Vulnerability Summary for the Week of December 13, 2010
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
exim -- exim | Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging. | 2010-12-14 | 9.3 | CVE-2010-4344 OSVDB MLIST CONFIRM CONFIRM CONFIRM VUPEN VUPEN VUPEN VUPEN VUPEN UBUNTU MISC REDHAT MISC MLIST DEBIAN SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA MLIST SUSE CONFIRM |
microsoft -- publisher | pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2002 SP3, 2003 SP3, and 2007 SP2 does not properly handle an unspecified size field in certain older file formats, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted Publisher file, aka "Size Value Heap Corruption in pubconv.dll Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-2569 MS |
microsoft -- publisher | Heap-based buffer overflow in pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2002 SP3, 2003 SP3, 2007 SP2, and 2010 allows remote attackers to execute arbitrary code via a crafted Publisher file that uses an old file format, aka "Heap Overrun in pubconv.dll Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-2570 MS |
microsoft -- publisher | Array index error in pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted Publisher 97 file, aka "Memory Corruption Due To Invalid Index Into Array in Pubconv.dll Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-2571 MS |
microsoft -- windows_7 | The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly determine the security context of scheduled tasks, which allows local users to gain privileges via a crafted application, aka "Task Scheduler Vulnerability." NOTE: this might overlap CVE-2010-3888. | 2010-12-16 | 7.2 | CVE-2010-3338 MS |
microsoft -- ie | Microsoft Internet Explorer 6 and 7 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3340 MS |
microsoft -- ie | Microsoft Internet Explorer 6 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3343 MS |
microsoft -- ie | Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Element Memory Corruption Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3345 MS |
microsoft -- ie | Microsoft Internet Explorer 6, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Element Memory Corruption Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3346 MS |
microsoft -- windows_2003_server | Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via vectors related to improper memory allocation for copies from user mode, aka "Win32k Buffer Overflow Vulnerability." | 2010-12-16 | 7.2 | CVE-2010-3939 MS |
microsoft -- windows_2003_server | Double free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted application, aka "Win32k PFE Pointer Double Free Vulnerability." | 2010-12-16 | 7.2 | CVE-2010-3940 MS |
microsoft -- windows_2003_server | Double free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold and SP2, and Windows 7 allows local users to gain privileges via a crafted application, aka "Win32k Double Free Vulnerability." | 2010-12-16 | 7.2 | CVE-2010-3941 MS |
microsoft -- windows_2003_server | win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly allocate memory for copies from user mode, which allows local users to gain privileges via a crafted application, aka "Win32k WriteAV Vulnerability." | 2010-12-16 | 7.2 | CVE-2010-3942 MS |
microsoft -- windows_2003_server | win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly link driver objects, which allows local users to gain privileges via a crafted application that triggers linked-list corruption, aka "Win32k Cursor Linking Vulnerability." | 2010-12-16 | 7.2 | CVE-2010-3943 MS |
microsoft -- windows_7 | win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Vulnerability." | 2010-12-16 | 7.2 | CVE-2010-3944 MS |
microsoft -- office | Buffer overflow in the CGM image converter in the graphics filters in Microsoft Office XP SP3, Office 2003 SP3, and Office Converter Pack allows remote attackers to execute arbitrary code via a crafted CGM image in an Office document, aka "CGM Image Converter Buffer Overrun Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3945 MS |
microsoft -- office | Integer overflow in the PICT image converter in the graphics filters in Microsoft Office XP SP3, Office 2003 SP3, and Office Converter Pack allows remote attackers to execute arbitrary code via a crafted PICT image in an Office document, aka "PICT Image Converter Integer Overflow Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3946 MS |
