Spyware, Viruses, & Security forum

General discussion

Vulnerabilties - September 17, 3004

by Donna Buenaventura / September 17, 2004 12:14 AM PDT

Apple Mac OS X Security Update Fixes iChat Vulnerability

Release Date: 2004-09-17

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X

Apple has issued a security update for Mac OS X iChat client. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

The problem is that links aren't properly validated before being opened. This can be exploited to launch programs by embedding references to local resources.

The vulnerability has been reported in iChat 1 and 2.

Solution: Apply Security Update 2004-09-16.

http://secunia.com/advisories/12575/

Discussion is locked
You are posting a reply to: Vulnerabilties - September 17, 3004
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Vulnerabilties - September 17, 3004
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
F-Secure Internet Gatekeeper MIME Decoding Weakness
by Donna Buenaventura / September 17, 2004 12:16 AM PDT

Release Date: 2004-09-17

Critical: Not critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched
Software: F-Secure Internet Gatekeeper 6.x

The vendor has acknowledged a weakness in Internet Gatekeeper, which potentially can be exploited by malicious people to bypass filters.

The problem is that Internet Gatekeeper is not able to decode certain specially crafted messages when encountering malformed "Content-Transfer-Encoding" headers.

Successful exploitation causes the product to not block the messages.

This may present a security issue if an email client is able to decode the content and makes it possible to execute an enclosed file.

The weakness was reportedly discovered using a test suite developed by Martin O'Neal of Corsaire and affects version 6.40 and prior.

Solution: The vendor reports that the issue will be fixed in release 6.41, which will be released by the end of October.

http://secunia.com/advisories/12514/

Collapse -
IE6 + XP SP2 Vulnerability
by Donna Buenaventura / September 17, 2004 12:57 AM PDT

Background information
======================

Windows XP Service Pack 2 has introduced new features that improve browsing security in Internet Explorer. Most of them are additional messages that force the user to validate everything that is done by the browser. Most of these messages are displayed in the new Information Bar. For example if you try to open a web page that contains Javascript code or ActiveX objects, it is likely that they will be blocked, the Information Bar will appear and offer you to reload the page with the untrustworthy components enabled.

More information can be found at:
http://www.microsoft.com/technet/prodtechnol/
winxppro/maintain/sp2brows.mspx

The side effect of these features is that some web sites can't be used as easily as before because the user has to respond to an increasing number of notifications and questions.

Vulnerability Explained
=======================

As an example I created a simple XHTML document containing MathML and installed the MathPlayer ActiveX plugin from DesignScience (http://www.dessci.com/en).
This type of document used to render correctly in IE6 but since SP2 was installed the new features interfere with the loading of the component : the page is first loaded without MathPlayer which has to be enabled via the Information Bar.

But there seems to be a vulnerability in Internet Explorer that allows this protection to be bypassed. All that needs to be done is to add a fake comment between the DOCTYPE declaration and the <html> tag that mimics those added by IE when a page is saved to disk.

http://www.net-security.org/vuln.php?id=3712

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?