Category Archives: Vulnerability Management

VMware Security Advisory VMSA-2012-0016 Review

Vulnerability Management

VMware has release,the 15 November 2012, one security advisory VMSA-2012-0016 concerning VMware vSphere API and ESX service console.

VMware vSphere API denial of service vulnerability

The VMware vSphere API is affected by one vulnerability, CVE-2012-5703, with a 5.0 CVSS base score. The vulnerability was discovered and privately reported by Sebastián Tullo of Core Security Technologies. ESXi and ESX 4.1 are affected by this vulnerability.

VMware vSphere API denial of service vulnerability

ESX 4.1 bind-libs and bind-utils packages have been updated in order to fix multiples vulnerabilities. CVE-2012-1033 has a 5.0 CVSS base score  , CVE-2012-1667 has a 8.5 CVSS base score and CVE-2012-3817 has a 7.8 CVSS base score. ESX 4.0 is affected and the patch will be released further.

Update to ESX service console python packages

ESX 4.1 python and python-libs packages have been updated in order to fix multiples vulnerabilities. CVE-2011-4940 has a 2.6 CVSS base score, CVE-2011-4944 has a 1.9 CVSS base score and CVE-2012-1150 has a 5.0 CVSS base score. ESX 4.0 is affected but no patch is planned.

Update to ESX service console expat package

ESX 4.1 expat package has been updated in order to fix two vulnerabilities. CVE-2012-0876 has a 4.3 CVSS base score and CVE-2012-1148 has a 5.0 CVSS base score. ESX 4.0 is affected but no patch is planned.

Update to ESX service console nspr and nss packages

ESX 4.1 nspr and nss packages have been updated in order to fix two vulnerabilities. CVE-2012-0441 has a 5.0 CVSS base score and this patch also resolves a certificate trust issue caused by a fraudulent DigiNotar root certificate. ESX 4.0 is affected and the patch will be released further.

Microsoft November 2012 Patch Tuesday Review

Vulnerability Management

Microsoft has release, the 13 November 2012, during his November Patch Tuesday, two updated security advisories and six security bulletins. On the six security bulletins four of them has a Critical security rating.

Microsoft Security Advisory 2269637

MSA-2269637, released during August 2010, has been updated. The security advisory is regarding “Insecure Library Loading” and the update has add the reference to MS12-074 “Vulnerabilities in .NET Framework Could Allow Remote Code Execution“.

Microsoft Security Advisory 2749655

MSA-2749655, release during October 2012, has been updated. The security advisory is regarding “Compatibility Issues Affecting Signed Microsoft Binaries” and the update has modify the reference to KBs of “Microsoft Office 2003 Service Pack 3” updates.

MS12-071 – Cumulative Security Update for Internet Explorer

MS12-071 security update, classified as Critical, allowing remote code execution, is the fix for three privately reported vulnerabilities. CVE-2012-1538 has a 9.3 CVSS base score and was discovered and privately reported by Jose A. Vazquez of spa-s3c.blogspot.com, working with VeriSign iDefense LabsCVE-2012-1539 has a 10.0 CVSS base score and was discovered and privately reported by Jose A. Vazquez of spa-s3c.blogspot.com, working with VeriSign iDefense LabsCVE-2012-4775 has a 9.3 CVSS base score and was discovered and privately reported by Cheng-da Tsai (Orange), Sung-ting Tsai, and Ming-chieh Pan (Nanika) of Trend Micro.

Affected software is:

  • Internet Explorer 9

MS12-072 – Vulnerabilities in Windows Shell Could Allow Remote Code Execution

MS12-072 security update, classified as Critical, allowing remote code execution, is fixing two privately reported vulnerabilities. CVE-2012-1527 has a 9.3 CVSS base score and was discovered and privately reported by Tal Zeltzer, working with VeriSign iDefense LabsCVE-2012-1528 has a 9.3 CVSS base score and was discovered and privately reported by Tal Zeltzer, working with VeriSign iDefense Labs.

Affected softwares are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

MS12-074 – Vulnerabilities in .NET Framework Could Allow Remote Code Execution

MS12-074 security update, classified as Critical, allowing remote code execution, is fixing five privately vulnerabilities. CVE-2012-1895 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-1896 has a 5.0 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-2519 has a 7.9 CVSS base score and was discovered and privately reported. CVE-2012-4776 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-4777 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security.