microsoft -- office | Heap-based buffer overflow in the TIFF image converter in the graphics filters in Microsoft Office XP SP3, Office Converter Pack, and Works 9 allows remote attackers to execute arbitrary code via a crafted TIFF image in an Office document, aka "TIFF Image Converter Heap Overflow Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3947 MS |
microsoft -- office | Buffer overflow in the TIFF image converter in the graphics filters in Microsoft Office XP SP3 and Office Converter Pack allows remote attackers to execute arbitrary code via a crafted TIFF image in an Office document, aka "TIFF Image Converter Buffer Overflow Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3949 MS |
microsoft -- office | The TIFF image converter in the graphics filters in Microsoft Office XP SP3, Office Converter Pack, and Works 9 does not properly convert data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted TIFF image in an Office document, aka "TIFF Image Converter Memory Corruption Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3950 MS |
microsoft -- office | Buffer overflow in the FlashPix image converter in the graphics filters in Microsoft Office XP SP3 and Office Converter Pack allows remote attackers to execute arbitrary code via a crafted FlashPix image in an Office document, aka "FlashPix Image Converter Buffer Overflow Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3951 MS |
microsoft -- office | The FlashPix image converter in the graphics filters in Microsoft Office XP SP3 and Office Converter Pack allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted FlashPix image in an Office document, aka "FlashPix Image Converter Heap Corruption Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3952 MS |
microsoft -- publisher | Microsoft Publisher 2002 SP3, 2003 SP3, and 2010 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Publisher file, aka "Microsoft Publisher Memory Corruption Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3954 MS |
microsoft -- publisher | pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2002 SP3 does not properly perform array indexing, which allows remote attackers to execute arbitrary code via a crafted Publisher file that uses an old file format, aka "Array Indexing Memory Corruption Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3955 MS |
microsoft -- windows_2003_server | The OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly perform array indexing, which allows local users to gain privileges via a crafted OpenType font, aka "OpenType Font Index Vulnerability." | 2010-12-16 | 9.3 | CVE-2010-3956 MS |
microsoft -- windows_7 | The Consent User Interface (UI) in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly handle an unspecified registry-key value, which allows local users with SeImpersonatePrivilege rights to gain privileges via a crafted application, aka "Consent UI Impersonation Vulnerability." | 2010-12-16 | 7.2 | CVE-2010-3961 MS |
microsoft -- windows_2003_server | Buffer overflow in the Routing and Remote Access NDProxy component in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, related to the Routing and Remote Access service (RRAS) and improper copying from user mode to the kernel, aka "Kernel NDProxy Buffer Overflow Vulnerability." | 2010-12-16 | 7.2 | CVE-2010-3963 MS |
microsoft -- sharepoint_server | Unrestricted file upload vulnerability in the Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2, when the Document Conversions Load Balancer Service is enabled, allows remote attackers to execute arbitrary code via a crafted SOAP request to TCP port 8082, aka "Malformed Request Code Execution Vulnerability." | 2010-12-16 | 7.5 | CVE-2010-3964 MS |
mozilla -- firefox | Use-after-free vulnerability in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allows remote attackers to execute arbitrary code via vectors involving a change to an nsDOMAttribute node. | 2010-12-10 | 9.3 | CVE-2010-3766 CONFIRM CONFIRM |
mozilla -- firefox | Integer overflow in the NewIdArray function in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allows remote attackers to execute arbitrary code via a JavaScript array with many elements. | 2010-12-10 | 9.3 | CVE-2010-3767 CONFIRM CONFIRM |
mozilla -- firefox | Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 do not properly validate downloadable fonts before use within an operating system's font implementation, which allows remote attackers to execute arbitrary code via vectors related to @font-face Cascading Style Sheets (CSS) rules. | 2010-12-10 | 9.3 | CVE-2010-3768 CONFIRM CONFIRM CONFIRM |
