VARIoT IoT vulnerabilities database
VAR-201107-0101 | CVE-2011-0215 | Windows Run on Apple Safari of ImageIO Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
ImageIO in Apple Safari before 5.0.6 on Windows does not properly address re-entrancy issues, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file. WebKit is prone to a memory-corruption vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user to visit a malicious webpage.
Successful exploits will allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 48808 (Apple Safari Prior to 5.1 and 5.0.6 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6
Safari 5.1 and Safari 5.0.6 are now available and address the
following:
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: In certain situations, Safari may treat a file as HTML,
even if it is served with the 'text/plain' content type. This may
lead to a cross-site scripting attack on sites that allow untrusted
users to post text files. This issue is addressed through improved
handling of 'text/plain' content.
CVE-ID
CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability
Research (MSVR), Neal Poole of Matasano Security
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Authenticating to a maliciously crafted website may lead to
arbitrary code execution
Description: The NTLM authentication protocol is susceptible to a
replay attack referred to as credential reflection. Authenticating to
a maliciously crafted website may lead to arbitrary code execution.
To mitigate this issue, Safari has been updated to utilize protection
mechanisms recently added to Windows. This issue does not affect Mac
OS X systems.
CVE-ID
CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: A root certificate that is disabled may still be trusted
Description: CFNetwork did not properly validate that a certificate
was trusted for use by a SSL server. As a result, if the user had
marked a system root certificate as not trusted, Safari would still
accept certificates signed by that root. This issue is addressed
through improved certificate validation. This issue does not affect
Mac OS X systems.
CVE-ID
CVE-2011-0214 : An anonymous reporter
ColorSync
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution. For Mac OS X v10.5 systems, this issue
is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreFoundation
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use the CoreFoundation framework may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An off-by-one buffer overflow issue existed in the
handling of CFStrings. For Mac OS X v10.6 systems, this issue
is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0201 : Harry Sintonen
CoreGraphics
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in the handling of
Type 1 fonts. Viewing or downloading a document containing a
maliciously crafted embedded font may lead to arbitrary code
execution. For Mac OS X v10.6 systems, this issue is addressed in Mac
OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in
Security Update 2011-004.
CVE-ID
CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert
of the Google Security Team
International Components for Unicode
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's handling of
uppercase strings. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A reentrancy issue existed in ImageIO's handling of
TIFF images. This
issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
libxslt
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of addresses on the heap
Description: libxslt's implementation of the generate-id() XPath
function disclosed the address of a heap buffer. Visiting a
maliciously crafted website may lead to the disclosure of addresses
on the heap. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac
OS X v10.5 systems, this issue is addressed in Security Update
2011-004.
CVE-ID
CVE-2011-0195 : Chris Evans of the Google Chrome Security Team
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Safari
Available for: Mac OS X v10.6.8 or later,
Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: If the "AutoFill web forms" feature is enabled, visiting a
maliciously crafted website and typing may lead to the disclosure of
information from the user's Address Book
Description: Safari's "AutoFill web forms" feature filled in non-
visible form fields, and the information was accessible by scripts on
the site before the user submitted the form. This issue is addressed
by displaying all fields that will be filled, and requiring the
user's consent before AutoFill information is available to the form.
CVE-ID
CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah
Grossman]
Safari
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: With a certain Java configuration, visiting a malicious
website may lead to unexpected text being displayed on other sites
Description: A cross origin issue existed in the handling of Java
Applets. This applies when Java is enabled in Safari, and Java is
configured to run within the browser process. Fonts loaded by a Java
applet could affect the display of text content from other sites.
This issue is addressed by running Java applets in a separate
process.
CVE-ID
CVE-2011-0219 : Joshua Smith of Kaon Interactive
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability
Research (MSVR), wushi of team509, and Yong Li of Research In Motion
Ltd
CVE-2011-0164 : Apple
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with
iDefense VCP
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative, wushi of team509 working with iDefense VCP
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0237 : wushi of team509 working with iDefense VCP
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0240 : wushi of team509 working with iDefense VCP
CVE-2011-0253 : Richard Keen
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with
iDefense VCP
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: A cross-origin issue existed in the handling of Web
Workers. Visiting a maliciously crafted website may lead to an
information disclosure.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username. Visiting a maliciously crafted website may
lead to a cross-site scripting attack. This issue is addressed
through improved handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of DOM
nodes. Visiting a maliciously crafted website may lead to a cross-
site scripting attack.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object. A maliciously crafted website may have been able to
cause a different URL to be shown in the address bar.
CVE-ID
CVE-2011-1107 : Jordi Chancel
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Subscribing to a maliciously crafted RSS feed and clicking
on a link within it may lead to an information disclosure
Description: A canonicalization issue existed in the handling of
URLs. Subscribing to a maliciously crafted RSS feed and clicking on a
link within it may lead to arbitrary files being sent from the user's
system to a remote server. This update addresses the issue through
improved handling of URLs.
CVE-ID
CVE-2011-0244 : Jason Hullinger
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Applications that use WebKit, such as mail clients, may
connect to an arbitrary DNS server upon processing HTML content
Description: DNS prefetching was enabled by default in WebKit.
Applications that use WebKit, such a s mail clients, may connect to
an arbitrary DNS server upon processing HTML content. This update
addresses the issue by requiring applications to opt in to DNS
prefetching.
CVE-ID
CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd.
Note: Safari 5.1 is included with OS X Lion.
Safari 5.1 and Safari 5.0.6 address the same set of security
issues. Safari 5.1 is provided for Mac OS X v10.6,
and Windows systems. Safari 5.0.6 is provided for
Mac OS X v10.5 systems.
Safari 5.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari 5.0.6 is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Safari for Mac OS X v10.6.8 and later
The download file is named: Safari5.1SnowLeopard.dmg
Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24
Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.6Leopard.dmg
Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw
up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD
MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY
nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb
vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/
KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ=
=fOfF
-----END PGP SIGNATURE-----
. iDefense Security Advisory 07.20.11
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 20, 2011
I. BACKGROUND
WebKit is an open source web browser engine. It is currently used by
Apple Inc.'s Safari browser, as well as by Google's Chrome browser. For
more information, see the vendor's site at the following link.
http://webkit.org/
II. <BR>
<BR> The vulnerability occurs during the processing of a malformed TIFF
image. Specifically, it is possible to trigger a use-after-free
vulnerability when Safari fails to properly release an object. The
object's memory is freed; however, a reference to the object remains.
When the reference is later used to access the object, this now invalid
memory is treated as a valid object and the object's vtable is used to
make an indirect function call.
III. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted sites.
After the user visits the malicious Web page, no further user
interaction is needed.
IV. DETECTION
Safari versions prior to 5.1 and 5.0.6 are vulnerable.
V. WORKAROUND
iDefense is currently unaware of effective workarounds for this
vulnerability, as it is not possible to disable TIFF support; however,
disabling JavaScript will make it more difficult to exploit the
vulnerability.
VI. VENDOR RESPONSE
Apple Inc. For more
information, consult their advisory at the following URL:
http://support.apple.com/kb/HT4808
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-0215 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/02/2011 Initial Vendor Notification
02/02/2011 Initial Vendor Reply
07/20/2011 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Juan Pablo Lopez
Yacubian.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45325
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45325/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
RELEASE DATE:
2011-07-22
DISCUSS ADVISORY:
http://secunia.com/advisories/45325/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45325/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
Safari, which can be exploited by malicious people to disclose
sensitive information, manipulate certain data, conduct cross-site
scripting and spoofing attacks, bypass certain security restrictions,
and compromise a user's system.
1) An error within CFNetwork when handling the "text/plain" content
type can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
3) An error exists within CFNetwork when handling SSL certificates,
which does not properly verify disabled root certificates.
4) An integer overflow error exists within the ColorSync component.
For more information see vulnerability #5 in:
SA45054
5) An off-by-one error exists within the CoreFoundation framework.
For more information see vulnerability #6 in:
SA45054
6) An integer overflow error exists in CoreGraphics.
For more information see vulnerability #7 in:
SA45054
7) An error exists within ICU (International Components for
Unicode).
For more information see vulnerability #11 in:
SA45054
8) An error exists in ImageIO within the handling of TIFF files when
handling certain uppercase strings.
For more information see vulnerability #9 in:
SA45054
9) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
10) A use-after-free error within WebKit when handling TIFF images
can result in an invalid pointer being dereferenced when a user views
a specially crafted web page.
11) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
12) An off-by-one error within libxml when handling certain XML data
can be exploited to cause a heap-based buffer overflow.
13) An error in the "AutoFill web forms" feature can be exploited to
disclose certain information from the user's Address Book by tricking
a user into visiting a specially crafted web page.
15) Multiple unspecified errors in the WebKit component can be
exploited to corrupt memory.
16) An error within WebKit when handling libxslt configurations can
be exploited to create arbitrary files.
18) A cross-origin error when handling certain URLs containing a
username can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of an affected site.
19) A cross-origin error when handling DOM nodes can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.
20) An error within the handling of DOM history objects can be
exploited to display arbitrary content while showing the URL of a
trusted web site in the address bar.
22) A weakness in WebKit can lead to remote DNS prefetching
For more information see vulnerability #6 in:
SA42312
23) A use-after-free error within WebKit when processing MathML
markup tags can result in an invalid pointer being dereferenced when
a user views a specially crafted web page.
24) An error within WebKit when parsing a frameset element can be
exploited to cause a heap-based buffer overflow.
25) A use-after-free error within WebKit when handling XHTML tags can
result in an invalid tag pointer being dereferenced when a user views
a specially crafted web page.
26) A use-after-free error within WebKit when handling SVG tags can
result in an invalid pointer being dereferenced when a user views a
specially crafted web page.
SOLUTION:
Update to version 5.1 or 5.0.6.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201107-0100 | CVE-2011-0223 | Apple Safari Used in WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. WebKit is prone to a heap-based memory-corruption vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user to visit a malicious webpage.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
NOTE: This issue was previously discussed in BID 48808 (Apple Safari Prior to 5.1 and 5.0.6 Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6
Safari 5.1 and Safari 5.0.6 are now available and address the
following:
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: In certain situations, Safari may treat a file as HTML,
even if it is served with the 'text/plain' content type. This may
lead to a cross-site scripting attack on sites that allow untrusted
users to post text files. This issue is addressed through improved
handling of 'text/plain' content.
CVE-ID
CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability
Research (MSVR), Neal Poole of Matasano Security
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: Authenticating to a maliciously crafted website may lead to
arbitrary code execution
Description: The NTLM authentication protocol is susceptible to a
replay attack referred to as credential reflection. Authenticating to
a maliciously crafted website may lead to arbitrary code execution.
To mitigate this issue, Safari has been updated to utilize protection
mechanisms recently added to Windows. This issue does not affect Mac
OS X systems.
