Get this blog as an RSS Feed

Monthly Binary Analysis Update (April)

15:59 CET, 12th May 2009 By Carsten Eiram.

April yielded 25 issued BA reports with another 0-day vulnerability in Microsoft Office, 8 Microsoft security bulletins, and more vulnerabilities reported in various PDF viewers' JBIG2 implementations, all accompanied by other daringly sexy vulnerabilities.

* Microsoft Word 97 Converter File Parsing Integer Underflow (SA32997)
* Windows Word 97 Converter File Parsing Buffer Overflow (SA32997 / CVE-2008-4841)

Some of the most interesting vulnerabilities fixed by Microsoft in April were the vulnerabilities in the Microsoft Word 97 Converter (ignoring the fixed Excel 0-day for which a BA was issued already in March).

The converter converts older Word 97 documents into RTF and is e.g. used by WordPad. Various errors during conversion could be exploited to execute arbitrary code on a user's system if a malicious Word document was opened. While the BA named: "Windows Word 97 Converter File Parsing Buffer Overflow" was determined to most likely be related to CVE-2008-4841, the BA named: "Microsoft Word 97 Converter File Parsing Integer Underflow" could not immediately be associated with any of the reported vulnerabilities and is currently believed to be a silent fix.

* BEA WebLogic Plug-ins SSL Certificate Handling Buffer Overflow (SA34074 / CVE-2009-0190)
* BEA WebLogic Plug-ins HTTP Processing Integer Overflow (SA34074 / CVE-2009-0189)

This month, Oracle issued their quarterly security fixes for various Oracle products. Two of the vulnerabilities fixed in WebLogic Server were discovered by Secunia Research.

Specifically, the vulnerabilities (an integer overflow when parsing HTTP requests and a stack-based buffer overflow when parsing SSL certificates) were within the plug-ins bundled with WebLogic Server to allow a server to receive requests via an Apache, Sun, or IIS web server.

* PowerPoint Record Parsing Code Execution Vulnerability (SA34572 / CVE-2009-0556)

In April, another 0-day was reported in Microsoft Office - this time in PowerPoint. Naturally, a BA was issued to ensure that our customers would be able to create some efficient signatures to ensure that their IDS/IPS systems could detect malicious files.

As Microsoft has informed that they will be issuing a security bulletin for PowerPoint in May, we hope that this vulnerability will be addressed. According to Microsoft, the security bulletin will also be fixing a PowerPoint vulnerability reported by Secunia Research for which a reliable exploit has been developed in-house.

When Microsoft issues their security bulletin, this exploit along with an in-depth BA report will, naturally, be made immediately available to our BA customers to ensure that solid signatures can be created as quickly as possible.

* Adobe Reader JBIG2 Text Region Segment Buffer Overflow (SA33901 / CVE-2009-1062)
* Xpdf JBIG2 Symbol Dictionary Buffer Overflow Vulnerability (SA34291 / CVE-2009-0195)

As I mentioned last month, there have been a lot of vulnerability reports in various PDF viewers' JBIG2 parsing functionality lately. After the initial reports, Secunia Research has been spending a fair amount of time auditing various PDF viewer's JBIG2 implementations and have discovered a number of vulnerabilities in different products.

This month, it was Adobe's turn to fix more vulnerabilities in this functionality in Adobe Reader and they were kept company by the developers of the open-source viewer: Xpdf, who similarly fixed a number of vulnerabilities in the JBIG2 implementation. Secunia Research discovered and coordinated a vulnerability in each program.

That's it for this month...

Stay Secure,

Carsten Eiram,
Chief Security Specialist

Discuss this blog entry
A new thread in our forum is created. Activate the thread by commenting/discussing below.

Subject: Monthly Binary Analysis Update (April)

No posts yet
You must be logged in to post a comment.