The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apple -- webkit; google -- chrome | WebKit before r53525, as used in Google Chrome before 4.0.249.89, allows remote attackers to execute arbitrary code in the Chrome sandbox via a malformed RUBY element, as demonstrated by a `<ruby>><table><rt>` sequence. | 2010-02-18 | 9.3 | CVE-2010-0647 CONFIRM |
| apple -- webkit; google -- chrome | WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method. | 2010-02-18 | 7.5 | CVE-2010-0661 CONFIRM CONFIRM |
| dokuwiki -- dokuwiki | A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010. | 2010-02-15 | 7.5 | CVE-2010-0288 CONFIRM DEBIAN SECUNIA FEDORA FEDORA CONFIRM |
| google -- chrome | Multiple integer overflows in factory.cc in Google V8 before r3560, as used in Google Chrome before 4.0.249.89, allow remote attackers to execute arbitrary code in the Chrome sandbox via crafted use of JavaScript arrays. | 2010-02-18 | 9.3 | CVE-2010-0645 CONFIRM |
| google -- chrome | Multiple integer signedness errors in factory.cc in Google V8 before r3560, as used in Google Chrome before 4.0.249.89, allow remote attackers to execute arbitrary code in the Chrome sandbox via crafted use of JavaScript arrays. | 2010-02-18 | 10.0 | CVE-2010-0646 VUPEN CONFIRM |
| google -- chrome | Integer overflow in the CrossCallParamsEx::CreateFromBuffer function in sandbox/src/crosscall_server.cc in Google Chrome before 4.0.249.89 allows attackers to leverage renderer access to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a malformed message, related to deserializing of sandbox messages. | 2010-02-18 | 9.3 | CVE-2010-0649 CONFIRM |
| google -- chrome | Use-after-free vulnerability in Google Chrome before 4.0.249.78 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving the display of a blocked popup window during navigation to a different web site. | 2010-02-18 | 9.3 | CVE-2010-0655 CONFIRM |
| google -- chrome | Google Chrome before 4.0.249.78 on Windows does not perform the expected encoding, escaping, and quoting for the URL in the --app argument in a desktop shortcut, which allows user-assisted remote attackers to execute arbitrary programs or obtain sensitive information by tricking a user into creating a crafted shortcut. | 2010-02-18 | 9.3 | CVE-2010-0657 CONFIRM SECTRACK CONFIRM CONFIRM |
| google -- chrome | Multiple integer overflows in Skia, as used in Google Chrome before 4.0.249.78, allow remote attackers to execute arbitrary code in the Chrome sandbox or cause a denial of service (memory corruption and application crash) via vectors involving CANVAS elements. | 2010-02-18 | 9.3 | CVE-2010-0658 CONFIRM |
| juniper -- odyssey_access_client | Stack-based buffer overflow in dsInstallerService.dll in the Juniper Installer Service, as used in Juniper Odyssey Access Client 4.72.11421.0 and other products, allows remote attackers to execute arbitrary code via a long string in a malformed DSSETUPSERVICE_CMD_UNINSTALL command to the NeoterisSetupService named pipe. | 2010-02-15 | 10.0 | CVE-2009-4643 MISC IDEFENSE |
| realnetworks -- helix_player; realnetworks -- realplayer | Buffer overflow in the Unescape function in common/util/hxurl.cpp and player/hxclientkit/src/CHXClientSink.cpp in Helix Player 1.0.6 and RealPlayer allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a URL argument containing a % (percent) character that is not followed by two hex digits. | 2010-02-18 | 7.5 | CVE-2010-0416 CONFIRM CONFIRM REDHAT MLIST |
| sun -- openoffice.org | Integer overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm/svt_xpmread.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to execute arbitrary code via a crafted XPM file that triggers a heap-based buffer overflow. | 2010-02-16 | 9.3 | CVE-2009-2949 VUPEN |
| sun -- openoffice.org | Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, related to LZW decompression. | 2010-02-16 | 9.3 | CVE-2009-2950 CONFIRM XF VUPEN BID REDHAT CONFIRM CONFIRM DEBIAN SECTRACK SECUNIA SECUNIA |
| sun -- openoffice.org | Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document. | 2010-02-16 | 9.3 | CVE-2009-3301 CONFIRM XF VUPEN BID REDHAT CONFIRM CONFIRM DEBIAN SECTRACK SECUNIA SECUNIA |
| sun -- openoffice.org | filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw." | 2010-02-16 | 9.3 | CVE-2009-3302 CONFIRM XF VUPEN BID REDHAT CONFIRM CONFIRM DEBIAN SECTRACK SECUNIA SECUNIA |
