Computer Security


Clear iSpot / Clearspot crossite request forgery
Published:15.12.2010
Source:
SecurityVulns ID:11298
Type:remote
Threat Level:4/10
Description:Cross-site request forgery in the administration interface.
CVE:CVE-2010-4507 (Multiple cross-site request forgery (CSRF) vulnerabilities on the iSpot 2.0.0.0 R1679, and the ClearSpot 2.0.0.0 R1512 and R1786, with firmware 1.9.9.4 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary commands via the cmd parameter in an act_cmd_result action to webmain.cgi, (2) enable remote management via an enable_remote_access act_network_set action to webmain.cgi, (3) enable the TELNET service via an ENABLE_TELNET act_set_wimax_etc_config action to webmain.cgi, (4) enable TELNET sessions via a certain act_network_set action to webmain.cgi, or (5) read arbitrary files via the FILE_PATH parameter in an act_file_download action to upgrademain.cgi.)
Original document:Trustwave Advisories, TWSL-2010-008: Clear iSpot/Clearspot CSRF Vulnerabilities (15.12.2010)

Microsoft Windows multiple security vulnerabilities
Published:15.12.2010
Source:
SecurityVulns ID:11301
Type:remote
Threat Level:9/10
Description:OpenType Font parsing memory corruption, Task Scheduler privilege escalation, unsafe DLL loading, multiple kernel vulnerabilities, Consent User Interface privilege escalation, Netlogon DoS.
Affected:MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
CVE:CVE-2010-3967 (Untrusted search path vulnerability in Microsoft Windows Movie Maker (WMM) 2.6 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Movie Maker (MSWMM) file, aka "Insecure Library Loading Vulnerability.")
 CVE-2010-3966 (Untrusted search path vulnerability in Microsoft Windows Server 2008 R2 and Windows 7, when BranchCache is supported, allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains an EML file, an RSS file, or a WPOST file, aka "BranchCache Insecure Library Loading Vulnerability.")
 CVE-2010-3965 (Untrusted search path vulnerability in Windows Media Encoder 9 on Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, and Windows Server 2008 Gold and SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Windows Media Profile (PRX) file, aka "Insecure Library Loading Vulnerability.")
 CVE-2010-3963 (Buffer overflow in the Routing and Remote Access NDProxy component in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, related to the Routing and Remote Access service (RRAS) and improper copying from user mode to the kernel, aka "Kernel NDProxy Buffer Overflow Vulnerability.")
 CVE-2010-3961 (The Consent User Interface (UI) in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly handle an unspecified registry-key value, which allows local users with SeImpersonatePrivilege rights to gain privileges via a crafted application, aka "Consent UI Impersonation Vulnerability.")
 CVE-2010-3959 (The OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted CMAP table in an OpenType font, aka "OpenType CMAP Table Vulnerability.")
 CVE-2010-3957 (Double free vulnerability in the OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted OpenType font, aka "OpenType Font Double Free Vulnerability.")
 CVE-2010-3956 (The OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly perform array indexing, which allows local users to gain privileges via a crafted OpenType font, aka "OpenType Font Index Vulnerability.")
 CVE-2010-3944 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Vulnerability.")
 CVE-2010-3943 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly link driver objects, which allows local users to gain privileges via a crafted application that triggers linked-list corruption, aka "Win32k Cursor Linking Vulnerability.")
 CVE-2010-3942 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly allocate memory for copies from user mode, which allows local users to gain privileges via a crafted application, aka "Win32k WriteAV Vulnerability.")
 CVE-2010-3941 (Double free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold and SP2, and Windows 7 allows local users to gain privileges via a crafted application, aka "Win32k Double Free Vulnerability.")
 CVE-2010-3940 (Double free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted application, aka "Win32k PFE Pointer Double Free Vulnerability.")
 CVE-2010-3939 (Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via vectors related to improper memory allocation for copies from user mode, aka "Win32k Buffer Overflow Vulnerability.")
 CVE-2010-3338 (The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly determine the security context of scheduled tasks, which allows local users to gain privileges via a crafted application, aka "Task Scheduler Vulnerability." NOTE: this might overlap CVE-2010-3888.)
 CVE-2010-3147 (Untrusted search path vulnerability in wab.exe 6.00.2900.5512 in Windows Address Book in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a Trojan horse wab32res.dll file in the current working directory, as demonstrated by a directory that contains a Windows Address Book (WAB), VCF (aka vCard), or P7C file, aka "Insecure Library Loading Vulnerability.")
 CVE-2010-3144 (Untrusted search path vulnerability in the Internet Connection Signup Wizard in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a Trojan horse smmscrpt.dll file in the current working directory, as demonstrated by a directory that contains an ISP or INS file, aka "Internet Connection Signup Wizard Insecure Library Loading Vulnerability.")
 CVE-2010-2742 (The Netlogon RPC Service in Microsoft Windows Server 2003 SP2 and Server 2008 Gold, SP2, and R2, when the domain controller role is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and reboot) via a crafted RPC packet, aka "Netlogon RPC Null dereference DOS Vulnerability.")
Original document:ACROS Security, ASPR #2010-12-14-1: Remote Binary Planting in Windows Address Book (15.12.2010)
Files:Microsoft Security Bulletin MS10-091 - Critical Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)
 Microsoft Security Bulletin MS10-092 - Important Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)
 Microsoft Security Bulletin MS10-093 - Important Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)
 Microsoft Security Bulletin MS10-094 - Important Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)
 Microsoft Security Bulletin MS10-095 - Important Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)
 Microsoft Security Bulletin MS10-096 - Important Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)
 Microsoft Security Bulletin MS10-097 - Important Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
 Microsoft Security Bulletin MS10-098 - Important Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
 Microsoft Security Bulletin MS10-099 - Important Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)
 Microsoft Security Bulletin MS10-100 - Important Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)
 Microsoft Security Bulletin MS10-101 - Important Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)

