The HTTP client functionality in Apple iPhone OS 3.1 on the iPhone 2G and 3.1.3 on the iPhone 3GS allows remote attackers to cause a denial of service (Safari, Mail, or Springboard crash) via a crafted innerHTML property of a DIV element, related to a “malformed character” issue. (CVSS:5.0) (Last Update:2010-04-02)
Monthly Archives: March 2010
CVE-2010-1179
Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a large integer in the numcolors attribute of a recolorinfo element in a VML file, possibly a related issue to CVE-2007-0024. (CVSS:9.3) (Last Update:2010-03-30)
CVE-2010-1176
Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to an array of long strings, an array of IMG elements with crafted strings in their SRC attributes, a TBODY element with no associated TABLE element, and certain calls to the delete operator and the cloneNode, clearAttributes, and CollectGarbage methods, possibly a related issue to CVE-2009-0075. (CVSS:9.3) (Last Update:2010-03-30)
CVE-2010-1131
JavaScriptCore.dll, as used in Apple Safari 4.0.5 on Windows XP SP3, allows remote attackers to cause a denial of service (application crash) via an HTML document composed of many successive occurrences of the substring. (CVSS:4.3) (Last Update:2010-06-08)
Subscription Clarification
With all the great questions I received with the first Subscription Clarification post, I thought it would be a great idea to post a NEW and IMPROVED post. I have also opened a discussion thread on the subject in each board for customers with questions about their specific situations.
Important Links:
Update Center (US):
http://updatecenter.norton.com
Purchase A Renewal:
http://shop.symantecstore.com/store/symnahho/en_US/DisplayUpgradePage/ThemeID.106300/pgm.12788100
Upgrade your Product:
To begin our discussion, I've provided a definition of the Symantec subscription terms that we will be using:
Upgrade – An Upgrade is an updated or more comprehensive solution that provides features and/or technologies not included in the Norton product that you are currently using. When you purchase an Upgrade, you get a new subscription for one or two years (depending upon the Upgrade you purchase) to use the more comprehensive product. Your new subscription period will begin when you activate the Upgrade product by entering the Upgrade activation key during the product installation process. Time remaining from your previous subscription is not added to the new Upgrade subscription time.
Example: You are a Norton AntiVirus 2008 user, and you purchase Norton Internet Security 2009. When you install this Upgrade, your new subscription period will begin, and any time remaining from your Norton AntiVirus 2008 subscription will not be added to your Norton Internet Security 2009 subscription.
Version Update – For certain Norton products (such as the 2006 and later versions of Norton AntiVirus, Norton Internet Security, and Norton 360), Version Updates are provided to you for no additional fee during your current product subscription. In addition to the latest Security Updates which are delivered through Symantec's LiveUpdate™ technology, your product subscription entitles you to download, install and use the latest version of your product through the end of your current subscription period.
Example: You are a Norton 360 v1 user, and you download the Norton 360 v2 Version Update. You will be able to use Norton 360 v2 throughout the time remaining for your Norton 360 v1 subscription.
Renewal – When you purchase a subscription Renewal, you are buying an extension to your current Norton product subscription. A Renewal adds time to your existing subscription and enables you to receive Security Updates for your Norton product. For a 2006 or later version of certain Norton products (such as Norton AntiVirus, Norton Internet Security, or Norton 360), a Renewal also makes you eligible to download, install and use Version Updates for your Norton product for the duration of your subscription period. When you purchase a subscription Renewal, the renewal time period is added to the time remaining on your existing subscription.
Example: You are a Norton Internet Security 2008 user, and you have 15 days of subscription time remaining. You purchase a Renewal to extend your subscription time for another year. Upon completing your Renewal purchase, your new subscription period will equal 380 days (which represents the sum of your remaining 15 days plus the one year Renewal period). Please note that with a current subscription to Norton Internet Security 2008, you are also eligible for the Version Update to Norton Internet Security 2009 as described above.
Multiple License Scenarios – Here are a few scenarios that might help answer any specific questions you have. Please read below before you post a question about Subscriptions:
– When you activate the software on one PC with a license to be installed on up to three PCs, the activation period for all three licenses begins when the product is installed on the first PC. All three PCs will have the same subscription expiration date, regardless of when you install and activate the product on the second and third PCs.
– If you purchased a product with a subscription for up to three PCs, and you purchase a Renewal for this subscription through one of the PCs, the Renewal will extend the subscription period for all three PCs automatically. Running LiveUpdate on the other two PCs will enable each PC to contact Symantec's servers so that the subscription period for each PC can be updated to reflect your Renewal purchase.
– If you purchased a product with a subscription for only one PC, and you purchase a Renewal for this subscription, the Renewal will extend the subscription period for just one PC. If you have a need to install the product on more than one PC, purchasing an Upgrade to a product that offers a subscription for up to three PCs might be a better idea.
CVE-2010-1029
Stack consumption vulnerability in the WebCore::CSSSelector function in WebKit, as used in Apple Safari 4.0.4, Apple Safari on iPhone OS and iPhone OS for iPod touch, and Google Chrome 4.0.249, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a STYLE element composed of a large number of *> sequences. (CVSS:5.0) (Last Update:2012-01-26)
[Announce] Apache HTTP Server (httpd) 2.2.15 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release and immediate availability of version 2.2.15 of the Apache HTTP Server ("httpd").

This version of httpd is principally a security and bug fix release. Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers respectively.

We consider this release to be the best version of httpd available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from:
http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.15 provides the complete list of changes since 2.2.14. A summary of security vulnerabilities which were addressed in the previous 2.2.14 and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime (APR) versions 1.3 and 1.4, APR-util library version 1.3, and APR-iconv library version 1.2. The most current releases should be used to address known security and platform bugs. At the time of this httpd release, the recommended APR releases are:

* Apache Portable Runtime (APR) library version 1.4.2 (bundled), or at minimum, version 1.3.12
* APR-util library version 1.3.9 (bundled)
* APR-iconv library version 1.2.1 (only bundled in win32-src.zip)

Older releases of these libraries have known vulnerabilities or other defects affecting httpd. For further information and downloads, visit:
http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and performance enhancements over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds upon and extends the httpd 2.0 API. Modules written for httpd 2.0 will need to be recompiled in order to run with httpd 2.2, and may require minimal or no source code changes.

When upgrading or installing this version of httpd, please bear in mind that if you intend to use httpd with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
SA-CORE-2010-001 – Drupal core – Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2010-001
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2010-March-03
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting, Open redirect, Authorization vulnerability
Description
Multiple vulnerabilities and weaknesses were discovered in Drupal.
Installation cross site scripting
A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.
This issue affects Drupal 6.x only.
Open redirection
The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.
This issue affects Drupal 5.x and 6.x.
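The kind of check that closes an open redirect of this class, shown as an added example (it is not Drupal core code and not the patch from this advisory): a hypothetical helper, safe_redirect_target(), accepts only site-local paths as redirect destinations and falls back to a default for anything else. The function name, its parameters and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration; not Drupal core code and not the SA-CORE-2010-001 patch.
// safe_redirect_target() and its parameters are hypothetical names.

/**
 * Return a site-local path for redirection, or $fallback if $destination
 * could send the browser to another origin.
 */
function safe_redirect_target($destination, $fallback = '/')
{
    if (!is_string($destination) || $destination === '') {
        return $fallback;
    }
    // Control characters (CR, LF, tab, NUL) allow header injection or are
    // dropped by browsers in ways that change how the URL is interpreted.
    if (preg_match('/[\x00-\x1f\x7f]/', $destination)) {
        return $fallback;
    }
    // Browsers treat a backslash like a forward slash, so normalise first.
    $normalized = str_replace('\\', '/', $destination);
    // Require exactly one leading slash: rejects protocol-relative "//host"
    // as well as anything that does not start at the site root.
    if ($normalized[0] !== '/' || (isset($normalized[1]) && $normalized[1] === '/')) {
        return $fallback;
    }
    // Fail closed if the value still parses with a scheme or host.
    $parts = parse_url($normalized);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $normalized;
}

// Constructed sample inputs: one legitimate local path, the rest off-site
// or malformed destinations that must fall back to "/".
$samples = array(
    '/node/42?page=2',
    'http://other.example/login',
    '//other.example/login',
    '/\\other.example/login',
    "/admin\r\nX-Injected: 1",
);
foreach ($samples as $s) {
    printf("%-34s => %s\n", json_encode($s), safe_redirect_target($s));
}
```

Only the first sample is returned unchanged; every other input resolves to the fallback, so the redirect stays on the site.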
Locale module cross site scripting
Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the ‘administer languages’ permission.
This issue affects Drupal 5.x and 6.x.
Blocked user session regeneration
Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.
This issue affects Drupal 5.x and 6.x.
Versions affected
- Drupal 6.x before version 6.16.
- Drupal 5.x before version 5.22.
Solution
Install the latest version:
- If you are running Drupal 6.x then upgrade to Drupal 6.16.
- If you are running Drupal 5.x then upgrade to Drupal 5.22.
Drupal 5 will no longer be maintained when Drupal 7 is released. Upgrading to Drupal 6 is recommended.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerabilities, but do not contain other fixes which were released in Drupal 6.16 or Drupal 5.22.
- To patch Drupal 6.15 use SA-CORE-2010-001-6.15.patch.
- To patch Drupal 5.21 use SA-CORE-2010-001-5.21.patch.
Reported by
The installation cross site scripting issue was reported by David Rothstein (*).
The open redirection was reported by Martin Barbella.
The locale module cross site scripting was reported by Justin Klein Keane.
The blocked user session regeneration issue was reported by Craig A. Hancock.
(*) Member of the Drupal security team.
Fixed by
The installation cross site scripting issue was fixed by Heine Deelstra.
The open redirection was fixed by Gerhard Killesreiter and Heine Deelstra.
The locale module cross site scripting was fixed by Stéphane Corlosquet, Peter Wolanin, Heine Deelstra and Neil Drumm.
The blocked user session regeneration issue was fixed by Gerhard Killesreiter.
All the fixes were done by members of the Drupal security team.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.