Latest vulnerabilities reported by Secunia PSI
Gizmo's Freeware Forum > Debating Chamber > Security

#1, Anupam (Moderator), 26 Aug 2010, 04:54 PM
I ran Secunia PSI today. I came across vulnerabilities in Firefox, QuickTime, and VLC, which are installed on my system. All the vulnerabilities are reported to be "highly critical". Except for QuickTime, the latest versions (of Firefox and VLC) are affected.

Firefox 3.6.8:

Description
A vulnerability has been discovered in Mozilla Firefox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the application loading libraries (e.g. dwmapi.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into e.g. opening an HTML file located on a remote WebDAV or SMB share.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 3.6.8 for Windows. Other versions may also be affected.

Solution
Do not open untrusted files.


VLC 1.1.3:

Description
A vulnerability has been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the application loading libraries (e.g. wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into e.g. opening an MP3 file located on a remote WebDAV or SMB share.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 1.1.3 for Windows. Other versions may also be affected.

Solution
Fixed in the Git repository.


QuickTime 7.6.6:

Description
Krystian Kloskowski has discovered a vulnerability in QuickTime Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 7.6.6 (1671) for Windows. Other versions may also be affected.

Solution
Update to version 7.6.7.



I would not be using QuickTime, but I got the old iPod from my brother, so I have to use iTunes and QuickTime with it, even though I hate both products. I actually dislike products from Apple because they install extra things on the computer like Bonjour, Apple Mobile Device Support, and what-not. If anyone has an iPod and uses iTunes and QuickTime, please share with me whether any of these extra things can be removed without affecting the operation of this software. Also, should I upgrade to the latest version of QuickTime, 7.6.7? Will it affect iTunes? 7.6.6 came bundled with the latest version of iTunes.
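The two library-loading advisories quoted in the post above (Firefox with dwmapi.dll, VLC with wintab32.dll) describe the same bug class. The application asks the Windows loader for a DLL by bare name, the loader walks its search path, and because the current directory is on that path, opening an HTML or MP3 file from an attacker's WebDAV or SMB share lets a DLL planted next to the file win the search. It works precisely when the named DLL is absent from the directories searched earlier (dwmapi.dll is a Vista Desktop Window Manager library, so on XP nothing in System32 shadows the planted copy). The C program below is an added example written for this page, not code from the thread, from Mozilla or from VideoLAN. It does not call LoadLibrary; it simulates the default Windows search order on a POSIX filesystem with a constructed directory layout and DLL names, and shows that skipping the current-directory step (what SetDllDirectory("") does inside an application, or the CWDIllegalInDllSearch setting from Microsoft KB2264107 does host-wide) turns the hijack into a failed load the application can handle.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Search order modelled on the Windows default (SafeDllSearchMode on):
 * application directory, System32, Windows directory, then the current
 * working directory, then PATH.  When a document is opened from a remote
 * share, that share is the current directory.  Constructed for the demo. */
enum { DIR_APP, DIR_SYSTEM32, DIR_WINDOWS, DIR_CWD, DIR_PATH, DIR_COUNT };
static const char *const dir_labels[DIR_COUNT] = {
    "application dir", "System32", "Windows dir", "current dir (share)", "PATH entry"
};
static const char *const dir_names[DIR_COUNT] = {
    "app", "system32", "windows", "share", "pathdir"
};

#define PATH_LEN 512

/* Index of the first directory containing `name`, or -1 if none does.
 * With allow_cwd == 0 the current-directory step is skipped, which is the
 * effect of SetDllDirectory("") or CWDIllegalInDllSearch on Windows. */
int resolve_dll(const char *name, const char *const dirs[], int allow_cwd)
{
    char path[PATH_LEN];
    struct stat st;
    for (int i = 0; i < DIR_COUNT; i++) {
        if (i == DIR_CWD && !allow_cwd)
            continue;
        snprintf(path, sizeof path, "%s/%s", dirs[i], name);
        if (stat(path, &st) == 0 && S_ISREG(st.st_mode))
            return i;
    }
    return -1;
}

static int touch(const char *dir, const char *name)
{
    char path[PATH_LEN];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fclose(f);
    return 0;
}

/* Builds the constructed layout under `root`: a system DLL that really
 * lives in System32, and an attacker's share holding a planted dwmapi.dll
 * (absent from System32, as on Windows XP) plus a planted kernel32.dll. */
int setup_demo(const char *root)
{
    char dir[PATH_LEN];
    if (mkdir(root, 0700) != 0) return -1;
    for (int i = 0; i < DIR_COUNT; i++) {
        snprintf(dir, sizeof dir, "%s/%s", root, dir_names[i]);
        if (mkdir(dir, 0700) != 0) return -1;
    }
    snprintf(dir, sizeof dir, "%s/%s", root, dir_names[DIR_SYSTEM32]);
    if (touch(dir, "kernel32.dll") != 0) return -1;
    snprintf(dir, sizeof dir, "%s/%s", root, dir_names[DIR_CWD]);
    if (touch(dir, "dwmapi.dll") != 0) return -1;
    if (touch(dir, "kernel32.dll") != 0) return -1;   /* shadowed by System32 */
    return 0;
}

/* Resolves `name` against the layout under `root`; returns a DIR_* index or -1. */
int demo_resolution(const char *root, const char *name, int allow_cwd)
{
    char storage[DIR_COUNT][PATH_LEN];
    const char *dirs[DIR_COUNT];
    for (int i = 0; i < DIR_COUNT; i++) {
        snprintf(storage[i], PATH_LEN, "%s/%s", root, dir_names[i]);
        dirs[i] = storage[i];
    }
    return resolve_dll(name, dirs, allow_cwd);
}

int main(void)
{
    char root[PATH_LEN];
    snprintf(root, sizeof root, "/tmp/dllsim_%ld", (long)getpid());
    if (setup_demo(root) != 0) { perror("setup_demo"); return 1; }

    const char *names[] = { "kernel32.dll", "dwmapi.dll" };
    for (int n = 0; n < 2; n++) {
        for (int cwd = 1; cwd >= 0; cwd--) {
            int where = demo_resolution(root, names[n], cwd);
            printf("%-13s cwd %-7s -> %s\n", names[n], cwd ? "allowed" : "blocked",
                   where < 0 ? "NOT FOUND (load fails, no code runs)" : dir_labels[where]);
        }
    }
    return 0;
}
```

The planted kernel32.dll never wins because System32 is searched first; the planted dwmapi.dll wins only while the current directory is on the path. That is why the advisories' "solution" of not opening untrusted files is weak: the user action is just opening a document, and the durable fix is for the application to stop searching the current directory at all.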
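The QuickTime entry in the post above is a different bug class: a fixed-size stack buffer receives a string built from an attacker-controlled URL with no length check, so an overly long URL in a SMIL file overwrites what sits beyond the buffer. The C snippet below is an added example for this page, not QuickTime's code (QuickTimeStreaming.qtx is closed source and the advisory gives no further detail). It puts the unbounded pattern beside a bounded rewrite that uses snprintf's return value to detect truncation and refuses to log rather than overflow. The log-line prefix and sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256   /* fixed-size stack buffer, as in the described bug class */

/* Vulnerable pattern: the URL is formatted into a fixed stack buffer with no
 * bound, so a URL longer than the remaining space overwrites adjacent stack
 * data, including the saved return address.  Shown for contrast; the demo
 * only ever calls it with a short, constructed URL. */
int log_stream_url_vuln(const char *url)
{
    char line[LOG_LINE_MAX];
    sprintf(line, "[rtsp] opening stream %s", url);   /* unbounded write */
    return (int)strlen(line);
}

/* Hardened form: snprintf never writes past out_cap bytes and returns the
 * length the full string would have had, so a value >= out_cap means the
 * line was truncated.  Truncation is treated as an error (return -1) instead
 * of silently logging a partial line; the caller decides what to do next. */
int log_stream_url_safe(const char *url, char *out, size_t out_cap)
{
    int n = snprintf(out, out_cap, "[rtsp] opening stream %s", url);
    if (n < 0)
        return -1;                   /* encoding error */
    if ((size_t)n >= out_cap)
        return -1;                   /* did not fit; out holds a NUL-terminated prefix */
    return n;
}

int main(void)
{
    char out[LOG_LINE_MAX];
    char long_url[2048];

    /* Normal input: both forms produce the same line. */
    printf("vuln short: %d chars\n", log_stream_url_vuln("rtsp://example.test/a.sdp"));
    printf("safe short: %d chars\n",
           log_stream_url_safe("rtsp://example.test/a.sdp", out, sizeof out));

    /* Overly long URL, the shape of the trigger in the advisory.  Only the
     * hardened form is exercised with it. */
    memset(long_url, 'A', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';
    int rc = log_stream_url_safe(long_url, out, sizeof out);
    printf("safe long : rc=%d, buffer holds %zu bytes and is still NUL-terminated\n",
           rc, strlen(out));
    return 0;
}
```

Checking the snprintf return value is the part most often skipped: without it the hardened version silently logs a truncated URL, which is safe for memory but can hide the attack from whoever reads the log later.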
#2, Sope (Senior Member), 26 Aug 2010, 05:15 PM

Anupam,
"Apple Software Update" is a utility that usually gets installed with iTunes. If you run that, it will automatically update QuickTime as necessary (or, for that matter, iTunes, or offer Safari at the same time).

I feel the same way about iTunes, but I've come to accept it's easier to just allow it to install what's necessary and ignore it. I too keep meaning to find out what needs to be installed and what doesn't, but it's not a priority as it's never caused me any problems (maybe I'm too trusting of Apple).
#3, Anupam (Moderator), 26 Aug 2010, 05:22 PM

Yeah, I too have not messed with any of the extra things that got installed with iTunes. I may leave them alone. But still, all these extra things bother me. Why would I want Bonjour and Mobile Device Support? They should ask about these before installing them. Further, some processes like iPodService, iTunesHelper and mDNSResponder start up with Windows, and these bother me too. If I knew any of these were not important, I would stop them from running on startup.

What about upgrading QuickTime to 7.6.7? Should I do it? The latest version does not have the vulnerability it seems.
#4, Sope (Senior Member), 26 Aug 2010, 05:34 PM

Quote (originally posted by Anupam):
    Yeah, I too have not messed with any of the extra things that got installed with iTunes. I may leave them alone. But still, all these extra things bother me. Why would I want Bonjour and Mobile Device Support? They should ask about these before installing them. Further, some processes like iPodService, iTunesHelper and mDNSResponder start up with Windows, and these bother me too. If I knew any of these were not important, I would stop them from running on startup.

    What about upgrading QuickTime to 7.6.7? Should I do it? The latest version does not have the vulnerability, it seems.

I can't see the harm in updating QuickTime; I haven't done it yet though (it's not installed on the PC I'm currently using).

I haven't checked out those processes either, have you tried looking them up at http://www.sysinfo.org/?
#5, Anupam (Moderator), 26 Aug 2010, 06:06 PM

Sope, the processes I mentioned are all from iTunes. The first two are obvious from their names. mDNSResponder is the process of Bonjour, which comes with iTunes.
#6, Sope (Senior Member), 26 Aug 2010, 06:28 PM

Quote (originally posted by Anupam):
    Sope, the processes I mentioned are all from iTunes. The first two are obvious from their names. mDNSResponder is the process of Bonjour, which comes with iTunes.

Yes, but sysinfo usually also gives advice on whether they are necessary or can be safely disabled without loss of functionality.

Incidentally, I notice Secunia is flagging the latest versions of Firefox, IE8 and Opera as having vulnerabilities with no current solutions available for any of them.
#7, Anupam (Moderator), 26 Aug 2010, 07:23 PM

Quote (originally posted by Sope):
    Yes, but sysinfo usually also gives advice on whether they are necessary or can be safely disabled without loss of functionality.

Ah, OK, thanks for that information. I will check it out.

Quote (originally posted by Sope):
    Incidentally, I notice Secunia is flagging the latest versions of Firefox, IE8 and Opera as having vulnerabilities with no current solutions available for any of them.

I don't have IE8 or Opera installed on my PC, so I did not report on them. I hope a patch for Firefox is released soon.

Older versions of Flash Player usually have vulnerabilities. The last version of Flash Player has vulnerabilities too. So, if anyone has not upgraded Flash Player yet, please do so.

I think Adobe Reader 9.3.3 also has a vulnerability, and recently 9.3.4 was released, and it's on the blogs too... but I cannot find the update on the Adobe Reader site yet.
#8, Anupam (Moderator), 27 Aug 2010, 03:20 PM

VLC 1.1.4 has been released, which addresses the security issue.
#9, Anupam (Moderator), 11 Sep 2010, 05:28 PM

Secunia's latest security advisory still reports Firefox 3.6.9 as having a security vulnerability.

Firefox 3.6.9:

Description
A vulnerability has been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks.

The vulnerability is caused due to the use of vulnerable Network Security Services (NSS) code.

For more information:
SA41237

Solution
Reportedly, this will be fixed in the Firefox versions after 3.6.9 and 3.5.12.

Provided and/or discovered by
Richard Moore and Simon Ward, Westpoint Limited


The latest version of QuickTime, 7.6.7, is also reported as having a security vulnerability.

The latest versions of KeePass Password Manager are also vulnerable.

Other software might have vulnerabilities too. I have the above on my PC, so these were reported. If there are others in the list, please share here.
#10, 26Dolphins (Senior Member), 13 Sep 2010, 12:42 PM
Hi Anupam,

Did you check with Secunia PSI latest stable or the beta version?
All times are GMT +1.