CVE-ID
CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research
CFNetwork
Available for: Windows 7, Vista, XP SP2 or later
Impact: A root certificate that is disabled may still be trusted
Description: CFNetwork did not properly validate that a certificate
was trusted for use by a SSL server. As a result, if the user had
marked a system root certificate as not trusted, Safari would still
accept certificates signed by that root. This issue is addressed
through improved certificate validation. This issue does not affect
Mac OS X systems.
CVE-ID
CVE-2011-0214 : An anonymous reporter
ColorSync
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution. For Mac OS X v10.5 systems, this issue
is addressed in Security Update 2011-004.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreFoundation
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use the CoreFoundation framework may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An off-by-one buffer overflow issue existed in the
handling of CFStrings. For Mac OS X v10.6 systems, this issue
is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0201 : Harry Sintonen
CoreGraphics
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in the handling of
Type 1 fonts. Viewing or downloading a document containing a
maliciously crafted embedded font may lead to arbitrary code
execution. For Mac OS X v10.6 systems, this issue is addressed in Mac
OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in
Security Update 2011-004.
CVE-ID
CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert
of the Google Security Team
International Components for Unicode
Available for: Windows 7, Vista, XP SP2 or later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's handling of
uppercase strings. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF
image may lead to an unexpected application termination or arbitrary
code execution.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A reentrancy issue existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. This
issue does not affect Mac OS X systems.
CVE-ID
CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP
ImageIO
Available for: Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
TIFF images. Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004.
CVE-ID
CVE-2011-0204 : Dominic Chell of NGS Secure
libxslt
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of addresses on the heap
Description: libxslt's implementation of the generate-id() XPath
function disclosed the address of a heap buffer. Visiting a
maliciously crafted website may lead to the disclosure of addresses
on the heap. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac
OS X v10.5 systems, this issue is addressed in Security Update
2011-004.
CVE-ID
CVE-2011-0195 : Chris Evans of the Google Chrome Security Team
libxml
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data. Visiting a maliciously crafted website may lead
to an unexpected application termination or arbitrary code execution.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Safari
Available for: Mac OS X v10.6.8 or later,
Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later
Impact: If the "AutoFill web forms" feature is enabled, visiting a
maliciously crafted website and typing may lead to the disclosure of
information from the user's Address Book
Description: Safari's "AutoFill web forms" feature filled in non-
visible form fields, and the information was accessible by scripts on
the site before the user submitted the form. This issue is addressed
by displaying all fields that will be filled, and requiring the
user's consent before AutoFill information is available to the form.
CVE-ID
CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah
Grossman]
Safari
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: With a certain Java configuration, visiting a malicious
website may lead to unexpected text being displayed on other sites
Description: A cross origin issue existed in the handling of Java
Applets. This applies when Java is enabled in Safari, and Java is
configured to run within the browser process. Fonts loaded by a Java
applet could affect the display of text content from other sites.
This issue is addressed by running Java applets in a separate
process.
CVE-ID
CVE-2011-0219 : Joshua Smith of Kaon Interactive
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution.
CVE-ID
CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability
Research (MSVR), wushi of team509, and Yong Li of Research In Motion
Ltd
CVE-2011-0164 : Apple
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with
iDefense VCP
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative, wushi of team509 working with iDefense VCP
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0237 : wushi of team509 working with iDefense VCP
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0240 : wushi of team509 working with iDefense VCP
CVE-2011-0253 : Richard Keen
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with
iDefense VCP
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: A cross-origin issue existed in the handling of Web
Workers. Visiting a maliciously crafted website may lead to an
information disclosure.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username. Visiting a maliciously crafted website may
lead to a cross-site scripting attack. This issue is addressed
through improved handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of DOM
nodes. Visiting a maliciously crafted website may lead to a cross-
site scripting attack.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object. A maliciously crafted website may have been able to
cause a different URL to be shown in the address bar.
CVE-ID
CVE-2011-1107 : Jordi Chancel
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Subscribing to a maliciously crafted RSS feed and clicking
on a link within it may lead to an information disclosure
Description: A canonicalization issue existed in the handling of
URLs. Subscribing to a maliciously crafted RSS feed and clicking on a
link within it may lead to arbitrary files being sent from the user's
system to a remote server. This update addresses the issue through
improved handling of URLs.
CVE-ID
CVE-2011-0244 : Jason Hullinger
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Applications that use WebKit, such as mail clients, may
connect to an arbitrary DNS server upon processing HTML content
Description: DNS prefetching was enabled by default in WebKit.
Applications that use WebKit, such a s mail clients, may connect to
an arbitrary DNS server upon processing HTML content. This update
addresses the issue by requiring applications to opt in to DNS
prefetching.
CVE-ID
CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd.
Note: Safari 5.1 is included with OS X Lion.
Safari 5.1 and Safari 5.0.6 address the same set of security
issues. Safari 5.1 is provided for Mac OS X v10.6,
and Windows systems. Safari 5.0.6 is provided for
Mac OS X v10.5 systems.
Safari 5.1 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/
Safari 5.0.6 is available via the Apple Software Update
application, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Safari for Mac OS X v10.6.8 and later
The download file is named: Safari5.1SnowLeopard.dmg
Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24
Safari for Mac OS X v10.5.8
The download file is named: Safari5.0.6Leopard.dmg
Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f
Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36
Safari for Windows 7, Vista or XP from the Microsoft Choice Screen
The download file is named: Safari_Setup.exe
Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b
Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw
up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD
MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY
nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb
vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/
KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ=
=fOfF
-----END PGP SIGNATURE-----
. iDefense Security Advisory 07.20.11
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 20, 2011
I. BACKGROUND
WebKit is an open source web browser engine. It is currently used by
Apple Inc.'s Safari browser, as well as by Google's Chrome browser. For
more information, see the vendor's site at the following link.
http://webkit.org/
II.
The vulnerability occurs when parsing a frameset element with a
malicious style attribute. Specifically, by setting the padding property
to certain values it is possible to trigger a heap based memory
corruption vulnerability.
III. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted sites.
After the user visits the malicious web page, no further user
interaction is needed.
IV. DETECTION
Safari versions prior to 5.1 and 5.0.6 are vulnerable.
V. WORKAROUND
iDefense is currently unaware of an effective workaround for this
vulnerability as it occurs in the core parsing code. However, disabling
scripting will make the vulnerability more difficult to exploit using
known techniques.
VI. VENDOR RESPONSE
Apple Inc. For more
information, consult their advisory at the following URL:
http://support.apple.com/kb/HT4808
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-0223 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/25/2011 Initial Vendor Notification
02/25/2011 Initial Vendor Reply
07/20/2011 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Jose A. Vazquez of
{http://spa-s3c.blogspot.com}.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45325
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45325/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
RELEASE DATE:
2011-07-22
DISCUSS ADVISORY:
http://secunia.com/advisories/45325/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45325/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
Safari, which can be exploited by malicious people to disclose
sensitive information, manipulate certain data, conduct cross-site
scripting and spoofing attacks, bypass certain security restrictions,
and compromise a user's system.
1) An error within CFNetwork when handling the "text/plain" content
type can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
3) An error exists within CFNetwork when handling SSL certificates,
which does not properly verify disabled root certificates.
4) An integer overflow error exists within the ColorSync component.
For more information see vulnerability #5 in:
SA45054
5) An off-by-one error exists within the CoreFoundation framework.
For more information see vulnerability #6 in:
SA45054
6) An integer overflow error exists in CoreGraphics.
For more information see vulnerability #7 in:
SA45054
7) An error exists within ICU (International Components for
Unicode).
For more information see vulnerability #11 in:
SA45054
8) An error exists in ImageIO within the handling of TIFF files when
handling certain uppercase strings.
For more information see vulnerability #9 in:
SA45054
9) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
10) A use-after-free error within WebKit when handling TIFF images
can result in an invalid pointer being dereferenced when a user views
a specially crafted web page.
11) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
12) An off-by-one error within libxml when handling certain XML data
can be exploited to cause a heap-based buffer overflow.
13) An error in the "AutoFill web forms" feature can be exploited to
disclose certain information from the user's Address Book by tricking
a user into visiting a specially crafted web page.
15) Multiple unspecified errors in the WebKit component can be
exploited to corrupt memory.
16) An error within WebKit when handling libxslt configurations can
be exploited to create arbitrary files.
18) A cross-origin error when handling certain URLs containing a
username can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of an affected site.
19) A cross-origin error when handling DOM nodes can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.
20) An error within the handling of DOM history objects can be
exploited to display arbitrary content while showing the URL of a
trusted web site in the address bar.
22) A weakness in WebKit can lead to remote DNS prefetching
For more information see vulnerability #6 in:
SA42312
23) A use-after-free error within WebKit when processing MathML
markup tags can result in an invalid pointer being dereferenced when
a user views a specially crafted web page.
25) A use-after-free error within WebKit when handling XHTML tags can
result in an invalid tag pointer being dereferenced when a user views
a specially crafted web page.
26) A use-after-free error within WebKit when handling SVG tags can
result in an invalid pointer being dereferenced when a user views a
specially crafted web page.
SOLUTION:
Update to version 5.1 or 5.0.6.
PROVIDED AND/OR DISCOVERED BY:
10) Juan Pablo Lopez Yacubian via iDefense
4) binaryproof via ZDI
8) Dominic Chell, NGS Secure
23, 25, 26) wushi, team509 via iDefense
24) Jose A.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201106-0117 | CVE-2011-2094 | Adobe Reader and Acrobat Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x before 10.1 on Windows and Mac OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2095 and CVE-2011-2097. Adobe Reader and Acrobat Contains a buffer overflow vulnerability. This vulnerability CVE-2011-2095 and CVE-2011-2097 Is a different vulnerability.An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the application explicitly trusting a string's length embedded within a particular file loaded by the 3difr.x3d component. The application will duplicate an arbitrarily sized string into a statically sized buffer located on the stack. This can lead to code execution under the context of the application. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-16.html
-- Disclosure Timeline:
2010-11-29 - Vulnerability reported to vendor
2011-06-14 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Adobe has released Security Bulletin APSB11-17, which describes
multiple vulnerabilities affecting Adobe Shockwave Player.
Adobe has released Security Bulletin APSB11-18, which describes
multiple vulnerabilities affecting Adobe Flash Player.
I.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in, which can automatically open PDF documents hosted on a
website, is available for multiple web browsers and operating
systems.
Adobe Security Bulletin APSB11-17 describes a number of
vulnerabilities affecting Adobe Shockwave Player. These
vulnerabilities affect Shockwave Player 11.5.9.620 and earlier
versions.
An attacker could exploit this vulnerability by convincing a user
to open specially crafted Shockwave content. Shockwave content is
commonly hosted on a web page, but it can also be embedded in PDF
and other documents or provided as a stand-alone file.
Adobe Security Bulletin APSB11-18 describes a number of
vulnerabilities affecting Adobe Flash Player. These vulnerabilities
affect Flash Player 10.3.181.23 and earlier versions for Windows,
Macintosh, Linux and Solaris operating systems. These
vulnerabilities also affect Flash Player 10.3.185.23 and earlier
versions for Android.
