Vulnerability Summary for the Week of August 30, 2010

Released: Sep 07, 2010
Document ID: SB10-249

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe -- device_central_cs5 | Untrusted search path vulnerability in Adobe Device Central CS5 3.0.0(376), 3.0.1.0 (3027), and probably other versions allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse qtcf.dll that is located in the same folder as an ADCP file. | 2010-08-27 | 9.3 | CVE-2010-3149, EXPLOIT-DB |
| adobe -- premier_pro_cs4 | Untrusted search path vulnerability in Adobe Premier Pro CS4 4.0.0 (314 (MC: 160820)) allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse ibfs32.dll that is located in the same folder as a .pproj, .prfpset, .prexport, .prm, .prmp, .prpreset, .prproj, .prsl, .prtl, or .vpr file. | 2010-08-27 | 9.3 | CVE-2010-3150, EXPLOIT-DB |
| adobe -- onlocation_cs4 | Untrusted search path vulnerability in Adobe On Location CS4 Build 315 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse ibfs32.dll that is located in the same folder as an OLPROJ file. | 2010-08-27 | 9.3 | CVE-2010-3151, EXPLOIT-DB |
| adobe -- illustrator | Untrusted search path vulnerability in Adobe Illustrator CS4 14.0.0, CS5 15.0.1, and possibly other versions allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll or aires.dll that is located in the same folder as an .ait or .eps file. | 2010-08-27 | 9.3 | CVE-2010-3152, EXPLOIT-DB |
| adobe -- indesign_cs4 | Untrusted search path vulnerability in Adobe InDesign CS4 6.0 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse ibfs32.dll that is located in the same folder as an .indl, .indp, .indt, or .inx file. | 2010-08-27 | 9.3 | CVE-2010-3153, EXPLOIT-DB |
| adobe -- extension_manager_cs5 | Untrusted search path vulnerability in Adobe Extension Manager CS5 5.0.298 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .mxi or .mxp file. | 2010-08-27 | 9.3 | CVE-2010-3154, EXPLOIT-DB |
| adobe -- extendedscript_toolkit_cs5 | Untrusted search path vulnerability in Adobe ExtendScript Toolkit (ESTK) CS5 3.5.0.52 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .jsx file. | 2010-08-27 | 9.3 | CVE-2010-3155, EXPLOIT-DB |
| adobe -- captivate | Untrusted search path vulnerability in Adobe Captivate 5.0.0.596, and possibly other versions, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .cptx file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-08-31 | 9.3 | CVE-2010-3191, SECUNIA |
| apple -- quicktime | The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshaling of an untrusted pointer. | 2010-08-31 | 9.3 | CVE-2010-1818, MISC, MISC, MISC |
| bsplayer -- bs.player | Untrusted search path vulnerability in the Indeo filter (iac25_32.ax) in Microsoft Windows, as used in BS.Player, Media Player Classic, and possibly other products, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse iacenc.dll that is located in the same folder as an AVI, .mka, .ra, or .ram file. NOTE: some of these details are obtained from third party information. | 2010-08-27 | 9.3 | CVE-2010-3138, MISC, SECUNIA |
| ibm -- websphere_application_server | IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has unspecified impact and remote attack vectors. | 2010-08-30 | 10.0 | CVE-2010-3186, CONFIRM, CONFIRM, CONFIRM, SECUNIA |
| ibm -- aix | Buffer overflow in ftpd in IBM AIX 5.3 and earlier allows remote attackers to execute arbitrary code via a long NLST command. | 2010-08-30 | 10.0 | CVE-2010-3187, CONFIRM, OSVDB, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR, EXPLOIT-DB, EXPLOIT-DB, SECTRACK, FULLDISC, FULLDISC, FULLDISC, FULLDISC |
| ibm -- db2 | Unspecified vulnerability in the DB2STST program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 has unknown impact and attack vectors. | 2010-08-31 | 10.0 | CVE-2010-3193, XF, VUPEN, CONFIRM, CONFIRM, AIXAPAR, AIXAPAR, AIXAPAR, SECUNIA |
| ibm -- db2 | The DB2DART program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows attackers to bypass intended file access restrictions via unspecified vectors related to overwriting files owned by an instance owner. | 2010-08-31 | 7.5 | CVE-2010-3194, XF, VUPEN, CONFIRM, CONFIRM, AIXAPAR, AIXAPAR, AIXAPAR, SECUNIA |
| ifdefined -- bugtracker.net | SQL injection vulnerability in search.aspx in BugTracker.NET 3.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via a custom field to the search page. | 2010-08-31 | 7.5 | CVE-2010-3188, XF, BUGTRAQ, CONFIRM, SECUNIA |
| microsoft -- windows | Untrusted search path vulnerability in Microsoft Windows Progman Group Converter (grpconv.exe) allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse imm.dll that is located in the same folder as a .grp file. | 2010-08-27 | 9.3 | CVE-2010-3139, VUPEN, EXPLOIT-DB, SECUNIA |
