Spyware, Viruses, & Security forum

General discussion

VULNERABILITIES \ FIXES - June 12, 2009

by Marianna Schmudlach / June 11, 2009 11:58 PM PDT

Mozilla Thunderbird Multiple Vulnerabilities

Release Date: 2009-06-12

Critical:
Highly critical
Impact: Security Bypass
Spoofing
DoS
System access
Where: From remote
Solution Status: Unpatched

Software: Mozilla Thunderbird 2.x

Description:
Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, or to compromise a user's system.

http://secunia.com/advisories/35440/

Discussion is locked
You are posting a reply to: VULNERABILITIES \ FIXES - June 12, 2009
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: VULNERABILITIES \ FIXES - June 12, 2009
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Mozilla SeaMonkey Multiple Vulnerabilities
by Marianna Schmudlach / June 11, 2009 11:59 PM PDT

Release Date: 2009-06-12

Critical:
Highly critical
Impact: Security Bypass
Spoofing
Exposure of sensitive information
DoS
System access
Where: From remote
Solution Status: Unpatched

Software: Mozilla SeaMonkey 1.1.x

Description:
Some vulnerabilities have been reported in Mozilla SeaMonkey, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or to compromise a user's system.

http://secunia.com/advisories/35439/

Collapse -
Google Chrome WebKit Use-After-Free Vulnerability
by Marianna Schmudlach / June 12, 2009 12:00 AM PDT

Release Date: 2009-06-12

Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Google Chrome 1.x

Description:
A vulnerability has been reported in Google Chrome, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to an error in WebKit when executing JavaScript code which sets a certain property of an HTML tag. This can be exploited to free child elements of the HTML tag and subsequently reference the freed memory when an HTML error is encountered.


http://secunia.com/advisories/35438/

Collapse -
Git git-daemon Parameter Parsing Infinite Loop Denial of Ser
by Marianna Schmudlach / June 12, 2009 12:01 AM PDT

Release Date: 2009-06-12

Critical:
Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Workaround

Software: GIT 1.x

Description:
A vulnerability has been reported in Git, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an infinite loop when parsing certain additional request parameters. This can be exploited to cause a high CPU load by sending specially crafted requests to an affected git-daemon.

The vulnerability is reported in versions 1.4.4.5 through 1.6.3.2. Other versions may also be affected.

http://secunia.com/advisories/35437/

Collapse -
Teiid LDAP Anonymous Bind Security Bypass
by Marianna Schmudlach / June 12, 2009 12:02 AM PDT

Release Date: 2009-06-12

Critical:
Less critical
Impact: Security Bypass
Where: From local network
Solution Status: Vendor Patch

Software: Teeid 6.x

Description:
A security issue has been reported in Teiid, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to an error within the LDAP authentication support, which can be exploited to bypass the authentication by entering an empty password.

Successful exploitation requires that the LDAP server allows anonymous binds.

The security issue is reported in version 6.0.0. Other versions may also be affected.

http://secunia.com/advisories/35432/

Collapse -
Red Hat update for firefox
by Marianna Schmudlach / June 12, 2009 12:03 AM PDT

Release Date: 2009-06-12

Critical:
Highly critical
Impact: Security Bypass
Spoofing
Exposure of sensitive information
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: Red Hat Enterprise Linux 5 (Server)
Red Hat Enterprise Linux Desktop 5
Red Hat Enterprise Linux Desktop Workstation 5
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 4

Description:
Red Hat has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or to compromise a vulnerable system.

http://secunia.com/advisories/35431/

Collapse -
Red Hat update for seamonkey
by Marianna Schmudlach / June 12, 2009 12:04 AM PDT

Release Date: 2009-06-12

Critical:
Highly critical
Impact: Exposure of sensitive information
DoS
System access
Where: From remote
Solution Status: Vendor Patch

OS: RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4

Description:
Red Hat has issued an update for seamonkey. This fixes some vulnerabilities, which can be exploited by malicious people to disclose sensitive information or to compromise a user's system.

