High Severity Vulnerabilities found during February, 2014
The UG-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by
the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past
week –Based in the United States.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to
severity, determined by the Common Vulnerability Scoring System (CVSS) standard.
Patch information is provided when available. Please note that some of the information in the bulletins is
compiled from external, open source reports and is not a direct result of UG-CERT analysis.
High Severity Vulnerabilities
Computer Products
affected
Description
Date
Published
CVSS
Score
The CVE
Identity
Apple Mac OS X
Multiple type confusion issues existed in
coresymbolicationd's handling of XPC messages.
These issues were addressed through improved
type checking.
A malicious application may be able to execute
arbitrary code with system privileges
2015-01-30
10.0
CVE-20148817
Symantec PGP
Universal and
Encryption
Management Server
Symantec PGP Universal Server and Encryption
2015-01-31
Management Server before 3.3.2 MP7 is susceptible
to a shell command line injection when an
authorized, but less privileged administrator, is
submitting a request for a database backup.
This could potentially result in the malicious
administrator gaining privileged access on the
server.
9.0
Link
Adobe Flash Player
Unspecified vulnerability in Adobe Flash Player
2015-02-02
through 13.0.0.264 and 14.x, 15.x, and 16.x through
16.0.0.296 on Windows and OS X and through
11.2.202.440 on Linux allows remote attackers to
execute arbitrary code via unknown vectors.
10.0
CVE-20150313
SECTRACK
(link is
external)
BID (link is
external)
SECUNIA
(link is
external)
It has been exploited in the wild since February
2015.
Uganda Communications Commission – UGCERT
Email: [email protected] Tel + 256 414 302 100/150 Toll Free: 0800 133 911
Website www.ug-cert.ug Face book / Twitter: UGCERT
Huawei Quidway
switches
Huawei Quidway switches with firmware before
V200R005C00SPC300 allows remote attackers to
gain privileges via a crafted packet.
2015-02-03
7.5
CVE-20151460
Trendmicro
Vulnerability in Trend Micro Antivirus Plus, Internet
Security, and Maximum Security could allow an
attacker to elevate privileges on the system.
2015-02-06
7.2
CVE-20149641
Microsoft Windows
Server
This security update is rated Critical for all
supported editions of Windows Server 2003,
Windows Vista, Windows Server 2008, Windows 7,
Windows Server 2008 R2, Windows 8, Windows
Server 2012, Windows RT, Windows 8.1, Windows
Server 2012 R2, and Windows RT 8.1.
2015-02-10
8.3
CVE 2015
0008
2015-02-10
9.3
CVE-20150017
The vulnerability could allow remote code
execution if an attacker convinces a user with a
domain-configured system to connect to an
attacker-controlled network.
An attacker who successfully exploited this
vulnerability could take complete control of an
affected system.
An attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights.
Microsoft Internet
Explorer
Microsoft Internet Explorer 6 through 11 allows
remote attackers to execute arbitrary code or
cause a denial of service (memory corruption) via
a crafted web site.
Uganda Communications Commission – UGCERT
Email: [email protected] Tel + 256 414 302 100/150 Toll Free: 0800 133 911
Website www.ug-cert.ug Face book / Twitter: UGCERT
Microsoft Office Suite
This security update is rated Important for all
supported editions of Microsoft Excel 2007,
Microsoft Word 2007, Microsoft Office 2010,
Microsoft Excel 2010, Microsoft Word 2010,
Microsoft Web Applications 2010, Microsoft Excel
2013, Microsoft Word Viewer, Microsoft Excel
Viewer, and Microsoft Office Compatibility Pack.
2015-02-10
9.3
MS15-012
2015-02-15
10.0
CVE-20151474
CONFIRM
(link is
external)
2015-02-21
10.0
CVE-20150331
The vulnerabilities could allow remote code
execution if a user opens a specially crafted
Microsoft Office file.
An attacker who successfully exploited the
vulnerabilities could gain the same user rights as
the current user.
Google Android
Vulnerabilities in Android through 5.0.
Successful exploits may allow an attacker to gain
elevated privileges on the affected application.
Failed exploit attempts may crash the application,
denying service to legitimate users.
Adobe Flash Player
Use-after-free vulnerability in Adobe Flash Player
before 13.0.0.269 and 14.x through 16.x before
16.0.0.305 on Windows and OS X and before
11.2.202.442 on Linux allows an attacker to take
control of the affected system.
Adobe is aware of reports that CVE-2015-0313 is
actively being exploited in the wild via drive-bydownload attacks against systems running Internet
Explorer and Firefox on Windows 8.1 and below.
Adobe recommends users update their product
installations to the latest versions
D-Link
D-Link DAP-1320 Rev Ax with firmware before
1.21b05 allows attackers to execute arbitrary
commands via unspecified vectors.
2015-02-23
10.0
CVE-20152050
Samba
All versions of Samba from 3.5.0 to 4.2.0rc4 are
vulnerable to an unexpected code execution
vulnerability in the smbd file server daemon.
2015-02-23
10.0
CVE-20150240
A malicious client could send packets that may set
up the stack in such a way that the freeing of
memory in a subsequent anonymous netlogon
packet could allow execution of arbitrary code.
Uganda Communications Commission – UGCERT
Email: [email protected] Tel + 256 414 302 100/150 Toll Free: 0800 133 911
Website www.ug-cert.ug Face book / Twitter: UGCERT
This code would execute with root privileges.
For a full list of all of the vulnerabilities discovered throughout previous weeks go to
the reports section on our website.
Uganda Communications Commission – UGCERT
Email: [email protected] Tel + 256 414 302 100/150 Toll Free: 0800 133 911
Website www.ug-cert.ug Face book / Twitter: UGCERT