An attacker could exploit this vulnerability by convincing a user
to open specially crafted Flash content. Flash content is commonly
hosted on a web page, but it can also be embedded in PDF and other
documents or provided as a stand-alone file.
II. Impact
These vulnerabilities could allow a remote attacker to execute
arbitrary code, write arbitrary files or folders to the file
system, escalate local privileges, or cause a denial of service on
an affected system as the result of a user opening a malicious PDF
file.
III. Solution
Update Reader
Adobe has released updates to address this issue.
Update Adobe Shockwave Player
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB11-17 and update
vulnerable versions of Adobe Shockwave Player.
Update Adobe Flash Player
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB11-18 and update
vulnerable versions of Adobe Adobe Flash Player.
Disable Flash in your web browser
Uninstall Flash or restrict which sites are allowed to run Flash.
To the extent possible, only run trusted Flash content on trusted
domains. For more information, see Securing Your Web Browser.
Disable Flash in Adobe Reader and Acrobat
Disabling Flash in Adobe Reader will mitigate attacks that rely on
Flash content embedded in a PDF file. Disabling 3D & Multimedia
support does not directly address the vulnerability, but it does
provide additional mitigation and results in a more user-friendly
error message instead of a crash. To disable Flash and 3D &
Multimedia support in Adobe Reader 9, delete, rename, or remove
access to these files:
Microsoft Windows
"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
Apple Mac OS X
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
GNU/Linux (locations may vary among distributions)
"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
File locations may be different for Adobe Acrobat or other Adobe
products that include Flash and 3D & Multimedia support. Disabling
these plugins will reduce functionality and will not protect
against Flash content hosted on websites. Depending on the update
schedule for products other than Flash Player, consider leaving
Flash and 3D & Multimedia support disabled unless they are
absolutely required. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable
Acrobat JavaScript).
Adobe provides a framework to blacklist specific JavaScipt APIs. If
JavaScript must be enabled, this feature may be useful when
specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF files in the web browser
Preventing PDF files from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied, it may also mitigate future vulnerabilities.
To prevent PDF files from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those
hosted on websites or delivered as email attachments. Please see
Cyber Security Tip ST04-010.
IV. References
* Security update available for Adobe Reader and Acrobat -
<http://www.adobe.com/support/security/bulletins/apsb11-16.html>
* Adobe Reader and Acrobat JavaScript Blacklist Framework -
<http://kb2.adobe.com/cps/504/cpsid_50431.html>
* Security update available for Adobe Flash Player -
<http://www.adobe.com/support/security/bulletins/apsb11-18.html>
* Security update available for Adobe Shockwave Player -
<http://www.adobe.com/support/security/bulletins/apsb11-17.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA11-166A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA11-166A Feedback" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
June 15, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTfjkdz6pPKYJORa3AQL96Af/bfXjpbygssCruFOpIPCRkp2YprLJLjjc
D+ydEKvBTLYUqm5QgUD99bKwcUjQvwbZRuQDM2hhb49+TeTQPWR3gKvSqasviAC9
wu73HEw6I5ystOW/v0m+IglgbQH6qBr1VdycxOQf3z63sWbt4XafBpbY3t4klcfj
Wc9ysRAY0RbInH5oyxJrOZz68OFUJj+ZsJw7wvnC3kgd3r6Q92nEM0cAiuNxmk0l
4g+HR0LuQRrgurAiX/zdAylByhOVmzBAqHhPk9pEdlf6XgEAhu/nSHrPa9jD+YKh
DtDSf9ETAnsqjY7zjP1RdgjcUU1HbzU1Egs3LOy33zfHEzKZZJe2QA==
=p3nZ
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43269
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43269/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43269
RELEASE DATE:
2011-06-16
DISCUSS ADVISORY:
http://secunia.com/advisories/43269/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43269/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43269
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious people to conduct
cross-site scripting attacks, disclose potentially sensitive
information, bypass certain security restrictions, and compromise a
user's system.
1) An error in 3difr.x3d due to the component trusting the provided
string length when processing certain files can be exploited to cause
a stack-based buffer overflow.
2) An error in tesselate.x3d due to the component trusting the
provided string length when processing certain files can be exploited
to cause a stack-based buffer overflow.
3) An unspecified error can be exploited to cause a heap-based buffer
overflow.
4) An integer overflow error in ACE.dll when parsing the "desc" ICC
chunk can be exploited to corrupt memory via a specially crafted PDF
file.
5) An unspecified error can be exploited to corrupt memory.
6) An unspecified error can be exploited to corrupt memory.
7) An error due to the application loading certain unspecified
libraries in an insecure manner can be exploited to load arbitrary
libraries by tricking a user into e.g. opening a file located on a
remote WebDAV or SMB share.
9) An unspecified error can be exploited to bypass certain security
restrictions.
10) An unspecified error can be exploited to corrupt memory.
11) An unspecified error can be exploited to corrupt memory.
12) An unspecified error can be exploited to corrupt memory.
13) An unspecified error can be exploited to corrupt memory.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1, 2) An anonymous person via ZDI.
4) Secunia Research.
The vendor also credits:
3, 6) Tarjei Mandt, Norman.
5) Rodrigo Rubira Branco.
7) Mila Parkour.
8) Billy Rios, Google Security Team.
9) Christian Navarrete, CubilFelino Security Research Lab.
10) Tavis Ormandy, Google Security Team.
11) Brett Gervasoni, Sense of Security.
12) Will Dormann, CERT/CC.
13) James Quirk, Los Alamos, New Mexico.
ORIGINAL ADVISORY:
Adobe (APSB11-16):
http://www.adobe.com/support/security/bulletins/apsb11-16.html
Secunia Research:
http://secunia.com/secunia_research/2011-41/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-218/
http://www.zerodayinitiative.com/advisories/ZDI-11-219/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201107-0023 | CVE-2011-0234 | Apple Safari Used in WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. When freeing the container holding the Frame element, the reference will still be available. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within how the application manages a reference to an anonymous block located near a particular element within the document. When cloning this element, the application will duplicate a reference to the block and then later re-attach this element to the rendering tree. During this process the library will free the original rendering element. Subsequent access to the same element will then cause the library to use the freed object. This can be utilized to achieve code execution under the context of the application. WebKit is prone to a memory corruption vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage.
Successful attacks may result in information disclosure, remote code execution, denial of service, or other consequences. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in 48808 (Apple Safari Prior to 5.1 and 5.0.6 Multiple Security Vulnerabilities) but has been given its own record to better document it. This may
lead to a cross-site scripting attack on sites that allow untrusted
users to post text files.
To mitigate this issue, Safari has been updated to utilize protection
mechanisms recently added to Windows. This issue does not affect Mac
OS X systems. This issue does not affect
Mac OS X systems. For Mac OS X v10.5 systems, this issue
is addressed in Security Update 2011-004. For Mac OS X v10.6 systems, this issue
is addressed in Mac OS X v10.6.8. For Mac OS X v10.6 systems, this issue is addressed in Mac
OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in
Security Update 2011-004. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004. This
issue does not affect Mac OS X systems. For
Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
For Mac OS X v10.5 systems, this issue is addressed in Security
Update 2011-004. This issue is addressed by generating an ID based on the
difference between the addresses of two heap buffers. For Mac OS X
v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac
OS X v10.5 systems, this issue is addressed in Security Update
2011-004. This issue is addressed
by displaying all fields that will be filled, and requiring the
user's consent before AutoFill information is available to the form.
CVE-ID
CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah
Grossman]
Safari
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: With a certain Java configuration, visiting a malicious
website may lead to unexpected text being displayed on other sites
Description: A cross origin issue existed in the handling of Java
Applets. This applies when Java is enabled in Safari, and Java is
configured to run within the browser process. Fonts loaded by a Java
applet could affect the display of text content from other sites. A maliciously crafted website may have been able to
cause a different URL to be shown in the address bar.
CVE-ID
CVE-2011-0244 : Jason Hullinger
WebKit
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later,
Windows 7, Vista, XP SP2 or later
Impact: Applications that use WebKit, such as mail clients, may
connect to an arbitrary DNS server upon processing HTML content
Description: DNS prefetching was enabled by default in WebKit.
Applications that use WebKit, such a s mail clients, may connect to
an arbitrary DNS server upon processing HTML content. This update
addresses the issue by requiring applications to opt in to DNS
prefetching.
CVE-ID
CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd.
Note: Safari 5.1 is included with OS X Lion.
Safari 5.1 and Safari 5.0.6 address the same set of security
issues. Safari 5.1 is provided for Mac OS X v10.6,
and Windows systems. Safari 5.0.6 is provided for
Mac OS X v10.5 systems. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45325
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45325/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
RELEASE DATE:
2011-07-22
DISCUSS ADVISORY:
http://secunia.com/advisories/45325/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45325/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
Safari, which can be exploited by malicious people to disclose
sensitive information, manipulate certain data, conduct cross-site
scripting and spoofing attacks, bypass certain security restrictions,
and compromise a user's system.
1) An error within CFNetwork when handling the "text/plain" content
type can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
3) An error exists within CFNetwork when handling SSL certificates,
which does not properly verify disabled root certificates.
4) An integer overflow error exists within the ColorSync component.
For more information see vulnerability #5 in:
SA45054
5) An off-by-one error exists within the CoreFoundation framework.
For more information see vulnerability #6 in:
SA45054
6) An integer overflow error exists in CoreGraphics.
For more information see vulnerability #7 in:
SA45054
7) An error exists within ICU (International Components for
Unicode).
For more information see vulnerability #11 in:
SA45054
8) An error exists in ImageIO within the handling of TIFF files when
handling certain uppercase strings.
For more information see vulnerability #9 in:
SA45054
9) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
10) A use-after-free error within WebKit when handling TIFF images
can result in an invalid pointer being dereferenced when a user views
a specially crafted web page.
11) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
12) An off-by-one error within libxml when handling certain XML data
can be exploited to cause a heap-based buffer overflow.
13) An error in the "AutoFill web forms" feature can be exploited to
disclose certain information from the user's Address Book by tricking
a user into visiting a specially crafted web page.
15) Multiple unspecified errors in the WebKit component can be
exploited to corrupt memory.
16) An error within WebKit when handling libxslt configurations can
be exploited to create arbitrary files.
18) A cross-origin error when handling certain URLs containing a
username can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of an affected site.
19) A cross-origin error when handling DOM nodes can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.
20) An error within the handling of DOM history objects can be
exploited to display arbitrary content while showing the URL of a
trusted web site in the address bar.
22) A weakness in WebKit can lead to remote DNS prefetching
For more information see vulnerability #6 in:
SA42312
23) A use-after-free error within WebKit when processing MathML
markup tags can result in an invalid pointer being dereferenced when
a user views a specially crafted web page.
24) An error within WebKit when parsing a frameset element can be
exploited to cause a heap-based buffer overflow.
25) A use-after-free error within WebKit when handling XHTML tags can
result in an invalid tag pointer being dereferenced when a user views
a specially crafted web page.
