Only a little more than a week after September Patch Tuesday, expect to download more software patches to keep your computer updated and protected from malware threats.
Update 1: Microsoft Service Pack 3
Microsoft recently released Service Pack 3 for Microsoft Office 2003, incorporating SP1, SP2, and other Office 2003 updates up to August 2007. The new service pack also incorporates other bug fixes that affect the user experience.
Related links: Download page, KB Entry
Update 2: Mozilla Firefox 2.0.0.7
Mozilla Firefox was recently updated to version 2.0.0.7, which prevents a vulnerability in the Apple QuickTime plug-in from being used for remote code execution.
Related Link: Download Page
Unpatched Vulnerability 1: Apple QuickTime version 7.2.0.240
The Firefox update above resolves the issue raised by Petko D. Petkov, who detailed how a simple QuickTime file can execute arbitrary code from the browser. According to his report, a QTL file, which serves as a wrapper for loading a real media file, can contain a qtnext field whose parameters can lead to code being executed through Firefox. So, users can just avoid a link on a Web site if the file it points to has a .QTL extension, right? Wrong. The file can be renamed to .MP3 or .MOV (or any file extension supported by QT) and it would still be processed as a QTL file. The exploit has been verified to work on Firefox 2.0.0.6 (thus necessitating the update) and the latest QuickTime version, 7.2.0.240 (still unpatched).
Related Links: Mozilla Vulnerability Page, Petko D. Petkov’s Blog, CVE Entry
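Because the extension says nothing about how the file will be processed, a download filter has to classify media links by content instead. The sketch below is an added example, not code from the original post, Mozilla or Apple; the QTL layout it looks for (a quicktime processing instruction and an embed element), the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re

# Assumptions (not from the article): a QTL file is XML text carrying a
# "<?quicktime type=...media-link?>" processing instruction and an <embed>
# element. Only the "qtnext" field name comes from the article.
QTL_MARKER = re.compile(rb"<\?quicktime\b[^>]*application/x-quicktime-media-link", re.I)
EMBED_TAG = re.compile(rb"<embed\b(?:[^>\"']|\"[^\"]*\"|'[^']*')*>", re.I)
QTNEXT_ATTR = re.compile(rb"\bqtnext\d*\s*=\s*(\"[^\"]*\"|'[^']*')", re.I)

# Constructed samples: a benign media link and a minimal ID3 (MP3) header.
SAMPLE_QTL = (
    b'<?xml version="1.0"?>\n'
    b'<?quicktime type="application/x-quicktime-media-link"?>\n'
    b'<embed src="clip.mov" qtnext="http://media.example.invalid/next.mov" />\n'
)
SAMPLE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 32


def _head_as_utf8(data: bytes, limit: int = 8192) -> bytes:
    """Return the start of the file as UTF-8 bytes, handling UTF-16/UTF-8 BOMs."""
    head = data[:limit]
    if head[:2] in (b"\xff\xfe", b"\xfe\xff"):
        head = head.decode("utf-16", errors="ignore").encode("utf-8")
    return head[3:] if head.startswith(b"\xef\xbb\xbf") else head


def inspect_media(name: str, data: bytes) -> dict:
    """Classify a download by content; the extension is only compared afterwards."""
    text = _head_as_utf8(data)
    # Collect every qtnext value found inside an <embed> tag.
    qtnext = [
        m.group(1)[1:-1].decode("utf-8", "replace")
        for tag in EMBED_TAG.findall(text)
        for m in QTNEXT_ATTR.finditer(tag)
    ]
    is_qtl = bool(QTL_MARKER.search(text)) or bool(qtnext)
    ext = os.path.splitext(name)[1].lower()
    return {"name": name, "is_qtl": is_qtl,
            "disguised": is_qtl and ext != ".qtl", "qtnext": qtnext}


if __name__ == "__main__":
    for fname, blob in [("song.mp3", SAMPLE_QTL), ("link.qtl", SAMPLE_QTL),
                        ("real.mp3", SAMPLE_MP3)]:
        print(inspect_media(fname, blob))
```

A file reported as `disguised` is media-link content served under another media extension, which is the renaming case described above; the collected `qtnext` values are what a reviewer would look at next.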
Unpatched Vulnerability 2: Microsoft MFC42 and MFC71 Heap Overflow Allows RCE
Jonathan Sarba from the GoodFellas Security Research Team recently disclosed that the FindFile class implementation in the MFC42 and MFC71 libraries lacks a check on the buffer, allowing a heap overflow to execute arbitrary code. Any application using CFileFind::FindFile from MFC42.DLL and MFC71.DLL may be susceptible to this attack. If you remember, a previous MFC vulnerability was patched last June. Considering the possibilities, could there be an upcoming Month of MFC Bugs?
Related links: Jonathan Sarba’s Disclosure, MS07-12


