[Winvulns-announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Vulnerabilities to Windows Systems'

Notification of New Vulnerabilities to Windows Systems Fixlet Messages winvulns-announcements at bigmail.bigfix.com
Sat Sep 18 05:20:11 PDT 2010


Fixlet Site - 'Vulnerabilities to Windows Systems'
Current Version: 220    Published: Fri, 17 Sep 2010 17:48:28 GMT

New Fixlets:
============

***************************************************************
Title: Google Chrome Image Read Access Restriction Same Origin Policy Bypass Remote Information Disclosure
Severity: Medium
Fixlet ID: 1122101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11221.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3259
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Google Chrome before 6.0.472.53 does not properly restrict read access to images, which allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive information via unspecified vectors.

***************************************************************
Title: Google Chrome Notifications Permissions Implementation Unspecified Memory Corruption
Severity: High
Fixlet ID: 1148001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11480.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3253
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The implementation of notification permissions in Google Chrome before 6.0.472.53 allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

***************************************************************
Title: Mozilla Multiple Products SafeJSObjectWrapper XPCSafeJSObjectWrapper Class Chrome Privileged Object Arbitrary JavaScript Code Execution
Severity: Medium
Fixlet ID: 1149201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11492.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2762
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The wrapper class XPCSafeJSObjectWrapper (SJOW), a security wrapper that allows content-defined objects to be safely accessed by privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may be handed a chrome privileged object which could be leveraged to run arbitrary JavaScript with chrome privileges.

***************************************************************
Title: Mozilla Multiple Products FRAMESET Element cols Attribute Handling Overflow
Severity: High
Fixlet ID: 1151901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11519.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2765
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The implementation of the HTML frameset element contains an integer overflow vulnerability. The code responsible for parsing the frameset columns uses an 8-byte counter for the column numbers, so when a very large number of columns was passed in the counter would overflow. When this counter was subsequently used to allocate memory for the frameset, the memory buffer would be too small, potentially resulting in a heap buffer overflow and execution of attacker-controlled memory.

***************************************************************
Title: Mozilla Multiple Products on Mac OS X data: URL Crafted Font Remote DoS
Severity: High
Fixlet ID: 1155001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11550.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2770
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A specially crafted font could be applied to a document and cause a crash on Mac systems. The crash showed signs of memory corruption and presumably could be used by an attacker to execute arbitrary code on a victim's computer.

***************************************************************
Title: Google Chrome WebSockets Implementation Unspecified Remote DoS
Severity: Medium
Fixlet ID: 1155301
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11553.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3251
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The WebSockets implementation in Google Chrome before 6.0.472.53 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors.

***************************************************************
Title: Adobe Reader and Acrobat CoolType.dll Font Parsing Buffer Overflow Vulnerability
Severity: High
Fixlet ID: 1158601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11586.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2883
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TTF font in a PDF document, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.

***************************************************************
Title: Mozilla Multiple Products XMLHttpRequest Object statusText Property Cross-origin Request Intranet Server Enumeration
Severity: Medium
Fixlet ID: 1168401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11684.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2764
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The statusText property of an XMLHttpRequest object is readable by the requestor even when the request is made across origins. This status information reveals the presence of a web server and could be used to gather information about servers on internal private networks.

***************************************************************
Title: WebKit Element Run-In Styling Use-After-Free Remote Code Execution Vulnerability
Severity: High
Fixlet ID: 1172901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11729.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1806
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A use-after-free issue exists in WebKit's handling of elements with run-in styling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of object pointers.

***************************************************************
Title: Mozilla Multiple Products Document Charset OBJECT Element UTF-7 XSS Protection Mechanism Bypass
Severity: Medium
Fixlet ID: 1173501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11735.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2768
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The type attribute of an 'object' tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an 'object' tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique.

