Bug Briefs: OpenOffice vulnerable to attack

Other flaws were reported in Apple QuickTime, Mac OS X, Adobe Reader, VideoLAN VLC, the Opera Web browser, and Cisco Secure Access Control Server.

OpenOffice vulnerable to attack
OpenOffice, an open source office suite widely used as an alternative to Microsoft Office, is susceptible to two Windows Metafile (WMF) parsing flaws that attackers could exploit to cause a heap-based buffer overflow and launch malicious code.

According to an advisory from OpenOffice, the first problem is a truncation error within the handling of the META_ESCAPE record. An attacker could exploit this to cause a heap-based buffer overflow via a specially crafted WMF/EMF file. The second problem is an integer overflow within the handling of EMR_POLYPOLYGON and EMR_POLYPOLYGON16 records. Attackers could also exploit this to cause a heap-based buffer overflow via a specially crafted WMF/EMF file.

Attackers could then run malicious code on targeted machines. OpenOffice versions prior to version 2.1.0 are affected. Users can fix the problem by downloading patches or updating to version 2.1.0.
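Both OpenOffice problems described above come down to sizes derived from attacker-controlled record counts: a truncation error in one record type and an integer overflow in the polygon-count arithmetic of another. The following is an added example, not OpenOffice's code, showing how a metafile record parser can validate such counts before they reach an allocation or a copy. The record layout, the `point16_t` type, the `MAX_POINTS` policy bound and the sample records are all constructed for the example; they are not the real EMF layout or values from the advisory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-bit point as carried by a POLYPOLYGON16-style record. */
typedef struct { int16_t x, y; } point16_t;

/* Upper bound on any count we are willing to honour (an assumed policy
 * value for this example, not a limit from the metafile specification). */
#define MAX_POINTS (1u << 20)

/* Parse a simplified, constructed record layout (not the real EMF layout),
 * with integers in host byte order for simplicity:
 *   uint32_t  num_polys;
 *   uint32_t  total_points;
 *   uint32_t  counts[num_polys];
 *   point16_t points[total_points];
 * Returns 0 and an allocated point array on success, -1 on any inconsistency. */
int parse_polypolygon16(const uint8_t *buf, size_t len,
                        point16_t **out, size_t *out_len)
{
    uint32_t num_polys, total_points;
    if (len < 8) return -1;
    memcpy(&num_polys, buf, 4);
    memcpy(&total_points, buf + 4, 4);

    /* Reject absurd counts before they take part in any size arithmetic;
     * this is what keeps count * sizeof(point16_t) from wrapping, even
     * where size_t is only 32 bits wide. */
    if (num_polys > MAX_POINTS || total_points > MAX_POINTS) return -1;
    size_t counts_bytes = (size_t)num_polys * sizeof(uint32_t);
    size_t points_bytes = (size_t)total_points * sizeof(point16_t);

    /* Header plus both arrays must fit in the bytes we were actually given;
     * subtract step by step so the comparison itself cannot overflow. */
    if (len - 8 < counts_bytes) return -1;
    if (len - 8 - counts_bytes < points_bytes) return -1;

    /* Per-polygon counts must sum exactly to total_points. Accumulate in a
     * 64-bit value and stop early, so crafted counts cannot wrap the sum. */
    uint64_t sum = 0;
    for (uint32_t i = 0; i < num_polys; i++) {
        uint32_t c;
        memcpy(&c, buf + 8 + (size_t)i * sizeof(uint32_t), sizeof c);
        sum += c;
        if (sum > total_points) return -1;
    }
    if (sum != total_points) return -1;

    point16_t *pts = malloc(points_bytes ? points_bytes : 1);
    if (pts == NULL) return -1;
    memcpy(pts, buf + 8 + counts_bytes, points_bytes);
    *out = pts;
    *out_len = total_points;
    return 0;
}

/* Constructed well-formed record: two polygons of 3 and 1 points.
 * Returns the number of points parsed (4), or -1 if rejected. */
int demo_valid_record(void)
{
    uint32_t num_polys = 2, total_points = 4, counts[2] = { 3, 1 };
    point16_t pts[4] = { {0, 0}, {10, 0}, {10, 10}, {5, 5} };
    uint8_t buf[8 + sizeof counts + sizeof pts];
    memcpy(buf, &num_polys, 4);
    memcpy(buf + 4, &total_points, 4);
    memcpy(buf + 8, counts, sizeof counts);
    memcpy(buf + 8 + sizeof counts, pts, sizeof pts);
    point16_t *out = NULL;
    size_t n = 0;
    if (parse_polypolygon16(buf, sizeof buf, &out, &n) != 0) return -1;
    free(out);
    return (int)n;
}

/* Constructed record whose header claims 0xFFFFFFFF points but carries only
 * a few bytes: the kind of count that wraps a naive 32-bit size calculation.
 * Returns the parser's verdict (-1 expected). */
int demo_oversized_record(void)
{
    uint8_t buf[16] = { 0 };
    uint32_t num_polys = 1, total_points = 0xFFFFFFFFu;
    memcpy(buf, &num_polys, 4);
    memcpy(buf + 4, &total_points, 4);
    point16_t *out = NULL;
    size_t n = 0;
    return parse_polypolygon16(buf, sizeof buf, &out, &n);
}

/* Constructed record whose per-polygon counts (3 + 2) disagree with the
 * declared total (4). Returns the parser's verdict (-1 expected). */
int demo_inconsistent_counts(void)
{
    uint32_t num_polys = 2, total_points = 4, counts[2] = { 3, 2 };
    uint8_t buf[8 + sizeof counts + 4 * sizeof(point16_t)] = { 0 };
    memcpy(buf, &num_polys, 4);
    memcpy(buf + 4, &total_points, 4);
    memcpy(buf + 8, counts, sizeof counts);
    point16_t *out = NULL;
    size_t n = 0;
    return parse_polypolygon16(buf, sizeof buf, &out, &n);
}
```

The order of the checks is the point: the bound on the counts comes first, the size arithmetic second, the fit-within-buffer comparison third, and only then is memory allocated and copied. Reversing any of these lets a crafted count drive a wrapped multiplication or an oversized copy.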

Kaspersky fixes DoS flaw
Kaspersky Lab has fixed a flaw attackers could have exploited in its popular client and gateway virus scanner to cause a denial of service (DoS). The flaw was discovered by Reston, Va.-based iDefense Labs, a division of VeriSign Inc.

"Kaspersky is vulnerable to a DoS condition when processing a specially crafted .pe (portable executable) file," iDefense said in an advisory. "One of the headers in a .pe file is the Optional Windows Header section. This section of the .pe header contains information needed by the Windows linker and loader. An invalid value for the 'NumberOfRvaAndSizes' field will cause Kaspersky to repeatedly seek and read from the same section of the file in an endless loop."

iDefense said Kaspersky Lab fixed the flaw Jan. 2. "There is no need to download any special patches," the Russian antivirus vendor said in a message to iDefense. "All installed Kaspersky Lab products are updated automatically through the regular signature-update functionality. There is no need to contact Kaspersky Lab to obtain this fix."
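The iDefense advisory pins the Kaspersky hang on one header field, NumberOfRvaAndSizes, being trusted as a loop or seek bound. The PE format allows at most 16 data directory entries, so a scanner can reject anything larger before it drives any iteration. The following is an added example written for this brief, not Kaspersky's or iDefense's code: it reads the data directories of a PE32 or PE32+ optional header with the count validated against both the format's maximum and the header's declared size. The header offsets (92 and 108 for the field, 96 and 112 for the first directory entry) are the documented PE layout; the 224-byte sample headers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define PE32_MAGIC     0x10b
#define PE32PLUS_MAGIC 0x20b

typedef struct { uint32_t rva, size; } data_dir_t;

/* Little-endian readers and writer: PE fields are little-endian on disk. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Read the data directories from an optional header. `opt` points at its
 * first byte (the Magic field) and `opt_len` is SizeOfOptionalHeader, which
 * the caller has already checked against the file size. Returns the number
 * of directories read, or -1 if the header is malformed. The loop bound is
 * derived from validated values only, so the loop always terminates. */
int parse_data_directories(const uint8_t *opt, size_t opt_len,
                           data_dir_t dirs[IMAGE_NUMBEROF_DIRECTORY_ENTRIES])
{
    if (opt_len < 2) return -1;
    uint16_t magic = rd16(opt);
    size_t count_off;
    if (magic == PE32_MAGIC) count_off = 92;            /* PE32 layout  */
    else if (magic == PE32PLUS_MAGIC) count_off = 108;  /* PE32+ layout */
    else return -1;
    if (opt_len < count_off + 4) return -1;

    /* NumberOfRvaAndSizes comes straight from the file. The format allows
     * at most 16 entries; anything larger is rejected rather than used. */
    uint32_t n = rd32(opt + count_off);
    if (n > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) return -1;

    /* Every directory entry we are about to read must lie inside the header. */
    size_t dir_off = count_off + 4;
    if ((size_t)n * 8 > opt_len - dir_off) return -1;

    for (uint32_t i = 0; i < n; i++) {
        dirs[i].rva  = rd32(opt + dir_off + (size_t)i * 8);
        dirs[i].size = rd32(opt + dir_off + (size_t)i * 8 + 4);
    }
    return (int)n;
}

/* Build a constructed 224-byte PE32 optional header with `count` in
 * NumberOfRvaAndSizes and the import directory entry (index 1) filled in. */
static void build_pe32_header(uint8_t hdr[224], uint32_t count)
{
    memset(hdr, 0, 224);
    hdr[0] = 0x0b; hdr[1] = 0x01;        /* Magic = 0x10b            */
    wr32(hdr + 92, count);               /* NumberOfRvaAndSizes      */
    wr32(hdr + 96 + 1 * 8, 0x2000);      /* dirs[1].rva (constructed) */
    wr32(hdr + 96 + 1 * 8 + 4, 0x80);    /* dirs[1].size (constructed) */
}

/* Well-formed header: returns 16 after checking the import entry round-trips. */
int demo_valid_pe32(void)
{
    uint8_t hdr[224];
    data_dir_t dirs[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    build_pe32_header(hdr, 16);
    int n = parse_data_directories(hdr, sizeof hdr, dirs);
    if (n != 16 || dirs[1].rva != 0x2000 || dirs[1].size != 0x80) return -1;
    return n;
}

/* Header with NumberOfRvaAndSizes = 0xFFFFFFFF: rejected (-1), never looped over. */
int demo_bogus_count(void)
{
    uint8_t hdr[224];
    data_dir_t dirs[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    build_pe32_header(hdr, 0xFFFFFFFFu);
    return parse_data_directories(hdr, sizeof hdr, dirs);
}

/* Header that claims 16 directories but whose SizeOfOptionalHeader only
 * covers the fixed fields plus three entries: rejected (-1). */
int demo_truncated_header(void)
{
    uint8_t hdr[224];
    data_dir_t dirs[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    build_pe32_header(hdr, 16);
    return parse_data_directories(hdr, 96 + 3 * 8, dirs);
}
```

A scanner that processes untrusted executables wants every loop over a header-declared count to look like this: a hard ceiling from the format, a fit check against the bytes actually present, and a verdict of "malformed" rather than a best-effort read when either fails.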

New flaw in Apple Mac OS X
Researchers LMH and Kevin Finisterre have reported a new security flaw in Apple Computer Inc.'s Mac OS X operating system as part of their Month of Apple Bugs project.

The problem is an error in the DiskManagement framework that surfaces when Mac OS X processes certain .bom files, the researchers said. Attackers could exploit this to run malicious commands with elevated privileges via the "diskutil" tool on targeted machines.

Cisco fixes multiple Secure Access Control Server flaws
Networking giant Cisco Systems has fixed multiple Secure Access Control Server (ACS) flaws attackers could exploit to cause a denial of service or run malicious code on targeted machines.

One of the problems is a stack overflow error in the CSAdmin service when processing malformed HTTP GET requests. Attackers could exploit this to run malicious commands or cause the Web administrative interface to crash, Cisco said. Another stack overflow error in the CSRadius service occurs when specially crafted RADIUS Accounting-Request packets are processed. Attackers could exploit this to crash a vulnerable service or execute arbitrary commands. In a third problem, there are errors in the CSRadius service when handling specially crafted RADIUS Access-Request packets. Attackers could exploit this to crash a vulnerable service.

The flaws affect Cisco Secure Access Control Server for Windows versions prior to 4.1 and Cisco Secure Access Control Server Solution Engine versions prior to 4.1. Cisco recommends users apply patches it has made available or upgrade to Cisco Secure ACS version 3.3(3) Build 11 or 4.0(1) Build 27.

Apple QuickTime flaw could enable botnets
The vulnerability researcher known as LMH kicked off what he calls a "Month of Apple Bugs" Monday by detailing a new flaw in Apple Computer Inc.'s widely used QuickTime media player. Attackers could exploit the issue to draft new machines into their botnets.

In a posting on his Apple Fun blog, LMH described the flaw as a stack overflow error that surfaces when the program handles a malformed "rtsp" URL. To exploit this, attackers could set up a malicious Web site and lure users there. Or, they could trick users into opening a malicious .qtl file.

The flaw affects Apple QuickTime version 7.1.3 as well as earlier versions. The French Security Incident Response Team (FrSIRT), which deemed the issue critical, recommended in an advisory that users disable Real Time Streaming Protocol support to mitigate the threat. Calling the security hole highly critical, Danish vulnerability clearinghouse Secunia recommended in its advisory that users refrain from opening untrusted .qtl files.

Adobe Reader users urged to upgrade
Adobe confirmed reports of serious flaws in its popular .pdf viewer Thursday and urged users to upgrade to version 8.0 without delay. While the latest version fixes the flaws, Adobe said it would also release patches next week for the older, vulnerable versions.

Security experts have expressed alarm over the flaws, discovered by vulnerability researchers Stefano Di Paola and Giorgio Fedon. They warned that attackers could easily exploit the vulnerabilities to launch cross-site scripting attacks and do a variety of damage. Experts are particularly concerned because Adobe Reader is used by a huge segment of the computing population.

According to the researchers' analysis, the trouble is in how Adobe tells the browser to handle .pdf files. Firefox and Internet Explorer are particularly vulnerable. The flaws affect Adobe Reader 6.0.1 for Windows via Internet Explorer 6 and version 7.0.8 for Windows via Firefox 2.0.0.1. Other versions may also be affected, warned Danish vulnerability clearinghouse Secunia. Though Adobe has fixed the security holes in version 8.0.0, experts worry that many users will be slow to upgrade, leaving themselves open to an easy attack.

VideoLAN VLC vulnerable to attack
Attackers who successfully lure users to malicious Web pages or M3U playlists could take control of their machines by exploiting several flaws in the popular VideoLAN VLC media player freeware. VideoLAN said in an advisory that there are format string errors in the "cdio_log_handler()" and "vcd_log_handler()" functions that call "msg_Dbg()", "msg_Warn()", and "msg_Err()" in an insecure manner. Remote attackers could exploit this to execute arbitrary commands on the victim's computer. But first, the user must be lured to a specially crafted Web page or M3U playlist.

The flaws affect VideoLAN VLC versions 0.7.0 through 0.8.6. Users can fix the issue by upgrading to VLC version 0.8.6a or by applying the patch.
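The VideoLAN advisory describes the classic format string defect: a log handler passes a message that ultimately derives from the media being played straight into a printf-style logging call as its format argument. The following is an added example written for this brief, not VLC's code. `toy_msg_dbg()` is a stand-in for a `msg_Dbg()`-style variadic logger that formats into a buffer so the result can be inspected; `safe_log_handler()` is the hardened shape of a handler, and `message_has_format_directives()` is an optional defence-in-depth check. The vulnerable pattern is shown only as a comment, since calling it on hostile input is undefined behaviour. The sample messages are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a printf-style logging API such as msg_Dbg(): formats
 * into a fixed buffer so callers can inspect the result. Not VLC's code. */
static char g_last_log[256];

static void toy_msg_dbg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_last_log, sizeof g_last_log, fmt, ap);
    va_end(ap);
}

/* The pattern the advisory describes, shown as a comment only. The message
 * handed to the handler by the library is attacker-influenced, and passing
 * it as the format string means any '%' sequences in it are interpreted:
 *
 *   static void vulnerable_log_handler(const char *message)
 *   {
 *       toy_msg_dbg(message);   // message becomes the format string
 *   }
 */

/* Hardened form: the format string is a compile-time constant and the
 * message is always a '%s' argument, so it is copied verbatim whatever it
 * contains. Returns the formatted log line for inspection. */
const char *safe_log_handler(const char *message)
{
    toy_msg_dbg("%s", message);
    return g_last_log;
}

/* Defence in depth: flag messages that carry conversion specifications
 * before they reach any logger, so they can be quarantined or escaped.
 * A doubled "%%" is a literal percent sign and is not flagged.
 * Returns 1 if the message contains a directive, 0 otherwise. */
int message_has_format_directives(const char *message)
{
    const char *p = message;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') { p += 2; continue; }   /* literal percent sign */
        return 1;                                 /* "%s", "%n", "%x", ... */
    }
    return 0;
}
```

The fix is mechanical and the same everywhere this pattern appears: every call into a printf-style API gets a literal format string, and data goes in the argument list. Compilers will point out the remaining instances when building with `-Wformat-security` (GCC and Clang).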

Two flaws fixed in Opera browser
Attackers could run malicious code on victims' machines by exploiting two flaws in the Opera Web browser, Danish vulnerability clearinghouse Secunia said in an advisory.

The first problem is an unspecified error that surfaces when certain .jpg files are processed. Attackers could exploit this to cause a heap-based buffer overflow via a .jpg file with a specially crafted DHT marker, Secunia said. The second problem is an error within the "createSVGTransformFromMatrix()" function that attackers could exploit by passing an incorrect object to that function. Successful exploitation of the vulnerabilities allows execution of arbitrary code, Secunia said.

Opera has released version 9.10 of the browser to fix the problems.
