For Musicmatch Jukebox users:
Musicmatch Jukebox Two Vulnerabilities
Secunia Advisory: SA15087
Release Date: 2005-04-25
Critical: Moderately critical
Impact: Unknown, Manipulation of data
Where: From remote
Solution Status: Vendor Patch
Software: Musicmatch Jukebox 10, Musicmatch Jukebox 9
CVE reference: CAN-2005-1167, CAN-2005-1168, CAN-2005-1185, CAN-2005-1186
Description:
Two vulnerabilities have been reported in Musicmatch Jukebox, where one has an unknown impact, and the other can be exploited by malicious people to create or overwrite arbitrary files.
1) An unspecified boundary error exists, which can be exploited to cause a buffer overflow.
2) An input validation error in the "StartDiagCollection()" function in the "DiagCollectionControl" ActiveX control can be exploited to create and overwrite arbitrary files by tricking a user into visiting a malicious web site.
Some other issues have also been reported. These include improper storing of log information and temporary files, inappropriate adding of "*.musicmatch.com" to the Trusted Zone in Internet Explorer, and an insecure "CreateProcess()" call, which may allow execution of a malicious program named "c:\program.exe".
The vulnerabilities have been reported in versions 10.00.2047, 9.00.0159 and prior.
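The insecure "CreateProcess()" call above is the unquoted-path problem: when the command line handed to CreateProcess() is an unquoted path containing spaces, Windows tries the text before the first space as the program name first, so an install under "C:\Program Files\..." makes "c:\program.exe" the first candidate. The C program below is an added example, not code from the advisory, Secunia, Hyperdose or Musicmatch. It emulates the documented candidate order on any command line, shows that the quoted form yields a single unambiguous candidate, and uses a constructed Musicmatch install path that is an assumption, not the product's real one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_CANDIDATES 16
#define MAX_PATH_LEN   260

/* True if s ends in ".exe" (case-insensitive, as Windows compares names). */
static int has_exe_suffix(const char *s)
{
    const char *ext = ".exe";
    size_t n = strlen(s);
    if (n < 4)
        return 0;
    for (int i = 0; i < 4; i++)
        if (tolower((unsigned char)s[n - 4 + i]) != ext[i])
            return 0;
    return 1;
}

/*
 * Emulates the lookup order documented for CreateProcess() when
 * lpApplicationName is NULL and lpCommandLine is an unquoted path with
 * spaces: the text before each space is tried in turn as the module name
 * (".exe" appended when that extension is missing) and the first existing
 * file wins. A quoted command line yields exactly one candidate.
 * Fills `out` in the order Windows would try them; returns the count.
 */
int unquoted_candidates(const char *cmdline, char out[][MAX_PATH_LEN], int max)
{
    size_t len = strlen(cmdline);
    int count = 0;

    if (max < 1)
        return 0;

    if (cmdline[0] == '"') {                 /* quoted: unambiguous */
        const char *end = strchr(cmdline + 1, '"');
        size_t n = end ? (size_t)(end - (cmdline + 1)) : len - 1;
        if (n >= MAX_PATH_LEN)
            n = MAX_PATH_LEN - 1;
        memcpy(out[0], cmdline + 1, n);
        out[0][n] = '\0';
        return 1;
    }

    for (size_t i = 1; i <= len && count < max; i++) {
        if (cmdline[i] != ' ' && cmdline[i] != '\0')
            continue;
        size_t n = i;
        if (n > MAX_PATH_LEN - 5)            /* room for ".exe" + NUL */
            n = MAX_PATH_LEN - 5;
        memcpy(out[count], cmdline, n);
        out[count][n] = '\0';
        if (!has_exe_suffix(out[count]))
            strcat(out[count], ".exe");
        count++;
    }
    return count;
}

/*
 * Hardened form: wrap the executable path in quotes so the module name is
 * unambiguous regardless of spaces. Returns 0 on success, -1 if `out` is
 * too small.
 */
int quoted_command_line(const char *exe_path, const char *args,
                        char *out, size_t size)
{
    int n = snprintf(out, size, "\"%s\"%s%s", exe_path,
                     (args && *args) ? " " : "", args ? args : "");
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    /* Constructed install path; the advisory does not give the real one. */
    const char *exe = "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmjb.exe";
    char cands[MAX_CANDIDATES][MAX_PATH_LEN];
    char safe[MAX_PATH_LEN];
    int n = unquoted_candidates(exe, cands, MAX_CANDIDATES);

    printf("Unquoted: CreateProcess would try, in order:\n");
    for (int i = 0; i < n; i++)
        printf("  %s\n", cands[i]);

    quoted_command_line(exe, "/silent", safe, sizeof safe);
    n = unquoted_candidates(safe, cands, MAX_CANDIDATES);
    printf("Quoted: %s -> %d candidate: %s\n", safe, n, cands[0]);
    return 0;
}
```

Running it lists "C:\Program.exe" as the first thing Windows would look for. An administrator can use the same candidate list to audit other installed programs: any candidate whose parent directory (here the root of C:) lets non-administrators create files is a place where a stray executable would be picked up before the intended one, and the fix on the developer side is the quoted form.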
Solution: The vulnerabilities have been fixed in an updated version. http://www.musicmatch.com/download/free/security.htm
Provided and/or discovered by:
1) Reported by vendor
2) Robert Fly, Hyperdose
Original Advisory:
Yahoo!: http://www.musicmatch.com/info/user_guide/faq/security_updates.htm
Hyperdose:
http://www.hyperdose.com/advisories/H2005-02.txt
http://www.hyperdose.com/advisories/H2005-03.txt
http://www.hyperdose.com/advisories/H2005-04.txt
http://www.hyperdose.com/advisories/H2005-05.txt
Please note: The information on which this Secunia Advisory is based comes from third parties unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
Peter Kaulback
--
I haven't failed, I've found 10,000 ways that don't work.
Thomas Edison (1847-1931)
PCWorks Mailing List (http://pcworkers.com)