26) A use-after-free error within WebKit when handling SVG tags can
result in an invalid pointer being dereferenced when a user views a
specially crafted web page.
PROVIDED AND/OR DISCOVERED BY:
10) Juan Pablo Lopez Yacubian via iDefense
4) binaryproof via ZDI
8) Dominic Chell, NGS Secure
23, 25, 26) wushi, team509 via iDefense
24) Jose A.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. iDefense Security Advisory 07.20.11
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 20, 2011
I. BACKGROUND
Safari is Apple's web browser, and is based on the open source WebKit
browser engine. MobileSafari is Safari for Apple's mobile devices
including the iPad and iPhone. For more information, see the vendor's
site found at the following link.
http://www.apple.com/safari/
II.
Safari is Apple's Web browser and is based on the open source WebKit
browser engine.
This vulnerability occurs when Safari incorrectly handles an error state
when encountering a broken XHTML tag. Specifically, the tag enclosing
the tag being processed is freed and is then referenced after it has
already been freed.
III. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted sites.
IV. DETECTION
Safari versions prior to 5.1 and 5.0.6 are vulnerable.
V. WORKAROUND
Disabling JavaScript is an effective workaround for this vulnerability.
VI. VENDOR RESPONSE
Apple Inc. For more
information, consult their advisory at the following URL:
http://support.apple.com/kb/HT4808
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-0234 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
06/01/2011 Initial Vendor Notification
06/01/2011 Initial Vendor Reply
07/20/2011 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by wushi of team509.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-1 iOS 5 Software Update
iOS 5 Software Update is now available and addresses the following:
CalDAV
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information from a CalDAV
calendar server
Description: CalDAV did not check that the SSL certificate presented
by the server was trusted.
CVE-ID
CVE-2011-3253 : Leszek Tasiemski of nSense
Calendar
Available for: iOS 4.2.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 4.2.0 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 4.2.0 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted calendar invitation may inject
script in the local domain
Description: A script injection issue existed in Calendar's handling
of invitation notes. This issue is addressed through improved
escaping of special characters in invitation notes. This issues does
not affect devices prior to iOS 4.2.0.
CVE-ID
CVE-2011-3254 : Rick Deacon
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: User's AppleID password may be logged to a local file
Description: A user's AppleID password and username were logged to a
file that was readable by applications on the system. This is
resolved by no longer logging these credentials.
CVE-ID
CVE-2011-3255 : Peter Quade of qdevelop
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of HTTP
cookies. When accessing a maliciously crafted HTTP or HTTPS URL,
CFNetwork could incorrectly send the cookies for a domain to a server
outside that domain.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CoreFoundation
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in CoreFoundation's
handling of string tokenization.
CVE-ID
CVE-2011-0259 : Apple
CoreGraphics
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a document containing a maliciously crafted font may
lead to arbitrary code execution
Description: Multiple memory corruption existed in freetype, the
most serious of which may lead to arbitrary code execution when
processing a maliciously crafted font.
CVE-ID
CVE-2011-3256 : Apple
CoreMedia
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in CoreMedia's handling of
cross-site redirects. This issue is addressed through improved origin
tracking.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
Data Access
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An exchange mail cookie management issue could incorrectly
cause data synchronization across different accounts
Description: When multiple mail exchange accounts are configured
which connect to the same server, a session could potentially receive
a valid cookie corresponding to a different account. This issue is
addressed by ensuring that cookies are separated across different
accounts.
CVE-ID
CVE-2011-3257 : Bob Sielken of IBM
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Fraudulent certificates were issued by multiple
certificate authorities operated by DigiNotar. This issue is
addressed by removing DigiNotar from the list of trusted root
certificates, from the list of Extended Validation (EV) certificate
authorities, and by configuring default system trust settings so that
DigiNotar's certificates, including those issued by other
authorities, are not trusted.
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Support for X.509 certificates with MD5 hashes may expose
users to spoofing and information disclosure as attacks improve
Description: Certificates signed using the MD5 hash algorithm were
accepted by iOS. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker could decrypt part of a SSL connection
Description: Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password. This issue is
addressed by adding support for TLS 1.2.
CVE-ID
CVE-2011-3389
Home screen
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Switching between applications may lead to the disclosure of
sensitive application information
Description: When switching between applications with the four-
finger app switching gesture, the display could have revealed the
previous application state. This issue is addressed by ensuring that
the system properly calls the applicationWillResignActive: method
when transitioning between applications.
CVE-ID
CVE-2011-3431 : Abe White of Hedonic Software Inc.
ImageIO
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted TIFF image may result in an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libTIFF's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0192 : Apple
ImageIO
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF images.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
International Components for Unicode
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A buffer overflow issue existed in ICU's generation of
collation keys for long strings of mostly uppercase letters.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A remote attacker may cause a device reset
Description: The kernel failed to promptly reclaim memory from
incomplete TCP connections. An attacker with the ability to connect
to a listening service on an iOS device could exhaust system
resources.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A local user may be able to cause a system reset
Description: A null dereference issue existed in the handling of
IPV6 socket options.
CVE-ID
CVE-2011-1132 : Thomas Clement of Intego
Keyboards
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A user may be able to determine information about the last
character of a password
Description: The keyboard used to type the last character of a
password was briefly displayed the next time the keyboard was used.
CVE-ID
CVE-2011-3245 : Paul Mousdicas
libxml
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted Word file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in OfficeImport's handling of
Microsoft Word documents.
CVE-ID
CVE-2011-3260 : Tobias Klein working with Verisign iDefense Labs
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Viewing a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in OfficeImport's handling
of Excel files.
CVE-ID
CVE-2011-3261 : Tobias Klein of www.trapkit.de
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in OfficeImport's
handling of Microsoft Office files.
CVE-ID
CVE-2011-0208 : Tobias Klein working with iDefense VCP
OfficeImport
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Downloading a maliciously crafted Excel file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in OfficeImport's
handling of Excel files.
CVE-ID
CVE-2011-0184 : Tobias Klein working with iDefense VCP
Safari
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may
lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP
Content-Disposition header. This header is used by many websites to
serve files that were uploaded to the site by a third-party, such as
attachments in web-based e-mail applications. Any script in files
served with this header value would run as if the file had been
served inline, with full access to other resources on the origin
server. This issue is addressed by loading attachments in an isolated
security origin with no access to resources on other sites.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP,
Yoshinori Oota from Business Architects Inc working with JP/CERT
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with physical access to a device may be able to
recover the restrictions passcode
Description: The parental restrictions functionality enforces UI
restrictions. Configuring parental restrictions is protected by a
passcode, which was previously stored in plaintext on disk. This
issue is addressed by securely storing the parental restrictions
passcode in the system keychain.
CVE-ID
CVE-2011-3429 : an anonymous reporter
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Misleading UI
Description: Configurations and settings applied via configuration
profiles did not appear to function properly under any non-English
language. Settings could be improperly displayed as a result. This
issue is addressed by fixing a localization error.
CVE-ID
CVE-2011-3430 : Florian Kreitmaier of Siemens CERT
UIKit Alerts
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website may cause an unexpected device
hang
Description: An excessive maximum text layout length permitted
malicious websites to cause iOS to hang when drawing acceptance
dialogs for very long tel: URIs. This issue is addressed by using a
more reasonable maximum URI size.
CVE-ID
CVE-2011-3432 : Simon Young of Anglia Ruskin University
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous reporter working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3244 : vkouchna
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username. This issue is addressed through improved
handling of URLs with an embedded username.
CVE-ID
CVE-2011-0242 : Jobert Abma of Online24
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of DOM
nodes.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object.
CVE-ID
CVE-2011-1107 : Jordi Chancel
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A configuration issue existed in WebKit's use of
libxslt. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution. This issue is addressed through improved
libxslt security settings.
CVE-ID
CVE-2011-1774 : Nicolas Gregoire of Agarri
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website and dragging content in the
page may lead to an information disclosure
Description: A cross-origin issue existed in WebKit's handling of
HTML5 drag and drop. This issue is addressed by disallowing drag and
drop across different origins.
CVE-ID
CVE-2011-0166 : Michal Zalewski of Google Inc.
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to an
information disclosure
Description: A cross-origin issue existed in the handling of Web
Workers.
CVE-ID
CVE-2011-1190 : Daniel Divricean of divricean.ro
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
window.open method.
CVE-ID
CVE-2011-2805 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of
inactive DOM windows.
CVE-ID
CVE-2011-3243 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of the
document.documentURI property.
CVE-ID
CVE-2011-2819 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to track the URLs
that a user visits within a frame
Description: A cross-origin issue existed in the handling of the
beforeload event.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WiFi
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: WiFi credentials may be logged to a local file
Description: WiFi credentials including the passphrase and
encryption keys were logged to a file that was readable by
applications on the system. This is resolved by no longer logging
these credentials.
CVE-ID
CVE-2011-3434 : Laurent OUDOT of TEHTRI Security
Installation note:
This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"5 (9A334)".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOldmtAAoJEGnF2JsdZQee/qMIAIPxmIiOqj+FMLFHZtPeC/Dp
3s4JliKOOgNnjXkxErfaNvYGmeVbDaUER5jdVrWccTauzlYmy8G4uK0An2GD2YiP
gB5AiCQXpONdBCi38QNdRqrYoYjc8Sa0nUp4r5uWPoiHoj5KfxvBpgygEL+zjHXS
fmnrONOCWhOYp0w4q6mdTg5BH2uJCbXscD/JjbmgHQI0Vs/iUZKSRyqFo2b0Mvze
NiSyzcj/4l62Cxx7xM9VbdrYL7Al2yyHfNYJQsZmoeDUlJQcdgEgEMXvOuhY3sFK
maxYr2oCp6Mtf53fplAeJIV4ijLynEWAKxTuTznAyW1k7oiGrDTfORSFKPEB9MQ=
=LCQZ
-----END PGP SIGNATURE-----
VAR-201106-0031 | CVE-2011-2102 | Adobe Reader and Acrobat Vulnerable to access restrictions |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Adobe Reader and Acrobat before 10.1 on Windows and Mac OS X allows attackers to bypass intended access restrictions via unknown vectors.
An attacker can exploit this issue to bypass intended security restrictions; this may aid in other attacks.
Adobe Reader and Acrobat 10.x versions prior to 10.1 are affected.
Adobe has released Security Bulletin APSB11-17, which describes
multiple vulnerabilities affecting Adobe Shockwave Player.
Adobe has released Security Bulletin APSB11-18, which describes
multiple vulnerabilities affecting Adobe Flash Player.
I.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in, which can automatically open PDF documents hosted on a
website, is available for multiple web browsers and operating
systems.
Adobe Security Bulletin APSB11-17 describes a number of
vulnerabilities affecting Adobe Shockwave Player. These
vulnerabilities affect Shockwave Player 11.5.9.620 and earlier
versions.
An attacker could exploit this vulnerability by convincing a user
to open specially crafted Shockwave content. Shockwave content is
commonly hosted on a web page, but it can also be embedded in PDF
and other documents or provided as a stand-alone file.
