Severity Rating: Important
Revision Note: V1.0 (May 13, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an authenticated attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. .NET Remoting is not widely used by applications; only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability.
MS14-027 – Important: Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (May 13, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that uses ShellExecute. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
CVE-2014-3214 (bind)
The prefetch implementation in named in ISC BIND 9.10.0, when a recursive nameserver is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a DNS query that triggers a response with unspecified attributes.
CVE-2014-0189 (enterprise_linux_desktop, enterprise_linux_server, enterprise_linux_workstation, virt-who)
virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain passwords for hypervisors by reading the file.
MS14-021 – Critical: Security Update for Internet Explorer (2965111) – Version: 1.1
Severity Rating: Critical
Revision Note: V1.1 (May 1, 2014): Bulletin revised to specify that the latest cumulative security update for Internet Explorer must be installed prior to installing MS14-021. See the Update FAQ for details.
Summary: This security update resolves a publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Internet Explorer Use After Free Vulnerability
A memory corruption vulnerability exists in Microsoft Internet Explorer 6, 7, 8, 9, 10 and 11 and can lead to remote code execution. Exploitation of this vulnerability has been observed in targeted attacks, such as “Operation Clandestine Fox.”
CVE-2014-1776 (internet_explorer)
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that “VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks.”
CVE-2014-1765 (internet_explorer)
Multiple use-after-free vulnerabilities in Microsoft Internet Explorer 6 through 11 allow remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Sebastian Apelt and Andreas Schmidt during a Pwn2Own competition at CanSecWest 2014.
CVE-2014-3007
Python Imaging Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py. (CVSS: 10.0) (Last Update: 2014-04-28)
Apache Struts ParametersInterceptor security bypass
A vulnerability in Apache Struts can allow an attacker to send HTTP requests and achieve remote code execution on the server; that is, the attacker gains the ability to run any code in the environment in which the web server is running. A proof-of-concept (PoC) exploit is available in the public domain.