Weekly Vulnerabilities Reports > December 20 to 26, 2010

Overview

55 new vulnerabilities were reported during this period, including 14 critical vulnerabilities and 7 high severity vulnerabilities. This weekly summary reports vulnerabilities in 52 products from 26 vendors, including Microsoft, Opera, IBM, HP, and Google. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Management Errors", "Improper Authentication", and "Permissions, Privileges, and Access Controls".

  • 48 reported vulnerabilities are remotely exploitable.
  • 11 reported vulnerabilities have a public exploit available.
  • 16 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 52 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 9.
  • Microsoft has the most reported critical vulnerabilities, with 6.

Summary counters: total vulnerabilities; critical risk vulnerabilities; high risk vulnerabilities; medium risk vulnerabilities; low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


14 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-12-23 CVE-2010-4597 Ecava Buffer Errors vulnerability in Ecava Integraxor 3.5.3900.5

Stack-based buffer overflow in the save method in the IntegraXor.Project ActiveX control in igcomm.dll in Ecava IntegraXor Human-Machine Interface (HMI) before 3.5.3900.10 allows remote attackers to execute arbitrary code via a long string in the second argument.

10.0
2010-12-23 CVE-2010-3972 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Internet Information Services 7.5

Heap-based buffer overflow in the TELNET_STREAM_CONTEXT::OnSendData function in ftpsvc.dll in Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) 7.0, and IIS 7.5, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted FTP command, aka "IIS FTP Service Heap Buffer Overrun Vulnerability." NOTE: some of these details are obtained from third party information.

10.0
2010-12-22 CVE-2010-4586 Opera Configuration vulnerability in Opera Browser

The default configuration of Opera before 11.00 enables WebSockets functionality, which has unspecified impact and remote attack vectors, possibly a related issue to CVE-2010-4508.

10.0
2010-12-22 CVE-2010-4581 Opera Unspecified vulnerability in Opera Browser

Unspecified vulnerability in Opera before 11.00 has unknown impact and attack vectors, related to "a high severity issue."

10.0
2010-12-22 CVE-2010-4116 HP Unspecified vulnerability in HP Storageworks Storage Mirroring

Unspecified vulnerability in HP StorageWorks Storage Mirroring 5.x before 5.2.2.1771.2 allows remote attackers to execute arbitrary code via unknown vectors.

10.0
2010-12-22 CVE-2010-1676 TOR Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in TOR

Heap-based buffer overflow in Tor before 0.2.1.28 and 0.2.2.x before 0.2.2.20-alpha allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via unspecified vectors.

10.0
2010-12-23 CVE-2010-4588 Microsoft Code Injection vulnerability in Microsoft WMI Administrative Tools

The WBEMSingleView.ocx ActiveX control 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier allows remote attackers to execute arbitrary code via a crafted argument to the ReleaseContext method, a different vector than CVE-2010-3973, possibly an untrusted pointer dereference.

9.3
2010-12-23 CVE-2010-3973 Microsoft Code Injection vulnerability in Microsoft WMI Administrative Tools

The WMITools ActiveX control in WBEMSingleView.ocx 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier in Microsoft Windows XP SP2 and SP3 allows remote attackers to execute arbitrary code via a crafted argument to the AddContextRef method, possibly an untrusted pointer dereference, aka "Microsoft WMITools ActiveX Control Vulnerability."

9.3
2010-12-22 CVE-2010-4573 Vmware Improper Authentication vulnerability in VMWare Esxi 4.1

The Update Installer in VMware ESXi 4.1, when a modified sfcb.cfg is present, does not properly configure the SFCB authentication mode, which allows remote attackers to obtain access via an arbitrary username and password.

9.3
2010-12-22 CVE-2010-4113 HP Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in HP Power Manager

Stack-based buffer overflow in HP Power Manager (HPPM) before 4.3.2 allows remote attackers to execute arbitrary code via a long Login variable to the management web server.

9.3
2010-12-22 CVE-2010-3971 Microsoft Resource Management Errors vulnerability in Microsoft IE 7/8

Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."

9.3
2010-12-22 CVE-2010-3970 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

Stack-based buffer overflow in the CreateSizedDIBSECTION function in shimgvw.dll in the Windows Shell graphics processor (aka graphics rendering engine) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted .MIC or unspecified Office document containing a thumbnail bitmap with a negative biClrUsed value, as reported by Moti and Xu Hao, aka "Windows Shell Graphics Processing Overrun Vulnerability."

