Joshua J. Drake

**Name of the Vulnerable Software and Affected Versions** Microsoft Word (affected versions not specified) **Description** The issue is related to a buffer overflow in memory, allowing remote attackers to execute arbitrary code by opening a specially crafted file. This can affect the system. The vulnerability is associated with the RTF parser and can be triggered with a table of fonts containing an excessive number of entries. It has been reported that a proof-of-concept exploit is available, which can be chained with other vulnerabilities to achieve remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.2.1 Apple OS X versions prior to 10.11.3 Apple tvOS versions prior to 9.1.1 **Description** The issue is related to the syslog component in the affected operating systems, caused by a buffer overflow. This can be exploited by a local attacker to gain privileges or cause a denial of service, resulting in memory corruption. **Recommendations** For Apple iOS versions prior to 9.2.1, update to version 9.2.1 or later. For Apple OS X versions prior to 10.11.3, update to version 10.11.3 or later. For Apple tvOS versions prior to 9.1.1, update to version 9.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11.3 **Description** The issue is related to an untrusted search path vulnerability in the OSA Scripts component of Apple OS X. This vulnerability allows attackers to load arbitrary script libraries via a quarantined application, potentially enabling remote attackers to exploit the system. **Recommendations** For Apple OS X versions prior to 10.11.3, update to version 10.11.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Android (affected versions not specified) **Description** The issue is related to a buffer overflow in the dynamic memory of the libstagefright library, caused by an integer overflow. This can be exploited by a remote attacker using a specially crafted MP4 file, potentially allowing the execution of arbitrary code or causing a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY48I **Description** The issue is related to the MPEG4Extractor::parse3GPPMetaData function in the libstagefright library, which does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM). This allows remote attackers to execute arbitrary code or cause a denial of service via crafted 3GPP metadata, resulting in integer underflow and memory corruption. The vulnerability can be exploited to remotely execute code in affected devices. **Recommendations** For versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting the use of the libstagefright library until a patch is available. Avoid using the `MPEG4Extractor::parse3GPPMetaData` function in the affected library to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY48I **Description** The issue is related to an off-by-one error in the `MPEG4Extractor::parseChunk` function, which can lead to an integer overflow and memory corruption. This can be exploited by remote attackers using crafted MPEG-4 covr atoms with a size equal to `SIZE MAX`. The exploitation may result in the execution of arbitrary code or a denial of service. The vulnerability is associated with an integer overflow in the `libstagefright` library of the Android operating system. **Recommendations** For Android versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting the use of the `MPEG4Extractor::parseChunk` function until a patch is available. Avoid using specially crafted MPEG-4 data that could trigger the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY48I **Description** The issue is related to an integer underflow in the `MPEG4Extractor::parseChunk` function of the libstagefright library in Android. This can be exploited by a remote attacker using specially crafted MPEG-4 data, potentially allowing the execution of arbitrary code or causing a denial of service due to memory corruption. The vulnerability can be triggered via crafted MPEG-4 covr atoms. **Recommendations** For Android versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting the use of the `MPEG4Extractor::parseChunk` function until a patch is available. Avoid using the libstagefright library to parse untrusted MPEG-4 data until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY48I **Description** The issue is related to the MPEG4Extractor::parse3GPPMetaData function in the libstagefright library, which does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM). This allows remote attackers to cause a denial of service, including integer underflow, buffer over-read, and mediaserver process crash, via crafted 3GPP metadata. The vulnerability is also associated with an integer overflow. **Recommendations** For Android versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting the use of the libstagefright library until a patch is available. Avoid using crafted 3GPP metadata to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY48I **Description** The issue is related to the MPEG4Extractor::parseChunk function in the libstagefright library, which does not properly restrict size addition. This allows remote attackers to execute arbitrary code or cause a denial of service due to integer overflow and memory corruption via a crafted MPEG-4 tx3g atom. The vulnerability can be exploited by sending specially crafted data in the MPEG-4 format, potentially leading to remote code execution or a denial of service. **Recommendations** For Android versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting the use of the libstagefright library until a patch is available. Avoid using the `MPEG4Extractor::parseChunk` function