Affected softwares are:

  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 4.5

MS12-075 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

MS12-075 security update, classified as Important, allowing remote code execution, is fixing three privately reported vulnerabilities. CVE-2012-2530 has a 7.2 CVSS base score and was discovered and privately reported. CVE-2012-2553 has a 7.2 CVSS base score and was discovered and privately reported by Matthew Jurczyk of Google IncCVE-2012-2897 has a 10.0 CVSS base score and was discovered and privately reported by Eetu Luodemaa and Joni Vähämäki of Documill, working with the Chromium Security Rewards Program.

Affected softwares are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

MS12-076 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

MS12-076 security update, classified as Important, allowing remote code execution, is fixing four privately reported vulnerabilities. CVE-2012-1885 has a 9.3 CVSS base score and was discovered and privately reported by Sean Larsson, working with the iDefense VCPCVE-2012-1886 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with the iDefense VCPCVE-2012-1887 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with the iDefense VCPCVE-2012-2543 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with HP TippingPoint’s Zero Day Initiative.

Affected softwares are:

  • Microsoft Office 2003 Service Pack 3
  • Microsoft Office 2007 Service Pack 2
  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 1 (32-bit editions)
  • Microsoft Office 2010 Service Pack 1 (64-bit editions)
  • Microsoft Office 2008 for Mac
  • Microsoft Office for Mac 2011
  • Microsoft Excel Viewer
  • Microsoft Office Compatibility Pack Service Pack 2
  • Microsoft Office Compatibility Pack Service Pack 3

MS12-073- Vulnerability in Kerberos Could Allow Denial of Service

MS12-073 security update, classified as Moderate, allowing information disclosure, is fixing two vulnerabilities. CVE-2012-2531 has a 2.1 CVSS base score and was discovered and privately reported by Justin Royce of ProDX. CVE-2012-2532 has a 5.0 CVSS base score and was discovered and publicly reported.

Affected softwares are:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

APSB12-24 – Adobe November 2012 Patch Tuesday Review

Vulnerability Management,

Adobe has release, the 6 November 2012, during his November Patch Tuesday, one security bulletin dealing with 7 vulnerabilities. All these security bulletins have a Critical severity rating. All of these vulnerabilities have a CVSS base score of 10.0.

APSB12-24 – Security updates available for Adobe Flash Player

APSB12-24 is concerning :

  • Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.243 and earlier versions for Linux
  • Adobe Flash Player 11.2.202.238 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (includes AIR for iOS) and Android

CVE-2012-5274 (CVSS base score of 10.0), CVE-2012-5275 (CVSS base score of 10.0), CVE-2012-5276 (CVSS base score of 10.0), CVE-2012-5277 (CVSS base score of 10.0), CVE-2012-5279 (CVSS base score of 10.0), CVE-2012-5280 (CVSS base score of 10.0) have been discovered and reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

CVE-2012-5278 (CVSS base score of 10.0) has been discovered and reported by Eduardo Vela Nava of the Google Security Team.

I advise you to update asap your Adobe Flash Player.

Oracle Java Critical Patch Update October 2012 Review

Vulnerability Management,

Oracle has provide his Java Critical Patch Update (CPU) for October 2012 how has been released on Tuesday, October 16. This CPU contains 30 security vulnerability fixes and concern “Java Runtime Environment” and “JavaFX” components. On the 30 security vulnerabilities all of them may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 15 vulnerabilities have a CVSS base score upper or equal to 7.0.

As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.

Affected products are:

  • JDK and JRE 7 Update 7 and earlier
  • JDK and JRE 6 Update 35 and earlier
  • JDK and JRE 5.0 Update 36 and earlier
  • SDK and JRE 1.4.2_38 and earlier
  • JavaFX 2.2 and earlier

CVE-2012-5083CVE-2012-1531CVE-2012-5086CVE-2012-5087CVE-2012-1533CVE-2012-1532CVE-2012-5076CVE-2012-3143CVE-2012-5088 and CVE-2012-5078 have a CVSS base score of 10.0CVE-2012-5089CVE-2012-5084 and CVE-2012-5080 have a CVSS base score of 7.6CVE-2012-3159 and CVE-2012-5068 have a CVSS base score of 7.5CVE-2012-4416CVE-2012-5074 and CVE-2012-5071 have a CVSS base score of 6.4CVE-2012-5069 has a CVSS base score of 5.8CVE-2012-5067CVE-2012-5070CVE-2012-5075CVE-2012-5073CVE-2012-5079CVE-2012-5072CVE-2012-5081 and CVE-2012-5082 have a CVSS base score of 5.0CVE-2012-3216 and CVE-2012-5077 have a CVSS base score of 2.6CVE-2012-5085 has a CVSS base score of 0.0.