mozilla -- firefox | The line-breaking implementation in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 on Windows does not properly handle long strings, which allows remote attackers to execute arbitrary code via a crafted document.write call that triggers a buffer over-read. | 2010-12-10 | 9.3 | CVE-2010-3769 CONFIRM CONFIRM OSVDB |
mozilla -- firefox | Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly calculate index values for certain child content in a XUL tree, which allows remote attackers to execute arbitrary code via vectors involving a DIV element within a treechildren element. | 2010-12-10 | 9.3 | CVE-2010-3772 CONFIRM CONFIRM |
mozilla -- firefox | Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle certain redirections involving data: URLs and Java LiveConnect scripts, which allows remote attackers to start processes, read arbitrary local files, and establish network connections via vectors involving a refresh value in the http-equiv attribute of a META element. | 2010-12-10 | 9.3 | CVE-2010-3775 CONFIRM CONFIRM CONFIRM CONFIRM |
mozilla -- firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2010-12-10 | 9.3 | CVE-2010-3776 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
mozilla -- firefox | Unspecified vulnerability in Mozilla Firefox 3.6.x before 3.6.13 and Thunderbird 3.1.x before 3.1.7 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2010-12-10 | 9.3 | CVE-2010-3777 CONFIRM CONFIRM |
mozilla -- firefox | Unspecified vulnerability in Mozilla Firefox 3.5.x before 3.5.16, Thunderbird before 3.0.11, and SeaMonkey before 2.0.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2010-12-10 | 9.3 | CVE-2010-3778 CONFIRM CONFIRM |
realnetworks -- realplayer | The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 does not properly perform initialization, which has unspecified impact and attack vectors. | 2010-12-14 | 10.0 | CVE-2010-0121 CONFIRM |
realnetworks -- realplayer | RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 do not properly parse spectral data in AAC files, which has unspecified impact and remote attack vectors. | 2010-12-14 | 10.0 | CVE-2010-0125 CONFIRM |
realnetworks -- realplayer | Use-after-free vulnerability in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.0.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted StreamTitle tag in an ICY SHOUTcast stream, related to the SMIL file format. | 2010-12-14 | 9.3 | CVE-2010-2997 MISC CONFIRM |
realnetworks -- realplayer | Integer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.0.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed MLLT atom in an AAC file. | 2010-12-14 | 9.3 | CVE-2010-2999 MISC CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via malformed multi-rate data in an audio stream. | 2010-12-14 | 9.3 | CVE-2010-4375 MISC CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a large Screen Width value in the Screen Descriptor header of a GIF87a file in an RTSP stream. | 2010-12-14 | 9.3 | CVE-2010-4376 MISC CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code by specifying many subbands in cook audio codec information in a Real Audio file. | 2010-12-14 | 9.3 | CVE-2010-4377 MISC CONFIRM |
realnetworks -- realplayer | The drv2.dll (aka RV20 decompression) module in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, RealPlayer Enterprise 2.1.2 and 2.1.3, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted value of an unspecified length field in an RV20 video stream. | 2010-12-14 | 9.3 | CVE-2010-4378 MISC CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to have an unspecified impact via a crafted SIPR file. | 2010-12-14 | 9.3 | CVE-2010-4379 CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, and RealPlayer Enterprise 2.1.2 allows remote attackers to have an unspecified impact via a crafted SOUND file. | 2010-12-14 | 9.3 | CVE-2010-4380 CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 allows remote attackers to have an unspecified impact via a crafted AAC file. | 2010-12-14 | 9.3 | CVE-2010-4381 CONFIRM |
realnetworks -- realplayer | Multiple heap-based buffer overflows in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Linux RealPlayer 11.0.2.1744 allow remote attackers to have an unspecified impact via a crafted RealMedia file. | 2010-12-14 | 9.3 | CVE-2010-4382 CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to have an unspecified impact via a crafted RA5 file. | 2010-12-14 | 9.3 | CVE-2010-4383 CONFIRM |
realnetworks -- realplayer | Array index error in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a malformed Media Properties Header (aka MDPR) in a RealMedia file. | 2010-12-14 | 9.3 | CVE-2010-4384 MISC CONFIRM |
