Vulnerability Summary for the Week of October 15, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

High Vulnerabilities:

Adobe — Flash Player
Opera Software — Opera
Unspecified vulnerability in Adobe Flash Player 9.0.47.0 and earlier, when running on Opera before 9.24 on Mac OS X, has unknown “Highly Severe” impact and unknown attack vectors.

Apple — Safari
Unspecified vulnerability in Safari on the Apple iPod touch (aka iTouch) and iPhone 1.1.1 allows user-assisted remote attackers to cause a denial of service (application crash), and enable filesystem browsing by the local user, via a certain TIFF file.

gdata — antivirus
Buffer overflow in a certain ActiveX control in ScanObjectBrowser.DLL in G DATA Antivirus 2007 might allow remote attackers to execute arbitrary code via unspecified parameters to the SelectPath function. NOTE: this issue might not cross privilege boundaries in most environments, since it is not marked as safe for scripting.

HP — Linux Imaging and Printing Project
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.

Juniper — HTTP Service
Heap-based buffer overflow in the Juniper HTTP Service allows remote attackers to execute arbitrary code via a crafted HTTP packet. NOTE: as of 20071016, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Microsoft — Internet Explorer
Microsoft Internet Explorer 7 and earlier allows remote attackers to bypass the “File Download – Security Warning” dialog box and download arbitrary .exe files by placing a ‘?’ (question mark) followed by a non-.exe filename after the .exe filename, as demonstrated by (1) .txt, (2) .cda, (3) .log, (4) .dif, (5) .sol, (6) .htt, (7) .itpc, (8) .itms, (9) .dvr-ms, (10) .dib, (11) .asf, (12) .tif, and unspecified other extensions, a different issue than CVE-2004-1331.

Microsoft — ActiveSync
Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak encryption (XOR obfuscation with a fixed key) when sending the user’s PIN/Password over the USB connection from the host to the device, which might allow attackers to (1) sniff the PIN/Password or (2) spoof the docking process to trick the user into providing the PIN/Password.

Opera Software — Opera

  • Unspecified vulnerability in Opera before 9.24 allows remote attackers to overwrite functions on pages from other domains and bypass the same-origin policy via unknown vectors.
  • Unspecified vulnerability in Opera before 9.24, when using an “external” newsgroup or e-mail client, allows remote attackers to execute arbitrary commands via unknown vectors.

PHP — PHP
The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by using an alias, as demonstrated by using ini_alter when ini_set is disabled.

Complete list at http://www.us-cert.gov/cas/bulletins/SB07-295.html