***************************************************************
Title: Google Chrome Counter Node Handling Unspecified Memory Corruption
Severity: High
Fixlet ID: 1173601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11736.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3255
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Google Chrome before 6.0.472.53 does not properly handle counter nodes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

***************************************************************
Title: Google Chrome _blank Value Handling Pop-up Blocker Bypass
Severity: Medium
Fixlet ID: 1175201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11752.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3246
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Google Chrome before 6.0.472.53 does not properly handle the _blank value for the target attribute of unspecified elements, which allows remote attackers to bypass the pop-up blocker via unknown vectors.

***************************************************************
Title: Mozilla Multiple Products normalizeDocument Function DOM Node Removal Deleted Object Arbitrary Code Execution
Severity: High
Fixlet ID: 1177801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11778.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2766
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Code used to normalize a document contained a logical flaw that could be leveraged to run arbitrary code. When the normalization code ran, a static count of the document's child nodes was used in the traversal, so a page could be constructed that would remove DOM nodes during this normalization which could lead to the accessing of a deleted object and potentially the execution of attacker-controlled memory.

***************************************************************
Title: Mozilla Multiple Products nsTreeSelection Selection Range Calculation Overflow
Severity: High
Fixlet ID: 1179901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11799.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2760
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A remaining dangling pointer issue was leftover from the fix to CVE-2010-2753. Under certain circumstances one of the pointers held by a XUL tree selection could be freed and then later reused, potentially resulting in the execution of attacker-controlled memory.

***************************************************************
Title: Apple Safari Search Path Arbitrary Code Execution Vulnerability
Severity: Medium
Fixlet ID: 1195601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11956.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1805
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A search path issue exists in Safari. When displaying the location of a downloaded file, Safari launches Windows Explorer without specifying a full path to the executable. Launching Safari by opening a file in a specific directory will include that directory in the search path. Attempting to reveal the location of a downloaded file may execute an application contained in that directory, which may lead to arbitrary code execution.

***************************************************************
Title: Webkit Floating Point Datatype Remote Code Execution Vulnerability
Severity: High
Fixlet ID: 1196401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11964.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1807
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: An input validation issue exists in WebKit's handling of floating point data types. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of floating point values.

***************************************************************
Title: Mozilla Multiple Products navigator.plugins DOM Plugin Array Destruction Navigator Object Dangling Pointer Arbitrary Code Execution
Severity: High
Fixlet ID: 1196901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11969.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2767
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A dangling pointer vulnerability exists in the implementation of navigator.plugins in which the navigator object could retain a pointer to the plugins array even after it had been destroyed. An attacker could potentially use this issue to crash the browser and run arbitrary code on a victim's computer.

***************************************************************
Title: Google Chrome Notifications Presenter Use-after-free DoS
Severity: High
Fixlet ID: 1198701
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11987.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3252
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Use-after-free vulnerability in the Notifications presenter in Google Chrome before 6.0.472.53 allows attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

***************************************************************
Title: Mozilla Multiple Products XUL Tree Removal Property Change Role Restriction Weakness DoS
Severity: High
Fixlet ID: 1200101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12001.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3168
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: XUL 'tree' objects could be manipulated such that the setting of certain properties on the object would trigger the removal of the tree from the DOM and cause certain sections of deleted memory to be accessed. In products based on Gecko version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has been overwritten by a value that will cause an unexploitable crash. In products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0, and SeaMonkey 2.0) and older an attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer.

***************************************************************
Title: Google Chrome Stored Autocomplete Entry Quantity Limitation Weakness Unspecified Issue
Severity: Low
Fixlet ID: 1202701
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12027.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3256
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Google Chrome before 6.0.472.53 does not properly limit the number of stored autocomplete entries, which has unspecified impact and attack vectors.

***************************************************************
Title: Google Chrome Clipboard Copy Restriction Weakness Unspecified Issue
Severity: Medium
Fixlet ID: 1205201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12052.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3248
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Google Chrome before 6.0.472.53 does not properly restrict copying to the clipboard, which has unspecified impact and attack vectors.

***************************************************************
Title: Google Chrome Installed Extension Set Remote Enumeration
Severity: Medium
Fixlet ID: 1210601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12106.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3250
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Unspecified vulnerability in Google Chrome before 6.0.472.53 allows remote attackers to enumerate the set of installed extensions via unknown vectors.

