[Winvulns-announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: VulnerabilitiestoWindowsSystems
Notification of New Vulnerabilties to Windows Systems Fixlet Messages
winvulns-announcements at bigmail.bigfix.com
Sat Oct 3 05:20:06 PDT 2009
Fixlet Site - VulnerabilitiestoWindowsSystems
Current Version: 187 Published: Fri, 02 Oct 2009 15:58:23 GMT
New Fixlets:
============
***************************************************************
Title: Apple QuickTime before 7.6.4 allows to execute arbitrary code or DOS Vulnerabilities
Severity: High
Fixlet ID: 546701
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval5467.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2202
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Apple QuickTime before 7.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted H.264 movie file.
***************************************************************
Title: Microsoft Internet Explorer 6 and Internet Explorer 7 KEYGEN element vulnerability
Severity: Medium
Fixlet ID: 551901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval5519.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3267
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Internet Explorer 6 through 6.0.2900.2180, and 7.0.6000.16711, allows remote attackers to cause a denial of service (CPU consumption) via an automatically submitted form containing a KEYGEN element, a related issue to CVE-2009-1828.
***************************************************************
Title: Apple QuickTime before 7.6.4 allows Buffer Overflow Vulnerability
Severity: High
Fixlet ID: 567201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval5672.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2203
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Buffer overflow in Apple QuickTime before 7.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG-4 video file.
***************************************************************
Title: Opera before 10.00 does not properly implement the INPUT TYPE=file functionality
Severity: Medium
Fixlet ID: 567901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval5679.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3048
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Opera before 10.00 on Linux, Solaris, and FreeBSD does not properly implement the "INPUT TYPE=file" functionality, which allows remote attackers to trick a user into uploading an unintended file via vectors involving a "dropped file."
***************************************************************
Title: Mozilla Firefox 'keygen' HTML Tag Denial of Service Vulnerability
Severity: Medium
Fixlet ID: 592801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval5928.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1828
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of service (infinite loop, application hang, and memory consumption) via a KEYGEN element in conjunction with (1) a META element specifying automatic page refresh or (2) a JavaScript onLoad event handler for a BODY element. NOTE: it was later reported that earlier versions are also affected.
***************************************************************
Title: TCP/IP Orphaned Connections Vulnerability
Severity: High
Fixlet ID: 596501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval5965.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1926
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to cause a denial of service (TCP outage) via a series of TCP sessions that have pending data and a (1) small or (2) zero receive window size, and remain in the FIN-WAIT-1 or FIN-WAIT-2 state indefinitely, aka "TCP/IP Orphaned Connections Vulnerability."
***************************************************************
Title: Mozilla Firefox 3.5.x before 3.5.3 allow Denial of Service Vulnerability
Severity: High
Fixlet ID: 598901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval5989.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3069
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
***************************************************************
Title: Mozilla Firefox before 3.0.14 JavaScript engine allow denial of service Vulnerability
Severity: High
Fixlet ID: 605301
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6053.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3074
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the JavaScript engine in Mozilla Firefox before 3.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
***************************************************************
Title: Mozilla Firefox before 3.0.14 allow Denial of Service Vulnerability
Severity: High
Fixlet ID: 607301
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6073.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3070
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
***************************************************************
Title: Mozilla Firefox before 3.0.14 allow remote arbitrary code execution Vulnerability
Severity: High
Fixlet ID: 614001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6140.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3076
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Mozilla Firefox before 3.0.14 does not properly implement certain dialogs associated with the (1) pkcs11.addmodule and (2) pkcs11.deletemodule operations, which makes it easier for remote attackers to trick a user into installing or removing an arbitrary PKCS11 module.
***************************************************************
Title: Apple Safari Cross-site scripting (XSS) vulnerability.
Severity: Medium
Fixlet ID: 620801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6208.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1724
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms, allows remote attackers to inject arbitrary web script or HTML via vectors related to parent and top objects.
***************************************************************
Title: Opera before 10.00 does not properly display all characters in Internationalized Domain Names
Severity: Medium
Fixlet ID: 623501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6235.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3049
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: HASH(0x3e264f4)
***************************************************************
Title: Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3 allow remote arbitrary code Vulnerability
Severity: High
Fixlet ID: 625001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6250.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3079
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to execute arbitrary JavaScript with chrome privileges via vectors involving an object, the FeedWriter, and the BrowserFeedWriter.
***************************************************************
Title: Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3 allow denial of service Vulnerability
Severity: High
Fixlet ID: 631501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6315.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3072
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
***************************************************************
Title: Buffer overflow in the IPMI dissector in Wireshark.
Severity: Medium
Fixlet ID: 637901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6379.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2559
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Buffer overflow in the IPMI dissector in Wireshark 1.2.0 allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an array index error. NOTE: some of these details are obtained from third party information.
***************************************************************
Title: Unspecified vulnerability in the TLS dissector in Wireshark which causes DOS.
Severity: Medium
Fixlet ID: 641301
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6413.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3243
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the TLS dissector in Wireshark 1.2.0 and 1.2.1, when running on Windows, allows remote attackers to cause a denial of service (application crash) via unknown vectors related to TLS 1.2 conversations.
***************************************************************
Title: Pidgin before 2.6.2 allow denial of service via TOPIC message
Severity: Medium
Fixlet ID: 643501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6435.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2703
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple in Pidgin before 2.6.2 allows remote IRC servers to cause a denial of service (NULL pointer dereference and application crash) via a TOPIC message that lacks a topic string.
***************************************************************
Title: Opera before 10.00 trusts root X.509 certificates signed with the MD2 algorithm
Severity: Medium
Fixlet ID: 644201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval6442.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3045
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Opera before 10.00 trusts root X.509 certificates signed with the MD2 algorithm, which makes it easier for man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted server certificate.
More information about the WinVulns-Announcements
mailing list