| sun -- openoffice.org | OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document. | 2010-02-16 | 9.3 | CVE-2010-0136 BID MLIST DEBIAN SECTRACK |

Medium Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe -- blazeds; adobe -- coldfusion; adobe -- flex_data_services; adobe -- lifecycle; adobe -- lifecycle_data_services | Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents. | 2010-02-15 | 4.3 | CVE-2009-3960 BID OSVDB CONFIRM SECTRACK |
| adobe -- adobe_air; adobe -- flash_player | Cross-domain vulnerability in Adobe Flash Player before 10.0.45.2 and Adobe AIR before 1.5.3.9130 allows remote attackers to bypass intended sandbox restrictions and make cross-domain requests via unspecified vectors. | 2010-02-15 | 6.8 | CVE-2010-0186 CONFIRM |
| adobe -- adobe_air; adobe -- flash_player | Adobe Flash Player before 10.0.45.2 and Adobe AIR before 1.5.3.9130 allow remote attackers to cause a denial of service (application crash) via a modified SWF file. | 2010-02-15 | 4.3 | CVE-2010-0187 REDHAT CONFIRM BID MISC CONFIRM SECTRACK MISC |
| apple -- safari; apple -- webkit; google -- chrome | WebKit before r52784, as used in Google Chrome before 4.0.249.78 and Apple Safari, permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote HTTP servers to obtain sensitive information via a crafted document. | 2010-02-18 | 4.3 | CVE-2010-0651 CONFIRM |
| apple -- webkit; google -- chrome | WebKit before r51295, as used in Google Chrome before 4.0.249.78, presents a directory-listing page in response to an XMLHttpRequest for a file:/// URL that corresponds to a directory, which allows attackers to obtain sensitive information or possibly have unspecified other impact via a crafted local HTML document. | 2010-02-18 | 4.3 | CVE-2010-0656 CONFIRM |
| apple -- webkit; google -- chrome | The image decoder in WebKit before r52833, as used in Google Chrome before 4.0.249.78, does not properly handle a failure of memory allocation, which allows remote attackers to execute arbitrary code in the Chrome sandbox via a malformed GIF file that specifies a large size. | 2010-02-18 | 6.8 | CVE-2010-0659 CONFIRM |
| cisco -- collaboration_server | Cross-site scripting (XSS) vulnerability in webline/html/admin/wcs/LoginPage.jhtml in Cisco Collaboration Server (CCS) 5 allows remote attackers to inject arbitrary web script or HTML via the dest parameter. | 2010-02-17 | 4.3 | CVE-2010-0641 XF BID MISC |
| cisco -- collaboration_server | Cisco Collaboration Server (CCS) 5 allows remote attackers to read the source code of JHTML files via URL encoded characters in the filename extension, as demonstrated by (1) changing .jhtml to %2Ejhtml, (2) changing .jhtml to .jhtm%6C, (3) appending %00 after .jhtml, and (4) appending %c0%80 after .jhtml, related to the (a) doc/docindex.jhtml, (b) browserId/wizardForm.jhtml, (c) webline/html/forms/callback.jhtml, (d) webline/html/forms/callbackICM.jhtml, (e) webline/html/agent/AgentFrame.jhtml, (f) webline/html/agent/default/badlogin.jhtml, (g) callme/callForm.jhtml, (h) webline/html/multichatui/nowDefunctWindow.jhtml, (i) browserId/wizard.jhtml, (j) admin/CiscoAdmin.jhtml, (k) msccallme/mscCallForm.jhtml, and (l) webline/html/admin/wcs/LoginPage.jhtml components. | 2010-02-17 | 5.0 | CVE-2010-0642 XF BID MISC |
| dokuwiki -- dokuwiki | Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to list the contents of arbitrary directories via a .. (dot dot) in the ns parameter. | 2010-02-15 | 5.0 | CVE-2010-0287 CONFIRM DEBIAN SECUNIA FEDORA FEDORA CONFIRM |
| dokuwiki -- dokuwiki | Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors. | 2010-02-15 | 6.8 | CVE-2010-0289 CONFIRM DEBIAN SECUNIA FEDORA FEDORA CONFIRM |
| google -- chrome | browser/login/login_prompt.cc in Google Chrome before 4.0.249.89 populates an authentication dialog with credentials that were stored by Password Manager for a different web site, which allows user-assisted remote HTTP servers to obtain sensitive information via a URL that requires authentication, as demonstrated by a URL in the SRC attribute of an IMG element. | 2010-02-18 | 4.3 | CVE-2010-0556 CONFIRM |
