
Bulletin (SB10-249)

Vulnerability Summary for the Week of August 30, 2010

Original release date: September 07, 2010 | Last revised: February 06, 2013

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
adobe -- device_central_cs5
Untrusted search path vulnerability in Adobe Device Central CS5 3.0.0(376), 3.0.1.0 (3027), and probably other versions allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse qtcf.dll that is located in the same folder as an ADCP file. 2010-08-27 9.3 CVE-2010-3149
EXPLOIT-DB
adobe -- premier_pro_cs4
Untrusted search path vulnerability in Adobe Premier Pro CS4 4.0.0 (314 (MC: 160820)) allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse ibfs32.dll that is located in the same folder as a .pproj, .prfpset, .prexport, .prm, .prmp, .prpreset, .prproj, .prsl, .prtl, or .vpr file. 2010-08-27 9.3 CVE-2010-3150
EXPLOIT-DB
adobe -- onlocation_cs4
Untrusted search path vulnerability in Adobe On Location CS4 Build 315 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse ibfs32.dll that is located in the same folder as an OLPROJ file. 2010-08-27 9.3 CVE-2010-3151
EXPLOIT-DB
adobe -- illustrator
Untrusted search path vulnerability in Adobe Illustrator CS4 14.0.0, CS5 15.0.1, and possibly other versions allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll or aires.dll that is located in the same folder as an .ait or .eps file. 2010-08-27 9.3 CVE-2010-3152
EXPLOIT-DB
adobe -- indesign_cs4
Untrusted search path vulnerability in Adobe InDesign CS4 6.0 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse ibfs32.dll that is located in the same folder as an .indl, .indp, .indt, or .inx file. 2010-08-27 9.3 CVE-2010-3153
EXPLOIT-DB
adobe -- extension_manager_cs5
Untrusted search path vulnerability in Adobe Extension Manager CS5 5.0.298 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .mxi or .mxp file. 2010-08-27 9.3 CVE-2010-3154
EXPLOIT-DB
adobe -- extendedscript_toolkit_cs5
Untrusted search path vulnerability in Adobe ExtendScript Toolkit (ESTK) CS5 3.5.0.52 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .jsx file. 2010-08-27 9.3 CVE-2010-3155
EXPLOIT-DB
adobe -- captivate
Untrusted search path vulnerability in Adobe Captivate 5.0.0.596, and possibly other versions, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .cptx file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2010-08-31 9.3 CVE-2010-3191
SECUNIA
apple -- quicktime
The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshaling of an untrusted pointer. 2010-08-31 9.3 CVE-2010-1818
MISC
MISC
MISC
bsplayer -- bs.player
Untrusted search path vulnerability in the Indeo filter (iac25_32.ax) in Microsoft Windows, as used in BS.Player, Media Player Classic, and possibly other products, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse iacenc.dll that is located in the same folder as an AVI, .mka, .ra, or .ram file. NOTE: some of these details are obtained from third party information. 2010-08-27 9.3 CVE-2010-3138
MISC
SECUNIA
ibm -- websphere_application_server
IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has unspecified impact and remote attack vectors. 2010-08-30 10.0 CVE-2010-3186
CONFIRM
CONFIRM
CONFIRM
SECUNIA
ibm -- aix
Buffer overflow in ftpd in IBM AIX 5.3 and earlier allows remote attackers to execute arbitrary code via a long NLST command. 2010-08-30 10.0 CVE-2010-3187
CONFIRM
OSVDB
AIXAPAR
AIXAPAR
AIXAPAR
AIXAPAR
EXPLOIT-DB
EXPLOIT-DB
SECTRACK
FULLDISC
FULLDISC
FULLDISC
FULLDISC
ibm -- db2
Unspecified vulnerability in the DB2STST program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 has unknown impact and attack vectors. 2010-08-31 10.0 CVE-2010-3193
XF
VUPEN
CONFIRM
CONFIRM
AIXAPAR
AIXAPAR
AIXAPAR
SECUNIA
ibm -- db2
The DB2DART program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows attackers to bypass intended file access restrictions via unspecified vectors related to overwriting files owned by an instance owner. 2010-08-31 7.5 CVE-2010-3194
XF
VUPEN
CONFIRM
CONFIRM
AIXAPAR
AIXAPAR
AIXAPAR
SECUNIA
ifdefined -- bugtracker.net
SQL injection vulnerability in search.aspx in BugTracker.NET 3.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via a custom field to the search page. 2010-08-31 7.5 CVE-2010-3188
XF
BUGTRAQ
CONFIRM
SECUNIA
microsoft -- windows
Untrusted search path vulnerability in Microsoft Windows Progman Group Converter (grpconv.exe) allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse imm.dll that is located in the same folder as a .grp file. 2010-08-27 9.3 CVE-2010-3139
VUPEN
EXPLOIT-DB
SECUNIA
microsoft -- windows_xp
Untrusted search path vulnerability in Microsoft Windows Internet Communication Settings on Windows XP SP3 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse schannel.dll that is located in the same folder as an ISP file. 2010-08-27 9.3 CVE-2010-3140
