Vulnerability Note VU#880916
BitZipper 2013 memory-corruption vulnerability
Overview
BitZipper 2013 contains a memory-corruption vulnerability, which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
BitZipper 2013 contains a memory-corruption vulnerability, which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.
Impact
By convincing a user to view a specially crafted ZIP document, an attacker may be able to execute arbitrary code on a vulnerable system.
Solution
Update
The vendor has stated that this vulnerability has been addressed in BitZipper 2013 Update 1. Users are advised to update to BitZipper 2013 Update 1 or later.
Use the Microsoft Enhanced Mitigation Experience Toolkit
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
BitZipper | Affected | 04 Mar 2013 | 16 Apr 2013 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 4.0 | AV:L/AC:H/Au:N/C:N/I:N/A:C |
Temporal | 2.9 | E:U/RL:W/RC:UC |
Environmental | 0.9 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
References
- http://support.microsoft.com/kb/2458544
- http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx
- http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx
- http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx
- http://www.bitzipper.com/
Credit
Thanks to Christopher Gabriel of Telos Corporation for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2013-0138
- Date Public: 16 Apr 2013
- Date First Published: 19 Apr 2013
- Date Last Updated: 19 Apr 2013
- Document Revision: 11