| google -- chrome | Google Chrome before 4.0.249.89 attempts to make direct connections to web sites when all configured proxy servers are unavailable, which allows remote HTTP servers to obtain potentially sensitive information about the identity of a client user via standard HTTP logging, as demonstrated by a proxy server that was configured for the purpose of anonymity. | 2010-02-18 | 4.3 | CVE-2010-0643 CONFIRM |
| google -- chrome | Google Chrome before 4.0.249.89, when a SOCKS 5 proxy server is configured, sends DNS queries directly, which allows remote DNS servers to obtain potentially sensitive information about the identity of a client user via request logging, as demonstrated by a proxy server that was configured for the purpose of anonymity. | 2010-02-18 | 4.3 | CVE-2010-0644 CONFIRM |
| google -- chrome | Google Chrome before 4.0.249.78 sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain potentially sensitive information via standard HTTP logging. | 2010-02-18 | 5.0 | CVE-2010-0660 CONFIRM |
| google -- chrome | The ParamTraits | 2010-02-18 | 4.3 | CVE-2010-0662 CONFIRM |
| google -- chrome | The ParamTraits | 2010-02-18 | 4.3 | CVE-2010-0663 CONFIRM |
| google -- chrome | Stack consumption vulnerability in the ChildProcessSecurityPolicy::CanRequestURL function in browser/child_process_security_policy.cc in Google Chrome before 4.0.249.78 allows remote attackers to cause a denial of service (memory consumption and application crash) via a URL that specifies multiple protocols, as demonstrated by a URL that begins with many repetitions of the view-source: substring. | 2010-02-18 | 4.3 | CVE-2010-0664 CONFIRM |
| intel -- e1000; linux -- kernel; linux -- kernel | The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess." | 2010-02-15 | 4.6 | CVE-2010-0291 CONFIRM |
| intel -- e1000; linux -- kernel; linux -- kernel | The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function. | 2010-02-17 | 4.7 | CVE-2010-0307 CONFIRM BID MLIST MLIST MLIST MLIST CONFIRM MISC CONFIRM MLIST CONFIRM |
| k5n -- webcalendar | Cross-site request forgery (CSRF) vulnerability in WebCalendar 1.2.0 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-02-15 | 6.8 | CVE-2010-0638 SECUNIA |
| linux -- kernel | The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set. | 2010-02-17 | 4.6 | CVE-2010-0415 CONFIRM |
| microsoft -- internet_explorer | Microsoft Internet Explorer permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote HTTP servers to obtain sensitive information via a crafted document. | 2010-02-18 | 4.3 | CVE-2010-0652 MISC |
| mozilla -- firefox | Mozilla Firefox, possibly before 3.6, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element. | 2010-02-18 | 4.3 | CVE-2010-0648 MISC MISC |
| mozilla -- firefox | Mozilla Firefox permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote HTTP servers to obtain sensitive information via a crafted document. | 2010-02-18 | 4.3 | CVE-2010-0654 MISC |
| opera -- opera_browser | Opera permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote HTTP servers to obtain sensitive information via a crafted document. | 2010-02-18 | 4.3 | CVE-2010-0653 MISC |
| realnetworks -- helix_player; realnetworks -- realplayer | Buffer overflow in common/util/rlstate.cpp in Helix Player 1.0.6 and RealPlayer allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a RuleBook structure with a large number of rule-separator characters that trigger heap memory corruption. | 2010-02-18 | 5.0 | CVE-2010-0417 CONFIRM CONFIRM REDHAT MLIST |
| squid-cache -- squid | The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0 through 3.0.STABLE23 allows remote attackers to cause a denial of service (crash) via crafted packets to the HTCP port, which triggers a NULL pointer dereference. | 2010-02-15 | 5.0 | CVE-2010-0639 VUPEN MISC MISC CONFIRM SECTRACK BID OSVDB MISC |

Low Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apple -- safari; google -- chrome | WebKit, as used in Google Chrome before 4.0.249.78 and Apple Safari, allows remote attackers to bypass intended restrictions on popup windows via crafted use of a mouse click event. | 2010-02-18 | 2.6 | CVE-2010-0650 CONFIRM CONFIRM SECTRACK CONFIRM CONFIRM |
| linux -- kernel | The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. | 2010-02-15 | 2.1 | CVE-2010-0622 CONFIRM |
| linux -- kernel | The futex_lock_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem. | 2010-02-15 | 2.1 | CVE-2010-0623 CONFIRM |