Tobias Klein

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to a buffer overflow in the dynamic memory of the Win32k component (Win32k.sys) in Windows operating systems. This can be exploited by an attacker using specially crafted data to elevate their privileges. The vulnerability allows attackers to affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 64.0.3282.119 **Description** The issue is related to insufficient data validation in WebGL, allowing a remote attacker to perform an out of bounds memory read via a crafted HTML page. This could potentially enable attackers to view memory content beyond boundaries using a specially formed HTML page. **Recommendations** For Google Chrome versions prior to 64.0.3282.119, update to version 64.0.3282.119 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 54 Firefox ESR versions prior to 52.2 Thunderbird versions prior to 52.2 **Description** The issue is related to an out-of-bounds read in WebGL, which can occur when a maliciously crafted `ImageInfo` object is used during WebGL operations. This can potentially allow a remote attacker to disclose protected information. **Recommendations** For Firefox versions prior to 54, update to version 54 or later. For Firefox ESR versions prior to 52.2, update to version 52.2 or later. For Thunderbird versions prior to 52.2, update to version 52.2 or later.

**Name of the Vulnerable Software and Affected Versions** BIND versions 9.0.0 through 9.11.18 BIND versions 9.12.0 through 9.12.4-P2 BIND versions 9.14.0 through 9.14.11 BIND versions 9.16.0 through 9.16.2 BIND versions 9.17.0 through 9.17.1 BIND all releases in 9.13 and 9.15 development branches BIND versions 9.9.3-S1 through 9.11.18-S1 **Description** The issue is related to a logic error in the code that checks TSIG validity, which can be exploited by an attacker to trigger an assertion failure in tsig.c, resulting in a denial of service. An attacker may potentially cause a BIND server to reach an inconsistent state if they know or successfully guess the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. **Recommendations** For BIND versions 9.0.0 through 9.11.18, update to a version after 9.11.18 to resolve the issue. For BIND versions 9.12.0 through 9.12.4-P2, update to a version after 9.12.4-P2 to resolve the issue. For BIND versions 9.14.0 through 9.14.11, update to a version after 9.14.11 to resolve the issue. For BIND versions 9.16.0 through 9.16.2, update to a version after 9.16.2 to resolve the issue. For BIND versions 9.17.0 through 9.17.1, update to a version after 9.17.1 to resolve the issue. For BIND all releases in 9.13 and 9.15 development branches, update to a version outside of these branches to resolve the issue. For BIND versions 9.9.3-S1 through 9.11.18-S1, update to a version after 9.11.18-S1 to resolve the issue. As a temporary workaround, consider disabling the `tsig.c` function until a patch is available. Restrict access to the TSIG resource records to minimize the risk of exploitation. Avoid using the TSIG key in the affected BIND server until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.8.4 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via a crafted PICT image. This is due to a buffer overflow in the QuickDraw Manager. **Recommendations** For versions prior to 10.8.4, update to version 10.8.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of crafted PICT images until the issue is resolved. Restrict access to potentially vulnerable applications that handle PICT images to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.8.3 **Description** The issue is related to a use-after-free vulnerability in PDFKit, allowing remote attackers to execute arbitrary code or cause a denial of service, such as an application crash, via crafted ink annotations in a PDF document. **Recommendations** For Apple Mac OS X versions prior to 10.8.3, update to version 10.8.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 5 **Description** A buffer overflow issue in OfficeImport allows remote attackers to execute arbitrary code or cause a denial of service, resulting in an application crash, via a crafted Microsoft Word document. **Recommendations** For Apple iOS versions prior to 5, update to version 5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 5 **Description** A double free issue in OfficeImport allows remote attackers to execute arbitrary code or cause a denial of service, resulting in an application crash, via a crafted Excel spreadsheet. **Recommendations** For Apple iOS versions prior to 5, update to a version 5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.6.8 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash, via a crafted Microsoft Office document. **Recommendations** For versions prior to 10.6.8, update to version 10.6.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions prior to 10.6.7 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash, via a crafted Excel spreadsheet with a malicious formula. **Recommendations** For versions prior to 10.6.7, update to version 10.6.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions 10.6.x through 10.6.4 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash, via a crafted Excel file. **Recommendations** For Apple Mac OS X versions 10.6.x through 10.6.4, update to version 10.6.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** avast! versions 4.8 through 4.8.1368.0 avast! version 5.0 before 5.0.418.0 **Description** The issue is related to the Aavmker4.sys driver in avast!, which does not properly validate input to IOCTL 0xb2d60030. This allows local users to cause a denial of service, resulting in a system crash, or execute arbitrary code to gain privileges. The exploitation is done via IOCTL requests using crafted kernel addresses that trigger memory corruption. **Recommendations** For avast! versions 4.8 through 4.8.1368.0, update to version 4.8.1368.1 or later. For avast! version 5.0 before 5.0.418.0, update to version 5.0.418.0 or later.