Adobe Security Bulletin APSB11-18 describes a number of
vulnerabilities affecting Adobe Flash Player. These vulnerabilities
affect Flash Player 10.3.181.23 and earlier versions for Windows,
Macintosh, Linux and Solaris operating systems. These
vulnerabilities also affect Flash Player 10.3.185.23 and earlier
versions for Android.
An attacker could exploit this vulnerability by convincing a user
to open specially crafted Flash content. Flash content is commonly
hosted on a web page, but it can also be embedded in PDF and other
documents or provided as a stand-alone file.
II. Impact
These vulnerabilities could allow a remote attacker to execute
arbitrary code, write arbitrary files or folders to the file
system, escalate local privileges, or cause a denial of service on
an affected system as the result of a user opening a malicious PDF
file.
If a user opens specially crafted Shockwave content, a remote
attacker may be able to execute arbitrary code.
If a user opens specially crafted Flash content, a remote attacker
may be able to execute arbitrary code.
III. Solution
Update Reader
Adobe has released updates to address this issue.
Update Adobe Shockwave Player
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB11-17 and update
vulnerable versions of Adobe Shockwave Player.
Update Adobe Flash Player
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB11-18 and update
vulnerable versions of Adobe Adobe Flash Player.
Disable Flash in your web browser
Uninstall Flash or restrict which sites are allowed to run Flash.
To the extent possible, only run trusted Flash content on trusted
domains. For more information, see Securing Your Web Browser.
Disable Flash in Adobe Reader and Acrobat
Disabling Flash in Adobe Reader will mitigate attacks that rely on
Flash content embedded in a PDF file. Disabling 3D & Multimedia
support does not directly address the vulnerability, but it does
provide additional mitigation and results in a more user-friendly
error message instead of a crash. To disable Flash and 3D &
Multimedia support in Adobe Reader 9, delete, rename, or remove
access to these files:
Microsoft Windows
"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
Apple Mac OS X
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
GNU/Linux (locations may vary among distributions)
"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
File locations may be different for Adobe Acrobat or other Adobe
products that include Flash and 3D & Multimedia support. Disabling
these plugins will reduce functionality and will not protect
against Flash content hosted on websites. Depending on the update
schedule for products other than Flash Player, consider leaving
Flash and 3D & Multimedia support disabled unless they are
absolutely required.
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may prevent some exploits from resulting in
code execution. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable
Acrobat JavaScript).
Adobe provides a framework to blacklist specific JavaScipt APIs. If
JavaScript must be enabled, this feature may be useful when
specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF files in the web browser
Preventing PDF files from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied, it may also mitigate future vulnerabilities.
To prevent PDF files from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those
hosted on websites or delivered as email attachments. Please see
Cyber Security Tip ST04-010.
IV. References
* Security update available for Adobe Reader and Acrobat -
<http://www.adobe.com/support/security/bulletins/apsb11-16.html>
* Adobe Reader and Acrobat JavaScript Blacklist Framework -
<http://kb2.adobe.com/cps/504/cpsid_50431.html>
* Security update available for Adobe Flash Player -
<http://www.adobe.com/support/security/bulletins/apsb11-18.html>
* Security update available for Adobe Shockwave Player -
<http://www.adobe.com/support/security/bulletins/apsb11-17.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA11-166A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA11-166A Feedback" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
June 15, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTfjkdz6pPKYJORa3AQL96Af/bfXjpbygssCruFOpIPCRkp2YprLJLjjc
D+ydEKvBTLYUqm5QgUD99bKwcUjQvwbZRuQDM2hhb49+TeTQPWR3gKvSqasviAC9
wu73HEw6I5ystOW/v0m+IglgbQH6qBr1VdycxOQf3z63sWbt4XafBpbY3t4klcfj
Wc9ysRAY0RbInH5oyxJrOZz68OFUJj+ZsJw7wvnC3kgd3r6Q92nEM0cAiuNxmk0l
4g+HR0LuQRrgurAiX/zdAylByhOVmzBAqHhPk9pEdlf6XgEAhu/nSHrPa9jD+YKh
DtDSf9ETAnsqjY7zjP1RdgjcUU1HbzU1Egs3LOy33zfHEzKZZJe2QA==
=p3nZ
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43269
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43269/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43269
RELEASE DATE:
2011-06-16
DISCUSS ADVISORY:
http://secunia.com/advisories/43269/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43269/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43269
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious people to conduct
cross-site scripting attacks, disclose potentially sensitive
information, bypass certain security restrictions, and compromise a
user's system.
1) An error in 3difr.x3d due to the component trusting the provided
string length when processing certain files can be exploited to cause
a stack-based buffer overflow.
2) An error in tesselate.x3d due to the component trusting the
provided string length when processing certain files can be exploited
to cause a stack-based buffer overflow.
3) An unspecified error can be exploited to cause a heap-based buffer
overflow.
4) An integer overflow error in ACE.dll when parsing the "desc" ICC
chunk can be exploited to corrupt memory via a specially crafted PDF
file.
5) An unspecified error can be exploited to corrupt memory.
6) An unspecified error can be exploited to corrupt memory.
7) An error due to the application loading certain unspecified
libraries in an insecure manner can be exploited to load arbitrary
libraries by tricking a user into e.g. opening a file located on a
remote WebDAV or SMB share.
8) Certain unspecified input is not properly sanitised and can be
exploited to execute arbitrary script code.
10) An unspecified error can be exploited to corrupt memory.
11) An unspecified error can be exploited to corrupt memory.
12) An unspecified error can be exploited to corrupt memory.
13) An unspecified error can be exploited to corrupt memory.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1, 2) An anonymous person via ZDI.
4) Secunia Research.
The vendor also credits:
3, 6) Tarjei Mandt, Norman.
5) Rodrigo Rubira Branco.
7) Mila Parkour.
8) Billy Rios, Google Security Team.
9) Christian Navarrete, CubilFelino Security Research Lab.
10) Tavis Ormandy, Google Security Team.
11) Brett Gervasoni, Sense of Security.
12) Will Dormann, CERT/CC.
13) James Quirk, Los Alamos, New Mexico.
ORIGINAL ADVISORY:
Adobe (APSB11-16):
http://www.adobe.com/support/security/bulletins/apsb11-16.html
Secunia Research:
http://secunia.com/secunia_research/2011-41/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-218/
http://www.zerodayinitiative.com/advisories/ZDI-11-219/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201106-0030 | CVE-2011-2101 | Adobe Reader and Acrobat Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x before 10.1 on Windows and Mac OS X do not properly restrict script, which allows attackers to execute arbitrary code via a crafted document, related to a "cross document script execution vulnerability.". Adobe Reader and Acrobat are prone to an unspecified cross-domain scripting vulnerability.
Adobe Reader and Acrobat versions prior to 10.1 are affected.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA11-166A
Adobe Updates for Multiple Vulnerabilities
Original release date: June 15, 2011
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader X (10.0.1) and earlier 10.x versions for Windows
* Adobe Reader X (10.0.3) and earlier 10.x versions for Macintosh
* Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh
* Adobe Reader 8.2.6 and earlier 8.x versions for Windows and Macintosh
* Adobe Acrobat X (10.0.3) and earlier 10.x versions for Windows and Macintosh
* Adobe Acrobat 9.4.3 and earlier 9.x versions for Windows and Macintosh
* Adobe Acrobat 8.2.6 and earlier 8.x versions for Windows and Macintosh
* Shockwave Player 11.5.9.620 and earlier versions for Windows and Macintosh.
Adobe has released Security Bulletin APSB11-17, which describes
multiple vulnerabilities affecting Adobe Shockwave Player.
Adobe has released Security Bulletin APSB11-18, which describes
multiple vulnerabilities affecting Adobe Flash Player.
I.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in, which can automatically open PDF documents hosted on a
website, is available for multiple web browsers and operating
systems.
Adobe Security Bulletin APSB11-17 describes a number of
vulnerabilities affecting Adobe Shockwave Player. These
vulnerabilities affect Shockwave Player 11.5.9.620 and earlier
versions.
An attacker could exploit this vulnerability by convincing a user
to open specially crafted Shockwave content. Shockwave content is
commonly hosted on a web page, but it can also be embedded in PDF
and other documents or provided as a stand-alone file.
Adobe Security Bulletin APSB11-18 describes a number of
vulnerabilities affecting Adobe Flash Player. These vulnerabilities
affect Flash Player 10.3.181.23 and earlier versions for Windows,
Macintosh, Linux and Solaris operating systems. These
vulnerabilities also affect Flash Player 10.3.185.23 and earlier
versions for Android.
An attacker could exploit this vulnerability by convincing a user
to open specially crafted Flash content. Flash content is commonly
hosted on a web page, but it can also be embedded in PDF and other
documents or provided as a stand-alone file.
II. Impact
These vulnerabilities could allow a remote attacker to execute
arbitrary code, write arbitrary files or folders to the file
system, escalate local privileges, or cause a denial of service on
an affected system as the result of a user opening a malicious PDF
file.
III. Solution
Update Reader
Adobe has released updates to address this issue.
Update Adobe Shockwave Player
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB11-17 and update
vulnerable versions of Adobe Shockwave Player.
Update Adobe Flash Player
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB11-18 and update
vulnerable versions of Adobe Adobe Flash Player.
Disable Flash in your web browser
Uninstall Flash or restrict which sites are allowed to run Flash.
To the extent possible, only run trusted Flash content on trusted
domains. For more information, see Securing Your Web Browser.
Disable Flash in Adobe Reader and Acrobat
Disabling Flash in Adobe Reader will mitigate attacks that rely on
Flash content embedded in a PDF file. Disabling 3D & Multimedia
support does not directly address the vulnerability, but it does
provide additional mitigation and results in a more user-friendly
error message instead of a crash. To disable Flash and 3D &
Multimedia support in Adobe Reader 9, delete, rename, or remove
access to these files:
Microsoft Windows
"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
Apple Mac OS X
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
GNU/Linux (locations may vary among distributions)
"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
File locations may be different for Adobe Acrobat or other Adobe
products that include Flash and 3D & Multimedia support. Disabling
these plugins will reduce functionality and will not protect
against Flash content hosted on websites. Depending on the update
schedule for products other than Flash Player, consider leaving
Flash and 3D & Multimedia support disabled unless they are
absolutely required. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable
Acrobat JavaScript).
Adobe provides a framework to blacklist specific JavaScipt APIs. If
JavaScript must be enabled, this feature may be useful when
specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF files in the web browser
Preventing PDF files from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied, it may also mitigate future vulnerabilities.
To prevent PDF files from automatically being opened in a web
browser, do the following:
1.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those
hosted on websites or delivered as email attachments. Please see
Cyber Security Tip ST04-010.
