Spyware, viruses, & security forum: VULNERABILITIES / FIXES - January 23, 2013

Release Date : 2013-01-23

Criticality level : Highly critical
Impact : Unknown
System access
Where : From remote
Solution Status : Vendor Patch

Software: Google Chrome 24.x

Description:
Multiple vulnerabilities have been reported in Google Chrome, where some have unknown impacts and others can be exploited by malicious people to compromise a user's system.

1) A use-after-free error exists when handling canvas font.

2) An error exists when validating the URL when opening new windows.

3) An array indexing error exists when blocking certain contents.

4) An error exists when handling NULL characters embedded in paths.

5) An error exists when handling unsupported RTC sampling rate.

NOTE: This vulnerability affects Mac only.

The vulnerabilities are reported in versions prior to 24.0.1312.56.

Solution:
Update to version 24.0.1312.56.

Provided and/or discovered by:
2) Reported by the vendor.

The vendor credits:
1) Atte Kettunen, OUSPG.
3) Chris Evans, Google Chrome Security Team.
4) Juri Aedla, Google Chrome Security Team.
5) Ted Nakamura, Chromium development community.

Original Advisory:
http://googlechromereleases.blogspot.com/2013/01/stable-channel-update_22.html

http://secunia.com/advisories/51935/

Performance Co-Pilot Two Insecure Temporary Files Security Issues

Release Date: 2013-01-23

Criticality level : Less critical
Impact : Privilege escalation
Where: Local system
Solution Status : Vendor Patch

Software: Performance Co-Pilot 3.x

Description:
Two security issues have been reported in Performance Co-Pilot, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issues are caused due to the "pcmd" and "pmlogger" utilities using temporary files with insecure world-writable permissions and can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issues are reported in version 3.6.9. Prior versions may also be affected.

Solution:
Update to version 3.6.10.

Provided and/or discovered by:
Thomas Biege in a SUSE bug report.

Original Advisory:
https://bugzilla.novell.com/show_bug.cgi?id=782967

PCP:
http://oss.sgi.com/pipermail/pcp-announce/2012-November/000020.html

http://secunia.com/advisories/51932/

Cisco TelePresence Video Communication Server Policy Service Access Bypass Vulnerability

Release Date : 2013-01-23

Criticality level : Less critical
Impact: Security Bypass
Where : From local network
Solution Status : Unpatched

Software: Cisco TelePresence Video Communication Server (VCS)

Description:
A vulnerability has been reported in Cisco TelePresence Video Communication Server, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when processing certain search rules, which can be exploited to access the policy service and subsequently create a conference using Conductor.

The vulnerability is reported in version X7.0.3.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Cisco:
http://tools.cisco.com/security/center/viewAlert.x?alertId=27940

http://secunia.com/advisories/51933/

WordPress Developer Formatter Plugin Cross-Site Request Forgery Vulnerability

Release Date : 2013-01-23

Criticality level : Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status : Unpatched

Software: WordPress Developer Formatter Plugin 2012.x

Description:
A vulnerability has been discovered in the Developer Formatter plugin for WordPress, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change plugin configuration settings and subsequently conduct script insertion attacks when a logged-in administrative user visits a specially crafted web page.

The vulnerability is confirmed in version 2012.0.1.39. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Junaid Hussain

Original Advisory:
http://packetstormsecurity.com/files/119731/WordPress-Developer-Formatter-Cross-Site-Request-Forgery.html

http://secunia.com/advisories/51912/

Release Date : 2013-01-23

Criticality level : Highly critical
Impact: System access
Where: From remote
Solution Status : Vendor Patch

Operating System : openSUSE 12.2

Description:
SUSE has issued an update for freetype2. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2013:0165-1:
http://lists.opensuse.org/opensuse-updates/2013-01/msg00056.html

http://secunia.com/advisories/51900/

Release Date : 2013-01-23

Criticality level : Moderately critical
Impact: Cross Site Scripting
System access
Where: From remote
Solution Status : Vendor Patch

Software: ownCloud 4.x

Description:
Multiple vulnerabilities have been reported in ownCloud, which can be exploited by malicious users to conduct script insertion attacks and compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks.

1) Certain unspecified input passed to core/lostpassword/templates/resetpassword.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation of this vulnerability requires the victim to use Internet Explorer 9 or prior.

