[Winvulns-announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Vulnerabilities to Windows Systems'
Notification of New Vulnerabilties to Windows Systems Fixlet Messages
winvulns-announcements at bigmail.bigfix.com
Fri Apr 1 04:20:08 PST 2011
Fixlet Site - 'Vulnerabilities to Windows Systems'
Current Version: 249 Published: Fri, 01 Apr 2011 00:26:24 GMT
New Fixlets:
============
***************************************************************
Title: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: High
Fixlet ID: 1164901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11649.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3553
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to unsafe reflection involving the UIDefault.ProxyLazyValue class.
***************************************************************
Title: Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: High
Fixlet ID: 1166201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11662.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3559
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this involves an incorrect sign extension in the HeadspaceSoundbank.nGetName function, which allows attackers to execute arbitrary code via a crafted BANK record that leads to a buffer overflow.
***************************************************************
Title: Input validation vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1181901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11819.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0592
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to input validation vulnerability. A flaw is present in the applications, which fail to properly perform input validation. Successful exploitation allows remote attackers to execute arbitrary code using a crafted 3D file.
***************************************************************
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 and earlier versions
Severity: High
Fixlet ID: 1187601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11876.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3567
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to a calculation error in right-to-left text character counts for the ICU OpenType font rendering implementation, which triggers an out-of-bounds memory access.
***************************************************************
Title: Arbitrary code execution vulnerability Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1192101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval11921.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0596
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to arbitrary code execution vulnerability. A flaw is present in the applications which cause memory corruptions while processing malformed contents within a PDF document. Successful exploitation allows remote attackers to inject scripting code or execute arbitrary commands by tricking a user into opening a malicious PDF document
***************************************************************
Title: Security bypass vulnerability in the extract function in PHP before 5.2.15
Severity: Medium
Fixlet ID: 1201601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12016.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0752
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The extract function in PHP before 5.2.15 does not prevent use of the EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal array and (2) the this variable, which allows context-dependent attackers to bypass intended access restrictions by modifying data structures that were not intended to depend on external input, a related issue to CVE-2005-2691 and CVE-2006-3758.
***************************************************************
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 and earlier versions
Severity: High
Fixlet ID: 1204001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12040.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3566
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that leads to a buffer overflow via a crafted devs (device information) tag structure in a color profile.
***************************************************************
Title: Integer overflow vulnerability in ACE.dll of Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1208101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12081.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0598
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to integer overflow vulnerability. A flaw is present in ACE.dll, which cause an error due to several multiplications of controlled byte values. This leads to an allocation of a small buffer which can subsequently be overflowed. Successful exploitation allows remote attackers to execute arbitrary code using a crafted ICC data
***************************************************************
Title: Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1219301
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12193.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0585
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to unspecified vulnerability. A flaw is present in the applications, which fail to properly process malformed contents within a PDF document. Successful exploitation allows attackers to cause a denial of service or possibly execute arbitrary code using unknown vectors.
***************************************************************
Title: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: Medium
Fixlet ID: 1221701
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12217.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0587
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to cross-site scripting (XSS) vulnerability. A flaw is present in the applications, which fails to properly validate user-supplied input. An unspecified parameter in a specially-crafted URL could execute a script in a victim's Web browser within the security context of the hosting web site, once the URL is clicked. Successful exploitation allows attackers to steal victim's cookie-based authentication credentials.
***************************************************************
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: High
Fixlet ID: 1223101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12231.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3571
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow in the color profile parser that allows remote attackers to execute arbitrary code via a crafted Tag structure in a color profile.
***************************************************************
Title: Remote code execution vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1224801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12248.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0567
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to remote code execution vulnerability. A flaw is present in the applications, which cause memory corruptions while parsing images. Successful exploitation allows attackers to execute arbitrary code or cause a denial of service using a crafted image.
***************************************************************
Title: Input validation vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1225801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12258.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0593
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to input validation vulnerability. A flaw is present in the applications, which fail to properly perform input validation. Successful exploitation allows remote attackers to execute arbitrary code using a crafted 3D file.
***************************************************************
Title: Library-loading vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: Medium
Fixlet ID: 1226201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12262.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0570
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to library-loading vulnerability. A flaw is present in the applications, which fail to directly specify a fully qualified path to a dynamic-linked library (DLL). Successful exploitation allows attackers to execute arbitrary code on the system using a specially-crafted library.
***************************************************************
Title: Race condition vulnerability in the PCNTL extension in PHP before 5.3.4
Severity: Medium
Fixlet ID: 1227101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12271.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0753
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Race condition in the PCNTL extension in PHP before 5.3.4, when a user-defined signal handler exists, might allow context-dependent attackers to cause a denial of service (memory corruption) via a large number of concurrent signals.
***************************************************************
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and earlier versions
Severity: Medium
Fixlet ID: 1227401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12274.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3573
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
***************************************************************
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: High
Fixlet ID: 1232801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12328.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3562
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a double free vulnerability in IndexColorModel that allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.
