Message-ID: <02e201c6a50f$2e92e870$066310ac@AZNetworkSecurity.com>
Date: Tue Jul 11 18:26:55 2006
From: mnv at alumni.princeton.edu (MNV)
Subject: GraceNote CDDB ActiveX Control Vulnerability: Gracenote's Lack of Information is abominable
I've been researching the impact of this vulnerability for one of our clients.
The amount of info out there is terrible: affected applications are
basically some obscure stuff by Sony and Nokia.
There is a failure to mention that the ActiveX control is also bundled with
other "obscure" apps like:
WinAmp.
iTunes.
Roxio's CD Burning software.
Any of that on YOUR network?
I have *no idea* if these applications have the vulnerable version of the
ActiveX control. I would LOVE to know this. So I called GraceNote.
Got directed to the website: useless.
Called again. Was promised a callback from someone, which I *did receive*
in under 24 hours. YAY!
Except: again, useless.
Background: there are over 7,000 machines we are responsible for. So a
little thing can have a big ripple effect.
GraceNote (510) 428-7200 rep: I can't tell you if those apps are
vulnerable. If you're worried, just update.
Me: The only apps listed are Sony/Nokia "and others" -- you have no idea
who the others are?
Rep: The software will tell you if it needs to be updated.
(Ya, she really said that. Because we all KNOW that all software just
*knows* it needs to be patched)
Me: Not necessarily a possibility through our firewall. I've identified the
apps as using Gracenote's CDDB ActiveX Control file: can you tell me if
they're affected?
Rep: If you're worried, just do an update.
Ridiculous. I'll now try and get in touch with the bulletin author to see
if he can test/provide more info.
Anyone else, if you can get more outta gracenote: (510) 428-7200, be my
guest. Please.