Packet Storm - Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
Updated: 15 min 33 sec ago
If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
A crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86. The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.
Adobe Flash suffers from a URL resource use-after-free vulnerability.
There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers.
There is a use-after-free in CreateTextField in Adobe Flash.
A heap overflow exists due to a 64-32 integer truncation issue in device/hid/hid_connection_linux.cc.
The proof of concept works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
There is a use-after-free in MovieClip.swapDepths in Adobe Flash.
Researchers have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files.
Windows Kernel Win32k.sys TTF Font Processing Out-Of-Bounds Pool Memory Access In Win32k!fsc_RemoveDups
Researchers have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files.
The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
The attached sample, signal_sigsegv_7ffff60a1429_9554_f4dc661554237404dfe394d4c6c3e674.swf, crashes on Linux x64.
The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes on Linux x64 build (Flash v188.8.131.52).
The attached swf file in Google Chrome (Linux x64) will eventually result in dialog offering to terminate the slow script.
A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.
Adobe Flash suffers from a heap use-after-free vulnerability in SurfaceFilterList::CreateFromScriptAtom.
Easy File Management Web Server version 5.6 suffers from a USERID remote buffer overflow vulnerability.
FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a race condition in FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making destination to be a junction.