realnetworks -- realplayer | Integer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Linux RealPlayer 11.0.2.1744 allows remote attackers to have an unspecified impact via crafted frame dimensions in an SIPR stream. | 2010-12-14 | 9.3 | CVE-2010-4385 CONFIRM |
realnetworks -- realplayer | RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, and Linux RealPlayer 11.0.2.1744 allow remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted RealMedia video file. | 2010-12-14 | 9.3 | CVE-2010-4386 CONFIRM IDEFENSE |
realnetworks -- realplayer | The RealAudio codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted audio stream in a RealMedia file. | 2010-12-14 | 9.3 | CVE-2010-4387 CONFIRM IDEFENSE |
realnetworks -- realplayer | Heap-based buffer overflow in the cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via unspecified data in the initialization buffer. | 2010-12-14 | 9.3 | CVE-2010-4389 MISC CONFIRM |
realnetworks -- realplayer | Multiple heap-based buffer overflows in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and Linux RealPlayer 11.0.2.1744 allow remote attackers to have an unspecified impact via a crafted header in an IVR file. | 2010-12-14 | 9.3 | CVE-2010-4390 CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.1.2 and 2.1.3 allows remote attackers to execute arbitrary code via a crafted value in an unspecified header field in an RMX file. | 2010-12-14 | 9.3 | CVE-2010-4391 MISC CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, RealPlayer Enterprise 2.1.2 and 2.1.3, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via crafted ImageMap data in a RealMedia file, related to certain improper integer calculations. | 2010-12-14 | 9.3 | CVE-2010-4392 MISC CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.5 allows remote web servers to execute arbitrary code via a long Server header in a response to an HTTP request that occurs during parsing of a RealPix file. | 2010-12-14 | 9.3 | CVE-2010-4394 MISC CONFIRM |
realnetworks -- realplayer | Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a crafted conditional component in AAC frame data. | 2010-12-14 | 9.3 | CVE-2010-4395 MISC CONFIRM |
realnetworks -- realplayer | Integer overflow in the pnen3260.dll module in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a crafted TIT2 atom in an AAC file. | 2010-12-14 | 9.3 | CVE-2010-4397 MISC CONFIRM |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
exim -- exim | Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive. | 2010-12-14 | 6.9 | CVE-2010-4345 CERT-VN CONFIRM MLIST CONFIRM VUPEN VUPEN MISC MISC MLIST DEBIAN SECUNIA MLIST SUSE MLIST |
fenrir -- grani | Fenrir Grani 4.5 and earlier does not prevent interaction between web script and the clipboard, which allows remote attackers to read or modify the clipboard contents via a crafted web site. | 2010-12-10 | 5.8 | CVE-2010-3919 CONFIRM SECUNIA JVNDB JVN |
fenrir-inc -- sleipnir | Fenrir Sleipnir 2.9.6 and earlier does not prevent interaction between web script and the clipboard, which allows remote attackers to read or modify the clipboard contents via a crafted web site. | 2010-12-10 | 5.8 | CVE-2010-3918 CONFIRM CONFIRM OSVDB SECUNIA JVNDB JVN |
ibm -- lotus_notes_traveler | The encrypted e-mail feature in IBM Lotus Notes Traveler before 8.5.0.2 sends unencrypted messages when the feature is used without uploading a Notes ID file, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. | 2010-12-16 | 5.8 | CVE-2009-5032 CONFIRM AIXAPAR CONFIRM |
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.0.2 does not properly handle a "* *" argument sequence for a certain tell command, which allows remote authenticated users to obtain access to other users' data via a sync operation, related to storage of the data of multiple users within the same thread. | 2010-12-16 | 4.0 | CVE-2009-5033 CONFIRM AIXAPAR CONFIRM |
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.0.2 allows remote authenticated users to cause a denial of service (memory consumption and daemon crash) by syncing a large volume of data, related to the launch of a new process to handle the data while the previous process is still operating on the data. | 2010-12-16 | 4.0 | CVE-2009-5034 CONFIRM AIXAPAR CONFIRM |
ibm -- lotus_notes_traveler | The Nokia client in IBM Lotus Notes Traveler before 8.5.0.2 does not properly handle multiple outgoing e-mail messages between sync operations, which might allow remote attackers to read communications intended for other recipients by examining appended messages. | 2010-12-16 | 4.3 | CVE-2009-5035 CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | traveler.exe in IBM Lotus Notes Traveler before 8.0.1.3 CF1 allows remote authenticated users to cause a denial of service (daemon crash) via a malformed invitation document in a sync operation. | 2010-12-16 | 4.0 | CVE-2009-5036 CONFIRM AIXAPAR CONFIRM |