9.3
2010-12-22 CVE-2010-4587 Opera / Microsoft Unspecified vulnerability in Opera Browser

Opera before 11.00 on Windows does not properly implement the Insecure Third Party Module warning message, which might make it easier for user-assisted remote attackers to have an unspecified impact via a crafted module.

9.3
2010-12-22 CVE-2010-2590 SAP Buffer Errors vulnerability in SAP Crystal Reports 2008

Heap-based buffer overflow in the CrystalReports12.CrystalPrintControl.1 ActiveX control in PrintControl.dll 12.3.2.753 in SAP Crystal Reports 2008 SP3 Fix Pack 3.2 allows remote attackers to execute arbitrary code via a long ServerResourceVersion property value.

9.3

7 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-12-22 CVE-2010-3905 Eucalyptus Improper Authentication vulnerability in Eucalyptus 2.0.0/2.0.1

The password reset feature in the administrator interface for Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which allows remote attackers to gain privileges by sending password reset requests for other users.

7.5
2010-12-22 CVE-2010-4333 Pangramsoft Improper Authentication vulnerability in Pangramsoft Pointter PHP Micro-Blogging Social Network 1.8

Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.

7.5
2010-12-22 CVE-2010-4332 Pangramsoft Improper Authentication vulnerability in Pangramsoft Pointter PHP Content Management System 1.0

Pointter PHP Content Management System 1.0 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.

7.5
2010-12-22 CVE-2010-4578 Google / Debian Multiple Security vulnerability in Google Chrome and Chrome OS

Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 do not properly perform cursor handling, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to "stale pointers."

7.5
2010-12-22 CVE-2010-4574 Google / Linux Deserialization of Untrusted Data vulnerability in Google Chrome

The Pickle::Pickle function in base/pickle.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 on 64-bit Linux platforms does not properly perform pointer arithmetic, which allows remote attackers to bypass message deserialization validation, and cause a denial of service or possibly have unspecified other impact, via invalid pickle data.

7.5
2010-12-22 CVE-2010-0114 Symantec Improper Input Validation vulnerability in Symantec Endpoint Protection

fw_charts.php in the reporting module in the Manager (aka SEPM) component in Symantec Endpoint Protection (SEP) 11.x before 11 RU6 MP2 allows remote attackers to bypass intended restrictions on report generation, overwrite arbitrary PHP scripts, and execute arbitrary code via a crafted request.

7.5
2010-12-22 CVE-2010-1804 Apple Unspecified vulnerability in Apple products

Unspecified vulnerability in the network bridge functionality on the Apple Time Capsule, AirPort Extreme Base Station, and AirPort Express Base Station with firmware before 7.5.2 allows remote attackers to cause a denial of service (networking outage) via a crafted DHCP reply.

7.1

28 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-12-23 CVE-2010-4599 Ecava DLL Loading Arbitrary Code Execution vulnerability in Ecava Integraxor 3.6.4000.0

Untrusted search path vulnerability in Ecava IntegraXor 3.6.4000.0 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory.

6.9
2010-12-22 CVE-2010-4347 Linux / Opensuse / Suse Improper Privilege Management vulnerability in multiple products

The ACPI subsystem in the Linux kernel before 2.6.36.2 uses 0222 permissions for the debugfs custom_method file, which allows local users to gain privileges by placing a custom ACPI method in the ACPI interpreter tables, related to the acpi_debugfs_init function in drivers/acpi/debugfs.c.

6.9
2010-12-23 CVE-2010-4519 Earl Miles / Drupal Cross-Site Request Forgery (CSRF) vulnerability in Earl Miles Views

Multiple cross-site request forgery (CSRF) vulnerabilities in the Views UI implementation in the Views module 5.x before 5.x-1.8 and 6.x before 6.x-2.11 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable all Views or (2) disable all Views.

6.8
2010-12-22 CVE-2009-2189 Apple Resource Management Errors vulnerability in Apple products

The ICMPv6 implementation on the Apple Time Capsule, AirPort Extreme Base Station, and AirPort Express Base Station with firmware before 7.5.2 does not limit the rate of (1) Router Advertisement and (2) Neighbor Discovery packets, which allows remote attackers to cause a denial of service (resource consumption and device restart) by sending many packets.

6.1
2010-12-22 CVE-2010-4110 HP Unspecified vulnerability in HP Openvms 8.3/8.31H1/8.4

Unspecified vulnerability in HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform on Integrity servers allows local users to gain privileges or cause a denial of service via unknown vectors.

