Riley Hassell

**Name of the Vulnerable Software and Affected Versions** Adobe Flash Player versions 10.x prior to 10.0.12.36 Adobe Flash Player versions 9.x prior to 9.0.151.0 Adobe AIR versions prior to 1.5 **Description** The issue concerns the ActionScript 2 virtual machine, which fails to verify a member element's size when performing certain actions, such as DefineConstantPool, ActionJump, ActionPush, and ActionTry. This allows remote attackers to read sensitive data from process memory via a crafted file. **Recommendations** For Adobe Flash Player versions 10.x prior to 10.0.12.36, update to version 10.0.12.36 or later. For Adobe Flash Player versions 9.x prior to 9.0.151.0, update to version 9.0.151.0 or later. For Adobe AIR versions prior to 1.5, update to version 1.5 or later.

**Name of the Vulnerable Software and Affected Versions** Adobe Flash Player versions 10.x prior to 10.0.12.36 Adobe Flash Player versions 9.x prior to 9.0.151.0 Adobe AIR versions prior to 1.5 **Description** The issue allows remote attackers to read sensitive data from process memory via a crafted PDF file, due to the DefineConstantPool action in the ActionScript 2 virtual machine accepting an untrusted input value for a `constant count`. **Recommendations** For Adobe Flash Player versions 10.x prior to 10.0.12.36, update to version 10.0.12.36 or later. For Adobe Flash Player versions 9.x prior to 9.0.151.0, update to version 9.0.151.0 or later. For Adobe AIR versions prior to 1.5, update to version 1.5 or later.

**Name of the Vulnerable Software and Affected Versions** Adobe Flash Player versions 10.x prior to 10.0.12.36 Adobe Flash Player versions 9.x prior to 9.0.151.0 Adobe AIR versions prior to 1.5 **Description** The issue concerns the ActionScript 2 virtual machine, which fails to validate character elements during retrieval from the dictionary data structure. This allows remote attackers to cause a denial of service, resulting in a NULL pointer dereference and application crash, via a crafted PDF file. **Recommendations** For Adobe Flash Player versions 10.x prior to 10.0.12.36, update to version 10.0.12.36 or later. For Adobe Flash Player versions 9.x prior to 9.0.151.0, update to version 9.0.151.0 or later. For Adobe AIR versions prior to 1.5, update to version 1.5 or later.

**Name of the Vulnerable Software and Affected Versions** ZoneAlarm versions prior to 4.5.538.001 ZoneLabs Integrity client versions prior to 4.0.146.046 ZoneLabs Integrity client 4.5 versions prior to 4.5.085 **Description** The issue is a stack-based buffer overflow in the SMTP service support in vsmon.exe. This allows remote attackers to execute arbitrary code via a long RCPT TO argument. **Recommendations** For ZoneAlarm versions prior to 4.5.538.001, update to version 4.5.538.001 or later. For ZoneLabs Integrity client versions prior to 4.0.146.046, update to version 4.0.146.046 or later. For ZoneLabs Integrity client 4.5 versions prior to 4.5.085, update to version 4.5.085 or later.

**Name of the Vulnerable Software and Affected Versions** ISS Protocol Analysis Module (PAM) component versions (affected versions not specified) **Description** The issue is related to multiple stack-based buffer overflows in the ICQ parsing routines. This can be exploited by remote attackers to execute arbitrary code via a SRV MULTI response containing specific packets with long fields, such as `nickname`, `firstname`, `lastname`, or `email address`. The Witty worm is known to have exploited this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glibc versions 2.1.3 through 2.2.4 krb5-workstation versions 1.1.1 through 1.2.7 krb5-server versions 1.1.1 through 1.2.7 krb5-devel versions 1.1.1 through 1.2.7 krb5-libs versions 1.1.1 through 1.2.7 krb5 versions 1.1.1 through 1.2.7 glibc-common version 2.2.4 glibc-profile versions 2.1.3 through 2.2.4 glibc-devel versions 2.1.3 through 2.2.4 **Description** The issue is related to multiple vulnerabilities in various packages of the Red Hat Linux operating system, including glibc and krb5. These vulnerabilities can be exploited remotely, potentially leading to a breach of confidentiality, integrity, and availability of protected information. The vulnerabilities are related to integer overflows in certain functions, which can allow remote attackers to execute arbitrary code. **Recommendations** For glibc versions 2.1.3 through 2.2.4, update to a version that is not affected by the vulnerability. For krb5-workstation versions 1.1.1 through 1.2.7, update to a version that is not affected by the vulnerability. For krb5-server versions 1.1.1 through 1.2.7, update to a version that is not affected by the vulnerability. For krb5-devel versions 1.1.1 through 1.2.7, update to a version that is not affected by the vulnerability. For krb5-libs versions 1.1.1 through 1.2.7, update to a version that is not affected by the vulnerability. For krb5 versions 1.1.1 through 1.2.7, update to a version that is not affected by the vulnerability. For glibc-common version 2.2.4, update to a version that is not affected by the vulnerability. For glibc-profile versions 2.1.3 through 2.2.4, update to a version that is not affected by the vulnerability. For glibc-devel versions 2.1.3 through 2.2.4, update to a version that is not affected by the vulnerability. As a temporary workaround, consider restricting access to the vulnerable functions until a patch is available.