ibm -- lotus_notes_traveler | Cross-site scripting (XSS) vulnerability in the servlet in IBM Lotus Notes Traveler before 8.5.1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2010-12-16 | 4.3 | CVE-2010-4544 XF VUPEN CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.1.2 allows remote authenticated users to cause a denial of service (resource consumption and sync outage) by syncing a large volume of data. | 2010-12-16 | 4.0 | CVE-2010-4545 CONFIRM CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.1.2 does not reject an attachment download request for an e-mail message with a Prevent Copy attribute, which allows remote authenticated users to bypass intended access restrictions via this request. | 2010-12-16 | 4.0 | CVE-2010-4546 CONFIRM CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.1.3 on the Nokia s60 device successfully performs a Replace Data operation for a prohibited application, which allows remote authenticated users to bypass intended access restrictions via this operation. | 2010-12-16 | 4.0 | CVE-2010-4549 CONFIRM CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.1.3 allows remote attackers to cause a denial of service (sync failure) via a malformed document. | 2010-12-16 | 5.0 | CVE-2010-4550 CONFIRM CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.1.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by omitting the Internet ID field in the person document, and then using an Apple device to (1) accept or (2) decline an invitation. | 2010-12-16 | 4.0 | CVE-2010-4551 CONFIRM CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | Memory leak in IBM Lotus Notes Traveler before 8.5.1.1 allows remote attackers to cause a denial of service (memory consumption and daemon outage) by sending many embedded objects in e-mail messages for iPhone clients. | 2010-12-16 | 5.0 | CVE-2010-4552 CONFIRM CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | An unspecified Domino API in IBM Lotus Notes Traveler before 8.5.1.1 does not properly handle MIME types, which allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors. | 2010-12-16 | 5.0 | CVE-2010-4553 CONFIRM CONFIRM AIXAPAR |
linux -- kernel | net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions. | 2010-12-10 | 4.9 | CVE-2010-3880 MLIST MLIST MLIST CONFIRM CONFIRM BID CONFIRM SECUNIA |
linux -- kernel | Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call. | 2010-12-10 | 6.0 | CVE-2010-4157 CONFIRM MLIST MLIST MLIST MLIST MLIST CONFIRM BID CONFIRM MLIST |
microsoft -- windows_2003_server | The Netlogon RPC Service in Microsoft Windows Server 2003 SP2 and Server 2008 Gold, SP2, and R2, when the domain controller role is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and reboot) via a crafted RPC packet, aka "Netlogon RPC Null dereference DOS Vulnerability." | 2010-12-16 | 5.4 | CVE-2010-2742 MS |
microsoft -- ie | Microsoft Internet Explorer 6, 7, and 8 does not prevent rendering of cached content as HTML, which allows remote attackers to access content from a different (1) domain or (2) zone via unspecified script code, aka "Cross-Domain Information Disclosure Vulnerability," a different vulnerability than CVE-2010-3348. | 2010-12-16 | 4.3 | CVE-2010-3342 MS |
microsoft -- ie | Microsoft Internet Explorer 6, 7, and 8 does not prevent rendering of cached content as HTML, which allows remote attackers to access content from a different (1) domain or (2) zone via unspecified script code, aka "Cross-Domain Information Disclosure Vulnerability," a different vulnerability than CVE-2010-3342. | 2010-12-16 | 4.3 | CVE-2010-3348 MS |
microsoft -- exchange_server | Microsoft Exchange Server 2007 SP2 on the x64 platform allows remote authenticated users to cause a denial of service (infinite loop and MSExchangeIS outage) via a crafted RPC request, aka "Exchange Server Infinite Loop Vulnerability." | 2010-12-16 | 4.0 | CVE-2010-3937 MS |
microsoft -- windows_2003_server | Double free vulnerability in the OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted OpenType font, aka "OpenType Font Double Free Vulnerability." | 2010-12-16 | 6.9 | CVE-2010-3957 MS |
microsoft -- windows_2003_server | The OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted CMAP table in an OpenType font, aka "OpenType CMAP Table Vulnerability." | 2010-12-16 | 6.9 | CVE-2010-3959 MS |