5.7
2010-12-23 CVE-2010-4598 Ecava Path Traversal vulnerability in Ecava Integraxor 3.5.3900.10/3.5.3900.5/3.6.4000.0

Directory traversal vulnerability in Ecava IntegraXor 3.6.4000.0 and earlier allows remote attackers to read arbitrary files via a ..

5.0
2010-12-22 CVE-2010-4595 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Lotus Mobile Connect

The Connection Manager in IBM Lotus Mobile Connect before 6.1.4 disables the http.device.stanza blacklisting functionality for HTTP Access Services (HTTP-AS), which allows remote attackers to bypass intended access restrictions via an HTTP request that contains a disallowed User-Agent header.

5.0
2010-12-22 CVE-2010-4112 HP Information Exposure vulnerability in HP Insight Management Agents

HP Insight Management Agents before 8.6 allows remote attackers to obtain sensitive information via an unspecified request that triggers disclosure of the full path.

5.0
2010-12-22 CVE-2010-3268 Intel / Symantec / Microsoft Improper Input Validation vulnerability in multiple products

The GetStringAMSHandler function in prgxhndl.dll in hndlrsvc.exe in the Intel Alert Handler service (aka Symantec Intel Handler service) in Intel Alert Management System (AMS), as used in Symantec Antivirus Corporate Edition 10.1.4.4010 on Windows 2000 SP4 and Symantec Endpoint Protection before 11.x, does not properly validate the CommandLine field of an AMS request, which allows remote attackers to cause a denial of service (application crash) via a crafted request.

5.0
2010-12-22 CVE-2010-2644 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Service Registry and Repository 7.0.0

IBM WebSphere Service Registry and Repository (WSRR) 7.0.0 before FP1 does not properly implement access control, which allows remote attackers to perform governance actions via unspecified API requests to an EJB interface.

5.0
2010-12-22 CVE-2010-4585 Opera Unspecified vulnerability in Opera Browser

Unspecified vulnerability in the auto-update functionality in Opera before 11.00 allows remote attackers to cause a denial of service (application crash) by triggering an Opera Unite update.

5.0
2010-12-22 CVE-2010-4582 Opera Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera before 11.00 does not properly handle security policies during updates to extensions, which might allow remote attackers to bypass intended access restrictions via unspecified vectors.

5.0
2010-12-22 CVE-2010-4580 Opera Information Exposure vulnerability in Opera Browser

Opera before 11.00 does not clear WAP WML form fields after manual navigation to a new web site, which allows remote attackers to obtain sensitive information via an input field that has the same name as an input field on a previously visited web site.

5.0
2010-12-22 CVE-2010-4579 Opera Unspecified vulnerability in Opera Browser

Opera before 11.00 does not properly constrain dialogs to appear on top of rendered documents, which makes it easier for remote attackers to trick users into interacting with a crafted web site that spoofs the (1) security information dialog or (2) download dialog.

5.0
2010-12-22 CVE-2010-4577 Google / Webkitgtk / Fedoraproject / Debian Out-Of-Bounds Read vulnerability in Google Chrome

The CSSParser::parseFontFaceSrc function in WebCore/css/CSSParser.cpp in WebKit, as used in Google Chrome before 8.0.552.224, Chrome OS before 8.0.552.343, webkitgtk before 1.2.6, and other products does not properly parse Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted local font, related to "Type Confusion."

5.0
2010-12-22 CVE-2010-4576 Google Null Pointer Dereference vulnerability in Google Chrome and Chrome OS

browser/worker_host/message_port_dispatcher.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 does not properly handle certain postMessage calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted JavaScript code that creates a web worker.

5.0
2010-12-22 CVE-2010-4591 IBM Improper Authentication vulnerability in IBM Lotus Mobile Connect

The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not delete LTPA tokens in response to use of the iNotes Logoff button, which might allow physically proximate attackers to obtain access via an unattended client, related to a cookie domain mismatch.

4.4
2010-12-23 CVE-2010-4521 Earl Miles / Drupal Cross-Site Scripting vulnerability in Earl Miles Views

Cross-site scripting (XSS) vulnerability in the Views module 6.x before 6.x-2.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via a page path.

4.3
2010-12-23 CVE-2010-4520 Earl Miles / Drupal Cross-Site Scripting vulnerability in Earl Miles Views

Multiple cross-site scripting (XSS) vulnerabilities in the Views module 6.x before 6.x-2.11 for Drupal allow remote attackers to inject arbitrary web script or HTML via (1) a URL or (2) an aggregator feed title.

