Spyware, viruses, & security forum: VULNERABILITIES / FIXES - July 11, 2012

Release Date : 2012-07-11

Criticality level : Less critical
Impact : Spoofing
Where : From remote
Solution Status : Vendor Patch

Operating System: Cyberoam UTM

Description:
A vulnerability has been reported in Cyberoam UTM, which can be exploited by malicious people to conduct spoofing attacks.

The vulnerability is caused due to the use of a single self-signed certificate across multiple devices, which can be exploited to intercept and disclose encrypted traffic by spoofing another Cyberoam UTM device.

Solution:
Apply the OTA (over the air) hotfix.

Provided and/or discovered by:
Runa A. Sandvik, Tor Project and Ben Laurie.

Original Advisory:
Cyberoam:
http://blog.cyberoam.com/2012/07/ssl-bridging-cyberoam-approach/
http://blog.cyberoam.com/2012/07/cyberoam%E2%80%99s-proactive-steps-in-https-deep-scan-inspection/

Tor Project:
https://media.torproject.org/misc/2012-07-03-cyberoam-CVE-2012-3372.txt

http://secunia.com/advisories/49799/

Release Date : 2012-07-11

Criticality level : Less critical
Impact : Spoofing
Where : From remote
Solution Status : Vendor Patch

Operating System: openSUSE 11.4
openSUSE 12.1

Description:
SUSE has issued an update for bind. This fixes a vulnerability, which can be exploited by malicious people to conduct spoofing attacks.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:0863-1:
http://lists.opensuse.org/opensuse-updates/2012-07/msg00024.html

openSUSE-SU-2012:0864-1:
http://lists.opensuse.org/opensuse-updates/2012-07/msg00025.html

http://secunia.com/advisories/49837/

Release Date: 2012-06-12
Last Update: 2012-07-11

Criticality level: Extremely critical
Impact: Cross Site Scripting
Exposure of sensitive information
System access
Where :From remote
Solution Status: Vendor Patch

Software: Microsoft Internet Explorer 6.x
Microsoft Internet Explorer 7.x
Microsoft Internet Explorer 8.x
Microsoft Internet Explorer 9.x

Description:
Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to disclose sensitive information, conduct cross-site scripting attacks, and compromise a user's system.

1) A use-after-free error when handling the "Center" element can be exploited via a specially crafted web page.

Successful exploitation of this vulnerability allows execution of arbitrary code.

2) Insufficient validation in the "toStaticHTML" API of specially formed CSS can be exploited to execute arbitrary HTML and script code in the user's browser session in context of a targeted site.

3) An error when handling EUC-JP character encoding can be exploited to execute arbitrary HTML and script code in the user's browser session in context of a targeted site.

4) An unspecified error when processing NULL bytes can be exploited to disclose content from the process memory.

5) A use-after-free error exists within jsdbgui.dll when handling reference count to the console object.

Successful exploitation of this vulnerability allows execution of arbitrary code.

6) A use-after-free error exists within mshtml.dll when handling img and div elements having the same id property.

Successful exploitation of this vulnerability allows execution of arbitrary code.

NOTE: The vulnerability is currently being actively exploited.

7) An error when handling the colspan in a table with the table-layout:fixed style can be exploited to cause a heap-based buffer overflow.

Successful exploitation of this vulnerability allows execution of arbitrary code.

8) An error when handling the "Title" element can be exploited to access an already deleted object and corrupt memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

9) An error when handling the "OnBeforeDeactivate" event can be exploited to access an already deleted object and corrupt memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

10) An error when handling the "insertAdjacentText" method can be exploited to access undefined memory and corrupt memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

11) An error when handling the "insertRow" method can be exploited to access an already deleted object and corrupt memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

12) An error when handling the "OnRowsInserted" event can be exploited to access an already deleted object and corrupt memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

13) An error within the handling of the "Scrolling" event can be exploited to disclose information from another domain or Internet Explorer zone.

Solution:
Apply patches.