microsoft -- windows_server_2008 | Hyper-V in Microsoft Windows Server 2008 Gold, SP2, and R2 allows guest OS users to cause a denial of service (host OS hang) by sending a crafted encapsulated packet over the VMBus, aka "Hyper-V VMBus Vulnerability." | 2010-12-16 | 4.9 | CVE-2010-3960 MS |
microsoft -- windows_media_encoder | Untrusted search path vulnerability in Windows Media Encoder 9 on Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, and Windows Server 2008 Gold and SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Windows Media Profile (PRX) file, aka "Insecure Library Loading Vulnerability." | 2010-12-16 | 6.9 | CVE-2010-3965 MS |
microsoft -- windows_7 | Untrusted search path vulnerability in Microsoft Windows Server 2008 R2 and Windows 7, when BranchCache is supported, allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains an EML file, an RSS file, or a WPOST file, aka "BranchCache Insecure Library Loading Vulnerability." | 2010-12-16 | 6.9 | CVE-2010-3966 MS |
microsoft -- windows_movie_maker | Untrusted search path vulnerability in Microsoft Windows Movie Maker (WMM) 2.6 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Movie Maker (MSWMM) file, aka "Insecure Library Loading Vulnerability." | 2010-12-16 | 6.9 | CVE-2010-3967 MS |
mozilla -- firefox | Multiple cross-site scripting (XSS) vulnerabilities in the rendering engine in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allow remote attackers to inject arbitrary web script or HTML via (1) x-mac-arabic, (2) x-mac-farsi, or (3) x-mac-hebrew characters. | 2010-12-10 | 4.3 | CVE-2010-3770 CONFIRM CONFIRM |
mozilla -- firefox | Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle injection of an ISINDEX element into an about:blank page, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via vectors related to redirection to a chrome: URI. | 2010-12-10 | 6.8 | CVE-2010-3771 CONFIRM CONFIRM |
mozilla -- firefox | Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0179. | 2010-12-10 | 6.8 | CVE-2010-3773 CONFIRM CONFIRM |
mozilla -- firefox | The NS_SecurityCompareURIs function in netwerk/base/public/nsNetUtil.h in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle (1) about:neterror and (2) about:certerror pages, which allows remote attackers to spoof the location bar via a crafted web site. | 2010-12-10 | 4.3 | CVE-2010-3774 CONFIRM CONFIRM |
realnetworks -- realplayer | The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 does not properly initialize the number of channels, which allows attackers to obtain unspecified "memory access" via unknown vectors. | 2010-12-14 | 5.0 | CVE-2010-2579 CONFIRM |
realnetworks -- realplayer | The (1) Upsell.htm, (2) Main.html, and (3) Custsupport.html components in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.1.2 and 2.1.3 allow remote attackers to inject code into the RealOneActiveXObject process, and consequently bypass intended Local Machine Zone restrictions and load arbitrary ActiveX controls, via unspecified vectors. | 2010-12-14 | 4.3 | CVE-2010-4388 MISC MISC MISC CONFIRM |
realnetworks -- realplayer | Cross-zone scripting vulnerability in the HandleAction method in a certain ActiveX control in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, and RealPlayer Enterprise 2.1.2 allows remote attackers to inject arbitrary web script or HTML in the Local Zone by specifying a local file in a NavigateToURL action, as demonstrated by a local skin file. | 2010-12-14 | 4.3 | CVE-2010-4396 MISC CONFIRM |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.1.3, when a multidomain environment is used, does not properly apply policy documents to mobile users from a different Domino domain than the Traveler server, which allows remote authenticated users to bypass intended access restrictions by using credentials from a different domain. | 2010-12-16 | 3.5 | CVE-2010-4547 CONFIRM CONFIRM AIXAPAR |
ibm -- lotus_notes_traveler | IBM Lotus Notes Traveler before 8.5.1.2 allows remote authenticated users to cause a denial of service (daemon crash) by accepting a meeting invitation with an iNotes client and then accepting this meeting invitation with an iPhone client. | 2010-12-16 | 2.1 | CVE-2010-4548 CONFIRM CONFIRM AIXAPAR |
linux -- kernel | The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize a certain block of heap memory, which allows local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than CVE-2010-2478. | 2010-12-10 | 2.1 | CVE-2010-3861 MLIST MLIST CONFIRM CONFIRM BID CONFIRM |