Send e-mail to ACROS SecurityACROS Security's public PGP key  
     

ACROS Security Advisories

We occasionally discover security problems during internal learning processes or in systems that we use or test for our projects. As time allows us, we analyze these security problems and alert the vendors and the public.

If you want to receive our reports as soon as they're published, please subscribe to our Mailing List.

 

 

Title: 

VMware Movie Decoder Installer msiexec.exe Planting

Report: 

-

Vendor: 

VMware

Status: 

problem fixed

References: 

VMware Security Advisory VMSA-2012-0014

CVE: 

CVE-2012-4897

 

 

Title: 

Adobe Reader X (10.1.2) msiexec.exe Planting

Report: 

Blog post

Vendor: 

Adobe

Status: 

problem fixed, report published

References: 

Security updates available for Adobe Reader and Acrobat (APSB12-08)

CVE: 

CVE-2012-0776

 

 

Title: 

Google Chrome HTTPS Address Bar Spoofing

Report: 

Blog post

Vendor: 

Google

Status: 

problem fixed, report published

References: 

Chrome 16 Stable Channel Update

CVE: 

CVE-2011-3907

 

 

Title: 

Remote Binary Planting in Mozilla Thunderbird

Report: 

ASPR #2011-08-18-2

Vendor: 

Mozilla

Status: 

problem fixed, report published

References: 

Mozilla Foundation Security Advisory 2011-32

CVE: 

CVE-2011-2980

 

 

Title: 

Remote Binary Planting in Mozilla Firefox

Report: 

ASPR #2011-08-18-1

Vendor: 

Mozilla

Status: 

problem fixed, report published

References: 

Mozilla Foundation Security Advisory 2011-30

CVE: 

CVE-2011-2980

 

 

Title: 

Remote Binary Planting in Adobe Flash Player

Report: 

ASPR #2011-02-11-2

Vendor: 

Adobe Systems, Inc.

Status: 

problem fixed, report published

References: 

Security update available for Adobe Flash Player

CVE: 

CVE-2011-0575

 

 

Title: 

Remote Binary Planting in Adobe Reader

Report: 

ASPR #2011-02-11-1

Vendor: 

Adobe Systems, Inc.

Status: 

problem fixed, report published

References: 

Security updates available for Adobe Reader and Acrobat

CVE: 

CVE-2011-0562

 

 

Title: 

Remote Binary Planting in Multiple F-Secure Products

Report: 

ASPR #2011-01-11-1

Vendor: 

F-Secure Corp.

Status: 

problem fixed, report published

References: 

Security Advisory FSC-2010-4 - Binary planting vulnerability

CVE: 

unknown

 

 

Title: 

Remote Binary Planting in Windows Address Book

Report: 

ASPR #2010-12-14-1

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin MS10-096 - Important

CVE: 

CVE-2010-3147

 

 

Title: 

Remote Binary Planting in Microsoft Excel 2010

Report: 

ASPR #2010-11-10-3

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin MS10-087 - Critical

CVE: 

CVE-2010-3337

 

 

Title: 

Remote Binary Planting in Microsoft Word 2010

Report: 

ASPR #2010-11-10-2

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin MS10-087 - Critical

CVE: 

CVE-2010-3337

 

 

Title: 

Remote Binary Planting in Microsoft PowerPoint 2010

Report: 

ASPR #2010-11-10-1

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin MS10-087 - Critical

CVE: 

CVE-2010-3337

 

 

Title: 

Remote Binary Planting in Adobe Flash Player

Report: 

ASPR #2010-11-05-1

Vendor: 

Adobe Systems, Inc.

Status: 

problem fixed, report published

References: 

Security update available for Adobe Flash Player

CVE: 

CVE-2010-3976

 

 

Title: 

Remote Binary Planting in Apple Safari for Windows

Report: 

ASPR #2010-09-08-1

Vendor: 

Apple, Inc.

Status: 

problem fixed, report published

References: 

About the security content of Safari 5.0.2 and Safari 4.1.2

CVE: 

CVE-2010-1805

 

 

Title: 

Remote Binary Planting in Apple iTunes for Windows

Report: 

ASPR #2010-08-18-1

Vendor: 

Apple, Inc.

Status: 

problem fixed, report published

References: 

About the security content of iTunes 9.1

CVE: 

CVE-2010-1795

 

 

Title: 

Remote Binary Planting in VMware Tools for Windows

Report: 

ASPR #2010-04-12-1

Vendor: 

VMware, Inc.

Status: 

problem fixed, report published

References: 

VMware Security Advisory VMSA-2010-0007

CVE: 

CVE-2010-1141

 

 

Title: 

Local Binary Planting in VMware Tools for Windows

Report: 

ASPR #2010-04-12-2

Vendor: 

VMware, Inc.

Status: 

problem fixed, report published

References: 

VMware Security Advisory VMSA-2010-0007

CVE: 

CVE-2010-1142

 

 

Title: 

HTML Injection in Oracle WebLogic Server Console

Report: 

ASPR #2009-10-30-1

Vendor: 

Oracle Corporation

Status: 

problem fixed, report published

References: 

Oracle Critical Patch Update Advisory - October 2009

CVE: 

CVE-2009-3396

 

 

Title: 

HTML Injection in BEA WebLogic Server Console

Report: 

ASPR #2009-01-27-1

Vendor: 

Oracle Corporation

Status: 

problem fixed, report published

References: 

Oracle Critical Patch Update Advisory - January 2009

CVE: 

unknown

 

 

Title: 

XML Entity Explosion in Ruby

Report: 

ASPR #2009-01-05-1

Vendor: 