Provided and/or discovered by:
1) An anonymous person via iDefense
2) Adi Cohen, IBM Security Systems Application Security
5) Code Audit Labs, VulnHunt
6) Reported as a 0-day.
7) Vupen via ZDI

The vendor credits:
3) Masato Kinugawa
4) Roman Shafigullin, LinkedIn
8, 9, 10, 11, 12) An anonymous person via ZDI
13) Reported by the vendor

Original Advisory:
MS12-037 (KB2699988)
http://technet.microsoft.com/en-us/security/bulletin/ms12-037

VulnHunt:
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-093/

iDefense:
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=988

IBM Security Systems Application Security:
http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html

http://secunia.com/advisories/49412

Release Date : 2012-07-11

Criticality level : Less critical
Impact : Security Bypass
Spoofing
Where : From remote
Solution Status : Vendor Patch

Operating System: openSUSE 12.1

Description:
SUSE has issued an update for opera. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:0865-1:
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00005.html

http://secunia.com/advisories/49818/

Release Date: 2012-07-10
Last Update : 2012-07-11

Criticality level: Less critical
Impact : Security Bypass
Cross Site Scripting
Spoofing
Where : From remote
Solution Status: Vendor Patch

Software: Microsoft Office SharePoint Server 2007
Microsoft Office Web Apps
Microsoft SharePoint Foundation 2010
Microsoft SharePoint Server 2010
Microsoft Windows SharePoint Services 3.x

Description:
Multiple vulnerabilities have been reported in Microsoft SharePoint, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting and spoofing attacks.

1) Certain input is not properly sanitised in the "SafeHTML" API before being returned to the user.

2) Certain unspecified input is not properly sanitised in scriptresx.ashx before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) An error when validating search scope permissions can be exploited to view or modify another user's search scope.

4) Certain unspecified input associated with a username is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) Certain unspecified input associated with a URL is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

6) Certain unspecified input associated with a reflected list parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Apply patches.

Provided and/or discovered by:
1) Adi Cohen, IBM Security Systems Application Security.
2, 3, 5, 6) Reported by the vendor.
4) The vendor credits Yang Yang, Salesforce.com Product Security Team.

Original Advisory:
MS12-050 (KB2596663, KB2596942, KB2553424, KB2553194, KB2596911, KB2553365, KB2598239):
http://technet.microsoft.com/en-us/security/bulletin/ms12-050

IBM Security Systems Application Security:
http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html

http://secunia.com/advisories/49875

Release Date : 2012-07-11

Criticality level : Less critical
Impact : Security Bypass
Where : From local network
Solution Status : Vendor Patch

Operating System: openSUSE 11.4
openSUSE 12.1

Description:
SUSE has issued an update for mysql. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2012:0860-1:
http://lists.opensuse.org/opensuse-updates/2012-07/msg00021.html

http://secunia.com/advisories/49847/

Release Date : 2012-07-11

Criticality level : Less critical
Impact : Security Bypass
Manipulation of data
Exposure of sensitive information
Where : From local network
Solution Status : Vendor Patch

Software: Puppet 2.x
Puppet Enterprise 1.x
Puppet Enterprise 2.x

Description:
Multiple vulnerabilities have been reported in Puppet, which can be exploited by malicious, local users to disclose certain sensitive information, by malicious users to disclose and manipulate certain data, and by malicious people to bypass certain security restrictions.

1) Certain unspecified input is not properly verified before being used to read files. This can be exploited read to arbitrary files from local resources via a specially crafted request.

2) Certain unspecified input is not properly verified before being used to delete files. This can be exploited to delete files from local resources via a specially crafted request.

Successful exploitation of this vulnerability requires that deletion is enabled (disabled by default).

3) The application stores the last run report with world-readable permissions, which can be exploited to disclose the e.g. configuration changes of an agent.

4) An input validation error within the certificate signing mechanism does not properly verify the text order displayed on the certificate. This can be exploited to trick an administrator into signing an invalid certificate.

The vulnerabilities are reported in Puppet versions prior to 2.6.17 and 2.7.18 and Puppet Enterprise versions prior to 2.5.2.

Solution:
Update to the latest version or apply hotfixes.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://puppetlabs.com/security/cve/cve-2012-3864/
http://puppetlabs.com/security/cve/cve-2012-3865/
http://puppetlabs.com/security/cve/cve-2012-3866/
http://puppetlabs.com/security/cve/cve-2012-3867/

http://secunia.com/advisories/49863/