developers Andrew McCreight and Olli Pettay found that the ReadPrototypeBindings code leaves an XBL binding in a hash table even when the function fails. If this occurs, a crash will follow when the cycle collector reads this hash table and attempts to call a virtual method on the binding. This crash may be potentially exploitable.

The Mozilla Foundation said Firefox 9 and earlier browser versions are not affected by this vulnerability.

Microsoft Preparing Nine Bulletins for February’s Patch Tuesday

(LiveHacking.Com) – Microsoft has released its advance notification of the security bulletins it will issue for February’s Patch Tuesday. There will be nine bulletins, addressing 21 vulnerabilities, with severity ratings of critical and important for Microsoft Windows, Internet Explorer, Microsoft Silverlight, Microsoft Server Software, Microsoft Office, and the Microsoft .NET Framework.

Seven of the nine bulletins cover remote code execution vulnerabilities while the other two cover elevation of privilege vulnerabilities. As is often the case with these bulletins, all supported versions of Windows are affected, including XP, Vista and Windows 7 as well as Windows Server 2003 and 2008. The exceptions are bulletin 2 (which only affects Vista onwards) and bulletin 7 (which only affects Windows Server 2003 and 2008).

The Internet Explorer remote code execution vulnerability is rated Critical and should be considered a mandatory update for all IE users. Affected versions include IE 6, IE 7, IE 8 and IE 9.

Patch Tuesday is scheduled for Tuesday, February 14, 2012.

Google Releases Chrome 17 with Security Fixes and New Malicious Downloads Protection

(LiveHacking.Com) – Google has released a new version of its Chrome web browser with twenty security fixes and new functionality intended to protect users from malicious downloads. Chrome 17.0.963.46 fixes one Critical security bug (a race condition after a crash of the utility process) and eight “High” rated vulnerabilities, with the remainder marked as “Medium” or “Low”. Google paid out a total of $11,500 to researchers for their efforts in finding vulnerabilities.

Fixes included in this release include:

  • [73478] Low CVE-2011-3953: Avoid clipboard monitoring after paste event. Credit to Daniel Cheng of the Chromium development community.
  • [92550] Low CVE-2011-3954: Crash with excessive database usage. Credit to Collin Payne.
  • [93106] High CVE-2011-3955: Crash aborting an IndexDB transaction. Credit to David Grogan of the Chromium development community.
  • [103630] Low CVE-2011-3956: Incorrect handling of sandboxed origins inside extensions. Credit to Devdatta Akhawe, UC Berkeley.
  • [$1000] [104056] High CVE-2011-3957: Use-after-free in PDF garbage collection. Credit to Aki Helin of OUSPG.
  • [$2000] [105459] High CVE-2011-3958: Bad casts with column spans. Credit to miaubiz.
  • [$1000] [106441] High CVE-2011-3959: Buffer overflow in locale handling. Credit to Aki Helin of OUSPG.
  • [$500] [108416] Medium CVE-2011-3960: Out-of-bounds read in audio decoding. Credit to Aki Helin of OUSPG.
  • [$1000] [108871] Critical CVE-2011-3961: Race condition after crash of utility process. Credit to Shawn Goertzen.
  • [$500] [108901] Medium CVE-2011-3962: Out-of-bounds read in path clipping. Credit to Aki Helin of OUSPG.
  • [109094] Medium CVE-2011-3963: Out-of-bounds read in PDF fax image handling. Credit to Atte Kettunen of OUSPG.
  • [109245] Low CVE-2011-3964: URL bar confusion after drag + drop. Credit to Code Audit Labs of VulnHunt.com.
  • [109664] Low CVE-2011-3965: Crash in signature check. Credit to Sławomir Błażek.
  • [$1000] [109716] High CVE-2011-3966: Use-after-free in stylesheet error handling. Credit to Aki Helin of OUSPG.
  • [109717] Low CVE-2011-3967: Crash with unusual certificate. Credit to Ben Carrillo.
  • [$1000] [109743] High CVE-2011-3968: Use-after-free in CSS handling. Credit to Arthur Gerkis.
  • [$1000] [110112] High CVE-2011-3969: Use-after-free in SVG layout. Credit to Arthur Gerkis.
  • [$500] [110277] Medium CVE-2011-3970: Out-of-bounds read in libxslt. Credit to Aki Helin of OUSPG.
  • [$1000] [110374] High CVE-2011-3971: Use-after-free with mousemove events. Credit to Arthur Gerkis.
  • [110559] Medium CVE-2011-3972: Out-of-bounds read in shader translator. Credit to Google Chrome Security Team (Inferno).

Chrome 17 also extends its use of Google’s Safe Browsing, a continuously updated list of known phishing and malware websites, to cover executable downloads. Chrome checks executable downloads against a list of known good files and publishers. If a file isn’t from a known source, Chrome sends the URL and IP address of the host and other metadata, such as the file’s hash and binary size, to Google. The file is automatically classified using machine learning analysis together with the reputation and trustworthiness of files previously seen from the same publisher and website. Google then sends the result back to Chrome, which warns you if you’re at risk.

Chrome 17 also contains a number of new features including:

  • New Extensions APIs
  • Updated Omnibox Prerendering

Chrome 17.0.963.46 is available for Windows, Mac and Linux. More details on the update are available on the Chrome Blog. Full details about what changes are in this release are available in the SVN revision log.

RealPlayer Updated to Address Security Vulnerabilities

(LiveHacking.Com) – RealNetworks has released new versions of RealPlayer to fix security-related vulnerabilities. The new version, RealPlayer 15.02.71, fixes all the known bugs; there are no known reports of any machines actually having been compromised as a result of the vulnerabilities.

Affected Windows versions are:

  • RealPlayer 11.0 – 11.1
  • RealPlayer SP 1.0 – 1.1.5
  • RealPlayer 14.0.0 – 14.0.7
  • RealPlayer 15.0.0 – 15.0.1.13

There is also one vulnerability which affects the Mac version of RealPlayer:

  • Mac RealPlayer 12.0.0.1701

All of the vulnerabilities could allow remote code execution:

  • rvrender RMFF Flags Remote Code Execution Vulnerability
  • RV20 Frame Size Array Remote Code Execution Vulnerability
  • VIDOBJ_START_CODE Remote Code Execution Vulnerability
  • RV40 Remote Code Execution Vulnerability
  • RV10 Encoded Height/Width Remote Code Execution Vulnerability
  • RealAudio coded_frame_size Remote Code Execution Vulnerability
  • Atrac Sample Decoding Remote Code Execution Vulnerability

Apple Releases Security Updates for OS X

(LiveHacking.Com) – Apple has released security updates for Apple OS X Lion 10.7 and Mac OS X Snow Leopard 10.6 to fix multiple vulnerabilities. These vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, and bypass security restrictions. The update is an amalgamation of recent security updates for several different components used by Apple (including Apache and PHP) along with fixes for Apple’s own code.

3rd Party

This release brings some of OS X’s third party components up to date including:

Apache: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. Apache disabled the ‘empty fragment’ countermeasure which prevented these attacks. This issue is addressed by providing a configuration parameter to control the countermeasure and enabling it by default.

PHP is updated to version 5.3.8 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. However, it is worth noting that PHP 5.3.10 has since been released to fix the hash table collisions problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python).

SquirrelMail is updated to version 1.4.22 to address several vulnerabilities, the most serious of which is a cross-site scripting issue. This issue does not affect OS X Lion systems.

Tomcat is updated to version 6.0.33 to address multiple vulnerabilities, the most serious of which may lead to the disclosure of sensitive information. Tomcat is only provided on Mac OS X Server systems.

X11: A memory corruption issue existed in FreeType’s handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.7.

The update also revokes the trust for root certificates issued by DigiCert Malaysia. Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. Back in November it was discovered that DigiCert Malaysia had issued certificates with weak keys that it was unable to revoke.

Apple

Apple components that are updated include:

Address Book: Address Book supports Secure Sockets Layer (SSL) for accessing CardDAV. A downgrade issue caused Address Book to attempt an unencrypted connection if an encrypted connection failed. An attacker in a privileged network position could abuse this behavior to intercept CardDAV data. This issue is addressed by not downgrading to an unencrypted connection without user approval.

CoreAudio: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of AAC encoded audio streams.

CoreMedia: A heap buffer overflow existed in CoreMedia’s handling of H.264 encoded movie files.

QuickTime has been updated to resolve several issues including:

  • Opening a maliciously crafted MP4 encoded file may lead to an unexpected application termination or arbitrary code execution. An uninitialized memory access issue existed in the handling of MP4 encoded files.
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. A signedness issue existed in the handling of font tables embedded in QuickTime movie files.
  • Viewing a maliciously crafted JPEG2000 image file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of JPEG2000 files.
  • Processing a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of PNG files.

Time Machine: The user may designate a remote AFP volume or Time Capsule to be used for Time Machine backups. Time Machine did not verify that the same device was being used for subsequent backup operations. An attacker who is able to spoof the remote volume could gain access to new backups created by the user’s system. This issue is addressed by verifying the unique identifier associated with a disk for backup operations.

PHP 5.3.10 Fixes Critical Security Vulnerability

(LiveHacking.Com) – The PHP development team has released PHP 5.3.10 to fix a recently discovered remote code execution vulnerability. The vulnerability is a result of the fix, added in 5.3.9, for the hash table collision CPU usage denial of service. That fix limited the maximum possible number of input parameters to 1000, but because of a bug in its implementation a remote attacker could send a large number of specially crafted POST requests which could crash PHP or allow arbitrary code execution.

PHP 5.3.9 was released just over two weeks ago with over 90 bug fixes, some of which were security related. Among them was a fix for the hash table collisions problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python). At the end of last year, Alexander Klink and Julian Wälde revealed that many programming languages use hash tables while parsing POST forms to make the parameters easily accessible to application developers. When an attacker chooses parameter names that all hash to the same bucket, the cost of inserting n elements into the table grows to O(n²), making it possible to exhaust hours of CPU time using a single HTTP request. So it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition. PHP 5.3.10 fixes the fix for the fix!
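The input-count cap described above, as an added example written for this article rather than PHP's own implementation: a form-body parser that enforces a 1000-variable limit (the number quoted for 5.3.9) before each insertion, so the work an attacker can force is bounded and an over-limit request is rejected as a whole. The function and exception names are this example's own.

```python
"""Bounded form-body parser: caps the number of input variables, as PHP 5.3.9's
1000-parameter limit does, and refuses the whole request at the cap.
Illustrative code added for this article, not PHP's implementation."""
from urllib.parse import unquote_plus

MAX_INPUT_VARS = 1000  # the limit the article quotes for PHP 5.3.9


class TooManyInputVars(ValueError):
    """Raised when a body carries more variables than the configured cap."""


def parse_form_body(body: str, max_vars: int = MAX_INPUT_VARS) -> dict:
    """Parse an application/x-www-form-urlencoded body into a dict.

    The count check runs before each key is decoded and inserted, so the
    hash-table work an attacker can force is bounded by max_vars, and the
    request is rejected outright rather than silently truncated.
    """
    result = {}
    count = 0
    for pair in body.split("&"):
        if pair == "":
            continue  # tolerate "a=1&&b=2" and an empty body
        count += 1
        if count > max_vars:
            raise TooManyInputVars(
                f"more than {max_vars} input variables in request body")
        key, _sep, value = pair.partition("=")
        result[unquote_plus(key)] = unquote_plus(value)
    return result


def build_body(n: int) -> str:
    """Constructed sample input: a body with n distinct variables v0..v(n-1)."""
    return "&".join(f"v{i}={i}" for i in range(n))


if __name__ == "__main__":
    print(len(parse_form_body(build_body(1000))))  # exactly at the cap: accepted
    try:
        parse_form_body(build_body(1001))
    except TooManyInputVars as exc:
        print("rejected:", exc)
```

Python's standard library later gained an equivalent guard, the max_num_fields argument of urllib.parse.parse_qs, for the same class of problem.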

The new version of PHP can be downloaded here, and it is recommended that all users upgrade to the new version. The different Linux distributions have started to update their repositories: