John Heasman

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** An elevation-of-privilege issue allows attackers to affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elasticsearch versions prior to 1.4.5 Elasticsearch versions 1.5.x prior to 1.5.2 **Description** A directory traversal issue allows remote attackers to read arbitrary files when a site plugin is enabled. **Recommendations** For Elasticsearch versions prior to 1.4.5, update to version 1.4.5 or later. For Elasticsearch versions 1.5.x prior to 1.5.2, update to version 1.5.2 or later.

Name of the Vulnerable Software and Affected Versions: Castle Rock Computing SNMPc versions 7.1 and earlier Description: The issue is a stack-based buffer overflow in the Network Manager, which can be triggered by remote attackers sending a long community string in an SNMP TRAP packet. This can cause a denial of service, resulting in a crash, or potentially allow the execution of arbitrary code. Recommendations: For Castle Rock Computing SNMPc versions 7.1 and earlier, update to a version later than 7.1 to resolve the issue. As a temporary workaround, consider restricting access to the Network Manager to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Sun JDK and JRE versions 6 Update 4 and earlier Sun JDK and JRE versions 5.0 Update 14 and earlier Sun SDK and JRE versions 1.4.2 16 and earlier Sun SDK and JRE versions 1.3.1 21 and earlier **Description** The issue allows remote attackers to bypass the same origin policy and execute local applications via unknown vectors. This could potentially lead to unauthorized access or execution of local resources. **Recommendations** For Sun JDK and JRE versions 6 Update 4 and earlier, update to a version later than Update 4. For Sun JDK and JRE versions 5.0 Update 14 and earlier, update to a version later than Update 14. For Sun SDK and JRE versions 1.4.2 16 and earlier, update to a version later than 1.4.2 16. For Sun SDK and JRE versions 1.3.1 21 and earlier, update to a version later than 1.3.1 21.

**Name of the Vulnerable Software and Affected Versions** Sun JDK and JRE versions 6 Update 4 and earlier Sun JDK and JRE versions 5.0 Update 14 and earlier Sun SDK/JRE version 1.4.2 16 and earlier **Description** The issue allows remote attackers to gain privileges via an untrusted application. **Recommendations** For Sun JDK and JRE versions 6 Update 4 and earlier, update to a version later than Update 4. For Sun JDK and JRE versions 5.0 Update 14 and earlier, update to a version later than Update 14. For Sun SDK/JRE version 1.4.2 16 and earlier, update to a version later than 1.4.2 16.