2) Input passed via the "mime" parameter to apps/files/ajax/mimeicon.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation of this vulnerability requires the application to be hosted on Windows.

3) Input passed via the "token" parameter to apps/gallery/sharing.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation of this vulnerability requires the "gallery" app to be enabled (disabled by default).

4) Certain unspecified input passed to apps/calendar/ajax/event/new.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

Successful exploitation of this vulnerability requires the "calendar" app to be enabled (disabled by default).

5) Input passed via the "url" parameter to apps/bookmarks/ajax/addBookmark.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

Successful exploitation of this vulnerability requires the "bookmarks" app to be enabled (disabled by default).

The vulnerabilities #1 through #5 are reported in versions 4.0.10 and prior and 4.5.5 and prior.

6) Certain unspecified input passed to settings/personal.php is not properly sanitised before being used. This can be exploited to inject and execute arbitrary PHP code via mount point settings.

Successful exploitation of this vulnerability requires the "external storage" app to be enabled (disabled by default) and users to have permissions to edit mount points.

This vulnerability is reported in version 4.5.5 and prior.

Solution:
Update to version 4.0.11 or 4.5.6.

Provided and/or discovered by:
The vendor credits:
1, 2, 3) Mathias Karlsson.
4, 5) Frans Rosen.
6) Yuji Kosuga.

Original Advisory:
oC-SA-2013-001:
http://owncloud.org/about/security/advisories/oC-SA-2013-001/

oC-SA-2013-002:
http://owncloud.org/about/security/advisories/oC-SA-2013-002/

http://secunia.com/advisories/51872/

Release Date : 2013-01-23

Criticality level : Highly critical
Impact: Unknown
Security Bypass
Cross Site Scripting
Spoofing
Exposure of sensitive information
Privilege escalation
System access
Where: From remote
Solution Status : Vendor Patch

Operating System: openSUSE 11.4

Description:
SUSE has issued an update for opera. This fixes a weakness, a security issue, and multiple vulnerabilities, where some have unknown impacts and others can be exploited by malicious, local users to perform certain actions with escalated privileges and by malicious people to conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, disclose certain sensitive information, and compromise a user's system.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2013:0129-1:
http://lists.opensuse.org/opensuse-updates/2013-01/msg00020.html

openSUSE-SU-2013:0148-1:
http://lists.opensuse.org/opensuse-updates/2013-01/msg00039.html

openSUSE-SU-2013:0172-1:
http://lists.opensuse.org/opensuse-updates/2013-01/msg00063.html

http://secunia.com/advisories/51929/

Release Date : 2013-01-23

Criticality level : Highly critical
Impact: Security Bypass
Privilege escalation
System access
Where: From remote
Solution Status : Vendor Patch

Operating System: openSUSE 12.1

Description:
SUSE has issued an update for acroread. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to bypass certain security restrictions and compromise a user's system.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2013:0138-1:
http://lists.opensuse.org/opensuse-updates/2013-01/msg00028.html

http://secunia.com/advisories/51959/

Release Date : 2013-01-23

Criticality level : Highly critical
Impact: System access
Where: From remote
Solution Status : Vendor Patch

Operating System: openSUSE 12.1
openSUSE 12.2

Description:
SUSE has issued an update for nagios. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2013:0140-1:
http://lists.opensuse.org/opensuse-updates/2013-01/msg00033.html

http://secunia.com/advisories/51958/

PDF-XChange Viewer JPEG Stream Processing Buffer Overflow Vulnerability

Release Date : 2013-01-22

Criticality level : Highly critical
Impact: System access
Where: From remote
Solution Status : Vendor Patch

Software: PDF-XChange Viewer 2.x

Description:
Fernando Munoz has discovered a vulnerability in PDF-XChange Viewer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error when processing a JPEG stream and can be exploited to cause a heap-based buffer overflow via a specially crafted JPEG stream within a PDF file.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious PDF document.

The vulnerability is confirmed in version 2.5 Build 207.0. Prior versions may also be affected.

Solution:
Update to version 2.5 Build 208.0.

Provided and/or discovered by:
Fernando Munoz via Secunia.

Original Advisory:
http://www.tracker-software.com/company/news_press_events/?ipp=50

http://secunia.com/advisories/51855/