Moritz Jodeit

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer 10 **Description** The issue is caused by memory corruption, allowing remote attackers to execute arbitrary code or cause a denial of service via a crafted web site. This can occur when Internet Explorer improperly accesses objects in memory, potentially corrupting memory and enabling an attacker to execute arbitrary code in the context of the current user. If the current user has administrative user rights, a successful exploitation could grant the attacker control of the affected system, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Microsoft Internet Explorer 10, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSH versions prior to 7.0 **Description** The issue is related to a use-after-free vulnerability in the `mm answer pam free ctx` function in `monitor.c` in sshd. This vulnerability might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early `MONITOR REQ PAM FREE CTX` request. The vulnerability is associated with errors in privilege management. **Recommendations** For OpenSSH versions prior to 7.0, update to version 7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mm answer pam free ctx` function in `monitor.c` to minimize the risk of exploitation. Additionally, ensure that the sshd uid is properly managed to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** OpenSSH versions prior to 7.0 **Description** The issue allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR REQ PWNAM request. This is related to the monitor component in sshd accepting extraneous username data in MONITOR REQ PAM INIT CTX requests. A use-after-free vulnerability in the mm answer pam free ctx function in sshd might also allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR REQ PAM FREE CTX request. The vulnerability exists due to insufficient input validation. **Recommendations** For OpenSSH versions prior to 7.0, update to version 7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the MONITOR REQ PAM INIT CTX and MONITOR REQ PWNAM requests to minimize the risk of exploitation. Additionally, ensure that the sshd uid is properly secured to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Internet Explorer versions 8 through 11 **Description** The issue is caused by a buffer overflow. Exploitation of this issue may allow a remote attacker to execute arbitrary code or cause a denial of service via a specially crafted web site. This vulnerability could corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user. If the current user has administrative rights, an attacker could take complete control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Internet Explorer versions 8 through 11, update to a version that is not affected by this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint Server 2010 SP1 Microsoft SharePoint Foundation 2010 SP1 **Description** The issue allows remote attackers to bypass intended read restrictions for content and hijack user accounts via a crafted URL. An elevation of privilege exists, which could allow an attacker to elevate their access to the server after obtaining sensitive system data. **Recommendations** For Microsoft SharePoint Server 2010 SP1, update to a version that includes the fix for this issue. For Microsoft SharePoint Foundation 2010 SP1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to sensitive system data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime versions prior to 7.6.9 **Description** The issue is related to a heap-based buffer overflow that can be triggered by crafted Track Header (aka tkhd) atoms, allowing remote attackers to execute arbitrary code or cause a denial of service, resulting in an application crash. **Recommendations** For Apple QuickTime versions prior to 7.6.9, update to version 7.6.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** HP LaserJet MFP printers, Color LaserJet MFP printers, and LaserJet 4100, 4200, 4300, 5100, 8150, and 9000 printers (affected versions not specified) **Description** The default configuration of the PJL Access value in the File System External Access settings enables PJL commands that use the device's filesystem. This allows remote attackers to read arbitrary files via a command inside a print job, as demonstrated by a directory traversal attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows XP versions SP2 through SP3 Microsoft Windows Server 2003 version SP2 **Description** A remote code execution issue exists in the Microsoft DirectShow MP3 filter, allowing attackers to execute arbitrary code via a specially crafted audio file. This could enable an attacker to take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. The impact may be less severe for users with fewer user rights on the system. **Recommendations** For Microsoft Windows XP versions SP2 through SP3, update to a newer version that contains a fix for this issue. For Microsoft Windows Server 2003 version SP2, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the MP3 filter in Microsoft DirectShow until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.6.3 **Description** The issue is related to a heap-based buffer overflow in QuickTime, which can be triggered by a crafted movie file with RLE encoding. This can cause memory corruption when the length of decompressed data exceeds that of the allocated heap chunk, allowing remote attackers to execute arbitrary code or cause a denial of service, resulting in an application crash. **Recommendations** For Apple Mac OS X versions prior to 10.6.3, update to version 10.6.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of RLE encoded movie files until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.5.7 **Description** A heap-based buffer overflow issue allows remote web servers to execute arbitrary code or cause a denial of service via long HTTP headers. **Recommendations** For Apple Mac OS X versions prior to 10.5.7, update to version 10.5.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Clam Anti-Virus (ClamAV) versions prior to 0.94.1 **Description** The issue is caused by an off-by-one error in the get unicode name function, located in libclamav/vba extract.c, which can lead to a heap-based buffer overflow when processing a crafted VBA project file. This can result in a denial of service (crash) or potentially allow remote attackers to execute arbitrary code. **Recommendations** For versions prior to 0.94.1, update to version 0.94.1 or later to resolve the issue. As a temporary workaround, consider restricting the processing of VBA project files until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MPlayer versions 1.0rc1 and earlier **Description** The issue is related to the DMO VideoDecoder Open function in loader/dmo/DMO VideoDecoder.c, which does not set the biSize before use in a memcpy. This allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code. **Recommendations** For MPlayer versions 1.0rc1 and earlier, consider disabling the DMO VideoDecoder Open function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the affected function in the meantime to prevent potential buffer overflow attacks.