TITLE:
Groove Virtual Office / Workspace Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA15421

VERIFY ADVISORY:
http://secunia.com/advisories/15421/

CRITICAL:
Less critical

IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of system
information, Exposure of sensitive information

WHERE:
From local network

SOFTWARE:
Groove Workspace 2.x
http://secunia.com/product/5133/
Groove Virtual Office 3.x
http://secunia.com/product/4918/

DESCRIPTION:
US-CERT has reported some vulnerabilities in Groove Virtual Office
and Groove Workspace, which can be exploited by malicious, local users
to disclose various information and by malicious people to conduct
script insertion attacks, bypass certain security restrictions, and
trick users into executing malicious files.

1) Files in the installation directory have improper permissions,
which can be exploited to disclose authentication information and
user data.

2) Input passed to the picture column and drop-down list of a
SharePoint list is not properly sanitised before being used. This can
be exploited to inject arbitrary script code, which will be executed
in the context of a user's environment.

3) An error in the access restrictions on COM objects can be
exploited to use the services of COM objects (e.g. for script
execution).

4) The file extension for files attached to or embedded in a document
via Microsoft Windows OLE (Object Linking and Embedding) is not
properly displayed for users. This can be exploited to trick users
into opening malicious executable files.

SOLUTION:
Groove Virtual Office:
Update to version 3.1a build 2364 or 3.1 build 2338.
http://www.groove.net/index.cfm/pagename/UpdateGroove/

Groove Workspace:
Update to version 2.5n build 1871.
http://www.groove.net/index.cfm?pagename=DownloadsArchive

PROVIDED AND/OR DISCOVERED BY:
US-CERT

ORIGINAL ADVISORY:
US-CERT:
http://www.kb.cert.org/vuls/id/443370
http://www.kb.cert.org/vuls/id/372618
http://www.kb.cert.org/vuls/id/155610
http://www.kb.cert.org/vuls/id/514386
http://www.kb.cert.org/vuls/id/232232
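
ADDED EXAMPLE (not part of the Secunia advisory or of Groove's own tooling):
A PowerShell audit for issue 1 that lists files under a Groove installation
directory which broad local groups can read or modify. The advisory does not
name the directory or the affected files, so the path is a parameter you
supply, and treating Everyone, Authenticated Users and BUILTIN\Users as
"too broad" is an assumption of this example.

```powershell
# Added example: audit a Groove installation directory for ACL entries that
# let broad groups read or modify files (issue 1 in the advisory).
param(
    # Assumption: the advisory does not name the directory; pass it in.
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

# Well-known SIDs for broad principals. Matching on SID rather than name
# keeps the check working on localized Windows installations.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that expose file contents or allow tampering.
$readMask  = [System.Security.AccessControl.FileSystemRights]::ReadData
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

$items = @(Get-Item -LiteralPath $InstallDir) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # Request rules keyed by SID, explicit and inherited.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or -not $broadSids.ContainsKey($sid)) { continue }
        $canRead  = ($rule.FileSystemRights -band $readMask)  -ne 0
        $canWrite = ($rule.FileSystemRights -band $writeMask) -ne 0
        if ($canRead -or $canWrite) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Writable  = $canWrite
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Writable entries first, since they allow tampering as well as disclosure.
$findings | Sort-Object Writable, Path -Descending | Format-Table -AutoSize -Wrap
```

Read access for local users is normal on program binaries, so review the
output for files that hold account or user data, and re-run it after
updating to the fixed builds listed under SOLUTION.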