in the affected library to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY48I libstagefright (affected versions not specified) **Description** The issue is related to multiple integer underflows in the ESDS::parseESDescriptor function of the libstagefright library in the Android operating system. This can be exploited by a remote attacker to execute arbitrary code using specially crafted ESDS data. The vulnerability allows for the execution of code via crafted ESDS atoms. **Recommendations** For Android versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting access to the ESDS::parseESDescriptor function in the libstagefright library until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY48I **Description** The issue is related to an integer overflow in the `SampleTable::setSampleToChunkParams` function in `libstagefright` in Android. This allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked multiplication. The vulnerability can be exploited to remotely execute code in affected devices. **Recommendations** For Android versions prior to 5.1.1 LMY48I, update to version 5.1.1 LMY48I or later to resolve the issue. As a temporary workaround, consider restricting the use of the `libstagefright` library to minimize the risk of exploitation. Avoid using the `SampleTable::setSampleToChunkParams` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 38.0 **Description** The issue is related to multiple integer overflows in the libstagefright library, which can be exploited by remote attackers to execute arbitrary code. This can be achieved through crafted sample metadata in an MPEG-4 video file. **Recommendations** For versions prior to 38.0, update to version 38.0 or later to resolve the issue. As a temporary workaround, consider avoiding the playback of MPEG-4 video files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Windows XP version SP2 Windows Server 2003 version SP2 Windows Vista version SP2 Windows Server 2008 version SP2, R2, and R2 SP1 Windows 7 versions Gold and SP1 **Description** A security feature bypass issue exists due to the improper loading of structured exception handling tables by the kernel. This allows attackers to bypass the SafeSEH security feature, potentially facilitating the exploitation of other vulnerabilities. **Recommendations** For Windows XP SP2, update to a newer version to mitigate the risk. For Windows Server 2003 SP2, update to a newer version to mitigate the risk. For Windows Vista SP2, update to a newer version to mitigate the risk. For Windows Server 2008 SP2, R2, and R2 SP1, update to a newer version to mitigate the risk. For Windows 7 Gold and SP1, update to a newer version to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows 2000 SP4 **Description** The issue is related to the LDAP service in Active Directory, which does not properly free memory for LDAP and LDAPS requests. This allows remote attackers to execute arbitrary code via a request that uses hexadecimal encoding, whose associated memory is not released. The problem is associated with a "DN AttributeValue" and is probably a memory leak. **Recommendations** For Microsoft Windows 2000 SP4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Excel versions 2000 SP3, 2002 SP3, and 2003 SP2 and SP3 **Description** The issue arises from improper validation of data in the VBA Performance Cache when processing an Office document with an embedded object. This allows remote attackers to execute arbitrary code via a crafted Excel file, leading to heap-based buffer overflows, integer overflows, array index errors, and memory corruption. A remote code execution vulnerability exists in the way Excel processes a VBA Performance Cache, which could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file. **Recommendations** For Microsoft Excel 2000 SP3, update to a version that properly validates data in the VBA Performance Cache to prevent remote code execution. For Microsoft Excel 2002 SP3, update to a version that properly validates data in the VBA Performance Cache to prevent remote code execution. For Microsoft Excel 2003 SP2 and SP3, update to a version that properly validates data in the VBA Performance Cache to prevent remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM DB2 UDB versions 8.0 through 8.0 before Fixpak 15 IBM DB2 UDB versions 9.1 through 9.1 before Fixpak 3 **Description** The issue allows local users to create arbitrary files via unspecified vectors, including scenarios where an attacker's umask is honored. Additionally, it involves the `/etc/ld.so.preload` file, certain cron data file locations, and possibly the `OSSEMEMDBG` or `TRC LOG FILE` environment variables in `db2licd` (`db2licm`). **Recommendations** For IBM DB2 UDB versions 8.0 through 8.0 before Fixpak 15, apply Fixpak 15 to resolve the issue. For IBM DB2 UDB versions 9.1 through 9.1 before Fixpak 3, apply Fixpak 3 to resolve the issue. As a temporary workaround, consider restricting access to the `db2licd` (`db2licm`) and limiting the ability to modify cron data file locations until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** IBM DB2 versions 8.x before 8.1 FixPak 15 IBM DB2 versions 9.1 before Fix Pack 2 **Description** The issue is related to improper termination of certain input strings, which can lead to a heap-based buffer overflow. This allows local users to execute arbitrary code via unspecified environment variables. **Recommendations** For IBM DB2 versions 8.x before 8.1 FixPak 15, apply FixPak 15 to resolve the issue. For IBM DB2 versions 9.1 before Fix Pack 2, apply Fix Pack 2 to resolve the issue.