From jericho at attrition.org Fri Apr 2 21:58:33 2010
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 2 Apr 2010 21:58:33 +0000 (UTC)
Subject: [VIM] ZDI-10-045: Apple QuickTime MPEG-1 genl Atom Remote Code Execution Vulnerability

Hi ZDI,

http://seclists.org/fulldisclosure/2010/Apr/29
http://www.zerodayinitiative.com/advisories/ZDI-10-045
CVE-2010-0526
TippingPoint IPS Digital Vaccine protection filter ID 9629
2009-11-06 - Vulnerability reported to vendor

-and-

http://seclists.org/fulldisclosure/2010/Apr/19
http://www.zerodayinitiative.com/advisories/ZDI-10-035
CVE-2010-0526
TippingPoint IPS Digital Vaccine protection filter ID 8045
2009-03-26 - Vulnerability reported to vendor

Discrepancy between advisory, DV ID and reported to vendor date. Any
clarification?

Brian
OSVDB.org

On Fri, 2 Apr 2010, ZDI Disclosures wrote:

: ZDI-10-045: Apple QuickTime MPEG-1 genl Atom Remote Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-045
: April 2, 2010
:
: -- CVE ID:
: CVE-2010-0526
:
: -- Affected Vendors:
: Apple
:
: -- Affected Products:
: Apple OS X
:
: -- TippingPoint(TM) IPS Customer Protection:
: TippingPoint IPS customers have been protected against this
: vulnerability by Digital Vaccine protection filter ID 9629.
: For further product information on the TippingPoint IPS, visit:
:
: http://www.tippingpoint.com
:
: -- Vulnerability Details:
: This vulnerability allows remote attackers to execute arbitrary code on
: vulnerable installations of Apple QuickTime. User interaction is
: required to exploit this vulnerability in that the target must visit a
: malicious page or open a malicious file.
:
: The specific flaw exists during the parsing of MPEG content. Upon
: reading a field used for compression within a 'genl' atom in the movie
: container, the application will decompress outside the boundary of an
: allocated buffer.
: Successful exploitation can lead to code execution
: under the context of the application.
:
: -- Vendor Response:
: Apple states:
: http://support.apple.com/kb/HT4104
:
: http://support.apple.com/kb/HT4077
:
: -- Disclosure Timeline:
: 2009-11-06 - Vulnerability reported to vendor
: 2010-04-02 - Coordinated public release of advisory
:
: -- Credit:
: This vulnerability was discovered by:
: * Anonymous
:
: -- About the Zero Day Initiative (ZDI):
: Established by TippingPoint, The Zero Day Initiative (ZDI) represents
: a best-of-breed model for rewarding security researchers for responsibly
: disclosing discovered vulnerabilities.
:
: Researchers interested in getting paid for their security research
: through the ZDI can find more information and sign-up at:
:
: http://www.zerodayinitiative.com
:
: The ZDI is unique in how the acquired vulnerability information is
: used. TippingPoint does not re-sell the vulnerability details or any
: exploit code. Instead, upon notifying the affected product vendor,
: TippingPoint provides its customers with zero day protection through
: its intrusion prevention technology. Explicit details regarding the
: specifics of the vulnerability are not exposed to any parties until
: an official vendor patch is publicly available. Furthermore, with the
: altruistic aim of helping to secure a broader user base, TippingPoint
: provides this vulnerability information confidentially to security
: vendors (including competitors) who have a vulnerability protection or
: mitigation product.
:
: Our vulnerability disclosure policy is available online at:
:
: http://www.zerodayinitiative.com/advisories/disclosure_policy/
:
: Follow the ZDI on Twitter:
:
: http://twitter.com/thezdi
: _______________________________________________
: Full-Disclosure - We believe in it.
: Charter: http://lists.grok.org.uk/full-disclosure-charter.html
: Hosted and sponsored by Secunia - http://secunia.com/
:

From jericho at attrition.org Sat Apr 3 00:18:55 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 3 Apr 2010 00:18:55 +0000 (UTC)
Subject: [VIM] VUPEN Security Research - Apple iTunes ColorSync Profile Integer Overflow Vulnerability

Hi Apple,

: VUPEN Security Research - Apple iTunes ColorSync Profile Integer
: Overflow Vulnerability
:
: "iTunes is a free application for Mac or PC. It organizes and plays
: digital music and video on computers. It syncs all media files with
: iPod, iPhone, and Apple TV." from Apple.com

The Apple advisory says this is a Safari vuln, while the VUPEN advisory
says iTunes:

http://support.apple.com/kb/HT4070

Safari 4.0.5
ColorSync
CVE-ID: CVE-2010-0040
Available for: Windows 7, Vista, XP

The VUPEN timeline says both are affected:

: 2010-03-12 - Vulnerability Fixed in Safari v4.0.5
: 2010-03-31 - Vulnerability Fixed in iTunes v9.1

Can Apple confirm this affects both, and if the iTunes is a Windows only
issue?
Brian
OSVDB.org

From team at vupen.com Sat Apr 3 08:31:46 2010
From: team at vupen.com (VUPEN Security)
Date: Sat, 3 Apr 2010 10:31:46 +0200
Subject: [VIM] VUPEN Security Research - Apple iTunes ColorSync Profile Integer Overflow Vulnerability
Message-ID: <012420E45B7D4000AC97943AC9B21140@Webmail>

Yes,

The vulnerability we discovered (CVE-2010-0040) affects both Safari and
iTunes:

http://support.apple.com/kb/HT4070

Safari 4.0.5 / ColorSync
CVE-ID: CVE-2010-0040
Available for: Windows 7, Vista, XP
Impact: Viewing a maliciously crafted image with an embedded color profile
may lead to an unexpected application termination or arbitrary code
execution

http://support.apple.com/kb/HT4105

iTunes 9.1 / ColorSync
CVE-ID: CVE-2010-0040
Available for: Windows 7, Vista, XP
Impact: Viewing a maliciously crafted image with an embedded color profile
may lead to an unexpected application termination or arbitrary code
execution

Regards,

C.B. - VUPEN Security
http://www.vupen.com

----- Original Message -----
From: "security curmudgeon"
Sent: Saturday, April 03, 2010 2:18 AM
Subject: Re: [VIM] VUPEN Security Research - Apple iTunes ColorSync Profile Integer Overflow Vulnerability

>
> Hi Apple,
>
> : VUPEN Security Research - Apple iTunes ColorSync Profile Integer
> : Overflow Vulnerability
> :
> : "iTunes is a free application for Mac or PC. It organizes and plays
> : digital music and video on computers. It syncs all media files with
> : iPod, iPhone, and Apple TV." from Apple.com
>
> The Apple advisory says this is a Safari vuln, while the VUPEN advisory
> says iTunes:
>
> http://support.apple.com/kb/HT4070
>
> Safari 4.0.5
> ColorSync
> CVE-ID: CVE-2010-0040
> Available for: Windows 7, Vista, XP
>
> The VUPEN timeline says both are affected:
>
> : 2010-03-12 - Vulnerability Fixed in Safari v4.0.5
> : 2010-03-31 - Vulnerability Fixed in iTunes v9.1
>
> Can Apple confirm this affects both, and if the iTunes is a Windows only
> issue?
>
> Brian
> OSVDB.org
>

From jericho at attrition.org Fri Apr 16 22:15:32 2010
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 16 Apr 2010 22:15:32 +0000 (UTC)
Subject: [VIM] another 'site specific' VDB / Site

Via:
http://www.darkreading.com/blog/archives/2010/04/new_full_disclo.html?cid=RSSfeed_DR_ALL

The new site:
http://www.vs-db.info/

Example:

http://www.issafrica.org Institute for security studies SQLi
April 16th, 2010  No comments
http://www.issafrica.org/
Institute for security studies
Submitted by Travar

From jericho at attrition.org Sat Apr 17 09:38:28 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 17 Apr 2010 09:38:28 +0000 (UTC)
Subject: [VIM] ZDI-10-074: Sun Microsystems Directory Server Enterprise ASN.1 Parsing Remote Code Execution Vulnerability

Hi ZDI,

: ZDI-10-074: Sun Microsystems Directory Server Enterprise ASN.1 Parsing Remote Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-074
: CVE-2010-0897

: ZDI-10-075: Sun Microsystems Directory Server Enterprise DSML UTF-8 Denial of Service Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-075
: CVE-2010-0897

Can you confirm these should have the same CVE? The CVE is currently vague
but specifies "Directory Service Markup Language" suggesting 075 is
correct, but the CVE associated with 074 is incorrect.

Brian
OSVDB.org

From jericho at attrition.org Sat Apr 17 09:39:41 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 17 Apr 2010 09:39:41 +0000 (UTC)
Subject: [VIM] ZDI-10-074: Sun Microsystems Directory Server Enterprise ASN.1 Parsing Remote Code Execution Vulnerability

And follow-up:

: ZDI-10-073: Sun Microsystems Directory Server DSML-over-HTTP Username Search Denial of Service Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-073
: CVE-2010-0897

A third advisory associated with the same CVE.
Thanks,

Brian

On Sat, 17 Apr 2010, security curmudgeon wrote:

:
: Hi ZDI,
:
: : ZDI-10-074: Sun Microsystems Directory Server Enterprise ASN.1 Parsing Remote Code Execution Vulnerability
: : http://www.zerodayinitiative.com/advisories/ZDI-10-074
: : CVE-2010-0897
:
: : ZDI-10-075: Sun Microsystems Directory Server Enterprise DSML UTF-8 Denial of Service Vulnerability
: : http://www.zerodayinitiative.com/advisories/ZDI-10-075
: : CVE-2010-0897
:
: Can you confirm these should have the same CVE? The CVE is currently vague
: but specifies "Directory Service Markup Language" suggesting 075 is
: correct, but the CVE associated with 074 is incorrect.
:
: Brian
: OSVDB.org
:

From jericho at attrition.org Sat Apr 17 19:37:39 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 17 Apr 2010 19:37:39 +0000 (UTC)
Subject: [VIM] ZDI-10-068: Apple QuickTime H.263 Array Index Parsing Remote Code Execution Vulnerability

Hi ZDI,

: ZDI-10-068: Apple QuickTime H.263 Array Index Parsing Remote Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-068
: April 9, 2010
: CVE-2010-0062
: 2010-04-06 - Vulnerability reported to vendor
: 2010-04-09 - Coordinated public release of advisory

This CVE is also associated with:

http://www.zerodayinitiative.com/advisories/ZDI-10-036/
Apple QuickTime H.263 PictureHeader Remote Code Execution Vulnerability
April 2nd, 2010
CVE-2010-0062
2009-08-10 - Vulnerability reported to vendor
2010-04-02 - Coordinated public release of advisory

Could you provide confirmation and/or clarification on why there are two
advisories for this?
Thanks,

Brian
OSVDB.org

From jericho at attrition.org Sat Apr 17 19:55:04 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 17 Apr 2010 19:55:04 +0000 (UTC)
Subject: [VIM] ZDI-10-029: Apple WebKit innerHTML element Substitution Remote Code Execution Vulnerability

Hi ZDI,

: ZDI-10-029: Apple WebKit innerHTML element Substitution Remote Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-029
: March 15, 2010
: CVE-2010-0050

Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-031/
March 16th, 2010
CVE-2010-0050

Same researcher, but vulnerabilities were reported to vendor six days
apart. Can you confirm both advisories should have the same CVE assigned?

Brian
OSVDB.org

From jericho at attrition.org Sat Apr 17 20:10:07 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 17 Apr 2010 20:10:07 +0000 (UTC)
Subject: [VIM] ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability

Hi ZDI,

While trying to match the following advisory to OSVDB and CVE, I noticed
something that I have seen a few times in the past regarding the way ZDI
designates advisory IDs. I'd like to request that published ZDI advisories
be enhanced in a small way to better cross-reference information released
by ZDI.
Example:

: ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-024
: March 2, 2010
: [No CVE]
: http://www.novell.com/support/viewContent.do?externalId=7005341

I am trying to determine if this is the same as CVE-2010-0666 which links to
http://www.novell.com/support/viewContent.do?externalId=3426981

That vendor changelog has the following entry:

EMBOX:
- Security Vulnerability: embox SOAP request causes eDirectory to core [ZDI-CAN-440] (Bug 548503)

Since ZDI-CAN-440 has been published, it no longer appears on your
'upcoming' advisories page. Your published advisories do not reference the
previous ZDI-CAN-### designation. If ZDI could start to include that piece
of information, it would help VDBs in avoiding duplicates should they
create an entry based on an upcoming advisory.

Thanks,

Brian
OSVDB.org

From zdi-disclosures at tippingpoint.com Wed Apr 21 17:39:46 2010
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Wed, 21 Apr 2010 12:39:46 -0500
Subject: [VIM] ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability

Hi Brian,

That's a valid point. Are you free for a phone chat perhaps tomorrow?

Best,
Kate

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Saturday, April 17, 2010 3:10 PM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: Re: ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability

Hi ZDI,

While trying to match the following advisory to OSVDB and CVE, I noticed
something that I have seen a few times in the past regarding the way ZDI
designates advisory IDs. I'd like to request that published ZDI advisories
be enhanced in a small way to better cross-reference information released
by ZDI.
Example:

: ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-024
: March 2, 2010
: [No CVE]
: http://www.novell.com/support/viewContent.do?externalId=7005341

I am trying to determine if this is the same as CVE-2010-0666 which links to
http://www.novell.com/support/viewContent.do?externalId=3426981

That vendor changelog has the following entry:

EMBOX:
- Security Vulnerability: embox SOAP request causes eDirectory to core [ZDI-CAN-440] (Bug 548503)

Since ZDI-CAN-440 has been published, it no longer appears on your
'upcoming' advisories page. Your published advisories do not reference the
previous ZDI-CAN-### designation. If ZDI could start to include that piece
of information, it would help VDBs in avoiding duplicates should they
create an entry based on an upcoming advisory.

Thanks,

Brian
OSVDB.org

From deapesh at gmail.com Fri Apr 23 15:41:11 2010
From: deapesh at gmail.com (Deapesh Misra)
Date: Fri, 23 Apr 2010 11:41:11 -0400
Subject: [VIM] IBM 'REPEAT' BoF advisory - APAR IC65922

Hi,

I am wondering if this recent IBM advisory:
http://www-01.ibm.com/support/docview.wss?uid=swg1IC65922

is the fix for this vulnerability found by Intevydis:
http://intevydis.blogspot.com/2010/01/ibm-db2-97-heap-overflow.html

which is CVE-2010-0462.
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0462)

Sending this question to this list, while I figure out whom to email in
IBM for details.

-Deapesh.

PS: If somebody on this list has an IBM email id to which I can send this
question, will be glad to receive that info.
From zdi-disclosures at tippingpoint.com Mon Apr 26 14:20:01 2010
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Mon, 26 Apr 2010 09:20:01 -0500
Subject: [VIM] ZDI-10-074: Sun Microsystems Directory Server Enterprise ASN.1 Parsing Remote Code Execution Vulnerability

Hello Brian,

Yes, according to Sun they should indeed have the same CVE ID
CVE-2010-0897. There is also a third case with this ID as well. All three
are listed below.

ZDI-10-073
ZDI-10-074
ZDI-10-075

Kind regards,
Kate

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Saturday, April 17, 2010 4:38 AM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: Re: ZDI-10-074: Sun Microsystems Directory Server Enterprise ASN.1 Parsing Remote Code Execution Vulnerability

Hi ZDI,

: ZDI-10-074: Sun Microsystems Directory Server Enterprise ASN.1 Parsing Remote Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-074
: CVE-2010-0897

: ZDI-10-075: Sun Microsystems Directory Server Enterprise DSML UTF-8 Denial of Service Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-075
: CVE-2010-0897

Can you confirm these should have the same CVE? The CVE is currently vague
but specifies "Directory Service Markup Language" suggesting 075 is
correct, but the CVE associated with 074 is incorrect.

Brian
OSVDB.org

From zdi-disclosures at tippingpoint.com Mon Apr 26 14:32:43 2010
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Mon, 26 Apr 2010 09:32:43 -0500
Subject: [VIM] ZDI-10-029: Apple WebKit innerHTML element Substitution Remote Code Execution Vulnerability

Brian,

Actually the site shows different CVE IDs for these two cases. Let me know
if you have further questions on this. Perhaps it was updated after you
initially saw it listed.
Best,
Kate

CVE ID:                ZDI ID
---------------------  ----------
CVE-ID: CVE-2010-0047  ZDI-10-029
CVE-ID: CVE-2010-0050  ZDI-10-031

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Saturday, April 17, 2010 2:55 PM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: Re: ZDI-10-029: Apple WebKit innerHTML element Substitution Remote Code Execution Vulnerability

Hi ZDI,

: ZDI-10-029: Apple WebKit innerHTML element Substitution Remote Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-029
: March 15, 2010
: CVE-2010-0050

Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-031/
March 16th, 2010
CVE-2010-0050

Same researcher, but vulnerabilities were reported to vendor six days
apart. Can you confirm both advisories should have the same CVE assigned?

Brian
OSVDB.org

From zdi-disclosures at tippingpoint.com Mon Apr 26 14:41:07 2010
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Mon, 26 Apr 2010 09:41:07 -0500
Subject: [VIM] ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability

Brian,

Yes, once issues are public it loses the ZDI-CAN-#. I understand how
showing both would be helpful to you. I will bring up your request with
the team. In this case, I am happy to confirm that it is indeed
ZDI-CAN-440 and since you have provided the CVE ID for me, I went ahead
and updated the published advisories site to include it.
Best,
Kate

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Saturday, April 17, 2010 3:10 PM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: Re: ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability

Hi ZDI,

While trying to match the following advisory to OSVDB and CVE, I noticed
something that I have seen a few times in the past regarding the way ZDI
designates advisory IDs. I'd like to request that published ZDI advisories
be enhanced in a small way to better cross-reference information released
by ZDI.

Example:

: ZDI-10-024: Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-024
: March 2, 2010
: [No CVE]
: http://www.novell.com/support/viewContent.do?externalId=7005341

I am trying to determine if this is the same as CVE-2010-0666 which links to
http://www.novell.com/support/viewContent.do?externalId=3426981

That vendor changelog has the following entry:

EMBOX:
- Security Vulnerability: embox SOAP request causes eDirectory to core [ZDI-CAN-440] (Bug 548503)

Since ZDI-CAN-440 has been published, it no longer appears on your
'upcoming' advisories page. Your published advisories do not reference the
previous ZDI-CAN-### designation. If ZDI could start to include that piece
of information, it would help VDBs in avoiding duplicates should they
create an entry based on an upcoming advisory.

Thanks,

Brian
OSVDB.org

From zdi-disclosures at tippingpoint.com Mon Apr 26 16:44:56 2010
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Mon, 26 Apr 2010 11:44:56 -0500
Subject: [VIM] Misc. ZDI inquiries

Hi Brian,

Please let me know when you would be free for a call so we can address the
remaining two unanswered questions you asked.

Best,
Kate Fly
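The cross-referencing problems raised across this thread (one CVE on ZDI-10-045 and ZDI-10-035 with report dates and DV filter IDs that disagree, one CVE on ZDI-10-073/074/075, one CVE on ZDI-10-068 and ZDI-10-036, and the ZDI-CAN-440 designation that disappears once ZDI-10-024 is published) are checks a VDB maintainer can automate. The script below is an added example, not OSVDB's or ZDI's code: the `Advisory` record, the function names and the `VENDOR_CHANGELOG` map are assumptions of this example, and the sample records are constructed from the IDs and dates quoted in the thread.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Advisory:
    """One published ZDI advisory as a VDB would index it (example schema)."""
    zdi_id: str
    cve: Optional[str]
    reported: Optional[date] = None   # "Vulnerability reported to vendor" date
    dv_filter: Optional[int] = None   # TippingPoint Digital Vaccine filter ID
    zdi_can: Optional[str] = None     # pre-publication ZDI-CAN-### designation


# Constructed sample built from the advisories quoted in this thread.
SAMPLE = [
    Advisory("ZDI-10-045", "CVE-2010-0526", date(2009, 11, 6), 9629),
    Advisory("ZDI-10-035", "CVE-2010-0526", date(2009, 3, 26), 8045),
    Advisory("ZDI-10-073", "CVE-2010-0897"),
    Advisory("ZDI-10-074", "CVE-2010-0897"),
    Advisory("ZDI-10-075", "CVE-2010-0897"),
    Advisory("ZDI-10-068", "CVE-2010-0062", date(2010, 4, 6)),
    Advisory("ZDI-10-036", "CVE-2010-0062", date(2009, 8, 10)),
    Advisory("ZDI-10-029", "CVE-2010-0047"),
    Advisory("ZDI-10-031", "CVE-2010-0050"),
    Advisory("ZDI-10-024", None, zdi_can="ZDI-CAN-440"),
]

# Constructed stand-in for a vendor changelog that cites the ZDI-CAN ID,
# as Novell's entry "[ZDI-CAN-440]" does for the eDirectory fix.
VENDOR_CHANGELOG = {"ZDI-CAN-440": "CVE-2010-0666"}


def shared_cves(advisories: List[Advisory]) -> Dict[str, List[Advisory]]:
    """CVE -> advisories carrying it, keeping only CVEs used more than once."""
    groups: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        if adv.cve:
            groups.setdefault(adv.cve, []).append(adv)
    return {cve: advs for cve, advs in groups.items() if len(advs) > 1}


def suspicious_shared_cves(advisories: List[Advisory],
                           max_gap_days: int = 30) -> Dict[str, str]:
    """Shared CVEs whose metadata suggests two distinct bugs: report-to-vendor
    dates far apart, or different DV filter IDs. Returns CVE -> reason. A shared
    CVE with no dates or filters (the Sun trio) is left for the vendor to settle."""
    findings: Dict[str, str] = {}
    for cve, advs in shared_cves(advisories).items():
        dates = [a.reported for a in advs if a.reported]
        filters = {a.dv_filter for a in advs if a.dv_filter is not None}
        if len(dates) > 1 and (max(dates) - min(dates)).days > max_gap_days:
            gap = (max(dates) - min(dates)).days
            findings[cve] = "report-to-vendor dates %d days apart" % gap
        elif len(filters) > 1:
            findings[cve] = "different DV filter IDs %s" % sorted(filters)
    return findings


def resolve_missing_cves(advisories: List[Advisory],
                         changelog: Dict[str, str]) -> Dict[str, str]:
    """Fill CVE gaps through the ZDI-CAN ID a vendor changelog cites."""
    return {a.zdi_id: changelog[a.zdi_can] for a in advisories
            if a.cve is None and a.zdi_can in changelog}


if __name__ == "__main__":
    for cve, reason in suspicious_shared_cves(SAMPLE).items():
        print(cve, "->", reason)
    print(resolve_missing_cves(SAMPLE, VENDOR_CHANGELOG))
```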