Advisories & Alerts


-------------------------------------------------

Date Reported: 2012/07/05
Name: MS12-037 : Cumulative Security Update for Internet Explorer-XP
Risk: High
CVSS Base Score: 9.3
Description:
This security update resolves one publicly disclosed and twelve privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2012-1858, CVE-2012-1872, CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881, CVE-2012-1882)
Category: MS HOTFIX
Affect OS: Windows XP
Link: http://vdb.dragonsoft.com/detail.php?id=5007

Date Reported: 2012/07/05
Name: MS12-037 : Cumulative Security Update for Internet Explorer-2003
Risk: High
CVSS Base Score: 9.3
Description:
This security update resolves one publicly disclosed and twelve privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2012-1858, CVE-2012-1872, CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881, CVE-2012-1882)
Category: MS HOTFIX
Affect OS: Windows 2003
Link: http://vdb.dragonsoft.com/detail.php?id=5006

Date Reported: 2012/07/05
Name: MS12-036 : Vulnerability in Remote Desktop Could Allow Remote Code Execution-WIN7,2008R2
Risk: High
CVSS Base Score: 9.3
Description:
This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Category: MS HOTFIX
Affect OS: Windows 7,Windows 2008R2
Link: http://vdb.dragonsoft.com/detail.php?id=5005

Date Reported: 2012/07/05
Name: MS12-036 : Vulnerability in Remote Desktop Could Allow Remote Code Execution-Vista,2008
Risk: High
CVSS Base Score: 9.3
Description:
This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Category: MS HOTFIX
Affect OS: Vista,Windows 2008
Link: http://vdb.dragonsoft.com/detail.php?id=5004

Date Reported: 2012/07/05
Name: MS12-036 : Vulnerability in Remote Desktop Could Allow Remote Code Execution-XP
Risk: High
CVSS Base Score: 9.3
Description:
This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Category: MS HOTFIX
Affect OS: Windows XP
Link: http://vdb.dragonsoft.com/detail.php?id=5003

Date Reported: 2012/07/05
Name: MS12-036 : Vulnerability in Remote Desktop Could Allow Remote Code Execution
Risk: High
CVSS Base Score: 9.3
Description:
This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Category: MS HOTFIX
Affect OS: Windows 2003
Link: http://vdb.dragonsoft.com/detail.php?id=5002

Date Reported: 2012/07/06
Name: MS12-042 : Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege-XP
Risk: High
CVSS Base Score: 7.2
Description:
This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. (CVE-2012-0217, CVE-2012-1515)
Category: MS HOTFIX
Affect OS: Windows XP
Link: http://vdb.dragonsoft.com/detail.php?id=5013

Date Reported: 2012/07/06
Name: MS12-042 : Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege-2003
Risk: High
CVSS Base Score: 7.2
Description:
This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. (CVE-2012-0217, CVE-2012-1515)
Category: MS HOTFIX
Affect OS: Windows 2003
Link: http://vdb.dragonsoft.com/detail.php?id=5012

Date Reported: 2012/07/06
Name: MS12-041 : Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege-XP
Risk: High
CVSS Base Score: 7.2
Description:
This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. (CVE-2012-1864, CVE-2012-1865, CVE-2012-1866, CVE-2012-1867, CVE-2012-1868)
Category: MS HOTFIX
Affect OS: Windows XP
Link: http://vdb.dragonsoft.com/detail.php?id=5009

Date Reported: 2012/07/06
Name: MS12-041 : Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege-2003
Risk: High
CVSS Base Score: 7.2
Description:
This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. (CVE-2012-1864, CVE-2012-1865, CVE-2012-1866, CVE-2012-1867, CVE-2012-1868)
Category: MS HOTFIX
Affect OS: Windows 2003
Link: http://vdb.dragonsoft.com/detail.php?id=5008

Date Reported: 2012/07/09
Name: Oracle MySQL Server Optimizer Vulnerability(CVE-2012-1703)
Risk: Medium
CVSS Base Score: 6.8
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5035

Date Reported: 2012/07/06
Name: MS12-042 : Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege-WIN7,2008R2
Risk: Medium
CVSS Base Score: 6.8
Description:
This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. (CVE-2012-0217, CVE-2012-1515)
Category: MS HOTFIX
Affect OS: Windows 7,Windows 2008R2
Link: http://vdb.dragonsoft.com/detail.php?id=5014