http://secunia.com/advisories/35428/

Collapse -
Sniggabo CMS "id" SQL Injection Vulnerability
by Marianna Schmudlach / June 12, 2009 12:04 AM PDT

Release Date: 2009-06-12

Critical:
Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched

Software: Sniggabo CMS


Description:
A vulnerability has been reported in Sniggabo CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in article.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


http://secunia.com/advisories/35420/

Collapse -
phpWebThings "module" Local File Inclusion Vulnerability
by Marianna Schmudlach / June 12, 2009 12:06 AM PDT

Release Date: 2009-06-12

Critical:
Moderately critical
Impact: Exposure of system information
Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: phpWebThings 1.x

Description:
br0ly has discovered a vulnerability in phpWebThings, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "module" parameter in help.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerability is confirmed in version 1.5.2 with the latest patch applied. Other versions may also be affected.

http://secunia.com/advisories/35396/

Collapse -
Ubuntu update for apache2
by Marianna Schmudlach / June 12, 2009 12:06 AM PDT

Release Date: 2009-06-12

Critical:
Moderately critical
Impact: Security Bypass
Exposure of sensitive information
DoS
Where: From remote
Solution Status: Vendor Patch

OS: Ubuntu Linux 6.06
Ubuntu Linux 8.04
Ubuntu Linux 8.10
Ubuntu Linux 9.04

Description:
Ubuntu has issued an update for apache2. This fixes a security issue and some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious users and malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service).

http://secunia.com/advisories/35395/

Collapse -
Grestul "admin/options.php" Security Bypass Vulnerability
by Marianna Schmudlach / June 12, 2009 12:07 AM PDT

Release Date: 2009-06-12

Critical:
Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched

Software: Grestul 1.x

Description:
A vulnerability has been reported in Grestul, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application not properly restricting access to certain functions of the admin/options.php script. This can be exploited to e.g. add administrative users by sending specially crafted requests to the script.

The vulnerability is reported in version 1.2. Other versions may also be affected.

http://secunia.com/advisories/35367/

Collapse -
Kloxo / HyperVM Multiple Vulnerabilities
by Marianna Schmudlach / June 12, 2009 12:08 AM PDT

Release Date: 2009-06-12

Critical:
Moderately critical
Impact: Security Bypass
Cross Site Scripting
Manipulation of data
Exposure of system information
Exposure of sensitive information
System access
Where: From remote
Solution Status: Partial Fix

Software: HyperVM 1.x
HyperVM 2.x
Kloxo 5.x
Kloxo 6.x

Description:
Some vulnerabilities and security issues have been reported Kloxo, which can be exploited by malicious, local users to disclose sensitive information or manipulate certain data, by malicious user to bypass certain security restrictions and potentially compromise an affected system, and by malicious people to conduct cross-site scripting and SQL injection attacks.

http://secunia.com/advisories/35337/

Collapse -
Mozilla Firefox Multiple Vulnerabilities
by Marianna Schmudlach / June 12, 2009 12:09 AM PDT

Release Date: 2009-06-12

Critical:
Highly critical
Impact: Security Bypass
Spoofing
Exposure of sensitive information
DoS
System access
Where: From remote
Solution Status: Vendor Patch

Software: Mozilla Firefox 3.x

Description:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or to compromise a vulnerable system.

http://secunia.com/advisories/35331/

Collapse -
PDshopPro "search" Cross-Site Scripting Vulnerability
by Marianna Schmudlach / June 12, 2009 12:10 AM PDT

Release Date: 2009-06-12

Critical:
Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch

Software: PDshopPro 2.x

Description:
Vrs-hCk has reported a vulnerability in PDshopPro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "search" parameter in search.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability reportedly affects versions downloaded before March 8th, 2007.

http://secunia.com/advisories/34200/

Collapse -
Google updates for Chrome
by Marianna Schmudlach / June 12, 2009 12:12 AM PDT

Published: 2009-06-12,
Last Updated: 2009-06-12 13:07:19 UTC
by Adrien de Beaupre (Version: 1)

Google has released an update for Chrome, their own web browser. From their advisory here: "Google Chrome's Stable channel has been updated to version 2.0.172.31 to fix two security issues in WebKit." CVE-2009-1690 is a memory corruption which can lead to arbitrary code execution within the sandbox. CVE-2009-1718 is an information leak. Both CVE's name Apple Safari, however they also affect Google Chrome.