***************************************************************
Title: Mozilla Multiple Products SafeJSObjectWrapper XPCSafeJSObjectWrapper Class Same Origin Policy Bypass Crafted Function XSS
Severity: Medium
Fixlet ID: 1211401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12114.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2763
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The wrapper class XPCSafeJSObjectWrapper (SJOW) on the Mozilla 1.9.1 development branch has a logical error in its scripted function implementation that allows the caller to run the function within the context of another site. This is a violation of the same-origin policy and could be used to mount an XSS attack.

***************************************************************
Title: Google Chrome WebSockets Implementation Integer Handling Unspecified Remote DoS
Severity: High
Fixlet ID: 1211901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12119.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3254
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The WebSockets implementation in Google Chrome before 6.0.472.53 does not properly handle integer values, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

***************************************************************
Title: Google Chrome Sandbox Parameter Deserialization Weakness Unspecified Remote Issue
Severity: High
Fixlet ID: 1213301
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12133.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3258
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors.

***************************************************************
Title: Mozilla Multiple Products nsTreeContentView Function XUL Tree Node Removal Deleted Memory Dangling Pointer Arbitrary Code Execution
Severity: High
Fixlet ID: 1213601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12136.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3167
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The implementation of the XUL 'tree' content view contains a dangling pointer vulnerability. One of the content view's methods for accessing the internal structure of the tree could be manipulated into removing a node prior to accessing it, resulting in the accessing of deleted memory. If an attacker can control the contents of the deleted memory prior to its access, they could use this vulnerability to run arbitrary code on a victim's machine.

***************************************************************
Title: Google Chrome Focus Handling Stale Pointer Remote DoS
Severity: High
Fixlet ID: 1213801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12138.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3257
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Google Chrome before 6.0.472.53 does not properly perform focus handling, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors, related to a "stale pointer" issue.

***************************************************************
Title: Mozilla Multiple Products Path Subversion Arbitrary DLL Injection Code Execution
Severity: High
Fixlet ID: 1214301
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12143.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3131
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Firefox could be used to load a malicious code library that had been planted on a victim's computer. Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory. An attacker could use this vulnerability to trick a user into downloading an HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed. If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path.

***************************************************************
Title: Mozilla Multiple Products Browser Engine Unspecified Memory Corruption
Severity: High
Fixlet ID: 1214501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12145.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3169
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

***************************************************************
Title: Google Chrome URL Character Restriction Homographic Sequence URL Bar Spoofing Weakness
Severity: Medium
Fixlet ID: 1217601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12176.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3247
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Google Chrome before 6.0.472.53 does not properly restrict the characters in URLs, which allows remote attackers to spoof the appearance of the URL bar via homographic sequences.

***************************************************************
Title: Mozilla Multiple Products nsTextFrameUtils::TransformText Function Bidirectional Text Run Overflow
Severity: High
Fixlet ID: 1218601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12186.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3166
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A heap buffer overflow exists in the code routines responsible for transforming text runs. A page could be constructed with a bidirectional text run which, upon reflow, could result in an incorrect length being calculated for the run of text. When this value is subsequently used to allocate memory for the text, too small a buffer may be created, potentially resulting in a buffer overflow and the execution of attacker-controlled memory.

***************************************************************
Title: Mozilla Multiple Products Document Selection Addition designMode Property XSS
Severity: Medium
Fixlet ID: 1219201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12192.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2769
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: When an HTML selection containing JavaScript is copied and pasted or dropped onto a document with designMode enabled, the JavaScript will be executed within the context of the site where the code was dropped. A malicious site could leverage this issue in an XSS attack by persuading a user to take such an action and, in the process, running malicious JavaScript within the context of another site.

***************************************************************
Title: Google Chrome SVG Filter Stale Pointer Remote DoS
Severity: High
Fixlet ID: 1221101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12211.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3249
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Google Chrome before 6.0.472.53 does not properly implement SVG filters, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors, related to a "stale pointer" issue.