***************************************************************
Title: Vulnerability in the Standard PHP Library (SPL) extension in PHP before 5.3.4
Severity: Medium
Fixlet ID: 1233401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12334.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0754
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The SplFileInfo::getType function in the Standard PHP Library (SPL) extension in PHP before 5.3.4 on Windows does not properly detect symbolic links, which might make it easier for local users to conduct symlink attacks by leveraging cross-platform differences in the stat structure, related to lack of a FILE_ATTRIBUTE_REPARSE_POINT check.
***************************************************************
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: Medium
Fixlet ID: 1236701
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12367.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3574
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that HttpURLConnection does not properly check for the allowHttpTrace permission, which allows untrusted code to perform HTTP TRACE requests.
***************************************************************
Title: Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: Medium
Fixlet ID: 1237801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12378.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0588
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to untrusted search path vulnerability. A flaw is present in the applications, which does not directly specify a fully qualified path to a dynamic-linked library (DLL) while running on Microsoft Windows. Successful exploitation allows attackers to execute arbitrary code on the system using a specially-crafted library.
***************************************************************
Title: Arbitrary code execution vulnerability Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1242401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12424.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0599
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to arbitrary code execution vulnerability. A flaw is present in the applications, which cause memory corruptions while processing malformed contents within a PDF document. Successful exploitation allows remote attackers to inject scripting code, or execute arbitrary commands by tricking a user into opening a malicious PDF document.
***************************************************************
Title: Arbitrary code execution vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1242801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12428.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0600
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to arbitrary code execution vulnerability. A flaw is present in U3D component, which fails to properly validate Parent Node count that calculates the size of an allocation. The result of this size calculation can be wrapped to an unexpectedly small and insufficient value causing buffer-out-of-bound condition. Successful exploitation allows remote attackers to execute arbitrary code under the context of the application.
***************************************************************
Title: Remote code execution vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1244401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12444.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0594
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to remote code execution vulnerability. A flaw is present in the applications, which fails to properly parse fonts. Successful exploitation allows remote attackers to execute arbitrary code using a crafted font.
***************************************************************
Title: Remote code execution vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1245201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12452.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0563
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to arbitrary code execution vulnerability. A flaw is present in the applications, which cause memory corruptions while processing malformed contents within a PDF document. Successful exploitation allows attackers to execute arbitrary code or cause a denial of service condition using unspecified vectors.
***************************************************************
Title: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 and earlier versions
Severity: High
Fixlet ID: 1245901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12459.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3561
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this involves the use of the privileged accept method in the ServerSocket class, which does not limit which hosts can connect and allows remote attackers to bypass intended network access restrictions.
***************************************************************
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Severity: High
Fixlet ID: 1248401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12484.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3569
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to execute arbitrary code by causing the defaultReadObject method in the Serialization API to set a volatile field multiple times.
***************************************************************
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Severity: Medium
Fixlet ID: 1248801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12488.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3551
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors.
***************************************************************
Title: Memory corruption vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1249201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12492.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0603
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to memory corruption vulnerability. A flaw is present in the applications, which fail to parse images. Successful exploitation allows remote attackers to execute arbitrary code or cause a denial of service condition using a crafted image.
***************************************************************
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: High
Fixlet ID: 1249601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12496.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3556
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
***************************************************************
Title: Remote code execution vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1249701
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12497.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0589
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to arbitrary code execution vulnerability. A flaw is present in the applications, which cause memory corruptions while processing malformed contents within a PDF document. Successful exploitation allows attackers to execute arbitrary code or cause a denial of service condition using unspecified vectors.
***************************************************************
Title: Arbitrary code execution vulnerability Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1250001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12500.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0595
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to arbitrary code execution vulnerability. A flaw is present in the applications, which cause memory corruptions while processing malformed contents within a PDF document. Successful exploitation allows remote attackers to inject scripting code or execute arbitrary commands by tricking a user into opening a malicious PDF document.
***************************************************************
Title: Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update and 21 and earlier versions
Severity: High
Fixlet ID: 1250201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12502.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3558
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
***************************************************************
Title: Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update and 21 and earlier versions
Severity: High
Fixlet ID: 1250801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12508.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3563
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to "how Web Start retrieves security policies," BasicServiceImpl, and forged policies that bypass sandbox restrictions.
***************************************************************
Title: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: Medium
Fixlet ID: 1251801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12518.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3557
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to the modification of "behavior and state of certain JDK classes" and "mutable static."
***************************************************************
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Severity: High
Fixlet ID: 1253101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12531.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3568
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a race condition related to deserialization.
***************************************************************
Title: Input validation vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1253501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12535.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0586
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to input validation vulnerability. A flaw is present in the applications, which fails to properly perform input validation. Successful exploitation allows attackers to execute arbitrary code using unknown vectors.