| microsoft -- windows_xp | Untrusted search path vulnerability in Microsoft Windows Internet Communication Settings on Windows XP SP3 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse schannel.dll that is located in the same folder as an ISP file. | 2010-08-27 | 9.3 | CVE-2010-3140, EXPLOIT-DB |
| microsoft -- powerpoint | Untrusted search path vulnerability in Microsoft Power Point 2010 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse pptimpconv.dll that is located in the same folder as a .odp, .pot, .potm, .potx, .ppa, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pwz, .sldm, or .sldx file. | 2010-08-27 | 9.3 | CVE-2010-3141, EXPLOIT-DB |
| microsoft -- powerpoint | Untrusted search path vulnerability in Microsoft Office PowerPoint 2007 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse rpawinet.dll that is located in the same folder as a .odp, .pothtml, .potm, .potx, .ppa, .ppam, .pps, .ppt, .ppthtml, .pptm, .pptxml, .pwz, .sldm, .sldx, and .thmx file. | 2010-08-27 | 9.3 | CVE-2010-3142, EXPLOIT-DB |
| microsoft -- windows | Untrusted search path vulnerability in Microsoft Windows Contacts allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wab32res.dll that is located in the same folder as a .contact, .group, .p7c, .vcf, or .wab file. | 2010-08-27 | 9.3 | CVE-2010-3143, EXPLOIT-DB |
| microsoft -- windows | Untrusted search path vulnerability in Microsoft Internet Connection Signup Wizard allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse smmscrpt.dll that is located in the same folder as an ISP file. | 2010-08-27 | 9.3 | CVE-2010-3144, EXPLOIT-DB |
| microsoft -- windows_vista | Untrusted search path vulnerability in the Microsoft Vista BitLocker Drive Encryption API allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse fveapi.dll that is located in the same folder as a .wbcat file. | 2010-08-27 | 9.3 | CVE-2010-3145, EXPLOIT-DB |
| microsoft -- groove | Untrusted search path vulnerability in Microsoft Office Groove 2007 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse mso.dll or GroovePerfmon.dll that is located in the same folder as a .vcg or .gta file. | 2010-08-27 | 9.3 | CVE-2010-3146, EXPLOIT-DB |
| microsoft -- outlook_express | Untrusted search path vulnerability in Microsoft Address Book (wab.exe) 6.00.2900.5512 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wab32res.dll that is located in the same folder as a .wab, vCard (.vcf), or .p7c file. | 2010-08-27 | 9.3 | CVE-2010-3147, EXPLOIT-DB |
| microsoft -- visio | Untrusted search path vulnerability in Microsoft Visio 2003 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse mfc71enu.dll that is located in the same folder as a .vtx file. | 2010-08-27 | 9.3 | CVE-2010-3148, EXPLOIT-DB |
| microsoft -- visual_studio | Untrusted search path vulnerability in ATL MFC Trace Tool (AtlTraceTool8.exe), as used in Microsoft Visual Studio, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a TRC, cur, rs, rct, or res file. | 2010-08-31 | 9.3 | CVE-2010-3190, MISC, SECUNIA |
| realnetworks -- realplayer | Integer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows might allow remote attackers to execute arbitrary code via a crafted QCP file that triggers a heap-based buffer overflow. | 2010-08-30 | 9.3 | CVE-2010-0116, CONFIRM, MISC |
| realnetworks -- realplayer | RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows do not properly handle dimensions during YUV420 transformations, which might allow remote attackers to execute arbitrary code via crafted MP4 content. | 2010-08-30 | 9.3 | CVE-2010-0117, CONFIRM, MISC |
| realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allows remote attackers to execute arbitrary code via large size values in QCP audio content. | 2010-08-30 | 9.3 | CVE-2010-0120, CONFIRM, MISC |
| realnetworks -- realplayer | Array index error in RealNetworks RealPlayer 11.0 through 11.1 on Windows allows remote attackers to execute arbitrary code via a malformed header in a RealMedia .IVR file. | 2010-08-30 | 9.3 | CVE-2010-2996, MISC, BUGTRAQ, CONFIRM |
| realnetworks -- realplayer | Multiple integer overflows in the ParseKnownType function in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allow remote attackers to execute arbitrary code via crafted (1) HX_FLV_META_AMF_TYPE_MIXEDARRAY or (2) HX_FLV_META_AMF_TYPE_ARRAY data in an FLV file. | 2010-08-30 | 9.3 | CVE-2010-3000, MISC, BUGTRAQ, CONFIRM |