**Name of the Vulnerable Software and Affected Versions** Sun Solaris versions 10 and OpenSolaris snv 69 through snv 133 **Description** The issue allows local users to cause a denial of service, resulting in a system panic. This occurs when a request with a 0 size value is sent to the UCODE GET VERSION IOCTL, triggering a NULL pointer dereference in the `ucode get rev` function. The problem is related to the retrieval of the microcode revision and affects systems running on x86 architectures. **Recommendations** For Sun Solaris versions 10 and OpenSolaris snv 69 through snv 133, consider restricting access to the `ucode ioctl` function in intel/io/ucode drv.c as a temporary workaround to minimize the risk of exploitation. Avoid using the UCODE GET VERSION IOCTL with a 0 size value until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions 10.5.8 through 10.6.2 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via a crafted MP4 audio file. This is due to a buffer overflow in CoreAudio. **Recommendations** For Apple Mac OS X versions 10.5.8 through 10.6.2, update to a version that contains a fix for this issue to prevent remote attackers from executing arbitrary code or causing a denial of service.

**Name of the Vulnerable Software and Affected Versions** Apple iPhone OS versions prior to 3.1 Apple iPhone OS versions prior to 3.1.1 for iPod touch **Description** The issue is related to multiple heap-based buffer overflows in the AudioCodecs library within the CoreAudio component. This can be exploited by remote attackers through crafted AAC or MP3 files, such as a ringtone with malformed entries in the sample size table, leading to the execution of arbitrary code or a denial of service, which results in an application crash. **Recommendations** For Apple iPhone OS versions prior to 3.1, update to version 3.1 or later. For Apple iPhone OS versions prior to 3.1.1 for iPod touch, update to version 3.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** xine-lib versions 1.1.16.2 and earlier **Description** The issue is related to an integer overflow in the `parse trak atom` function, which can be triggered by a Quicktime movie file with a large count value in an STTS atom. This can lead to a heap-based buffer overflow, potentially allowing remote attackers to execute arbitrary code. **Recommendations** For xine-lib versions 1.1.16.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GStreamer Good Plug-ins versions 0.10.9 through 0.10.11 GStreamer Plug-ins version 0.8.5 **Description** The issue is related to a heap-based buffer overflow in the `qtdemux parse samples` function, which might allow remote attackers to execute arbitrary code via crafted Time-to-sample (stts) atom data in a malformed QuickTime media .mov file. Additionally, there are multiple vulnerabilities in the gstreamer0.10-plugins-bad package that can lead to disruption of confidentiality, integrity, and availability of protected information, and these can be exploited remotely. **Recommendations** For GStreamer Good Plug-ins versions 0.10.9 through 0.10.11, update to a version outside of this range to mitigate the risk. For GStreamer Plug-ins version 0.8.5, update to a newer version to resolve the issue. As a temporary workaround, consider restricting access to malformed QuickTime media .mov files until a patch is available. Avoid using the `qtdemux parse samples` function in the affected GStreamer Good Plug-ins versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GStreamer Good Plug-ins versions 0.10.9 through 0.10.11 **Description** The issue is related to multiple vulnerabilities in the gstreamer0.10-plugins-bad package in Debian GNU/Linux, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. A heap-based buffer overflow in the `qtdemux parse samples` function in `gst/qtdemux/qtdemux.c` may allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime media .mov file. **Recommendations** For versions 0.10.9 through 0.10.11, consider disabling the `qtdemux parse samples` function as a temporary workaround until a patch is available. Restrict access to malformed QuickTime media .mov files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GStreamer Good Plug-ins versions 0.10.9 through 0.10.11 gstreamer0.10-plugins-bad (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in the gstreamer0.10-plugins-bad package of Debian GNU/Linux and an array index error in the qtdemux parse samples function in GStreamer Good Plug-ins. This error allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Sync Sample atom data in a malformed QuickTime media .mov file. The exploitation of these vulnerabilities can lead to a violation of confidentiality, integrity, and availability of protected information. **Recommendations** For GStreamer Good Plug-ins versions 0.10.9 through 0.10.11, consider updating to a version outside of this range to mitigate the risk. For gstreamer0.10-plugins-bad, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sun Solaris versions 8 through 10 OpenSolaris (affected versions not specified) **Description** The issue is related to an integer overflow in the `aio suspend` function when 32-bit mode is enabled. This allows local users to cause a denial of service, resulting in a system panic, by providing a large integer value in the second argument, also known as the `nent` argument. **Recommendations** For Sun Solaris versions 8 through 10, consider applying configuration changes to restrict the use of the `aio suspend` function until a fix is available. For OpenSolaris, at the moment, there is no information about a newer version that contains a fix for this issue.