Spyware, viruses, & security forum: VULNERABILITIES / FIXES - December 18, 2012

Release Date : 2012-12-17

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Unpatched

Software: RealPlayer 15.x

Description:
Two vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system.

1) An error when handling RealAudio files may result in dereferencing an invalid pointer.

2) An error when handling RealMedia files can be exploited to cause a buffer overflow.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in version 15.0.6.14 and prior.

Solution:
Upgrade to version 16.0.0.282.

Provided and/or discovered by:
The vendor credits:
1) Senator of Pirates
2) Suto

Original Advisory:
http://service.real.com/realplayer/security/12142012_player/en/

http://secunia.com/advisories/51589/

MyBB User Profile Skype ID Plugin "skype" Script Insertion Vulnerability

Release Date : 2012-12-18

Criticality level: Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched

Software: User Profile Skype ID 1.x (plugin for MyBB)

Description:
A vulnerability has been discovered in the User Profile Skype ID plugin for MyBB, which can be exploited by malicious users to conduct script insertion attacks.

Input passed via the "skype" POST parameter to usercp.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

The vulnerability is confirmed in version 1.0. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
limb0

Original Advisory:
http://www.exploit-db.com/exploits/23425/

http://secunia.com/advisories/51612/

Release Date : 2012-12-17

Criticality level : Highly critical
Impact : Security Bypass
Cross Site Scripting
System access
Where: From remote
Solution Status : Vendor Patch

Operating System : Debian GNU/Linux 6.0

Description:
Debian has issued an update for icedove. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, and compromise a user's system.

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2588-1:
http://www.debian.org/security/2012/dsa-2588

http://secunia.com/advisories/51514/

Release Date : 2012-12-18

Criticality level : Not critical
Impact : Manipulation of data
Where : Local system
Solution Status : Unpatched

Software: SANLock 2.x

Description:
A weakness has been discovered in SANLock, which can be exploited by malicious, local users to manipulate certain data.

The weakness is caused due to the application creating the /var/log/sanlock.log file with insecure world-writable permissions and can be exploited to disclose, modify, or delete logs.

The weakness is confirmed in version 2.4. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Kurt Seifried

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=887010

http://secunia.com/advisories/51603/