Microsoft Hyper-V DoS
Published:15.12.2010
Source:
SecurityVulns ID:11302
Type:local
Threat Level:5/10
Description:VMBus message handling vulnerability.
Affected:MICROSOFT : Windows 2008 Server
CVE:CVE-2010-3960 (Hyper-V in Microsoft Windows Server 2008 Gold, SP2, and R2 allows guest OS users to cause a denial of service (host OS hang) by sending a crafted encapsulated packet over the VMBus, aka "Hyper-V VMBus Vulnerability.")
Files:Microsoft Security Bulletin MS10-102 - Important Vulnerability in Hyper-V Could Allow Denial of Service (2345316)

Apple Safari / Google Chrome address spoofing
Published:15.12.2010
Source:
SecurityVulns ID:11304
Type:client
Threat Level:4/10
Original document:Michal Zalewski, minor browser UI nitpicking (15.12.2010)

HP OpenVMS Integrity Servers DoS
Published:15.12.2010
Source:
SecurityVulns ID:11305
Type:local
Threat Level:4/10
Affected:HP : OpenVMS 8.3
 HP : OpenVMS 8.4
CVE:CVE-2010-4110 (Unspecified vulnerability in HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform on Integrity servers allows local users to gain privileges or cause a denial of service via unknown vectors.)
Original document:HP, [security bulletin] HPSBOV02618 SSRT100354 rev.1 - HP OpenVMS Integrity Servers, Local Denial of Service (DoS), Gain Privileged Access (15.12.2010)

IBM Tivoli Storage Manager buffer overflow
Published:15.12.2010
Source:
SecurityVulns ID:11306
Type:local
Threat Level:4/10
Description:Buffer overflow in the setuid-root dsmtca backup client binary.
Affected:IBM : Tivoli Storage Manager 5.5
 IBM : Tivoli Storage Manager 6.1
Original document:Kryptos Logic Secure, Kryptos Logic Advisory: IBM Tivoli Storage Manager (TSM) Local Root (15.12.2010)

Microsoft Sharepoint code execution
Published:15.12.2010
Source:
SecurityVulns ID:11308
Type:remote
Threat Level:7/10
Description:Code execution in the Document Conversions Launcher Service during SOAP request processing.
Affected:MICROSOFT : SharePoint Server 2007
CVE:CVE-2010-3964 (Unrestricted file upload vulnerability in the Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2, when the Document Conversions Load Balancer Service is enabled, allows remote attackers to execute arbitrary code via a crafted SOAP request to TCP port 8082, aka "Malformed Request Code Execution Vulnerability.")
Files:Microsoft Security Bulletin MS10-104 - Important Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)

Microsoft Exchange Server DoS
Published:15.12.2010
Source:
SecurityVulns ID:11309
Type:remote
Threat Level:5/10
Description:Infinite loop during RPC request processing.
Affected:MICROSOFT : Exchange Server 2007
CVE:CVE-2010-3937 (Microsoft Exchange Server 2007 SP2 on the x64 platform allows remote authenticated users to cause a denial of service (infinite loop and MSExchangeIS outage) via a crafted RPC request, aka "Exchange Server Infinite Loop Vulnerability.")