IV. References
* Security update available for Adobe Reader and Acrobat -
<http://www.adobe.com/support/security/bulletins/apsb11-16.html>
* Adobe Reader and Acrobat JavaScript Blacklist Framework -
<http://kb2.adobe.com/cps/504/cpsid_50431.html>
* Security update available for Adobe Flash Player -
<http://www.adobe.com/support/security/bulletins/apsb11-18.html>
* Security update available for Adobe Shockwave Player -
<http://www.adobe.com/support/security/bulletins/apsb11-17.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA11-166A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA11-166A Feedback" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
June 15, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTfjkdz6pPKYJORa3AQL96Af/bfXjpbygssCruFOpIPCRkp2YprLJLjjc
D+ydEKvBTLYUqm5QgUD99bKwcUjQvwbZRuQDM2hhb49+TeTQPWR3gKvSqasviAC9
wu73HEw6I5ystOW/v0m+IglgbQH6qBr1VdycxOQf3z63sWbt4XafBpbY3t4klcfj
Wc9ysRAY0RbInH5oyxJrOZz68OFUJj+ZsJw7wvnC3kgd3r6Q92nEM0cAiuNxmk0l
4g+HR0LuQRrgurAiX/zdAylByhOVmzBAqHhPk9pEdlf6XgEAhu/nSHrPa9jD+YKh
DtDSf9ETAnsqjY7zjP1RdgjcUU1HbzU1Egs3LOy33zfHEzKZZJe2QA==
=p3nZ
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43269
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43269/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43269
RELEASE DATE:
2011-06-16
DISCUSS ADVISORY:
http://secunia.com/advisories/43269/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43269/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43269
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious people to conduct
cross-site scripting attacks, disclose potentially sensitive
information, bypass certain security restrictions, and compromise a
user's system.
1) An error in 3difr.x3d due to the component trusting the provided
string length when processing certain files can be exploited to cause
a stack-based buffer overflow.
2) An error in tesselate.x3d due to the component trusting the
provided string length when processing certain files can be exploited
to cause a stack-based buffer overflow.
3) An unspecified error can be exploited to cause a heap-based buffer
overflow.
4) An integer overflow error in ACE.dll when parsing the "desc" ICC
chunk can be exploited to corrupt memory via a specially crafted PDF
file.
5) An unspecified error can be exploited to corrupt memory.
6) An unspecified error can be exploited to corrupt memory.
7) An error due to the application loading certain unspecified
libraries in an insecure manner can be exploited to load arbitrary
libraries by tricking a user into e.g. opening a file located on a
remote WebDAV or SMB share.
9) An unspecified error can be exploited to bypass certain security
restrictions.
10) An unspecified error can be exploited to corrupt memory.
11) An unspecified error can be exploited to corrupt memory.
12) An unspecified error can be exploited to corrupt memory.
13) An unspecified error can be exploited to corrupt memory.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1, 2) An anonymous person via ZDI.
4) Secunia Research.
The vendor also credits:
3, 6) Tarjei Mandt, Norman.
5) Rodrigo Rubira Branco.
7) Mila Parkour.
8) Billy Rios, Google Security Team.
9) Christian Navarrete, CubilFelino Security Research Lab.
10) Tavis Ormandy, Google Security Team.
11) Brett Gervasoni, Sense of Security.
12) Will Dormann, CERT/CC.
13) James Quirk, Los Alamos, New Mexico.
ORIGINAL ADVISORY:
Adobe (APSB11-16):
http://www.adobe.com/support/security/bulletins/apsb11-16.html
Secunia Research:
http://secunia.com/secunia_research/2011-41/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-218/
http://www.zerodayinitiative.com/advisories/ZDI-11-219/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201105-0218 | CVE-2011-1804 | Google Chrome Used in WebKit of rendering/RenderBox.cpp Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
rendering/RenderBox.cpp in WebCore in WebKit before r86862, as used in Google Chrome before 11.0.696.71, does not properly render floats, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer.". Google Chrome is prone to a memory-corruption vulnerability because of a NULL-pointer-dereference error.
An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage.
Successful exploits will allow attackers to execute arbitrary code in the context of the browser. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to Chrome 11.0.696.71 are vulnerable. Google Chrome is a web browser developed by Google (Google). The vulnerability is caused by a null pointer dereference error when rendering floating-point data
VAR-201105-0008 | CVE-2011-0628 | Adobe Flash Player Integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows remote attackers to execute arbitrary code via ActionScript that improperly handles a long array object. Adobe Flash Player is prone to a remote integer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers and Adobe Security Advisories and
Bulletins referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43269
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43269/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43269
RELEASE DATE:
2011-06-16
DISCUSS ADVISORY:
http://secunia.com/advisories/43269/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43269/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43269
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious people to conduct
cross-site scripting attacks, disclose potentially sensitive
information, bypass certain security restrictions, and compromise a
user's system.
1) An error in 3difr.x3d due to the component trusting the provided
string length when processing certain files can be exploited to cause
a stack-based buffer overflow.
2) An error in tesselate.x3d due to the component trusting the
provided string length when processing certain files can be exploited
to cause a stack-based buffer overflow.
3) An unspecified error can be exploited to cause a heap-based buffer
overflow.
4) An integer overflow error in ACE.dll when parsing the "desc" ICC
chunk can be exploited to corrupt memory via a specially crafted PDF
file.
5) An unspecified error can be exploited to corrupt memory.
6) An unspecified error can be exploited to corrupt memory.
7) An error due to the application loading certain unspecified
libraries in an insecure manner can be exploited to load arbitrary
libraries by tricking a user into e.g. opening a file located on a
remote WebDAV or SMB share.
9) An unspecified error can be exploited to bypass certain security
restrictions.
This vulnerability affects Adobe Reader and Acrobat X 10.x only.
10) An unspecified error can be exploited to corrupt memory.
This vulnerability affects 8.x versions only.
11) An unspecified error can be exploited to corrupt memory.
12) An unspecified error can be exploited to corrupt memory.
13) An unspecified error can be exploited to corrupt memory.
For more information:
SA44590
SA44846
The vulnerabilities are reported in the following products:
* Adobe Reader X (10.0.1) and earlier for Windows.
* Adobe Reader X (10.0.3) and earlier for Macintosh.
* Adobe Reader 9.4.4 and earlier for Windows and Macintosh.
* Adobe Reader 8.2.6 and earlier for Windows and Macintosh.
* Adobe Acrobat X (10.0.3) and earlier for Windows and Macintosh.
* Adobe Acrobat 9.4.4 and earlier for Windows and Macintosh.
* Adobe Acrobat 8.2.6 and earlier for Windows and Macintosh.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1, 2) An anonymous person via ZDI.
4) Secunia Research.
The vendor also credits:
3, 6) Tarjei Mandt, Norman.
5) Rodrigo Rubira Branco.
7) Mila Parkour.
8) Billy Rios, Google Security Team.
9) Christian Navarrete, CubilFelino Security Research Lab.
10) Tavis Ormandy, Google Security Team.
11) Brett Gervasoni, Sense of Security.
12) Will Dormann, CERT/CC.
13) James Quirk, Los Alamos, New Mexico.
ORIGINAL ADVISORY:
Adobe (APSB11-16):
http://www.adobe.com/support/security/bulletins/apsb11-16.html
Secunia Research:
http://secunia.com/secunia_research/2011-41/
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-218/
http://www.zerodayinitiative.com/advisories/ZDI-11-219/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201401-0008 | CVE-2011-1936 | Xen Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Xen, when using x86 Intel processors and the VMX virtualization extension is enabled, does not properly handle cpuid instruction emulation when exiting the VM, which allows local guest users to cause a denial of service (guest crash) via unspecified vectors. ( Guest crash ) There are vulnerabilities that are put into a state.Service disruption by local guest users ( Guest crash ) There is a possibility of being put into a state. Xen is prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause the guest and host operating systems to crash, denying service to legitimate users. Hitachi JP1 products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The following products are affected:
JP1/IT Resource Management - Manager
JP1/IT Service Level Management - Manager.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
This update fixes the following security issues:
* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local,
unprivileged user to cause a denial of service or escalate their
privileges. (CVE-2010-4649, Important)
* A race condition in the way new InfiniBand connections were set up could
allow a remote user to cause a denial of service. (CVE-2011-0695,
Important)
* A flaw in the Stream Control Transmission Protocol (SCTP) implementation
could allow a remote attacker to cause a denial of service if the sysctl
"net.sctp.addip_enable" variable was turned on (it is off by default).
(CVE-2011-1573, Important)
* Flaws in the AGPGART driver implementation when handling certain IOCTL
commands could allow a local, unprivileged user to cause a denial of
service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022,
Important)
* An integer overflow flaw in agp_allocate_memory() could allow a local,
unprivileged user to cause a denial of service or escalate their
privileges. (CVE-2011-1746, Important)
* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN)
packets. An attacker on the local network could trigger this flaw by
sending specially-crafted packets to a target system, possibly causing a
denial of service. (CVE-2011-1576, Moderate)
* An integer signedness error in next_pidmap() could allow a local,
unprivileged user to cause a denial of service.
(CVE-2011-1936, Moderate)
* A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to
cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)
* A missing initialization flaw in the XFS file system implementation
could lead to an information leak. (CVE-2011-0711, Low)
* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to
cause an information leak. (CVE-2011-1044, Low)
* A missing validation check was found in the signals implementation. A
local, unprivileged user could use this flaw to send signals via the
sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed
process and user IDs, to other processes. Note: This flaw does not allow
existing permission checks to be bypassed; signals can only be sent if your
privileges allow you to already do so. (CVE-2011-1182, Low)
* A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation
could allow a local attacker to cause a denial of service by mounting a
disk containing specially-crafted partition tables. (CVE-2011-1776, Low)
* Structure padding in two structures in the Bluetooth implementation
was not initialized properly before being copied to user-space, possibly
allowing local, unprivileged users to leak kernel stack memory to
user-space. (CVE-2011-2492, Low)
Red Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;
Vasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and
CVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for
reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213 and
CVE-2011-0711; Julien Tinnes of the Google Security Team for reporting
CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and Marek Kroemeke
and Filip Palian for reporting CVE-2011-2492.
Bug fix documentation will be available shortly from the Technical Notes
document linked to in the References.