Cheers,
Adrien de Beaupr

Collapse -
Packed.Generic.226
by Marianna Schmudlach / June 12, 2009 12:13 AM PDT
Collapse -
Mozilla slaps band-aid on 11 Firefox flaws
by Marianna Schmudlach / June 12, 2009 1:25 AM PDT

Posted by Ryan Naraine

June 12th, 2009

Mozilla has joined this week?s patchapalooza with the release of a Firefox update to fix 11 documented security vulnerabilities.

Six of the 11 issues are in advisories rated ?critical? because of the risk of code execution attacks that could allow hackers to take complete control of a compromised machine. Here?s a snapshot of the critical issues:

MFSA 2009-32 JavaScript chrome privilege escalation

Mozilla security researcher moz_bug_r_a4 reported a vulnerability which allows scripts from page content to run with elevated privileges. Using this vulnerability, an attacker could cause a chrome privileged object, such as the browser sidebar or the FeedWriter, to interact with web content in such a way that attacker controlled code may be executed with the object?s chrome privileges.

More: http://blogs.zdnet.com/security/?p=3593

Collapse -
Chrome update completes busy browser patch week
by Marianna Schmudlach / June 12, 2009 1:28 AM PDT

Time for an industry patch day?

By John Leyden

12th June 2009

Google has pushed out an update designed to fix a pair of vulnerabilities involving the WebKit application framework that underpins its Chrome browser.

The most severe of the two flaws involved a "high risk" memory corruption flaw in WebKit, which creates a potential means for hackers to inject hostile code into the sandbox used by the browser. The second flaw involves a less severe information disclosure risk, involving the Drag and Drop functionality built into WebKit.

Google's advisory can be found here.

The update completes a busy week on the browser security front with a significant cumulative update for Internet Explorer on Tuesday and a Firefox update on Thursday. In addition, Apple released a beta version of its Safari 4 browser earlier this week.

More: http://www.theregister.co.uk/2009/06/12/google_chrome_update/

Collapse -
Windows 7 UAC flaw: "Pandora's box of all vulnerabilities"
by Marianna Schmudlach / June 12, 2009 2:23 AM PDT

June 12th, 2009

Posted by Zack Whittaker


The UAC flaw, a serious issue bubbling away underneath the surface of Microsoft?s next operating system, has been described as the ?Pandora?s box of security vulnerabilities?. But what is it exactly? Where did it all start from, what is the vulnerability and where do we go from here? Hopefully this will explain it a bit better.
The background

UAC, or User Account Controls, made its first appearance in Windows Vista as a precautionary measure to ensure the user doesn?t modify something which would change a setting which would effect the overall stability or usage of the computer. It also served as a preventative control to make sure programs and applications wouldn?t run without your express permission, or an application changing your settings without you being fully aware of it. This came in the form of an annoying popup box, I?m sure you won?t have any problem in remembering:

More:http://blogs.zdnet.com/igeneration/?p=1826

Collapse -
Security flaws galore: Researchers dissect China's Green Dam
by Marianna Schmudlach / June 12, 2009 2:25 AM PDT

June 12th, 2009

Posted by Larry Dignan

A team of researchers at the University of Michigan has found a bevy of exploitable vulnerabilities in Green Dam, censorship software that the Chinese government wants to bundle on every PC.

This week, the Wall Street Journal reported that China wanted to require PC makers to bundle Green Dam with each unit sold. The reason: China wanted to protect its citizens from harmful content, also known as porn. However, Green Dam can filter out other things too such as political terms such as Falun Gong. You could call Green Dam Censorship.exe.

Now Scott Wolchok, Randy Yao, and J. Alex Halderman at the University of Michigan report:

We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.

We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

Shocking? Hardly.

More: http://blogs.zdnet.com/BTL/?p=19688

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?