Ruby

Status: 

problem fixed, report published

References: 

Ruby news post

CVE: 

CVE-2008-3790

 

 

Title: 

HTTP Header Injection in Ruby Core library

Report: 

ASPR #2009-01-05-2

Vendor: 

Ruby

Status: 

problem fixed, report published

References: 

Ruby on Rails weblog post

CVE: 

CVE-2008-5189

 

 

Title: 

Session Fixation Vulnerability in WebLogic Administration Console

Report: 

ASPR #2008-03-11-2

Vendor: 

BEA Systems

Status: 

problem fixed, report published

References: 

BEA Systems Security Advisory BEA08-196.00

CVE: 

CVE-2008-0900

 

 

Title: 

HTML Injection in BEA WebLogic Server Console

Report: 

ASPR #2008-03-11-1

Vendor: 

BEA Systems

Status: 

problem fixed, report published

References: 

BEA Systems Security Advisory BEA08-195.00

CVE: 

CVE-2008-0899

 

 

Title: 

Session Fixation Vulnerability in HP SIM 5.0

Report: 

ASPR #2007-05-14-1

Vendor: 

Hewlett-Packard Company

Status: 

problem fixed, report published

References: 

HP Security Bulletin

CVE: 

CVE-2007-2719

 

 

Title: 

Buffer Overflow In Retroclient Service

Report: 

ASPR #2006-05-17-1

Vendor: 

EMC Corporation

Status: 

problem fixed, report published

References: 

EMC Retrospect Knowledgebase

CVE: 

CVE-2006-2391

 

 

Title: 

HTML Injection in BEA WebLogic Server Console (2)

Report: 

ASPR #2005-05-24-2

Vendor: 

BEA Systems, Inc.

Status: 

problem fixed, report published

References: 

BEA Systems Security Advisory BEA07-80.03

CVE: 

CAN-2005-1747

 

 

Title: 

HTML Injection in BEA WebLogic Server Console (1)

Report: 

ASPR #2005-05-24-1

Vendor: 

BEA Systems, Inc.

Status: 

problem fixed, report published

References: 

BEA Systems Security Advisory BEA07-80.03

CVE: 

CAN-2005-1747

 

 

Title: 

Unsanitized Session ID Cookie Allows Modifying Server Response

Report: 

ASPR #2004-10-14-3

Vendor: 

Macromedia, Inc.

Status: 

problem fixed, report published

References: 

Macromedia Security Bulletin

CVE: 

CAN-2004-1478

 

 

Title: 

Session Fixation in JRun Management Console

Report: 

ASPR #2004-10-14-2

Vendor: 

Macromedia, Inc.

Status: 

problem fixed, report published

References: 

Macromedia Security Bulletin

CVE: 

CAN-2004-1478

 

 

Title: 

HTML Injection in JRun Management Console

Report: 

ASPR #2004-10-14-1

Vendor: 

Macromedia, Inc.

Status: 

problem fixed, report published

References: 

Macromedia Security Bulletin

CVE: 

CAN-2004-1477

 

 

Title: 

Poisoning Cached HTTPS Documents in Internet Explorer

Report: 

ASPR #2004-10-13-1

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin

CVE: 

CAN-2004-0845

 

 

Title: 

Internet Explorer/Outlook double null character DoS

Report: 

ASPR #2004-01-20-1

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin

CVE: 

CAN-2004-0284

 

 

Title: 

Remote Retrieval Of IIS Session Cookies From Web Browsers

Report: 

ASPR #2000-07-22-1

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin

CVE: 

CVE-2000-0970

 

 

Title: 

Remote Retrieval Of Authentication Data From Internet Explorer

Report: 

ASPR #2000-07-22-2

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin

CVE: 

CVE-2000-0982

 

 

Title: 

Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator

Report: 

ASPR #2000-04-06-1

Vendor: 

Netscape Corp. (an America Online, Inc.  company)

Status: 

problem fixed, report published

References: 

Netscape Security Notes
CERT/CC Advisory
C|NET Story

CVE: 

CVE-2000-0406

 

 

Title: 

Bypassing Warnings For Invalid SSL Certificates In Internet Explorer

Report: 

ASPR #1999-12-15-1

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin
CERT/CC Advisory

CVE: 

CVE-2000-0518, CVE-2000-0519

 

 

Title: 

Processing Of Illegal URL Hexadecimal Encodings In IIS 4.0

Report: 

ASPR #1999-11-10-1

Vendor: 

Microsoft Corp.

Status: 

problem fixed, report published

References: 

Microsoft Security Bulletin

CVE: 

CVE-2000-0024

 

 

Title: 

A "dot-dot" Problem In WebID Agent For Microsoft IIS

Report: 

ASPR #1999-10-26-1

Vendor: 

RSA Security, Inc.

Status: 

problem fixed, report published

References: 

RSA Security Bulletin *

CVE: 

CAN-2001-1461

 

Older ASPR Reports

Title: 

A Malicious E-mail Message Can Compromise User's Mailbox In My DejaNews

Vendor: 

Deja.com

 

 

Title: 

Vulnerable Scripts Are Exposing Web And Database Server at Nasdaq

Vendor: 

Nasdaq Stock Market

 

 

Title: 

HTTP Large Denial Of Service In Lotus Domino Web Server

Vendor: 

Lotus Development Corp.

 

 

Title: 

Passphrase Keyboard Sniffing In PGPdisk

Vendor: 

Network Associates, Inc

 

 

Title: 

Proportional Font Reveals Information About Passphrases in PGP

Vendor: 

Network Associates, Inc



* Mirrored with vendor's permission.

. Subscribe to ASPR mailing list