VU#248449: Nuance PDF viewing products contain multiple vulnerabilities

Vulnerability Note VU#248449
Nuance PDF viewing products contain multiple vulnerabilities

Original Release date: 07 Feb 2013 | Last revised: 07 Feb 2013

Overview

Nuance PDF viewing products contain multiple memory-corruption vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Nuance provides two similar PDF viewing products called PDF Reader and PDF Viewer Plus. Both of these products contain multiple exploitable memory-corruption vulnerabilities. We have found that both Nuance PDF Reader 7.0 and PDF Viewer Plus 7.1 are affected.

Impact

By convincing a user to view a specially crafted PDF document, an attacker may be able to execute arbitrary code on a vulnerable system.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts “Understanding DEP as a mitigation technology” part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Vendor Information

Vendor: Nuance Communications, Inc.
Status: Affected
Date Notified: 17 Dec 2012
Date Updated: 05 Feb 2013

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group
Score
Vector

Base
10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal
9.0
E:POC/RL:U/RC:C

Environmental
2.3
CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

http://www.nuance.com/products/pdf-reader/index.htm
http://support.microsoft.com/kb/2458544
http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx
http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx
http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

Credit

These vulnerabilities were reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs:
CVE-2013-0113

Date Public:
07 Feb 2013

Date First Published:
07 Feb 2013

Date Last Updated:
07 Feb 2013

Document Revision:
11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#849841: Autonomy Keyview IDOL contains multiple vulnerabilities in file parsers

VU#985625: Symantec Antivirus products fail to properly handle CAB files

Vulnerability Note VU#985625
Symantec Antivirus products fail to properly handle CAB files

Original Release date: 05 Nov 2012 | Last revised: 15 Nov 2012

Overview

Multiple Symantec Antivirus products fail to properly handle CAB files, which may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

Description

The CAB file decomposer component that is used by multiple Symantec Antivirus products fails to properly handle malformed CAB files, which can result in memory corruption. Successful exploitation may result in arbitrary code execution as the result of a file being scanned. We have confirmed that Symantec Endpoint Protection 11, which uses dec_abi.dll, and Symantec Scan Engine 5.2, which uses Dec2CAB.dll, are affected. Symantec also reports that Symantec Endpoint Protection 12.0, AntiVirus Corporate Edition 10.x, and Symantec Scan Engine 5.2.7.x and prior are affected.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Solution

Apply an update

Symantec Endpoint Protection 11.0.5 through 11.0.7 MP3 users should apply the Decomposer Update Tool listed in Symantec Advisory SYM12-017. Symantec Endpoint Protection 12.0 and Symantec AntiVirus Corporate Edition users should update to Symantec Endpoint Protection version 12.1. Symantec Scan Engine users should update to version 5.2.8 or Symantec Protection Engine for Cloud Services 7.0.x. Please see Symantec Advisory SYM12-017 for more details.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts “Understanding DEP as a mitigation technology” part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.
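The DEP and ASLR workaround above appears in both the Nuance (VU#248449) and Symantec (VU#985625) notes on this page. As an added check that is not part of either CERT/CC note, the following PowerShell script reports a host's system-wide DEP policy and whether its Windows version is one that supports ASLR, so an administrator can tell whether the workaround applies before relying on it. The value-to-name mapping for DataExecutionPrevention_SupportPolicy comes from Microsoft's Win32_OperatingSystem documentation; the output layout and the version threshold are this example's own choices.

```powershell
# Added example (not part of the CERT/CC note): report the system-wide DEP
# policy and whether the OS version supports ASLR, so an administrator can
# tell whether the DEP/ASLR workaround actually applies to a host.

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values
# (documented by Microsoft): 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
$depNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn (default on client Windows)'
    3 = 'OptOut'
}

$os     = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

Write-Output ("DEP support policy : {0} ({1})" -f $policy, $depNames[$policy])
Write-Output ("DEP available (HW) : {0}" -f $os.DataExecutionPrevention_Available)

# ASLR was introduced with Windows Vista / Server 2008 (NT 6.0); Windows XP
# (5.1) and Server 2003 (5.2) do not randomize address space.
$ver  = [Version]$os.Version
$aslr = $ver -ge [Version]'6.0'

Write-Output ("OS version         : {0}" -f $os.Version)
Write-Output ("ASLR supported     : {0}" -f $aslr)

if ($policy -eq 0) {
    # DEP is disabled system-wide; bcdedit needs an elevated prompt and a reboot
    Write-Output 'DEP is disabled system-wide. To enable it (elevated prompt, then reboot):'
    Write-Output '  bcdedit /set {current} nx OptOut'
}
if (-not $aslr) {
    Write-Output 'This OS lacks ASLR; DEP alone gives reduced protection (see the SRD post cited above).'
}
```

Run it in an elevated PowerShell session. A policy of OptIn means only Windows system binaries and applications that opt in are covered, so a third-party viewer or scanner may still run without DEP unless the policy is OptOut or AlwaysOn, or the application is added explicitly.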

Vendor Information

Vendor: Symantec
Status: Affected
Date Notified: 08 Apr 2011
Date Updated: 15 Nov 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group
Score
Vector

Base
10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal
7.8
E:POC/RL:OF/RC:C

Environmental
7.8
CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121107_00
http://www.symantec.com/endpoint-protection
http://www.symantec.com/protection-engine-for-cloud-services
http://support.microsoft.com/kb/2458544

http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx
http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx
http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs:
CVE-2012-4953

Date Public:
05 Nov 2012

Date First Published:
05 Nov 2012

Date Last Updated:
15 Nov 2012

Document Revision:
24

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#872545: Adobe Shockwave 11.6.7.637 contains multiple exploitable vulnerabilities

Vulnerability Note VU#872545
Adobe Shockwave 11.6.7.637 contains multiple exploitable vulnerabilities

Original Release date: 23 Oct 2012 | Last revised: 23 Oct 2012

Overview

Adobe Shockwave Player 11.6.7.637 and earlier versions on the Windows and Macintosh operating systems contain critical vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Adobe Macromedia Shockwave Player is software that plays active web content developed in Macromedia and Adobe Director. Shockwave Player is available as an ActiveX control for Internet Explorer and as a plug-in for other web browsers.

Multiple vulnerabilities have been discovered in Shockwave Player and its Xtra components that can be exploited by an attacker to execute arbitrary code on a user’s system. More details are available in Adobe Security Bulletin APSB12-23.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), Microsoft Office document, or any other document that supports embedded Shockwave content, an attacker may be able to execute arbitrary code.

Solution

Apply an update

These issues have been addressed in Adobe Shockwave Player 11.6.8.638. Please see Adobe Security Bulletin APSB12-23 for more details.

Limit access to Director files

Restricting the handling of untrusted Director content may help mitigate this vulnerability. See Securing Your Web Browser for more information. Consider using the NoScript extension to whitelist web sites that can run Shockwave Player in Mozilla browsers such as Firefox. See the NoScript FAQ for more information.

Disable the Shockwave Player ActiveX control in Internet Explorer

The Shockwave Player ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

{166B1BCA-3F9C-11CF-8075-444553540000}
{233C1507-6A77-46A4-9443-F871F945D258}

Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control (the value names must use straight double quotes, as below, or regedit will reject the file):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{166B1BCA-3F9C-11CF-8075-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{166B1BCA-3F9C-11CF-8075-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{233C1507-6A77-46A4-9443-F871F945D258}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{233C1507-6A77-46A4-9443-F871F945D258}]
"Compatibility Flags"=dword:00000400

More information about how to set the kill bit is available in Microsoft Support Document 240797.
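After importing the .REG file, an administrator will want to confirm that the kill bit actually took effect for both CLSIDs under both the native and the Wow6432Node keys. The following PowerShell script is an added verification check, not part of the CERT/CC note; the function name Test-KillBit and the output format are this example's own. The two CLSIDs and the 0x400 flag value are the ones given in the note above.

```powershell
# Added example (not part of the CERT/CC note): verify that the kill bit
# (Compatibility Flags bit 0x400) is set for the Shockwave Player CLSIDs
# listed in VU#872545, under both ActiveX Compatibility key locations.

$clsids = @(
    '{166B1BCA-3F9C-11CF-8075-444553540000}',
    '{233C1507-6A77-46A4-9443-F871F945D258}'
)

$basePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

$KillBit = 0x400   # kill-bit flag value from Microsoft Support Document 240797

# Returns $true only if the key exists and the kill bit is present in
# "Compatibility Flags"; other flag bits may be set alongside it, so test
# the bit rather than comparing the whole value to 0x400.
function Test-KillBit {
    param([string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $flags = [int]$item.'Compatibility Flags'
    return (($flags -band $KillBit) -eq $KillBit)
}

foreach ($base in $basePaths) {
    # The Wow6432Node hive only exists on 64-bit Windows; skip it elsewhere.
    if (-not (Test-Path -Path $base)) { continue }
    foreach ($clsid in $clsids) {
        $key   = Join-Path -Path $base -ChildPath $clsid
        $state = if (Test-KillBit -KeyPath $key) { 'kill bit SET' } else { 'kill bit NOT set' }
        Write-Output ("{0,-100} {1}" -f $key, $state)
    }
}
```

Run it from a 64-bit, elevated PowerShell session on 64-bit Windows; a 32-bit PowerShell process is registry-redirected and would read the Wow6432Node view for both paths, so it cannot tell the two locations apart.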

Vendor Information

Vendor: Adobe
Status: Affected
Date Notified: 24 Apr 2012
Date Updated: 23 Oct 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group
Score
Vector

Base
10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal
7.8
E:POC/RL:OF/RC:C

Environmental
7.8
CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

http://www.cert.org/tech_tips/securing_browser/

http://www.adobe.com/support/security/bulletins/apsb12-23.html

Credit

These vulnerabilities were reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs:
CVE-2012-4172
CVE-2012-4173
CVE-2012-4174
CVE-2012-4175
CVE-2012-4176

Date Public:
23 Oct 2012

Date First Published:
23 Oct 2012

Date Last Updated:
23 Oct 2012

Document Revision:
11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#738961: Oracle Outside In contains an exploitable vulnerability in Lotus 123 v4 parser

Vulnerability Note VU#738961
Oracle Outside In contains an exploitable vulnerability in Lotus 123 v4 parser

Original Release date: 18 Jan 2012 | Last revised: 10 May 2012

Overview

Oracle Outside In contains an exploitable vulnerability in the Lotus 123 version 4 file parser, which can allow a remote, unauthenticated attacker to execute a…

VU#361441: Microsoft Office Publisher contains multiple exploitable vulnerabilities

VU#675073: Microsoft Windows TrueType font array indexing vulnerability

Vulnerability Note VU#675073
Microsoft Windows TrueType font array indexing vulnerability
Overview

A vulnerability in the Microsoft Windows TrueType font parsing component could allow an attacker to cause a denial-of-service condition in Microsoft Windows.

I. Description

The Microsoft Windows kernel includes a driver (win32k.sys) that handles a variety of graphics processing tasks, including the processing of True…

VU#619281: Windows font library file buffer overflow

Vulnerability Note VU#619281
Windows font library file buffer overflow
Overview

Microsoft Windows contains a buffer overflow vulnerability in the handling of font library files, which may allow a remote, unauthenticated attacker to execute arbitrary code with kernel privileges.

I. Description

Microsoft Windows supports a variety of font formats. One of which is the font library file format, which have the file ext…