Here are some of the most significant bugs from the past week in the BugBlog:
There are a number of bugs in the Adobe Acrobat Plug-In for browsers, and in the free Adobe Reader 6 and 7. A malicious website may be able to carry out cross-site scripting attacks because the browser plug-in doesn't correctly validate URI parameters. There's no official word from Adobe, although US CERT says that it appears the bugs were fixed in Adobe Reader 8. Read their report. Stefano Di Paola, Giorgio Fedon, and Elia Florio are credited with finding these bugs. UPDATE: Adobe now has a bulletin.
There is a bug in the way that Apple Quicktime handles RTSP (Real time streaming protocol) links. It may be possible for an attacker to construct one of these links that would trigger a buffer overflow which could be used to run hostile code on your computer. According to the Secunia website, the bug has been verified in Quicktime 7.1.3.100 for Windows. It is also supposed to affect other Windows and Mac versions as well. Secunia credits LMH for finding the bug. It comes from the "Month of Apple Bugs" website.
Two bugs have been discovered in Opera Software's Opera 9 web browser, that may allow attackers to sneak hostile code onto a computer. One bug is in the way Opera handles DHT markers in JPEG files. The other is in the matrices are handled in JavaScript and SVG. These bugs have been fixed in Opera 9.10. Opera credits iDefense Labs for finding these bugs.
.jpg?t=20120527181101)
Article comments
1 - John Dowdell
"There's no official word from Adobe...."
Actually, the detailed Adobe Security Advisory was published on Thursday of last week:
This potential cross-site snooping exploit was already detected last year, and protected against in last autumn's free download of Adobe Reader 8. Updates and intranet installers for older versions were already in the works, for those whose environments do not permit using the current version, and I believe these older versions will also be online tomorrow.
(What's the exploit? Many plugins can pass "javascript:" requests to browsers. If you're visiting evil sites or clicking fake URLs in email, they can request a PDF on a legit site, passing some JavaScript requests in the URLs. Older versions of Adobe Reader will pass this request to whichever browser is in use, and some browsers will then get confused about which domain is making the request, potentially leading to cookie-sniffing or session-hijacking. As usual, keeping your internet software updated and current is a strong way to guard against any such exploits.)
Followups news should be available tomorrow, in the Adobe Security Center, from what I currently understand.
tx, jd/adobe
2 - Bruce Kratofil
John -
You are correct. In fact, there's a bug in my bug report. I used the original version, released before Adobe's bulletin, when I should have used the revised bug report, that included the link to Adobe:
There are a number of bugs in the Adobe Acrobat Plug-In for browsers, and in the free Adobe Reader 6 and 7. A malicious website may be able to caryy out cross-site scripting attacks because the browser plug-in doesn't correctly validate URI parameters. There's no official word from Adobe, although US CERT says that it appears the bugs were fixed in Adobe Reader 8. Read their report. Stefano Di Paola, Giorgio Fedon, and Elia Florio are credited with finding these bugs. UPDATE: Adobe now has a bulletin.