    Author Archive - Sumit Soni (Vulnerability Research)

    Oracle has just released its security update for June 2013, a release that comprises 40 security updates, 37 of which address vulnerabilities that lead to malware execution. Also among the updates is one that fixes a vulnerability in the Javadoc tool, a documentation generator whose output is commonly used on websites.

    This vulnerability, identified as CVE-2013-1571, can be used to steal important user data by injecting an attacker-controlled frame into a generated Javadoc HTML page. It is also known as a frame injection vulnerability.

    Javadoc is a tool that generates HTML documentation from Javadoc comments in the code. The vulnerability is due to a defect in the JavaScript code that is included in the HTML pages generated by the Javadoc tool. Hence, any website hosting such HTML pages can be used by an attacker to steal its users' data or to install malware by redirecting an unsuspecting user to an attacker-controlled website.

    Oracle released two fixes in their June 2013 Oracle Java SE Critical Patch Update to address this vulnerability. The first is an updated Javadoc tool, while the second is a fix-in-place tool that patches the vulnerability in pages already generated by Javadoc, without having to regenerate existing JavaDocs. Needless to say, we strongly advise customers to apply the fixes as soon as possible.

    Trend Micro Deep Security customers are advised to apply the latest update, DSRU13-020. Deep Security rule 1005553 – Oracle JavaDoc Frame Injection Vulnerability addresses this issue.

    Hat tip to CERT for sharing the necessary information with us.

    Posted in Vulnerabilities | Comments Off on Oracle Update Includes Javadoc Frame Injection Vulnerability

    PostgreSQL is a fully featured object-relational database management system. It supports a large part of the SQL standard and is designed to be extensible by users in many aspects.  Graphical user interfaces and bindings for many programming languages are available as well.

    Earlier this month, I discovered a denial of service vulnerability in versions of PostgreSQL that caused a crash if a function was called with invalid arguments in a SQL query. In theory, one could examine the contents of the server’s memory after the crash using this vulnerability. Currently, no threats in the wild are exploiting this vulnerability.

    The following versions of PostgreSQL are vulnerable:

    • 8.3.x before 8.3.23
    • 8.4.x before 8.4.16
    • 9.0.x before 9.0.12
    • 9.1.x before 9.1.8
    • 9.2.x before 9.2.3

    The function in question is enum_recv, which is not properly declared in backend/utils/adt/enum.c. The current fix bars calling the function from SQL; the declaration of the function will be fixed in a future release by PostgreSQL. The function should accept input of type “internal”, not “cstring”.

    Read the rest of this entry »

    Posted in Vulnerabilities | Comments Off on PostgreSQL Denial of Service Vulnerability Found and Patched
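
    To check an inventory against the affected branches listed in the post above, the following added example (not code from the original post or from PostgreSQL) classifies version strings as returned by `SELECT version()`, `postgres --version` or `SHOW server_version`. The host names and banners are constructed sample data, and treating a pre-release string such as "9.2beta2" as minor release 0 is an assumption.

```python
import re

# First fixed minor release for each affected branch, taken from the list in the post.
FIRST_FIXED = {(8, 3): 23, (8, 4): 16, (9, 0): 12, (9, 1): 8, (9, 2): 3}

# Accepts "PostgreSQL 9.1.7 on ...", "postgres (PostgreSQL) 9.2.3" and a bare "9.0.11".
_VERSION = re.compile(r"(?:PostgreSQL\)?\s+)?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, branch, minor), or None when no version number is present."""
    match = _VERSION.search(banner)
    if match is None:
        return None
    major, branch, minor = match.groups()
    # Assumption: pre-release builds ("9.2beta2") have no minor number; count them as .0.
    return int(major), int(branch), int(minor or 0)


def classify(banner):
    """Classify one version string against the branches the post lists."""
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    major, branch, minor = version
    first_fixed = FIRST_FIXED.get((major, branch))
    if first_fixed is None:
        # The post makes no statement about this branch; do not report it as safe.
        return "not_listed"
    return "vulnerable" if minor < first_fixed else "fixed"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "db-a": "PostgreSQL 9.1.7 on x86_64-unknown-linux-gnu, compiled by gcc",
    "db-b": "postgres (PostgreSQL) 9.2.3",
    "db-c": "8.4.15",
    "db-d": "PostgreSQL 8.2.23",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:6} {status}")
```

    A result of `not_listed` means only that the branch does not appear in the list above and needs to be checked against the vendor's own advisory.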

    Oracle recently released a security advisory for a critical patch for Java, which updates Java 7 to Update 13. (Users of the older Java 6 also received an update, taking them to Update 39.) Accordingly, this advisory addresses several vulnerabilities for the following affected products:

    • JDK and JRE 7 Update 11 and earlier
    • JDK and JRE 6 Update 38 and earlier
    • JDK and JRE 5.0 Update 38 and earlier
    • SDK and JRE 1.4.2_40 and earlier
    • JavaFX 2.2.4 and earlier

    Fifty vulnerabilities were patched in this update. According to Oracle, one of these vulnerabilities is already being exploited in the wild, which is why the update was released early (instead of February 19 as originally scheduled).

    We believe that the targeted vulnerability is a Java Security Slider vulnerability, which is covered in CVE-2013-1489. On its own it does not necessarily lead to exploitation, but when combined with other vulnerabilities it can lead to a ‘blind’ exploitation. For instance, when the Security Slider is set to the default (high), all unsigned applets must be authorized by the browser user via a dialog box in order to execute. This gives the user the opportunity to prevent the execution of suspicious applets that may result in successful exploits. However, when CVE-2013-1489 is combined with vulnerabilities that have a direct impact, that impact can occur “silently”, without the authorization dialog box.

    Read the rest of this entry »

    Posted in Exploits, Vulnerabilities | Comments Off on New Java Update Released To Patch In-the-Wild Flaw

    Users of Wing FTP Server versions v3.1.2 or earlier are strongly advised to update their software. In recent investigations, TrendLabs’ vulnerability research group found a vulnerability in these versions that can be used to crash users’ FTP servers.

    The bug is a denial-of-service (DoS) vulnerability, which can be exploited by using an invalid parameter for the PORT command. It affects version 3.1.2 for Windows, although Wing FTP Server states that other versions may also be affected.

    After we contacted them regarding this discovery, Wing FTP Server released updates to address this vulnerability. Users of Wing FTP Server should update to version 3.2.0 or later.

    Information on this can also be found in our security advisory.

    Trend Micro reminds users to ensure that they keep applications up-to-date in order to help mitigate the risk of cybercrime.

    Posted in Bad Sites | Comments Off on Trend Micro Discovers Wing FTP Server PORT Command DoS Bug


    © Copyright 2013 Trend Micro Inc. All rights reserved.