***************************************************************
Title: Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: High
Fixlet ID: 1253601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12536.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3572
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
***************************************************************
Title: Privilege escalation vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1254801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12548.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0564
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to privilege escalation vulnerability. A flaw is present in the applications, which is caused due to insecure permissions. Successful exploitation allows attackers to gain elevated privileges using unknown vectors.
***************************************************************
Title: Stack-based buffer overflow in rt3d.dll of Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1255001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12550.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0606
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to stack-based buffer overflow vulnerability. A flaw is present in rt3d.dll, which fails to properly perform bounds check while parsing certain files. It explicitly trusts a length embedded within a particular file in order to calculate the length of a buffer. The application will then duplicate an arbitrarily sized string into a statically sized buffer located on the stack. Successful exploitation allows remote attackers to execute arbitrary code or cause a denial of service condition using unspecified vectors.
***************************************************************
Title: Unspecified vulnerability in the New Java Plug-in component in Oracle Java SE and Java for Business 6 Update and 21 and earlier versions
Severity: High
Fixlet ID: 1255201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12552.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3552
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the New Java Plug-in component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
***************************************************************
Title: Library-loading vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: Medium
Fixlet ID: 1255501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12555.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0562
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to library-loading vulnerability. A flaw is present in the applications, which fail to directly specify a fully qualified path to a dynamic-linked library (DLL). Successful exploitation allows attackers to execute arbitrary code on the system using a specially-crafted library.
***************************************************************
Title: Input validation vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1255801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12558.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0591
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to input validation vulnerability. A flaw is present in the applications, which fail to properly perform input validation. Successful exploitation allows remote attackers to execute arbitrary code using a crafted 3D file.
***************************************************************
Title: Arbitrary code execution vulnerability Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1256201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12562.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0602
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to arbitrary code execution vulnerability. A flaw is present in the applications, which cause memory corruptions while processing malformed contents within a PDF document. Successful exploitation allows remote attackers to inject scripting code or execute arbitrary commands by tricking a user into opening a malicious PDF document.
***************************************************************
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Severity: High
Fixlet ID: 1257101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12571.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3565
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that triggers memory corruption via large values in a subsample of a JPEG image, related to JPEGImageWriter.writeImage in the imageio API.
***************************************************************
Title: Unspecified vulnerability in the Deployment Toolkit component in Oracle Java SE and Java for Business 6 Update 21 and earlier versions
Severity: High
Fixlet ID: 1258201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12582.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3570
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Deployment Toolkit component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
***************************************************************
Title: Integer overflow vulnerability in the mt_rand function in PHP before 5.3.4
Severity: Medium
Fixlet ID: 1258901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12589.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0755
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Integer overflow in the mt_rand function in PHP before 5.3.4 might make it easier for context-dependent attackers to predict the return values by leveraging a script's use of a large max parameter, as demonstrated by a value that exceeds mt_getrandmax.
***************************************************************
Title: Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 and earlier versions
Severity: High
Fixlet ID: 1259001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12590.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3550
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
***************************************************************
Title: Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: Medium
Fixlet ID: 1259201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12592.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0604
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to cross-site scripting (XSS) vulnerability. A flaw is present in the applications, which fail to properly validate user-supplied input that leads to execution of scripts, once the URL is clicked in a victim's web browser within the security context of the hosting web site. Successful exploitation allows remote attackers to inject arbitrary web script or HTML using unspecified vectors.
***************************************************************
Title: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Severity: High
Fixlet ID: 1259701
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12597.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3554
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to "permissions granted to certain system objects."
***************************************************************
Title: Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1260601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12606.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0565
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to unspecified vulnerability. A flaw is present in the applications, which causes some errors when processing malformed contents within a PDF document. Successful exploitation allows attackers to cause a denial of service or possibly execute arbitrary code using unknown vectors.
***************************************************************
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update and 21 and earlier versions
Severity: Low
Fixlet ID: 1261401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12614.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3560
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality via unknown vectors.
***************************************************************
Title: Input validation vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1262101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12621.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0590
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to input validation vulnerability. A flaw is present in the applications, which fail to properly perform input validation. Successful exploitation allows remote attackers to execute arbitrary code using a crafted 3D file.
***************************************************************
Title: Remote code execution vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6
Severity: High
Fixlet ID: 1263001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12630.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0566
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The host is installed with Adobe Reader and Acrobat and is prone to remote code execution vulnerability. A flaw is present in the applications, which cause memory corruptions while parsing images. Successful exploitation allows attackers to execute arbitrary code or cause a denial of service using a crafted image.
***************************************************************
Title: Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update and 21 and earlier versions
Severity: High
Fixlet ID: 1264601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12646.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3555
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that the ActiveX Plugin does not properly initialize an object field that is used as a window handle, which allows attackers to execute arbitrary code.
More information about the WinVulns-Announcements
mailing list