Ad: Manage updates with the Download App
ie8 fix

Spyware, viruses, & security forum: VULNERABILITIES / FIXES - February 13, 2013

by: Carol~ February 13, 2013 8:53 AM PST

Like this

0 people like this thread

Staff pick

VULNERABILITIES / FIXES - February 13, 2013

by Carol~ Moderator - 2/13/13 8:53 AM

Microsoft Windows OLE Automation File Parsing Vulnerability

Release Date : 2013-02-13

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Operating System: Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error within Object Linking and Embedding (OLE) Automation when parsing certain files, which can be exploited via e.g. a specially crafted RTF file.

Successful exploitation allows execution of arbitrary code.

Solution:
Apply updates.

Provided and/or discovered by:
The vendor credits an anonymous person via ZDI.

Original Advisory:
MS13-020 (KB2802968):
http://technet.microsoft.com/en-us/security/bulletin/ms13-020

http://secunia.com/advisories/52184/


Reply
Report offensive post
Email to friend

BlackBerry Enterprise Server LibTIFF Two Vulnerabilities

by Carol~ Moderator - 2/13/13 8:58 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software:
BlackBerry Enterprise Server 5.x
BlackBerry Enterprise Server Express for Domino 5.x
Blackberry Enterprise Server Express for Exchange 5.x
BlackBerry Enterprise Server for Domino 5.x
Blackberry Enterprise Server for Exchange 5.x
BlackBerry Enterprise Server for Novell GroupWise 5.x

Description:
Research In Motion has acknowledged two vulnerabilities in BlackBerry Enterprise Server, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities exist in the bundled version of LibTIFF, which is used by the BlackBerry Mobile Data System Connection Service and the BlackBerry Messaging Agent.

The vulnerabilities are reported in the following products:
* BlackBerry Enterprise Server Express versions 5.0.4 and prior for Microsoft Exchange and IBM Lotus Domino
* BlackBerry Enterprise Server versions 5.0.4 and prior for Microsoft Exchange, IBM Lotus Domino, and Novell Groupwise

Solution:
Update to a fixed version or apply interim security update.

Original Advisory:
BSRT-2013-003:
http://www.blackberry.com/btsc/KB33425

http://secunia.com/advisories/52168/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Ubuntu update for kernel

by Carol~ Moderator - 2/13/13 8:58 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Not critical
Impact : DoS
Where : Local system
Solution Status : Vendor Patch

Operating System:
Ubuntu Linux 10.04

Description:
Ubuntu has issued an update for kernel. This fixes a weakness, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
USN-1719-1:
http://www.ubuntu.com/usn/usn-1719-1/

http://secunia.com/advisories/52172/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Ubuntu update for postgresql

by Carol~ Moderator - 2/13/13 8:58 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Patch

Operating System:
Ubuntu Linux 10.04
Ubuntu Linux 11.10
Ubuntu Linux 12.04
Ubuntu Linux 8.04

Description:
Ubuntu has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
USN-1717-1:
http://www.ubuntu.com/usn/usn-1717-1/

http://secunia.com/advisories/52174/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Debian update for rails

by Carol~ Moderator - 2/13/13 8:58 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Moderately critical
Impact : Security Bypass
System access
Where : From remote
Solution Status : Vendor Patch

Operating System : Debian GNU/Linux 6.0

Description:
Debian has issued an update for rails. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system.

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2620-1:
http://www.debian.org/security/2013/dsa-2620

http://secunia.com/advisories/52180/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Red Hat update for flash-plugin

by Carol~ Moderator - 2/13/13 8:58 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Highly critical
Impact : Exposure of sensitive information
System access
Where : From remote
Solution Status : Vendor Patch

Software:
Red Hat Enterprise Linux Desktop Supplementary (v. 6)
Red Hat Enterprise Linux Server Supplementary (v. 6)
Red Hat Enterprise Linux Workstation Supplementary (v. 6)
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for flash-plugin. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information and compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0254-01:
https://rhn.redhat.com/errata/RHSA-2013-0254.html

http://secunia.com/advisories/52203/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Ubuntu update for kernel

by Carol~ Moderator - 2/13/13 9:00 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Not critical
Impact : DoS
Where : Local system
Solution Status : Vendor Patch

Operating System: Ubuntu Linux 11.10

Description:
Ubuntu has issued an update for kernel. This fixes a weakness, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

http://secunia.com/advisories/52205/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

IBM WebSphere Cast Iron Cloud Integration Unspecified

by Carol~ Moderator - 2/13/13 9:00 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

IBM WebSphere Cast Iron Cloud Integration Unspecified Vulnerability

Release Date : 2013-02-13

Criticality level : Moderately critical
Impact : Unknown
Where : From local network
Solution Status : Vendor Patch

Software: IBM WebSphere Cast Iron Cloud Integration 6.x

Description:
A vulnerability with an unknown impact has been reported in WebSphere Cast Iron Cloud Integration.

The vulnerability is caused due to an unspecified error when using LDAP authentication. No further information is currently available.

Please see the vendor's advisory for a list of affected versions.

Solution:
Apply updates (please see the vendor's advisory for details).

Original Advisory:
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21623324

http://secunia.com/advisories/52191/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Cisco Unified MeetingPlace Cross-Site Request Forgery

by Carol~ Moderator - 2/13/13 10:23 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Cisco Unified MeetingPlace Cross-Site Request Forgery Vulnerability

Release Date : 2013-02-13

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Cisco Unified MeetingPlace 7.x

Description:
A vulnerability has been reported in Cisco Unified MeetingPlace, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to perform certain unspecified actions when a logged-in user visits a specially crafted web page.

The vulnerability is reported in versions prior to 7.1(2.2000).

Solution:
Update to version 7.1(2.2000).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1128

http://secunia.com/advisories/52194/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Accela / eAccela BizSearch Unspecified Spoofing

by Carol~ Moderator - 2/13/13 10:34 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Accela / eAccela BizSearch Unspecified Spoofing Vulnerability

Release Date : 2013-02-13

Criticality level : Less critical
Impact : Spoofing
Where : From remote
Solution Status : Vendor Patch

Software:
Accela BizSearch 3.x
eAccela BizSearch 2.x

Description:
A vulnerability has been reported in Accela / eAccela BizSearch, which can be exploited by malicious people to conduct spoofing attacks.

The vulnerability is caused due to an unspecified error and can be exploited to impersonate another user and subsequently disclose certain information.

Successful exploitation requires single sign on to be enabled in the Accela BizSearch gateway options.

Please see the vendor's advisory for a list of affected version.

Solution:
Apply patch (please see the vendor's advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Fujitsu (Japanese):
http://software.fujitsu.com/jp/security/products-fujitsu/solution/bizsearch201301.html

http://secunia.com/advisories/52200/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

IBM WebSphere Message Broker Multiple Vulnerabilities

by Carol~ Moderator - 2/13/13 10:38 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Moderately critical
Impact : Security Bypass
Manipulation of data
DoS
Where : From remote
Solution Status : Vendor Patch

Software:
IBM WebSphere Message Broker 6.x
IBM WebSphere Message Broker 7.x
IBM WebSphere Message Broker 8.x

Description:
Multiple vulnerabilities have been reported in WebSphere Message Broker, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, and cause a DoS (Denial of Service).

1) An error exists when processing WS-Addressing and WS-Security requests, which does not properly check for Basic Authentication and can be exploited to send out unauthenticated messages to remote servers.

2) An unspecified error exists within the HTTPInput nodes, which can be exploited to trigger an infinite loop.

Successful exploitation requires the "Parse Query Strings" option to be enabled.

3) An unspecified error exists within the handling of requests for WSDL files, which can be exploited to manipulate certain data.

The vulnerabilities are reported in versions 6.1, 7.0, and 8.0.

Solution:
Update to version 6.1.0.12, 7.0.0.6, or 8.0.0.2 (when it becomes available) or apply APAR.

Original Advisory:
IBM (IC89803, PM75015, IC89383):
http://www.ibm.com/support/docview.wss?uid=swg21623316

http://secunia.com/advisories/52176/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

SUSE update for opera

by Carol~ Moderator - 2/13/13 11:34 AM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Moderately critical
Impact : Unknown
Where : From remote
Solution Status : Vendor Patch

Operating System: openSUSE 12.1

Description:
SUSE has issued an update for opera. This fixes a vulnerability with an unknown impact.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2013:0289-1:
http://lists.opensuse.org/opensuse-updates/2013-02/msg00038.html

http://secunia.com/advisories/52204/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

KingView KingMess Buffer Overflow Vulnerability

by Carol~ Moderator - 2/13/13 1:56 PM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2013-02-13

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: KingView 6.x

Description:
A vulnerability has been reported in KingView, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error within KingMess and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code but requires opening a log file.

The vulnerability is reported in versions 6.52, 6.53, and 6.55. Other versions may also be affected.

Solution:
Apply patches.

Provided and/or discovered by:
CNVD credits Lucas Apa and Carlos Mario Penagos Hollman, IOActive.

Original Advisory:
http://www.cnvd.org.cn/sites/main/preview/ldgg_preview.htm?tid=61735

http://secunia.com/advisories/52190/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Roundup Multiple Cross-Site Scripting Vulnerabilities

by Carol~ Moderator - 2/13/13 1:57 PM

In Reply to: VULNERABILITIES / FIXES - February 13, 2013 by Carol~ Moderator

Release Date : 2012-11-12
Last Update : 2013-02-13

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Roundup 1.x

Description:
Multiple vulnerabilities have been reported in Roundup, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input passed via the username is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the "@action" parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed via the "otk" parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) Input passed via the ok and error messages is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in versions prior to 1.4.20.

Solution:
Update to version 1.4.20.

Provided and/or discovered by
1) The vendor credits Thomas Arendsen Hein.
2) Reported by the vendor.
3) The vendor credits Jesse Ruderman.
4) The vendor credits David Benjamin.

Original Advisory:
http://roundup.hg.sourceforge.net/hgweb/roundup/roundup/raw-file/default/CHANGES.txt

http://secunia.com/advisories/51230


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close