**Name of the Vulnerable Software and Affected Versions** Symantec Automated Support Assistant versions used in Norton AntiVirus, Internet Security, and System Works 2005 and 2006 **Description** A stack-based buffer overflow issue exists in an ActiveX control used by the Symantec Automated Support Assistant. This could allow user-assisted remote attackers to cause a denial of service, potentially leading to a crash, and may also enable the execution of arbitrary code. The attack vectors for this issue are not specified. **Recommendations** For Symantec Automated Support Assistant versions used in Norton AntiVirus, Internet Security, and System Works 2005 and 2006, consider disabling the affected ActiveX control as a temporary workaround until a patch is available. Restrict access to the vulnerable ActiveX control to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions 10.x RealOne Player (affected versions not specified) Rhapsody version 3 Helix Player (affected versions not specified) **Description** The issue is related to a buffer overflow in the swfformat.dll component. This can be exploited by remote attackers through a crafted SWF (Flash) file, allowing them to execute arbitrary code. The exploitation can occur via a size value in the SWF file that is less than the actual size, or through other unspecified manipulations of the file. **Recommendations** For RealPlayer version 10.x, update to a version that includes a fix for the buffer overflow in swfformat.dll. For RealOne Player, Rhapsody version 3, and Helix Player, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions 6.0.12.1040 through 6.0.12.1348 RealPlayer 10 RealOne Player v2 RealOne Player v1 RealPlayer 8 RealPlayer Enterprise before 20060322 **Description** A buffer overflow issue exists, allowing remote attackers to have an unknown impact via a malicious Mimio boardCast (mbc) file. **Recommendations** For RealPlayer versions 6.0.12.1040 through 6.0.12.1348, update to a version outside of this range to resolve the issue. For RealPlayer 10, consider upgrading to a newer version to mitigate the risk. For RealOne Player v2 and RealOne Player v1, restrict the use of malicious Mimio boardCast (mbc) files until a patch is available. For RealPlayer 8, avoid using the vulnerable component until a fix is provided. For RealPlayer Enterprise before 20060322, update to a version 20060322 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Microsoft Outlook versions 2000 through 2003 Microsoft Exchange 5.0 Server version SP2 Microsoft Exchange 5.0 Server version SP4 Microsoft Exchange 2000 version SP3 Microsoft Office (affected versions not specified) Description: The issue is related to a remote code execution vulnerability due to improper decoding of Transport Neutral Encapsulation Format (TNEF) MIME attachments in e-mail messages. This allows remote attackers to execute arbitrary code via a crafted attachment. The vulnerability is also related to message length validation. Recommendations: For Microsoft Outlook versions 2000 through 2003, consider disabling the handling of TNEF MIME attachments until a fix is available. For Microsoft Exchange 5.0 Server versions SP2 and SP4, restrict access to TNEF encoded messages to minimize the risk of exploitation. For Microsoft Exchange 2000 version SP3, avoid processing e-mail messages with crafted TNEF attachments until the issue is resolved. For Microsoft Office, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Buffer overflow in RealNetworks RealPlayer 10 and 10.5 allows remote attackers to execute arbitrary code via a crafted image in a RealPlayer Skin (RJS) file. NOTE: due to the lack of details, it is unclear how this is different than CVE-2005-2629 and CVE-2005-2630, but the vendor advisory implies that it is different.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions 2000, XP SP1, XP SP2, and Server 2003 **Description** A buffer overflow issue exists in the font processing component, allowing local users to gain privileges through a specially-designed application. **Recommendations** For Microsoft Windows 2000, consider applying security patches or updates to fix the issue. For Microsoft Windows XP SP1 and SP2, apply the recommended security updates to resolve the problem. For Microsoft Windows Server 2003, install the available patch to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions 7.2.x through 7.4.x PostgreSQL (affected versions not specified) **Description** The issue allows local users to load arbitrary shared libraries and execute code via the LOAD extension. Any database user is permitted to load arbitrary shared libraries using the LOAD command. A valid login is required to exploit this issue. **Recommendations** For versions 7.2.x through 7.4.x, consider restricting access to the LOAD command to prevent arbitrary shared library loading. As a temporary workaround, consider disabling the LOAD extension until a patch is available. Restrict database user permissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AtHoc toolbar (affected versions not specified) **Description** The issue is related to a stack-based buffer overflow in the SetSkin function, which allows remote attackers to execute arbitrary code via a long skin name. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions prior to 10.5 (6.0.12.1040) **Description** The issue is related to an off-by-one buffer overflow in the processing of tags in Real Metadata Package (RMP) files. This could allow remote attackers to execute arbitrary code via a long tag. **Recommendations** For versions prior to 10.5 (6.0.12.1040), update to a version later than 10.5 (6.0.12.1040) to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Apple QuickTime versions prior to 6.5.2 Description: The issue is related to an integer overflow that occurs when running Apple QuickTime on Windows systems. This can be triggered by certain inputs, leading to a denial of service due to excessive memory consumption. Recommendations: For Apple QuickTime versions prior to 6.5.2, update to version 6.5.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Internet Explorer versions 5.01 through 6 Description: A heap-based buffer overflow issue exists in the Hrtbeat.ocx (Heartbeat) ActiveX control. This issue can be exploited by remote attackers to execute arbitrary code when users visit specific online gaming sites associated with MSN. The exploitation is possible via the `SetupData` parameter. Recommendations: For Internet Explorer versions 5.01 through 6, consider disabling the Hrtbeat.ocx (Heartbeat) ActiveX control as a temporary workaround until a patch is available. Restrict access to online gaming sites associated with MSN to minimize the risk of exploitation. Avoid using the `SetupData` parameter in the affected ActiveX control until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions prior to the fixed version, including Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 **Description** The issue allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application. This is possibly due to an "unchecked buffer," which may be related to a buffer overflow. **Recommendations** For Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions prior to 10.5 (6.0.12.1040) **Description** The issue is related to a stack-based buffer overflow in the HandleAction function. This allows remote attackers to execute arbitrary code via a long `ShowPreferences` argument. **Recommendations** For versions prior to 10.5 (6.0.12.1040), consider updating to a version that is not affected by this issue. As a temporary workaround, restrict the use of the `HandleAction` function until a patch is available. Avoid using long `ShowPreferences` arguments in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** AtHoc toolbar (affected versions not specified) **Description** The issue is related to a format string vulnerability in the SetBaseURL function. This vulnerability allows remote attackers to execute arbitrary code via format string specifiers in an invalid URL that is recorded in the debug log. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions prior to 10.5 (6.0.12.1040) **Description** A directory traversal issue exists in the parsing of Skin file names, allowing remote attackers to read arbitrary files by including a .. (dot dot) in an RJS filename. **Recommendations** For versions prior to 10.5 (6.0.12.1040), update to a version later than 10.5 (6.0.12.1040) to resolve the issue.