| realnetworks -- realplayer | Unspecified vulnerability in an ActiveX control in the Internet Explorer (IE) plugin in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows has unknown impact and attack vectors related to "multiple browser windows." | 2010-08-30 | 9.3 | CVE-2010-3001, CONFIRM |
| realnetworks -- realplayer | Unspecified vulnerability in RealNetworks RealPlayer 11.0 through 11.1 allows attackers to bypass intended access restrictions on files via unknown vectors. | 2010-08-30 | 9.3 | CVE-2010-3002, CONFIRM |
| trendmicro -- internet_security | The extSetOwner function in the UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll) in Trend Micro Internet Security Pro 2010 allows remote attackers to execute arbitrary code via an invalid address that is dereferenced as a pointer. | 2010-08-31 | 9.3 | CVE-2010-3189, CONFIRM, XF, MISC, VUPEN, SECTRACK, BUGTRAQ, SECUNIA |


Medium Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| cisco -- ios_xr | Cisco IOS XR 3.4.0 through 3.9.1, when BGP is enabled, does not properly handle unrecognized transitive attributes, which allows remote attackers to cause a denial of service (peering reset) via a crafted prefix announcement, as demonstrated in the wild in August 2010 with attribute type code 99, aka Bug ID CSCti62211. | 2010-08-30 | 5.0 | CVE-2010-3035, CISCO, MLIST |
| common1 -- moobbs | Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2010-08-31 | 4.3 | CVE-2010-2364, CONFIRM, SECUNIA, JVNDB, JVN |
| common1 -- moobbs2 | Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs2 before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2010-08-31 | 4.3 | CVE-2010-2365, CONFIRM, SECUNIA, JVNDB, JVN |
| fedoraproject -- sssd | The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password. | 2010-08-30 | 5.1 | CVE-2010-2940, CONFIRM, XF, SECUNIA |
| hp -- hp-ux | Unspecified vulnerability in Software Distributor (sd) in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to gain privileges via unknown vectors. | 2010-08-30 | 6.8 | CVE-2010-2712, HP, HP, XF, SECTRACK, SECUNIA |
| ibm -- db2 | Unspecified vulnerability in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 on Windows Server 2008 allows attackers to cause a denial of service (trap) via vectors involving "special group and user enumeration." | 2010-08-31 | 5.0 | CVE-2010-3195, XF, VUPEN, CONFIRM, CONFIRM, AIXAPAR, AIXAPAR, AIXAPAR, SECUNIA |
| ibm -- db2 | IBM DB2 9.7 before FP2 does not perform the expected access control on the monitor administrative views in the SYSIBMADM schema, which allows remote attackers to obtain sensitive information via unspecified vectors. | 2010-08-31 | 5.0 | CVE-2010-3197, CONFIRM, AIXAPAR |
| iij -- seil/b1_firmware | The IPv6 Unicast Reverse Path Forwarding (RPF) implementation on the SEIL/X1, SEIL/X2, and SEIL/B1 routers with firmware 1.00 through 2.73, when strict mode is used, does not properly drop packets, which might allow remote attackers to bypass intended access restrictions via a spoofed IP address. | 2010-08-30 | 5.8 | CVE-2010-2363, CONFIRM, JVNDB, JVN |
| kde -- kde_sc | Heap-based buffer overflow in the RLE decompression functionality in the TranscribePalmImageToJPEG function in generators/plucker/inplug/image.cpp in Okular in KDE SC 4.3.0 through 4.5.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image in a PDB file. | 2010-08-30 | 6.8 | CVE-2010-2575, CONFIRM, CONFIRM, XF, VUPEN, VUPEN, BUGTRAQ, OSVDB, MANDRIVA, MISC, SECUNIA, FEDORA |
| simone_rota -- slim_simple_login_manager | The default configuration of SLiM before 1.3.2 places ./ (dot slash) at the beginning of the default_path option, which might allow local users to gain privileges via a Trojan horse program in the current working directory, related to slim.conf and cfg.cpp. | 2010-08-30 | 6.9 | CVE-2010-2945, MLIST, MLIST, CONFIRM, SECUNIA |


Low Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ibm -- db2 | IBM DB2 9.7 before FP2, when AUTO_REVAL is IMMEDIATE, allows remote authenticated users to cause a denial of service (loss of privileges) to a view owner by defining a dependent view. | 2010-08-31 | 3.5 | CVE-2010-3196, CONFIRM, AIXAPAR |
| redhat -- spice-xpi | Race condition in the SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to obtain sensitive information, and conduct man-in-the-middle attacks, by providing a UNIX socket for communication between this plug-in and the client (aka qspice-client) in qspice 0.3.0, and then accessing this socket. | 2010-08-30 | 3.3 | CVE-2010-2792, REDHAT, REDHAT, CONFIRM |
| redhat -- spice-xpi | The SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to overwrite arbitrary files via a symlink attack on an unspecified log file. | 2010-08-30 | 3.3 | CVE-2010-2794, CONFIRM, REDHAT |