
Secunia Research: Google Picasa Phase One Tags Processing Integer Overflow Vulnerability



======================================================================

 

      Secunia Research (now part of Flexera Software) 09/10/2015



Google Picasa Phase One Tags Processing Integer Overflow Vulnerability



======================================================================

Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9



======================================================================



1) Affected Software



* Google Picasa version 3.9.140 Build 239

* Google Picasa version 3.9.140 Build 248



NOTE: Other versions may also be affected.



======================================================================



2) Severity 



Rating: Highly critical

Impact: System Access

Where:  From remote

 

======================================================================



3) Description of Vulnerability



Secunia Research has discovered a vulnerability in Google Picasa,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer overflow error when
processing data related to the Phase One 0x412 tag and can be
exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in versions 3.9.140 Build 239 and
3.9.140 Build 248 running on Windows.
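
The bug class described above, as an added illustration that is not taken
from the advisory or from Picasa's code: a size computed from
file-supplied fields wraps in 32 bits, next to a checked form that rejects
such input. The struct, its field names and the sample values are
assumptions, since the advisory does not describe the 0x412 data layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical size fields taken from an untrusted file. The advisory does
 * not describe the 0x412 data layout, so these names are assumptions. */
struct tag_dims {
    uint32_t count;     /* number of elements the file claims */
    uint32_t elem_size; /* bytes per element the file claims  */
};

/* Unchecked form: the 32-bit product silently wraps, so a huge claimed
 * element count can yield a tiny allocation size. */
uint32_t alloc_size_unchecked(const struct tag_dims *d)
{
    return d->count * d->elem_size;
}

/* Checked form: reject zero sizes, products that would wrap, and sizes
 * larger than the bytes actually left in the file. */
bool alloc_size_checked(const struct tag_dims *d, uint64_t bytes_left,
                        size_t *out)
{
    if (d->count == 0 || d->elem_size == 0)
        return false;
    if (d->count > UINT32_MAX / d->elem_size)
        return false; /* count * elem_size does not fit in 32 bits */
    uint64_t need = (uint64_t)d->count * d->elem_size;
    if (need > bytes_left)
        return false; /* file is too short to hold the claimed data */
    *out = (size_t)need;
    return true;
}

int main(void)
{
    struct tag_dims d = { 0x40000001u, 4u }; /* constructed sample values */
    size_t n = 0;
    printf("unchecked size: %u bytes\n", (unsigned)alloc_size_unchecked(&d));
    printf("checked: %s\n",
           alloc_size_checked(&d, 1u << 20, &n) ? "accepted" : "rejected");
    return 0;
}
```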



======================================================================



4) Solution 



The vendor has released a fix in version 3.9.140 Build 248; however,
the fix is ineffective. No official solution is currently available.
The vendor is currently planning to release a fix on 30th October,
2015.



======================================================================



5) Time Table 



04/08/2015 - Vendor notified of vulnerability.
04/08/2015 - Vendor acknowledges report.
10/08/2015 - Vendor requests PoC.
10/08/2015 - Provision of PoC.
19/08/2015 - Vendor acknowledges receipt.
08/09/2015 - Request of status update.
11/09/2015 - Vendor states fixed in code. ETA not yet available.
19/09/2015 - Vendor states update has been pushed.
25/09/2015 - Vendor notified of incomplete fix.
26/09/2015 - Vendor acknowledges receipt.
05/10/2015 - Request ETA of fix. Vendor notified that, due to the
             public availability of the improper fix release, an
             advisory release deadline of 09/10/2015 is established.
06/10/2015 - Vendor acknowledges and estimates 30/10/2015 release of
             fix.
06/10/2015 - Vendor notified that advisory deadline will still
             be applicable.
06/10/2015 - Vendor acknowledges and states to send notification once
             properly fixed.
09/10/2015 - Public disclosure of advisory.
12/10/2015 - Public disclosure of research advisory.



======================================================================



6) Credits 



Discovered by Hossein Lotfi, Secunia Research (now part of
Flexera Software).



======================================================================



7) References



Currently no CVE identifier is assigned.

 

======================================================================



8) About Secunia (now part of Flexera Software)



In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals who are interested in or concerned about IT security:

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to help improve the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/



======================================================================



9) Verification 



Please verify this advisory by visiting the Secunia website:

http://secunia.com/secunia_research/2015-03/



Complete list of vulnerability reports published by Secunia Research:

http://secunia.com/secunia_research/



======================================================================