EXPLOIT-DB
microsoft -- powerpoint
Untrusted search path vulnerability in Microsoft Power Point 2010 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse pptimpconv.dll that is located in the same folder as a .odp, .pot, .potm, .potx, .ppa, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pwz, .sldm, or .sldx file. 2010-08-27 9.3 CVE-2010-3141
EXPLOIT-DB
microsoft -- powerpoint
Untrusted search path vulnerability in Microsoft Office PowerPoint 2007 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse rpawinet.dll that is located in the same folder as a .odp, .pothtml, .potm, .potx, .ppa, .ppam, .pps, .ppt, .ppthtml, .pptm, .pptxml, .pwz, .sldm, .sldx, and .thmx file. 2010-08-27 9.3 CVE-2010-3142
EXPLOIT-DB
microsoft -- windows
Untrusted search path vulnerability in Microsoft Windows Contacts allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wab32res.dll that is located in the same folder as a .contact, .group, .p7c, .vcf, or .wab file. 2010-08-27 9.3 CVE-2010-3143
EXPLOIT-DB
microsoft -- windows
Untrusted search path vulnerability in Microsoft Internet Connection Signup Wizard allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse smmscrpt.dll that is located in the same folder as an ISP file. 2010-08-27 9.3 CVE-2010-3144
EXPLOIT-DB
microsoft -- windows_vista
Untrusted search path vulnerability in the Microsoft Vista BitLocker Drive Encryption API allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse fveapi.dll that is located in the same folder as a .wbcat file. 2010-08-27 9.3 CVE-2010-3145
EXPLOIT-DB
microsoft -- groove
Untrusted search path vulnerability in Microsoft Office Groove 2007 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse mso.dll or GroovePerfmon.dll that is located in the same folder as a .vcg or .gta file. 2010-08-27 9.3 CVE-2010-3146
EXPLOIT-DB
microsoft -- outlook_express
Untrusted search path vulnerability in Microsoft Address Book (wab.exe) 6.00.2900.5512 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wab32res.dll that is located in the same folder as a .wab, vCard (.vcf), or .p7c file. 2010-08-27 9.3 CVE-2010-3147
EXPLOIT-DB
microsoft -- visio
Untrusted search path vulnerability in Microsoft Visio 2003 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse mfc71enu.dll that is located in the same folder as a .vtx file. 2010-08-27 9.3 CVE-2010-3148
EXPLOIT-DB
microsoft -- visual_studio
Untrusted search path vulnerability in ATL MFC Trace Tool (AtlTraceTool8.exe), as used in Microsoft Visual Studio, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a TRC, cur, rs, rct, or res file. 2010-08-31 9.3 CVE-2010-3190
MISC
SECUNIA
realnetworks -- realplayer
Integer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows might allow remote attackers to execute arbitrary code via a crafted QCP file that triggers a heap-based buffer overflow. 2010-08-30 9.3 CVE-2010-0116
CONFIRM
MISC
realnetworks -- realplayer
RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows do not properly handle dimensions during YUV420 transformations, which might allow remote attackers to execute arbitrary code via crafted MP4 content. 2010-08-30 9.3 CVE-2010-0117
CONFIRM
MISC
realnetworks -- realplayer
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allows remote attackers to execute arbitrary code via large size values in QCP audio content. 2010-08-30 9.3 CVE-2010-0120
CONFIRM
MISC
realnetworks -- realplayer
Array index error in RealNetworks RealPlayer 11.0 through 11.1 on Windows allows remote attackers to execute arbitrary code via a malformed header in a RealMedia .IVR file. 2010-08-30 9.3 CVE-2010-2996
MISC
BUGTRAQ
CONFIRM
realnetworks -- realplayer
Multiple integer overflows in the ParseKnownType function in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allow remote attackers to execute arbitrary code via crafted (1) HX_FLV_META_AMF_TYPE_MIXEDARRAY or (2) HX_FLV_META_AMF_TYPE_ARRAY data in an FLV file. 2010-08-30 9.3 CVE-2010-3000
MISC
BUGTRAQ
CONFIRM
realnetworks -- realplayer
Unspecified vulnerability in an ActiveX control in the Internet Explorer (IE) plugin in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows has unknown impact and attack vectors related to "multiple browser windows." 2010-08-30 9.3 CVE-2010-3001
CONFIRM
realnetworks -- realplayer
Unspecified vulnerability in RealNetworks RealPlayer 11.0 through 11.1 allows attackers to bypass intended access restrictions on files via unknown vectors. 2010-08-30 9.3 CVE-2010-3002
CONFIRM
trendmicro -- internet_security
The extSetOwner function in the UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll) in Trend Micro Internet Security Pro 2010 allows remote attackers to execute arbitrary code via an invalid address that is dereferenced as a pointer. 2010-08-31 9.3 CVE-2010-3189
CONFIRM
XF
MISC
VUPEN
SECTRACK
BUGTRAQ
SECUNIA

Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
cisco -- ios_xr
Cisco IOS XR 3.4.0 through 3.9.1, when BGP is enabled, does not properly handle unrecognized transitive attributes, which allows remote attackers to cause a denial of service (peering reset) via a crafted prefix announcement, as demonstrated in the wild in August 2010 with attribute type code 99, aka Bug ID CSCti62211. 2010-08-30 5.0 CVE-2010-3035
CISCO
MLIST
common1 -- moobbs
Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2010-08-31 4.3 CVE-2010-2364
CONFIRM
SECUNIA
JVNDB
JVN
common1 -- moobbs2
Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs2 before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2010-08-31 4.3 CVE-2010-2365
CONFIRM
SECUNIA
JVNDB
JVN
fedoraproject -- sssd
The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password. 2010-08-30 5.1 CVE-2010-2940
CONFIRM
XF
SECUNIA
hp -- hp-ux
Unspecified vulnerability in Software Distributor (sd) in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to gain privileges via unknown vectors. 2010-08-30 6.8 CVE-2010-2712
HP
HP
XF
SECTRACK
SECUNIA
ibm -- db2
Unspecified vulnerability in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 on Windows Server 2008 allows attackers to cause a denial of service (trap) via vectors involving "special group and user enumeration." 2010-08-31 5.0 CVE-2010-3195
XF
VUPEN
CONFIRM
CONFIRM
AIXAPAR
AIXAPAR
AIXAPAR
SECUNIA
ibm -- db2
IBM DB2 9.7 before FP2 does not perform the expected access control on the monitor administrative views in the SYSIBMADM schema, which allows remote attackers to obtain sensitive information via unspecified vectors. 2010-08-31 5.0 CVE-2010-3197
CONFIRM
AIXAPAR
iij -- seil/b1_firmware
The IPv6 Unicast Reverse Path Forwarding (RPF) implementation on the SEIL/X1, SEIL/X2, and SEIL/B1 routers with firmware 1.00 through 2.73, when strict mode is used, does not properly drop packets, which might allow remote attackers to bypass intended access restrictions via a spoofed IP address. 2010-08-30 5.8 CVE-2010-2363
CONFIRM
JVNDB
JVN
kde -- kde_sc
Heap-based buffer overflow in the RLE decompression functionality in the TranscribePalmImageToJPEG function in generators/plucker/inplug/image.cpp in Okular in KDE SC 4.3.0 through 4.5.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image in a PDB file. 2010-08-30 6.8 CVE-2010-2575
CONFIRM
CONFIRM
XF
VUPEN
VUPEN
BUGTRAQ
OSVDB
MANDRIVA
MISC
SECUNIA
FEDORA
simone_rota -- slim_simple_login_manager
The default configuration of SLiM before 1.3.2 places ./ (dot slash) at the beginning of the default_path option, which might allow local users to gain privileges via a Trojan horse program in the current working directory, related to slim.conf and cfg.cpp. 2010-08-30 6.9 CVE-2010-2945
MLIST
MLIST
CONFIRM
SECUNIA

Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
ibm -- db2
IBM DB2 9.7 before FP2, when AUTO_REVAL is IMMEDIATE, allows remote authenticated users to cause a denial of service (loss of privileges) to a view owner by defining a dependent view. 2010-08-31 3.5 CVE-2010-3196
CONFIRM
AIXAPAR
redhat -- spice-xpi
Race condition in the SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to obtain sensitive information, and conduct man-in-the-middle attacks, by providing a UNIX socket for communication between this plug-in and the client (aka qspice-client) in qspice 0.3.0, and then accessing this socket. 2010-08-30 3.3 CVE-2010-2792
REDHAT
REDHAT
CONFIRM
redhat -- spice-xpi
The SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to overwrite arbitrary files via a symlink attack on an unspecified log file. 2010-08-30 3.3 CVE-2010-2794
CONFIRM
REDHAT

This product is provided subject to this Notification and this Privacy & Use policy.