Users should upgrade to these updated packages, which contain backported
patches to correct these issues, and fix the bugs noted in the Technical
Notes. The system must be rebooted for this update to take effect. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system. Bugs fixed (http://bugzilla.redhat.com/):
653648 - CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler
667916 - CVE-2010-4649 CVE-2011-1044 kernel: IB/uverbs: Handle large number of entries in poll CQ
677260 - CVE-2011-0711 kernel: xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
690028 - CVE-2011-1182 kernel signal spoofing issue
695173 - CVE-2011-1576 kernel: net: Fix memory leak/corruption on VLAN GRO_DROP
695383 - CVE-2011-1573 kernel: sctp: fix to calc the INIT/INIT-ACK chunk length correctly to set
697822 - CVE-2011-1593 kernel: proc: signedness issue in next_pidmap()
698996 - CVE-2011-1745 CVE-2011-2022 kernel: agp: insufficient pg_start parameter checking in AGPIOC_BIND and AGPIOC_UNBIND ioctls
698998 - CVE-2011-1746 kernel: agp: insufficient page_count parameter checking in agp_allocate_memory()
703019 - CVE-2011-2492 kernel: bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace
703026 - CVE-2011-1776 kernel: validate size of EFI GUID partition entries
703056 - [RHEL5.5] Panic in iscsi_sw_tcp_data_ready() [rhel-5.6.z]
706323 - CVE-2011-1936 kernel: xen: vmx: insecure cpuid vmexit
707899 - The pci resource for vf is not released after hot-removing Intel 82576 NIC [rhel-5.6.z]
711519 - GFS2: resource group bitmap corruption resulting in panics and withdraws
714536 - CVE-2011-2213 kernel: inet_diag: insufficient validation
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-238.19.1.el5.src.rpm
i386:
kernel-2.6.18-238.19.1.el5.i686.rpm
kernel-PAE-2.6.18-238.19.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.19.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.19.1.el5.i686.rpm
kernel-debug-2.6.18-238.19.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.19.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.19.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.19.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.19.1.el5.i686.rpm
kernel-devel-2.6.18-238.19.1.el5.i686.rpm
kernel-headers-2.6.18-238.19.1.el5.i386.rpm
kernel-xen-2.6.18-238.19.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.19.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.19.1.el5.i686.rpm
noarch:
kernel-doc-2.6.18-238.19.1.el5.noarch.rpm
x86_64:
kernel-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.19.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.19.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.19.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.19.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.19.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.19.1.el5.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-238.19.1.el5.src.rpm
i386:
kernel-2.6.18-238.19.1.el5.i686.rpm
kernel-PAE-2.6.18-238.19.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.19.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.19.1.el5.i686.rpm
kernel-debug-2.6.18-238.19.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.19.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.19.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.19.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.19.1.el5.i686.rpm
kernel-devel-2.6.18-238.19.1.el5.i686.rpm
kernel-headers-2.6.18-238.19.1.el5.i386.rpm
kernel-xen-2.6.18-238.19.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.19.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.19.1.el5.i686.rpm
ia64:
kernel-2.6.18-238.19.1.el5.ia64.rpm
kernel-debug-2.6.18-238.19.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-238.19.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-238.19.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-238.19.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-238.19.1.el5.ia64.rpm
kernel-devel-2.6.18-238.19.1.el5.ia64.rpm
kernel-headers-2.6.18-238.19.1.el5.ia64.rpm
kernel-xen-2.6.18-238.19.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-238.19.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-238.19.1.el5.ia64.rpm
noarch:
kernel-doc-2.6.18-238.19.1.el5.noarch.rpm
ppc:
kernel-2.6.18-238.19.1.el5.ppc64.rpm
kernel-debug-2.6.18-238.19.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-238.19.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-238.19.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-238.19.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-238.19.1.el5.ppc64.rpm
kernel-devel-2.6.18-238.19.1.el5.ppc64.rpm
kernel-headers-2.6.18-238.19.1.el5.ppc.rpm
kernel-headers-2.6.18-238.19.1.el5.ppc64.rpm
kernel-kdump-2.6.18-238.19.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-238.19.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-238.19.1.el5.ppc64.rpm
s390x:
kernel-2.6.18-238.19.1.el5.s390x.rpm
kernel-debug-2.6.18-238.19.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-238.19.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-238.19.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-238.19.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-238.19.1.el5.s390x.rpm
kernel-devel-2.6.18-238.19.1.el5.s390x.rpm
kernel-headers-2.6.18-238.19.1.el5.s390x.rpm
kernel-kdump-2.6.18-238.19.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-238.19.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-238.19.1.el5.s390x.rpm
x86_64:
kernel-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.19.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.19.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.19.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.19.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.19.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.19.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.19.1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2010-4649.html
https://www.redhat.com/security/data/cve/CVE-2011-0695.html
https://www.redhat.com/security/data/cve/CVE-2011-0711.html
https://www.redhat.com/security/data/cve/CVE-2011-1044.html
https://www.redhat.com/security/data/cve/CVE-2011-1182.html
https://www.redhat.com/security/data/cve/CVE-2011-1573.html
https://www.redhat.com/security/data/cve/CVE-2011-1576.html
https://www.redhat.com/security/data/cve/CVE-2011-1593.html
https://www.redhat.com/security/data/cve/CVE-2011-1745.html
https://www.redhat.com/security/data/cve/CVE-2011-1746.html
https://www.redhat.com/security/data/cve/CVE-2011-1776.html
https://www.redhat.com/security/data/cve/CVE-2011-1936.html
https://www.redhat.com/security/data/cve/CVE-2011-2022.html
https://www.redhat.com/security/data/cve/CVE-2011-2213.html
https://www.redhat.com/security/data/cve/CVE-2011-2492.html
https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.6_Technical_Notes/kernel.html#RHSA-2011-0927
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0001
Synopsis: VMware ESXi and ESX updates to third party library
and ESX Service Console
Issue date: 2012-01-30
Updated on: 2012-01-30 (initial advisory)
CVE numbers: --- COS Kernel ---
CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163,
CVE-2011-1166, CVE-2011-1170, CVE-2011-1171,
CVE-2011-1172, CVE-2011-1494, CVE-2011-1495,
CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044,
CVE-2011-1182, CVE-2011-1573, CVE-2011-1576,
CVE-2011-1593, CVE-2011-1745, CVE-2011-1746,
CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780,
CVE-2011-2525, CVE-2011-2689, CVE-2011-2482,
CVE-2011-2491, CVE-2011-2495, CVE-2011-2517,
CVE-2011-2519, CVE-2011-2901
--- COS cURL ---
CVE-2011-2192
--- COS rpm ---
CVE-2010-2059, CVE-2011-3378
--- COS samba ---
CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522, CVE-2011-2694
--- COS python ---
CVE-2009-3720, CVE-2010-3493, CVE-2011-1015,
CVE-2011-1521
--- python library ---
CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, CVE-2011-1521
----------------------------------------------------------------------
1. Summary
VMware ESXi and ESX updates to third party library and ESX Service
Console address several security issues.
2. Relevant releases
ESXi 4.1 without patch ESXi410-201201401-SG
ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG,
ESX410-201201406-SG, ESX410-201201407-SG
3. Problem Description
a. ESX third party update for Service Console kernel
The ESX Service Console Operating System (COS) kernel is updated to
kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the
COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,
CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,
CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,
CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201401-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console cURL RPM
The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9
resolving a security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2011-2192 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201402-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. ESX third party update for Service Console nspr and nss RPMs
The ESX Service Console (COS) nspr and nss RPMs are updated to
nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving
a security issues.
A Certificate Authority (CA) issued fraudulent SSL certificates and
Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
contain the built-in tokens of this fraudulent Certificate
Authority. This update renders all SSL certificates signed by the
fraudulent CA as untrusted for all uses.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201404-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
d. ESX third party update for Service Console rpm RPMs
The ESX Service Console Operating System (COS) rpm packages are
updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,
rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2
which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201406-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
e. ESX third party update for Service Console samba RPMs
The ESX Service Console Operating System (COS) samba packages are
updated to samba-client-3.0.33-3.29.el5_7.4,
samba-common-3.0.33-3.29.el5_7.4 and
libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security
issues in the Samba client.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522 and CVE-2011-2694 to these issues.
Note that ESX does not include the Samba Web Administration Tool
(SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and
CVE-2011-2694.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201407-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
f. ESX third party update for Service Console python package
The ESX Service Console (COS) python package is updated to
2.4.3-44 which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and
CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201405-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
g. ESXi update to third party component python
The python third party library is updated to python 2.5.6 which
fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, and CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 ESXi patch pending
ESXi 4.1 ESXi ESXi410-201201401-SG
ESXi 4.0 ESXi patch pending
ESXi 3.5 ESXi patch pending
ESX 4.1 ESX not affected
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware ESXi 4.1
---------------
ESXi410-201201401
http://downloads.vmware.com/go/selfsupport-download
md5sum: BDF86F10A973346E26C9C2CD4C424E88
sha1sum: CC0B92869A9AAE4F5E0E5B81BEE109BCD7DA780F
http://kb.vmware.com/kb/2009143
ESXi410-201201401 contains ESXi410-201201401-SG
VMware ESX 4.1
--------------
ESX410-201201001
http://downloads.vmware.com/go/selfsupport-download
md5sum: 16DF9ACD3E74BCABC2494BC23AD0927F
sha1sum: 1066AE1436E1A75BA3D541AB65296CFB9AB7A5CC
http://kb.vmware.com/kb/2009142
ESX410-201201001 contains ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG and
ESX410-201201407-SG
5. References
CVE numbers
--- COS Kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2901
--- COS cURL ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
--- COS rpm ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
--- COS samba ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694
--- COS python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
--- python library ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
----------------------------------------------------------------------
6. Change log
2012-01-30 VMSA-2012-0001
Initial security advisory in conjunction with the release of patches
for ESX 4.1 and ESXi 4.1 on 2012-01-30.
----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFPJ5DIDEcm8Vbi9kMRAnzCAKCmaAoDp49d61Mr1emzh/U0N8vbgACdFZk8
f2pLxi537s+ew4dvnYNWlJ8=
=OAh4
-----END PGP SIGNATURE-----
VAR-201401-0007 | CVE-2011-1166 | Xen Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a denial of service (host crash) by specifying user mode execution without user-mode pagetables. ( Host crash ) There is a possibility of being put into a state. The implementation of Xen Hypervisor included in Red Hat Linux is prone to a denial-of-service vulnerability.
A privileged guest user can exploit this issue to cause the host and the guest to lock up, denying service to legitimate users. Hitachi JP1 products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The following products are affected:
JP1/IT Resource Management - Manager
JP1/IT Service Level Management - Manager.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system. (CVE-2011-1093, Important)
* Multiple buffer overflow flaws were found in the Linux kernel's
Management Module Support for Message Passing Technology (MPT) based
controllers. A local, unprivileged user could use these flaws to cause a
denial of service, an information leak, or escalate their privileges. (CVE-2011-1166, Moderate)
* A flaw was found in the way the Xen hypervisor implementation checked for
the upper boundary when getting a new event channel port. (CVE-2011-1763, Moderate)
* The start_code and end_code values in "/proc/[pid]/stat" were not
protected. In certain scenarios, this flaw could be used to defeat Address
Space Layout Randomization (ASLR). (CVE-2011-0726, Low)
* A missing initialization flaw in the sco_sock_getsockopt() function could
allow a local, unprivileged user to cause an information leak.
(CVE-2011-1078, Low)
* A missing validation of a null-terminated string data structure element
in the do_replace() function could allow a local user who has the
CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)
* A buffer overflow flaw in the DEC Alpha OSF partition implementation in
the Linux kernel could allow a local attacker to cause an information leak
by mounting a disk that contains specially-crafted partition tables.
