An unpatched Windows vulnerability considered a critical threat by security experts is being exploited by cybercriminals.
Microsoft disclosed the flaw in XML Core Services (MSXML) 3.0, 4.0 and 6.0 June 12 during its monthly release of patches. The security advisory, which was separate from the patch release, offered a workaround for vulnerability CVE-2012-1889, but no fix.
Vulnerability CVE-2012-1889 is simple to exploit in all known versions of Internet Explorer. An attacker can make a CLSID-identification request by calling MSXML library methods and create an object identifier in order to try to access a non-existent object. Proof of Concept code for causing a crash looks like this:
This code looks simple, but it causes memory corruption and crashes Internet Explorer. The exploit code requests an object that has never been initialized, yet a reference to its memory region already exists. The memory corruption occurs in the helper function _dispatchImpl::InvokeHelper() in the MSXML library.
Currently, this vulnerability has no patch available but Microsoft has released a Fix it solution. We strongly suggest that you consider this workaround – for now.
Multiple vulnerabilities have been found in Tor, the most severe of which may allow a remote attacker to execute arbitrary code.
Multiple vulnerabilities have been discovered in Tor:
When configured as client or bridge, Tor uses the same TLS certificate chain for all outgoing connections (CVE-2011-2768).
When configured as a bridge, Tor relays can distinguish incoming bridge connections from client connections (CVE-2011-2769).
An error in or/buffers.c could result in a heap-based buffer overflow (CVE-2011-2778).
A remote attacker could possibly execute arbitrary code or cause a Denial of Service. Furthermore, a remote relay the user is directly connected to may be able to disclose information about that user that undermines their anonymity, or enumerate bridges in the user’s connection.
There is no known workaround at this time.
All Tor users should upgrade to the latest version:
Vulnerability-Lab Team discovered a Memory & Pointer Corruption Vulnerability on Kaspersky Internet Security 2011/2012 & Kaspersky Anti-Virus 2011/2012.
The vulnerability is caused by invalid pointer corruption when a corrupt .cfg file is processed through the Kaspersky exception filters; an attacker could exploit it to crash the entire software process.
The bug is located in basegui.ppl and basegui.dll and is triggered when a .cfg file import is processed.
[+] CFG IMPORT
– Kaspersky Anti-Virus 2012 & Kaspersky Internet Security 2012
– KIS 2012 v184.108.40.2064
– KAV 2012 v12.x
– Kaspersky Anti-Virus 2011 & Kaspersky Internet Security 2011
– KIS 2011 v220.127.116.11 (a.b)
– KAV 18.104.22.1680
– KIS 2011 v22.214.171.1244
– Kaspersky Anti-Virus 2010 & Kaspersky Internet Security 2010
Vulnerability Research Laboratory – Benjamin K.M. (Rem0ve)
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user’s system.
The vulnerability is caused by an error in win32k.sys and can be exploited to corrupt memory, e.g. via a specially crafted web page containing an IFRAME with an overly large “height” attribute viewed in the Apple Safari browser.
Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.
The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit.
Other versions may also be affected.
No effective solution is currently available.
When using the Facebook ‘Messages’ tab, there is a feature to attach a file. Used normally, the site won’t allow a user to attach an executable file. A bug was discovered that subverts this security mechanism. Note that you do NOT have to be friends with the user to send them a message with an attachment.
When attaching an executable file, Facebook will return an error message stating:
“Error Uploading: You cannot attach files of that type.”
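The check that this bug gets around is a file-type restriction applied to what the browser submits. Because every field of a multipart POST (filename, Content-Type, the bytes themselves) is under the sender's control, a server-side screen should classify an attachment by its content before it looks at the name the client supplied. The following is an added example of such a screen, written for this article; it is not Facebook's code and makes no claim about how Facebook's check works. The multipart parser, the signature table, the request body and the sample files are all constructed for the example.

```python
"""Content-based attachment screening: classify an upload by what the bytes
are, not by the filename or Content-Type the browser claims in the POST."""
import re
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures of common executable formats (constructed table).
EXECUTABLE_MAGIC: Dict[bytes, str] = {
    b"MZ": "pe",                     # Windows PE / DOS executable
    b"\x7fELF": "elf",               # Linux ELF
    b"\xfe\xed\xfa\xce": "mach-o-32",
    b"\xfe\xed\xfa\xcf": "mach-o-64",
    b"\xcf\xfa\xed\xfe": "mach-o-64-le",
}
# Extensions the upload policy rejects even when the content looks benign.
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "com", "pif", "bat", "cmd",
                      "msi", "vbs", "js", "jar"}


def parse_multipart(body: bytes, boundary: bytes) -> List[Tuple[Dict[str, str], bytes]]:
    """Minimal multipart/form-data splitter for a captured request body.
    Returns (headers, payload) per part; header names are lower-cased."""
    parts = []
    delimiter = b"--" + boundary
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        raw_headers, _, payload = chunk.partition(b"\r\n\r\n")
        headers: Dict[str, str] = {}
        for line in raw_headers.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        if payload.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            payload = payload[:-2]
        parts.append((headers, payload))
    return parts


def filename_from_disposition(disposition: str) -> str:
    m = re.search(r'filename="([^"]*)"', disposition)
    return m.group(1) if m else ""


def sniff_executable(data: bytes) -> Optional[str]:
    """Return the executable format name if the leading bytes match one."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """(allowed, reason). The content check runs first, so renaming the
    file inside the POST cannot get an executable past the screen."""
    kind = sniff_executable(data)
    if kind:
        return False, f"content is a {kind} executable despite name {filename!r}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension .{ext} is not permitted"
    return True, "ok"


def screen_request(body: bytes, boundary: bytes) -> List[Tuple[str, bool, str]]:
    """Screen every file part of a multipart body; plain form fields are skipped."""
    results = []
    for headers, payload in parse_multipart(body, boundary):
        disposition = headers.get("content-disposition", "")
        if "filename=" not in disposition:
            continue
        filename = filename_from_disposition(disposition)
        allowed, reason = check_attachment(filename, payload)
        results.append((filename, allowed, reason))
    return results


# Constructed sample request: a PE stub submitted under an image filename
# and image Content-Type, followed by a genuine PNG header.
BOUNDARY = b"----FormBoundaryExample"
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
PNG_STUB = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"


def build_part(name: bytes, filename: bytes, ctype: bytes, data: bytes) -> bytes:
    return (b"--" + BOUNDARY + b"\r\n"
            + b'Content-Disposition: form-data; name="' + name
            + b'"; filename="' + filename + b'"\r\n'
            + b"Content-Type: " + ctype + b"\r\n\r\n" + data + b"\r\n")


SAMPLE_BODY = (
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="to"\r\n\r\nsomeone\r\n'
    + build_part(b"attachment", b"holiday.jpg", b"image/jpeg", PE_STUB)
    + build_part(b"attachment", b"notes.png", b"image/png", PNG_STUB)
    + b"--" + BOUNDARY + b"--\r\n"
)

if __name__ == "__main__":
    for fname, allowed, reason in screen_request(SAMPLE_BODY, BOUNDARY):
        print(f"{fname}: {'accept' if allowed else 'reject'} ({reason})")
```

The order of the two checks is the point: the signature test sees the bytes regardless of what the Content-Disposition filename or Content-Type says, so editing those fields in the request changes nothing, while the extension test still enforces policy on benign-looking content that carries a dangerous name.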
When uploading a file attachment to Facebook, we captured the web browser’s POST request as it was sent to the web server. Inside this POST request is the line: