US-CERT has reported some vulnerabilities in Groove Virtual Office and Grove Workspace, which can be exploited by malicious, local users to disclose various information and by malicious people to conduct script insertion attacks, bypass certain security restrictions, and trick users into executing malicious files.

1) Files in the installation directory have improper permissions, which can be exploited to disclose authentication information and user data.

2) Input passed to the picture column and drop-down list of a SharePoint list is not properly sanitised before being used. This can be exploited inject arbitrary script code, which will be executed in context of a user's environment.

3) An error in the access restrictions on COM objects can be exploited to use the services of COM objects (e.g. for script execution).

4) The file extension for files attached to or embedded in a document via Microsoft Windows OLE (Object Linking and Embedding) is not properly displayed for users. This can be exploited to trick users into opening malicious executable files.

Solution
Groove Virtual Office:
Further details available in Customer Area

Provided and/or discovered by
US-CERT

Changelog
Further details available in Customer Area

Original Advisory
US-CERT:
http://www.kb.cert.org/vuls/id/443370
http://www.kb.cert.org/vuls/id/372618
http://www.kb.cert.org/vuls/id/155610
http://www.kb.cert.org/vuls/id/514386
http://www.kb.cert.org/vuls/id/232232

Deep Links
Links available in Customer Area