# Software flaws



## mimo2005

Check this thread for all software flaws.

*Skype plugs hole in VoIP software*
November 15, 2004, 2:58 PM PST
By Robert Lemos 



Peer-to-peer phone company Skype has updated its Internet telephony software, patching a critical flaw in its client for Microsoft Windows-based systems. 

The vulnerability could allow attackers to take control of a Skype user's PC after the victim clicks on a specially created URL, security information provider Secunia said Monday. By including a long string of characters in the link, the attacker could trigger a memory error known as a buffer overflow that could then be exploited to run a program. 

"Successful exploitation may allow execution of arbitrary code," Secunia said. It has ranked the flaw as "highly critical"--its second-highest rating.

Skype acknowledged the security hole in its release notes for the update. "We became aware of a security threat late last week and moved to correct it," said Kelly Larabee, a spokeswoman for Skype. "We encourage users to download the latest version." 

Skype's software enables people to use the Internet to place voice calls. Calls to other Internet phone users are free, while calls to traditional phones and mobile phones are charged a per-minute fee. More than 34 million people have downloaded the software, and as many as 1 million people have used the service simultaneously, according to a posting on Skype's Web site. 

Skype's voice over Internet Protocol (VoIP) client runs on Windows XP, Mac OS X, Linux and Microsoft PocketPC. 

Secunia also recommended that Skype users update to the latest version of the VoIP software.


----------



## mimo2005

*Winamp Security Bulletin*

Nullsoft has issued a fix for a newly discovered security vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer.

The vulnerability takes advantage of the Winamp Skin installer mechanism coupled with a security hole within the Internet Explorer browser.

To be vulnerable, a user must navigate to a specifically crafted web page which automatically installs a malicious Winamp Skin.

This skin launches an embedded Internet Explorer browser within the Skin using a feature of the Winamp Modern Skin Engine. This malicious Winamp Skin then uses the browser to launch a malicious application bundled within the skin.

There have been reports of this exploit in use on the web to automatically install Adware or Spyware applications without the user's consent. 

Winamp 5.05 resolves this exploit in two ways:

- Winamp will now prompt all users with a confirmation window before installing any skins.
- Winamp will now only extract files considered low risk before loading a Winamp Skin.

We strongly urge ALL Winamp users to upgrade to Winamp 5.05 immediately.


----------



## mimo2005

*Microsoft Internet Explorer 6*

Secunia Advisory: SA13203
Release Date: 2004-11-17

Critical: Moderately critical
Impact: Security Bypass, Spoofing
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6




Description:
cyber flash has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to bypass a security feature in Microsoft Windows XP SP2 and trick users into downloading malicious files.

1) Microsoft Windows XP SP2 has a security feature which warns users when opening downloaded files of certain types. The problem is that if the downloaded file was sent with a specially crafted "Content-Location" HTTP header in some situations, then no security warning will be given to the user when the file is opened.

2) An error when saving some documents using the Javascript function "execCommand()", can be exploited to spoof the file extension in the "Save HTML Document" dialog.

Successful exploitation requires that the option "Hide extension for known file types" is enabled (default setting).

A combination of vulnerability 1 and 2 can be exploited by a malicious website to trick a user into downloading a malicious executable file masqueraded as an HTML document.

The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

Solution:
*Disable Active Scripting support and the "Hide extension for known file types" option.*


----------



## mimo2005

*Winamp player*

*Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability*


Secunia Advisory: SA13269
Release Date: 2004-11-23

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Winamp 5.x




Description:
Brett Moore has reported a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the "IN_CDDA.dll" file. This can be exploited in various ways to cause a stack-based buffer overflow e.g. by tricking a user into visiting a malicious web site containing a specially crafted ".m3u" playlist.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been reported in version 5.05. Prior versions may also be affected.

Solution:
*Update to version 5.0.6.*
http://www.winamp.com/player/


----------



## mimo2005

*Microsoft Windows WINS Replication Packet Handling Vulnerability*



Secunia Advisory: SA13328
Release Date: 2004-11-29

Critical: Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Workaround

OS:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 Web Edition




Description:
Nicolas Waisman has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within WINS (Windows Internet Name Service) during the handling of replication packets. This can be exploited to write 16 bytes to an arbitrary memory location by sending a specially crafted WINS replication packet to a vulnerable server.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been reported in *Windows 2000 SP2 through SP4*. However, other versions are reportedly also believed to be affected.

*Solution:*
- Restrict traffic to the WINS replication service (ports 42/tcp and 42/udp).
- Use IPSec to secure traffic between WINS servers.
- Disable WINS.


----------



## mimo2005

*Apple releases security update to Mac OS X*


December 2, 2004, 4:11 PM PST
By Robert Lemos 


Apple Computer published an update to its Mac OS X operating system Thursday, closing 17 security holes in open-source and proprietary components. 

The advisory and patch addressed five vulnerabilities in the Apache Web server included with the operating system, as well as two flaws in the mail servers used by Mac OS X. Apple also fixed two flaws in the company's Safari Web browser and another problem with the QuickTime media server. 

The patches come a month after Apple's last update for the Mac OS X. The advisory and patch information can be found on Apple's security site. 

Apple did not classify the risk associated with the problems the update fixes.


----------



## mimo2005

*Kerio WinRoute Firewall Unspecified DNS Cache Poisoning Vulnerability*


Secunia Advisory: SA13374
Release Date: 2004-12-10

Critical: Moderately critical
Impact: Spoofing, Manipulation of data
Where: From remote
Solution Status: Vendor Patch
Software: Kerio WinRoute Firewall 6.x




Description:
A vulnerability has been reported in Kerio WinRoute Firewall, which can be exploited by malicious people to poison the DNS cache.

The vulnerability is caused due to an unspecified error and can be exploited to insert fake information in the DNS cache.

The vulnerability has been reported in version 6.0.8. Prior versions may also be affected.

NOTE: Other issues have also been fixed, where some may be security related.

*Solution:*
Update to version 6.0.9.
http://www.kerio.com/kwf_download.html


----------



## mimo2005

*Opera Download Dialog Spoofing Vulnerability*



Secunia Advisory: SA12981
Release Date: 2004-12-10

Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: Opera 7.x




Description:
Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files.

The vulnerability is caused due to the filename and the "Content-Type" header not being sufficiently validated before being displayed in the file download dialog. This can be exploited to spoof file types in the download dialog by passing specially crafted "Content-Disposition" and "Content-Type" headers containing dots and ASCII character code 160.

Successful exploitation may result in users being tricked into executing a malicious file via the download dialog.

The vulnerability has been confirmed on Opera 7.54 for Windows. Other versions may also be affected.

*Solution:*
Update to version 7.54u1.
http://www.opera.com/download/


----------
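The IE (SA13203) and Opera (SA12981) posts above both describe the same trick from the server side: the announced filename or Content-Type lies about what the user will actually get on disk, with padding (spaces, non-breaking spaces of code 160, runs of dots) hiding the real extension in the dialog. The following Python is an added example, not code from this thread, Secunia, Microsoft or Opera; it shows how a download gate or proxy can normalize the announced filename to what Windows would really create and then compare the resulting extension with the declared type. The MIME table, the executable-extension list, the function names and the sample headers are all constructed for this example.

```python
# Added example for the IE (SA13203) and Opera (SA12981) download-dialog posts.
# Not Secunia's, Microsoft's or Opera's code: a download-gate check that
# normalizes the filename a server announces in Content-Disposition the way the
# file will actually land on disk, then compares the resulting extension with
# the declared Content-Type. Table contents and sample headers are constructed.
import re

# Constructed: extensions that are plausible for a declared MIME type.
EXPECTED_EXT = {
    "text/html": {".html", ".htm"},
    "text/plain": {".txt"},
    "application/pdf": {".pdf"},
    "image/png": {".png"},
}
# Constructed: extensions Windows will execute directly when opened.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# filename="..." (quoted) or filename=token; the RFC 5987 filename*= form is
# deliberately not handled here, so it falls through as "no filename".
FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;]*))', re.IGNORECASE)


def parse_disposition_filename(header: str) -> str:
    """Return the filename parameter of a Content-Disposition value, '' if absent."""
    m = FILENAME_RE.search(header or "")
    if not m:
        return ""
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.strip()


def effective_filename(name: str) -> str:
    """Normalize the announced name to what the user would actually see on disk."""
    name = name.replace("\u00a0", " ")        # code 160 padding becomes a plain space
    name = re.split(r"[\\/]", name)[-1]       # keep only the leaf component
    name = name.rstrip(" .")                  # Windows drops trailing dots and spaces
    name = re.sub(r"\s{2,}", " ", name)       # collapse runs that push the extension off-screen
    return name


def real_extension(name: str) -> str:
    """Last extension of the normalized name, lower-cased ('' if none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def check_download(content_type: str, content_disposition: str) -> dict:
    """Classify one response; 'block' is True when the shown type lies about the file."""
    declared = (content_type or "").split(";")[0].strip().lower()
    raw = parse_disposition_filename(content_disposition)
    shown = effective_filename(raw)
    ext = real_extension(shown)
    findings = []
    if not raw:
        findings.append("no-filename")
    else:
        if raw != shown:
            findings.append("padding")        # NBSP / whitespace / dot padding
        if ext in EXECUTABLE_EXT:
            findings.append("executable")
        if declared in EXPECTED_EXT and ext not in EXPECTED_EXT[declared]:
            findings.append("type-mismatch")
    return {
        "declared_type": declared,
        "filename": shown,
        "extension": ext,
        "findings": findings,
        "block": "executable" in findings or "type-mismatch" in findings,
    }


if __name__ == "__main__":
    # Constructed sample: an executable announced as an HTML document, with
    # non-breaking spaces between the fake and the real extension.
    spoof = 'attachment; filename="invoice.html' + "\u00a0" * 60 + '.exe"'
    print(check_download("text/html; charset=utf-8", spoof))
    print(check_download("text/html", 'attachment; filename="report.html"'))
```

The check is deliberately conservative: it only blocks when the normalized extension is directly executable or contradicts a declared type it knows about, and a response with no filename at all is merely flagged, since inline documents are routinely served that way.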



## mimo2005

*Linux Kernel IGMP and "__scm_send()" Vulnerabilities*



Secunia Advisory: SA13469
Release Date: 2004-12-15

Critical: Less critical
Impact: Exposure of sensitive information, Privilege escalation, DoS
Where: From local network
Solution Status: Unpatched

OS:
- Linux Kernel 2.4.x
- Linux Kernel 2.6.x




CVE reference: CAN-2004-1016, CAN-2004-1137



Description:
Paul Starzetz has reported some vulnerabilities in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service), and by malicious, local users to cause a DoS, gain knowledge of sensitive information, or potentially gain escalated privileges.

1) An error in the "ip_mc_source()" function of the IGMP (Internet Group Management Protocol) subsystem can be exploited by malicious, local users to overwrite kernel memory, which crashes the system and may allow users to gain escalated privileges.

This vulnerability can also be further exploited via the "ip_mc_msfget()" and "ip_mc_gsfget()" user API functions to disclose large portions of kernel memory.

2) The "igmp_marksources()" function of the IGMP networking module does not validate received IGMP message parameters properly, which may result in an out-of-bounds memory access error. This can be exploited by malicious people to cause a vulnerable system to hang or potentially crash via specially crafted IGMP_HOST_MEMBERSHIP_QUERY messages.

Successful exploitation requires that the kernel is compiled with multicasting support and is processing incoming IGMP packets. It is further required that an application has a bound multicast socket with attached source filter.

3) A deadlock condition in the "__scm_send()" scm message parsing function can be exploited by malicious, local users to cause the system to hang via a specially crafted auxiliary message sent to a socket.

The vulnerabilities have been reported in versions 2.4 through 2.4.28 and 2.6 through 2.6.9.

*Solution:*
Filter IGMP traffic and grant only trusted users access to affected systems.


----------



## mimo2005

*Adobe Reader / Adobe Acrobat Multiple Vulnerabilities*



Release Date: 2004-12-15

Critical: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch

Software:
- Adobe Acrobat 6.x
- Adobe Reader 6.x




CVE reference: CAN-2004-0597, CAN-2004-1153



Description:
Some vulnerabilities have been reported in Adobe Reader and Adobe Acrobat, which can be exploited by malicious people to disclose sensitive information or compromise a user's system.

1) A format string error within the eBook plug-in when parsing ".etd" files can be exploited to execute arbitrary code via a specially crafted eBook containing format specifiers in the "title" and "baseurl" fields.

2) Multiple vulnerabilities in libpng have been acknowledged, which can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA12219

3) An error within the handling of Flash files embedded in PDF documents can be exploited to read the content of files on a user's system.

For more information:
SA12809

The vulnerabilities have been reported in versions 6.0.0 through 6.0.2.

*Solution:*
Update to version 6.0.3.


----------



## mimo2005

*WinRAR Delete File Buffer Overflow Vulnerability*




Release Date: 2004-12-22

Critical: Less critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software:
- WinRAR 2.x
- WinRAR 3.x




CVE reference: CAN-2004-1254



Description:
Vafa Khoshaein has discovered a vulnerability in WinRAR, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the handling of filenames when deleting files in archives. This can be exploited to cause a buffer overflow by tricking a user into deleting a file in an opened, malicious archive.

Successful exploitation may allow execution of arbitrary code.

The vulnerability has been confirmed on versions 3.40 and 3.41. Other versions may also be affected.

*Solution:*
Do not delete files in untrusted archives.


----------



## mimo2005

*iTunes*

January 12, 2005

Apple on Tuesday released an update of its iTunes software to address a vulnerability that could cause earlier versions to crash and execute arbitrary code. 

With previous versions, the flaw could allow an attacker to inject more data into a particular memory location than the program could accommodate, thereby allowing the attacker to take over a computer. The new software, iTunes 4.7.1, is available at Apple's Web site. 

The update is available for Mac OS X, Microsoft Windows XP and Microsoft Windows 2000. 

Apple has faced fewer security issues than Microsoft, with its prevalent Windows operating system. Still, Apple has garnered some attention from hackers.


----------