(CVE-2011-1163, Low)
* Missing validations of null-terminated string data structure elements in
the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(),
and do_arpt_get_ctl() functions could allow a local user who has the
CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170,
CVE-2011-1171, CVE-2011-1172, Low)
* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT)
implementation could allow a local attacker to cause a denial of service
by mounting a disk that contains specially-crafted partition tables.
(CVE-2011-1577, Low)
Red Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494 and
CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1078,
CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and CVE-2011-1172; Kees Cook
for reporting CVE-2011-0726; and Timo Warns for reporting CVE-2011-1163
and CVE-2011-1577.
This update also fixes several bugs. Documentation for these bug fixes will
be available shortly from the Technical Notes document linked to in the
References section.
Users should upgrade to these updated packages, which contain backported
patches to correct these issues, and fix the bugs noted in the Technical
Notes. The system must be rebooted for this update to take effect. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system. Bugs fixed (http://bugzilla.redhat.com/):
681259 - CVE-2011-1078 kernel: bt sco_conninfo infoleak
681260 - CVE-2011-1079 kernel: bnep device field missing NULL terminator
681262 - CVE-2011-1080 kernel: ebtables stack infoleak
682954 - CVE-2011-1093 kernel: dccp: fix oops on Reset after close
684569 - CVE-2011-0726 kernel: proc: protect mm start_code/end_code in /proc/pid/stat
688021 - CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak
688156 - [5.6][REG]for some uses of 'nfsservctl' system call, the kernel crashes. [rhel-5.6.z]
688579 - CVE-2011-1166 kernel: xen: x86_64: fix error checking in arch_set_info_guest()
689321 - CVE-2011-1170 ipv4: netfilter: arp_tables: fix infoleak to userspace
689327 - CVE-2011-1171 ipv4: netfilter: ip_tables: fix infoleak to userspace
689345 - CVE-2011-1172 ipv6: netfilter: ip6_tables: fix infoleak to userspace
689699 - Deadlock between device driver attachment and device removal with a USB device [rhel-5.6.z]
689700 - [NetApp 5.6 Bug] QLogic 8G FC firmware dumps seen during IO [rhel-5.6.z]
690134 - Time runs too fast in a VM on processors with > 4GHZ freq [rhel-5.6.z]
690239 - gfs2: creating large files suddenly slow to a crawl [rhel-5.6.z]
694021 - CVE-2011-1494 CVE-2011-1495 kernel: drivers/scsi/mpt2sas: prevent heap overflows
695976 - CVE-2011-1577 kernel: corrupted GUID partition tables can cause kernel oops
696136 - RHEL 5.6 (kernel -238) causes audio issues [rhel-5.6.z]
697448 - slab corruption after seeing some nfs-related BUG: warning [rhel-5.6.z]
699808 - dasd: fix race between open and offline [rhel-5.6.z]
701240 - CVE-2011-1763 kernel: xen: improper upper boundary check in get_free_port() function
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-238.12.1.el5.src.rpm
i386:
kernel-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.i686.rpm
kernel-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-headers-2.6.18-238.12.1.el5.i386.rpm
kernel-xen-2.6.18-238.12.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.i686.rpm
noarch:
kernel-doc-2.6.18-238.12.1.el5.noarch.rpm
x86_64:
kernel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-238.12.1.el5.src.rpm
i386:
kernel-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.i686.rpm
kernel-devel-2.6.18-238.12.1.el5.i686.rpm
kernel-headers-2.6.18-238.12.1.el5.i386.rpm
kernel-xen-2.6.18-238.12.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.i686.rpm
ia64:
kernel-2.6.18-238.12.1.el5.ia64.rpm
kernel-debug-2.6.18-238.12.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.ia64.rpm
kernel-devel-2.6.18-238.12.1.el5.ia64.rpm
kernel-headers-2.6.18-238.12.1.el5.ia64.rpm
kernel-xen-2.6.18-238.12.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.ia64.rpm
noarch:
kernel-doc-2.6.18-238.12.1.el5.noarch.rpm
ppc:
kernel-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debug-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.ppc64.rpm
kernel-devel-2.6.18-238.12.1.el5.ppc64.rpm
kernel-headers-2.6.18-238.12.1.el5.ppc.rpm
kernel-headers-2.6.18-238.12.1.el5.ppc64.rpm
kernel-kdump-2.6.18-238.12.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-238.12.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-238.12.1.el5.ppc64.rpm
s390x:
kernel-2.6.18-238.12.1.el5.s390x.rpm
kernel-debug-2.6.18-238.12.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.s390x.rpm
kernel-devel-2.6.18-238.12.1.el5.s390x.rpm
kernel-headers-2.6.18-238.12.1.el5.s390x.rpm
kernel-kdump-2.6.18-238.12.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-238.12.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-238.12.1.el5.s390x.rpm
x86_64:
kernel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.12.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.12.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.12.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.12.1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-0726.html
https://www.redhat.com/security/data/cve/CVE-2011-1078.html
https://www.redhat.com/security/data/cve/CVE-2011-1079.html
https://www.redhat.com/security/data/cve/CVE-2011-1080.html
https://www.redhat.com/security/data/cve/CVE-2011-1093.html
https://www.redhat.com/security/data/cve/CVE-2011-1163.html
https://www.redhat.com/security/data/cve/CVE-2011-1166.html
https://www.redhat.com/security/data/cve/CVE-2011-1170.html
https://www.redhat.com/security/data/cve/CVE-2011-1171.html
https://www.redhat.com/security/data/cve/CVE-2011-1172.html
https://www.redhat.com/security/data/cve/CVE-2011-1494.html
https://www.redhat.com/security/data/cve/CVE-2011-1495.html
https://www.redhat.com/security/data/cve/CVE-2011-1577.html
https://www.redhat.com/security/data/cve/CVE-2011-1763.html
https://access.redhat.com/security/updates/classification/#important
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.6_Technical_Notes/kernel.html#RHSA-2011-0833
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0001
Synopsis: VMware ESXi and ESX updates to third party library
and ESX Service Console
Issue date: 2012-01-30
Updated on: 2012-01-30 (initial advisory)
CVE numbers: --- COS Kernel ---
CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163,
CVE-2011-1166, CVE-2011-1170, CVE-2011-1171,
CVE-2011-1172, CVE-2011-1494, CVE-2011-1495,
CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044,
CVE-2011-1182, CVE-2011-1573, CVE-2011-1576,
CVE-2011-1593, CVE-2011-1745, CVE-2011-1746,
CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780,
CVE-2011-2525, CVE-2011-2689, CVE-2011-2482,
CVE-2011-2491, CVE-2011-2495, CVE-2011-2517,
CVE-2011-2519, CVE-2011-2901
--- COS cURL ---
CVE-2011-2192
--- COS rpm ---
CVE-2010-2059, CVE-2011-3378
--- COS samba ---
CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522, CVE-2011-2694
--- COS python ---
CVE-2009-3720, CVE-2010-3493, CVE-2011-1015,
CVE-2011-1521
--- python library ---
CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, CVE-2011-1521
----------------------------------------------------------------------
1. Summary
VMware ESXi and ESX updates to third party library and ESX Service
Console address several security issues.
2. Relevant releases
ESXi 4.1 without patch ESXi410-201201401-SG
ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG,
ESX410-201201406-SG, ESX410-201201407-SG
3. Problem Description
a. ESX third party update for Service Console kernel
The ESX Service Console Operating System (COS) kernel is updated to
kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the
COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,
CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,
CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,
CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201401-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console cURL RPM
The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9
resolving a security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2011-2192 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201402-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. ESX third party update for Service Console nspr and nss RPMs
The ESX Service Console (COS) nspr and nss RPMs are updated to
nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving
a security issues.
A Certificate Authority (CA) issued fraudulent SSL certificates and
Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
contain the built-in tokens of this fraudulent Certificate
Authority. This update renders all SSL certificates signed by the
fraudulent CA as untrusted for all uses.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201404-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
d. ESX third party update for Service Console rpm RPMs
The ESX Service Console Operating System (COS) rpm packages are
updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,
rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2
which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201406-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
e. ESX third party update for Service Console samba RPMs
The ESX Service Console Operating System (COS) samba packages are
updated to samba-client-3.0.33-3.29.el5_7.4,
samba-common-3.0.33-3.29.el5_7.4 and
libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security
issues in the Samba client.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522 and CVE-2011-2694 to these issues.
Note that ESX does not include the Samba Web Administration Tool
(SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and
CVE-2011-2694.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201407-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
f. ESX third party update for Service Console python package
The ESX Service Console (COS) python package is updated to
2.4.3-44 which fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and
CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201201405-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
g. ESXi update to third party component python
The python third party library is updated to python 2.5.6 which
fixes multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, and CVE-2011-1521 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 5.0 ESXi patch pending
ESXi 4.1 ESXi ESXi410-201201401-SG
ESXi 4.0 ESXi patch pending
ESXi 3.5 ESXi patch pending
ESX 4.1 ESX not affected
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware ESXi 4.1
---------------
ESXi410-201201401
http://downloads.vmware.com/go/selfsupport-download
md5sum: BDF86F10A973346E26C9C2CD4C424E88
sha1sum: CC0B92869A9AAE4F5E0E5B81BEE109BCD7DA780F
http://kb.vmware.com/kb/2009143
ESXi410-201201401 contains ESXi410-201201401-SG
VMware ESX 4.1
--------------
ESX410-201201001
http://downloads.vmware.com/go/selfsupport-download
md5sum: 16DF9ACD3E74BCABC2494BC23AD0927F
sha1sum: 1066AE1436E1A75BA3D541AB65296CFB9AB7A5CC
http://kb.vmware.com/kb/2009142
ESX410-201201001 contains ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG and
ESX410-201201407-SG
5. References
CVE numbers
--- COS Kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2901
--- COS cURL ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
--- COS rpm ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
--- COS samba ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694
--- COS python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
--- python library ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
----------------------------------------------------------------------
6. Change log
2012-01-30 VMSA-2012-0001
Initial security advisory in conjunction with the release of patches
for ESX 4.1 and ESXi 4.1 on 2012-01-30.
----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFPJ5DIDEcm8Vbi9kMRAnzCAKCmaAoDp49d61Mr1emzh/U0N8vbgACdFZk8
f2pLxi537s+ew4dvnYNWlJ8=
=OAh4
-----END PGP SIGNATURE-----
.
CVE-2011-1166
A 64-bit guest can get one of its vCPU'ss into non-kernel
mode without first providing a valid non-kernel pagetable,
thereby locking up the host system.
CVE-2011-1898
When using PCI passthrough on Intel VT-d chipsets that do not
have interrupt remapping, guest OS can users to gain host OS
privileges by writing to the interrupt injection registers.
The oldstable distribution (lenny) contains a different version of Xen
not affected by these problems.
For the stable distribution (squeeze), this problem has been fixed in
version 4.0.1-4.
For the testing (wheezy) and unstable distribution (sid), this problem
has been fixed in version 4.1.1-1.
We recommend that you upgrade your xen packages