Home » 2010 » January » 14
[CORE-2009-1209] Google SketchUp 'lib3ds' 3DS Importer Memory Corruption
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Core Security Technologies - CoreLabs Advisory
          http://www.coresecurity.com/corelabs/

Google SketchUp 'lib3ds' 3DS Importer Memory Corruption



1. *Advisory Information*

Title: Google SketchUp 'lib3ds' 3DS Importer Memory Corruption
Advisory Id: CORE-2009-1209
Advisory URL:
http://www.coresecurity.com/content/google-sketchup-vulnerability
Date published: 2010-01-13
Date of last update: 2010-01-12
Vendors contacted: Google
Release mode: Coordinated release



2. *Vulnerability Information*

Class: Failure to Constrain Operations within the Bounds of a Memory
Buffer [CWE-119], Out-of-b ... Read more »
Views: 1429 | Added by: b1zz4rd | Date: 14 January 2010 | Comments (0)

Cross Site Identification (CSID) attack. Description and demonstration.

A new type of vulnerability is described in which publicly available
information from social network sites obtained out of context, can be
used to identify a user in cases where anonymity is taken for granted.

This attack (dubbed Cross Site Identification, or CSID) assumes the
following scenario: A user that is currently logged on to her social
network account visits a 3rd party site, supposedly anonymously, in
another browser tab. The 3rd party site causes her browser to contact
the social network site and exploit the vulnerability resulting in her
identity being disclosed to the attacker. The 3rd party target site is
not necessarily controlled by the attacker. It could also be, for
example, any site allowing user provided content that includes an
image link (basically any forum or blog site). Other possibilities
exist.

While the information that is received by the attacker is technically
publicly available, obtain ... Read more »
Views: 8594 | Added by: b1zz4rd | Date: 14 January 2010 | Comments (0)

close