Date Reported: 2012/07/06
Name: MS12-041 : Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege-WIN7,2008R2
Risk: Medium
CVSS Base Score: 6.8
Description:
This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. (CVE-2012-1864, CVE-2012-1865, CVE-2012-1866, CVE-2012-1867, CVE-2012-1868)
Category: MS HOTFIX
Affect OS: Windows 7,Windows 2008R2
Link: http://vdb.dragonsoft.com/detail.php?id=5011

Date Reported: 2012/07/06
Name: MS12-041 : Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege-Vista,2008
Risk: Medium
CVSS Base Score: 6.8
Description:
This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. (CVE-2012-1864, CVE-2012-1865, CVE-2012-1866, CVE-2012-1867, CVE-2012-1868)
Category: MS HOTFIX
Affect OS: Vista,Windows 2008
Link: http://vdb.dragonsoft.com/detail.php?id=5010

Date Reported: 2012/07/07
Name: Oracle MySQL User Login Security Bypass Vulnerability(CVE-2012-2122)
Risk: Medium
CVSS Base Score: 5.1
Description:
sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5034

Date Reported: 2012/07/07
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0486)
Risk: Medium
CVSS Base Score: 5
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5026

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0113)
Risk: Medium
CVSS Base Score: 5.5
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0118.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5016

Date Reported: 2012/07/09
Name: Oracle MySQL Server Partition Vulnerability(CVE-2012-1697)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5033

Date Reported: 2012/07/08
Name: Oracle MySQL Server Optimizer Vulnerability(CVE-2012-1696)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.19 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5032

Date Reported: 2012/07/08
Name: Oracle MySQL Server Optimizer Vulnerability(CVE-2012-1690)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5031

Date Reported: 2012/07/07
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0490)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect availability via unknown vectors.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5030

Date Reported: 2012/07/07
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0489)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5029

Date Reported: 2012/07/07
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0488)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5028

Date Reported: 2012/07/07
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0487)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5027

Date Reported: 2012/07/07
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0485)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0492.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5025

Date Reported: 2012/07/07
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0484)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect confidentiality via unknown vectors.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5024

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0120)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0485, and CVE-2012-0492.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5023

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0119)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5022

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0118)
Risk: Medium
CVSS Base Score: 4.9
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0113.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5021

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0116)
Risk: Medium
CVSS Base Score: 4.9
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5019

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0115)
Risk: Medium
CVSS Base Score: 4
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5018

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0117)
Risk: Low
CVSS Base Score: 3.5
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5020

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0114)
Risk: Low
CVSS Base Score: 3
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows local users to affect confidentiality and integrity via unknown vectors.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5017

Date Reported: 2012/07/06
Name: Oracle MySQL Server unspecified Vulnerability(CVE-2012-0112)
Risk: Low
CVSS Base Score: 3.5
Description:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
Category: MySQL
Affect OS: Windows, UNIX
Link: http://vdb.dragonsoft.com/detail.php?id=5015


-------------------------------------------------

Risk:
High: Allows immediate remote or local access, or immediate execution of code or commands
with unauthorized privileges, or bypassing security on firewalls.
Medium: Potential of granting access or allowing code execution by means of complex or
lengthy exploit procedures. Examples are cross-site scripting, man-in-the-middle
attacks, SQL injection, denial of service, information disclosure.
Low: Denies service or provides non-system information that could be used to formulate
structured attacks on a target, but does not directly grant unauthorized access.
-------------------------------------------------
Copyright (c) DragonSoft Security Associates, Inc. All rights reserved

Permission is hereby granted for the electronic redistribution of this document.
It is not to be edited or altered in any way without the express written consent
of the DragonSoft Security Associates. If you wish to reprint the whole or any
part of this document in any other medium excluding electronic media, please email
alert@dragonsoft.com for permission.

Disclaimer: The information in the database may change without notice.
Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information, implied or otherwise,
with regard to this information or its use. Any use of this information is at
the user's risk. In no event shall the author/distributor be held liable for any
damages whatsoever arising out of or in connection with the use or spread of this information.

Please send suggestions, updates, and comments to: DragonSoft
vdb_adm@dragonsoft.com of DragonSoft Security Associates, Inc.

About DragonSoft Security Associates:
DragonSoft Security Associates is a leading developer in Taiwan for network security software
and an active contributor to network security education.
Founded in 2002, DragonSoft offers vulnerability management solutions, including
vulnerability assessment, System Security Management and intrusion prevention.

DragonSoft Security Associates, Inc. http://www.dragonsoft.com/
10F, No. 150, Sec. 2, Nanjing E. Road, Taipei 104 235 R.O.C
Tel. +886-2-2501-0118 Fax. +886-2-2501-0035