4.3
2010-12-22 CVE-2010-4594 IBM Resource Management Errors vulnerability in IBM Lotus Mobile Connect

The Connection Manager in IBM Lotus Mobile Connect before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not properly process TCP connection requests, which allows remote attackers to cause a denial of service (memory consumption and HTTP-AS hang) by making many connection requests that trigger "queue size delta errors," related to a "timing hole" issue.

4.3
2010-12-22 CVE-2010-4592 IBM Resource Management Errors vulnerability in IBM Lotus Mobile Connect

The Mobile Network Connections functionality in the Connection Manager in IBM Lotus Mobile Connect before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not properly handle failed attempts at establishing HTTP-TCP sessions, which allows remote attackers to cause a denial of service (memory consumption and daemon crash) by making many TCP connection attempts.

4.3
2010-12-22 CVE-2010-4590 IBM Cross-Site Scripting vulnerability in IBM Lotus Mobile Connect

Cross-site scripting (XSS) vulnerability in HTTP Access Services (HTTP-AS) in the Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-12-22 CVE-2010-4589 IBM Cross-Site Scripting vulnerability in IBM Enovia 6

Cross-site scripting (XSS) vulnerability in IBM ENOVIA 6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the emxFramework.FilterParameterPattern property.

4.3
2010-12-22 CVE-2010-4277 Jovelstefan / Wordpress Cross-Site Scripting vulnerability in Jovelstefan Embedded-Video 4.1

Cross-site scripting (XSS) vulnerability in lembedded-video.php in the Embedded Video plugin 4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the content parameter to wp-admin/post.php.

4.3
2010-12-22 CVE-2010-4114 HP / Microsoft Cross-Site Scripting vulnerability in HP Discovery & Dependency Mapping Inventory

Cross-site scripting (XSS) vulnerability in HP Discovery & Dependency Mapping Inventory (DDMI) 2.5x, 7.5x, and 7.6x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-12-22 CVE-2010-4111 HP / Microsoft / Linux Cross-Site Scripting vulnerability in HP Insight Diagnostics

Cross-site scripting (XSS) vulnerability in HP Insight Diagnostics Online Edition before 8.5.1.3712 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-12-22 CVE-2010-4575 Google Improper Input Validation vulnerability in Google Chrome OS and Chrome

The ThemeInstalledInfoBarDelegate::Observe function in browser/extensions/theme_installed_infobar_delegate.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 does not properly handle incorrect tab interaction by an extension, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted extension.

4.3
2010-12-22 CVE-2010-4593 IBM Resource Management Errors vulnerability in IBM Lotus Mobile Connect

The Connection Manager in IBM Lotus Mobile Connect before 6.1.4 does not properly maintain a certain reference count, which allows remote authenticated users to cause a denial of service (IP address exhaustion) by making invalid attempts to establish sessions with the same VPN ID from multiple devices.

4.0

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-12-22 CVE-2010-4275 Dmasoftlab Cross-Site Scripting vulnerability in Dmasoftlab Radius Manager 3.8.0

Multiple cross-site scripting (XSS) vulnerabilities in Radius Manager 3.8.0 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) name or (2) descr parameter in an (a) update_usergroup or a (b) store_nas action to admin.php.

3.5
2010-12-22 CVE-2010-4584 Opera Cryptographic Issues vulnerability in Opera Browser

Opera before 11.00, when Opera Turbo is used, does not properly present information about problematic X.509 certificates on https web sites, which might make it easier for remote attackers to spoof trusted content via a crafted web site.

2.6
2010-12-22 CVE-2010-4583 Opera Unspecified vulnerability in Opera Browser

Opera before 11.00, when Opera Turbo is enabled, does not display a page's security indication, which makes it easier for remote attackers to spoof trusted content via a crafted web site.

2.6
2010-12-22 CVE-2010-0039 Apple Permissions, Privileges, and Access Controls vulnerability in Apple products

The Application-Level Gateway (ALG) on the Apple Time Capsule, AirPort Extreme Base Station, and AirPort Express Base Station with firmware before 7.5.2 modifies PORT commands in incoming FTP traffic, which allows remote attackers to use the device's IP address for arbitrary intranet TCP traffic by leveraging write access to an intranet FTP server.

2.6
2010-12-23 CVE-2010-3881 Linux / Redhat / Suse Information Exposure vulnerability in multiple products

arch/x86/kvm/x86.c in the Linux kernel before 2.6.36.2 does not initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via read operations on the /dev/kvm device.

2.1
2010-12-22 CVE-2010-4346 Linux Null Pointer Dereference vulnerability in Linux Kernel

The install_special_mapping function in mm/mmap.c in the Linux kernel before 2.6.37-rc6 does not make an expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application.

2.1