Scarybeasts

**Name of the Vulnerable Software and Affected Versions** GStreamer versions prior to 1.10.2 **Description** The issue allows remote attackers to cause a denial of service, resulting in an out-of-bounds write and crash, via a crafted series of skip and count pairs in the FLIC decoder. **Recommendations** For versions prior to 1.10.2, update to version 1.10.2 or later to resolve the issue. As a temporary workaround, consider disabling the FLIC decoder until a patch is available. Restrict access to the FLIC decoder module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 16.0.912.63 **Description** The issue is related to the improper parsing of SVG documents, which can be exploited by remote attackers to cause a denial of service through an out-of-bounds read. The estimated number of potentially affected devices and details about real-world incidents are not specified. **Recommendations** For Google Chrome versions prior to 16.0.912.63, update to version 16.0.912.63 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 15.0.874.120 **Description** The issue is related to the improper implementation of the MKV and Vorbis media handlers, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. **Recommendations** For versions prior to 15.0.874.120, update to version 15.0.874.120 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer (affected versions not specified) **Description** The issue is related to Microsoft Internet Explorer's inability to properly restrict modifications to cookies established in HTTPS sessions. This allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response. The problem is connected to the lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, which is described as a "cookie forcing" issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Android browser (affected versions not specified) **Description** The issue is related to the Android browser's inability to properly restrict modifications to cookies established in HTTPS sessions. This allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response. The problem is connected to the lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, which is described as a "cookie forcing" issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Internet Explorer 8 on Windows 7 **Description** The issue allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT `generate-id` XPath function. **Recommendations** For Internet Explorer 8 on Windows 7, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Systrace versions prior to 1.6f **Description** The issue allows local users to bypass intended access restrictions by making a 64-bit syscall with a syscall number that corresponds to a policy-compliant 32-bit syscall on the x86 64 Linux platform. **Recommendations** For versions prior to 1.6f, update to version 1.6f or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Systrace versions 1.6f and earlier **Description** The issue allows local users to bypass intended access restrictions by making a 32-bit syscall with a syscall number that corresponds to a policy-compliant 64-bit syscall. This is related to race conditions that occur in monitoring 64-bit processes on the x86 64 Linux platform. **Recommendations** For Systrace versions 1.6f and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.