Microsoft Internet Explorer multiple security vulnerabilities
updated since 15.12.2010
Published:16.12.2010
Source:
SecurityVulns ID:11300
Type:client
Threat Level:9/10
Description:Cross-site data access, multiple memory corruptions.
Affected:MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
CVE:CVE-2010-3345 (Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Element Memory Corruption Vulnerability.")
 CVE-2010-3343 (Microsoft Internet Explorer 6 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability.")
 CVE-2010-3342 (Microsoft Internet Explorer 6, 7, and 8 does not prevent rendering of cached content as HTML, which allows remote attackers to access content from a different (1) domain or (2) zone via unspecified script code, aka "Cross-Domain Information Disclosure Vulnerability," a different vulnerability than CVE-2010-3348.)
 CVE-2010-3340 (Microsoft Internet Explorer 6 and 7 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability.")
Original documents:VUPEN Security Research, VUPEN Security Research - Microsoft Internet Explorer Animation Use-after-free Vulnerability (VUPEN-SR-2010-199) (16.12.2010)
 IDEFENSE, iDefense Security Advisory 12.14.10: Microsoft Internet Explorer CSS Style Table Layout Uninitialized Memory Vulnerability (15.12.2010)
 IDEFENSE, iDefense Security Advisory 12.14.10: Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability (15.12.2010)
 MICROSOFT, Microsoft Security Bulletin MS10-090 - Critical Cumulative Security Update for Internet Explorer (2416400) (15.12.2010)
Files:Microsoft Security Bulletin MS10-090 - Critical Cumulative Security Update for Internet Explorer (2416400)

HP StorageWorks MSA2000 backdoor account
updated since 15.12.2010
Published:17.12.2010
Source:
SecurityVulns ID:11299
Type:remote
Threat Level:6/10
Description:Hidden backdoor account 'admin' with password '!admin'.
Affected:HP : StorageWorks MSA2000
CVE:CVE-2010-4115 (HP StorageWorks Modular Smart Array P2000 G3 firmware TS100R011, TS100R025, TS100P002, TS200R005, TS201R014, and TS201R015 installs an undocumented admin account with a default "!admin" password, which allows remote attackers to gain privileges.)
Original documents:HP, [security bulletin] HPSBST02620 SSRT100356 rev.1 - HP StorageWorks Modular Smart Array P2000 G3, Remote Unauthorized Access (17.12.2010)
 Pavel Kankovsky, Re: hidden admin user on every HP MSA2000 G3 (15.12.2010)
 hpdisclosure_(at)_anonmail.de, hidden admin user on every HP MSA2000 G3 (15.12.2010)

Microsoft Office multiple security vulnerabilities
updated since 15.12.2010
Published:28.12.2010
Source:
SecurityVulns ID:11307
Type:client
Threat Level:7/10
Description:Multiple memory corruptions in Publisher and in the Office graphics filters.
Affected:MICROSOFT : Office XP
 MICROSOFT : Office 2003
 MICROSOFT : Office 2007
 MICROSOFT : Works 9
 MICROSOFT : Office 2010
CVE:CVE-2010-3955 (pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2002 SP3 does not properly perform array indexing, which allows remote attackers to execute arbitrary code via a crafted Publisher file that uses an old file format, aka "Array Indexing Memory Corruption Vulnerability.")
 CVE-2010-3954 (Microsoft Publisher 2002 SP3, 2003 SP3, and 2010 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Publisher file, aka "Microsoft Publisher Memory Corruption Vulnerability.")
 CVE-2010-3952 (The FlashPix image converter in the graphics filters in Microsoft Office XP SP3 and Office Converter Pack allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted FlashPix image in an Office document, aka "FlashPix Image Converter Heap Corruption Vulnerability.")
 CVE-2010-3951 (Buffer overflow in the FlashPix image converter in the graphics filters in Microsoft Office XP SP3 and Office Converter Pack allows remote attackers to execute arbitrary code via a crafted FlashPix image in an Office document, aka "FlashPix Image Converter Buffer Overflow Vulnerability.")
 CVE-2010-3950 (The TIFF image converter in the graphics filters in Microsoft Office XP SP3, Office Converter Pack, and Works 9 does not properly convert data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted TIFF image in an Office document, aka "TIFF Image Converter Memory Corruption Vulnerability.")
 CVE-2010-3949 (Buffer overflow in the TIFF image converter in the graphics filters in Microsoft Office XP SP3 and Office Converter Pack allows remote attackers to execute arbitrary code via a crafted TIFF image in an Office document, aka "TIFF Image Converter Buffer Overflow Vulnerability.")
 CVE-2010-3947 (Heap-based buffer overflow in the TIFF image converter in the graphics filters in Microsoft Office XP SP3, Office Converter Pack, and Works 9 allows remote attackers to execute arbitrary code via a crafted TIFF image in an Office document, aka "TIFF Image Converter Heap Overflow Vulnerability.")
 CVE-2010-3946 (Integer overflow in the PICT image converter in the graphics filters in Microsoft Office XP SP3, Office 2003 SP3, and Office Converter Pack allows remote attackers to execute arbitrary code via a crafted PICT image in an Office document, aka "PICT Image Converter Integer Overflow Vulnerability.")
 CVE-2010-3945 (Buffer overflow in the CGM image converter in the graphics filters in Microsoft Office XP SP3, Office 2003 SP3, and Office Converter Pack allows remote attackers to execute arbitrary code via a crafted CGM image in an Office document, aka "CGM Image Converter Buffer Overrun Vulnerability.")
 CVE-2010-2571 (Array index error in pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted Publisher 97 file, aka "Memory Corruption Due To Invalid Index Into Array in Pubconv.dll Vulnerability.")
 CVE-2010-2570 (Heap-based buffer overflow in pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2002 SP3, 2003 SP3, 2007 SP2, and 2010 allows remote attackers to execute arbitrary code via a crafted Publisher file that uses an old file format, aka "Heap Overrun in pubconv.dll Vulnerability.")
 CVE-2010-2569 (pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2002 SP3, 2003 SP3, and 2007 SP2 does not properly handle an unspecified size field in certain older file formats, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted Publisher file, aka "Size Value Heap Corruption in pubconv.dll Vulnerability.")
Original documents:SECUNIA, Secunia Research: Microsoft Word LFO Parsing Double-Free Vulnerability (28.12.2010)
 SECUNIA, Secunia Research: Microsoft Office FlashPix Property Set Parsing Buffer Overflow (22.12.2010)
 SECUNIA, Secunia Research: Microsoft Office TIFF Image Converter Endian Conversion Vulnerability (21.12.2010)
 SECUNIA, Secunia Research: Microsoft Office Document Imaging Endian Conversion Vulnerability (21.12.2010)
 SECUNIA, Secunia Research: Microsoft Office FlashPix Tile Data Two Buffer Overflows (21.12.2010)
 SECUNIA, Secunia Research: Microsoft Office PICT Filter Integer Truncation Vulnerability (21.12.2010)
 SECUNIA, Secunia Research: Microsoft Office TIFF Image Converter Two Buffer Overflows (21.12.2010)
 VUPEN Security Research, VUPEN Security Research - Microsoft Office Publisher Memory Corruption Vulnerability (VUPEN-SR-2010-041) (16.12.2010)
 VUPEN Security Research, VUPEN Security Research - Microsoft Office Publisher Size Value Heap Corruption Vulnerability (VUPEN-SR-2010-200) (16.12.2010)
 VUPEN Security Research, VUPEN Security Research - Microsoft Office Publisher Record Array Indexing Vulnerability (VUPEN-SR-2010-201) (16.12.2010)
 VUPEN Security Research, VUPEN Security Research - Microsoft Office Publisher "pubconv.dll" Array Indexing Vulnerability (VUPEN-SR-2010-206) (16.12.2010)
Files:Microsoft Security Bulletin MS10-103 - Important Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)
 Microsoft Security Bulletin MS10-105 - Important Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod