>> ARCHIVE: 2015-12

Kaspersky Virtual Keyboard suffers from a path traversal vulnerability.

There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.

If IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a…

If the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an integer overflow occurs in filevirus_ttf() when calling CSafeGenFile::SafeLockBuffer.

The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early. The researcher observed this crash…

The attached Microsoft Access Database causes JetDb::IsExploited4x to be called, which contains an unbounded search for objects.

Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITYSYSTEM.

The attached PEncrypt packed executable causes an OOB write on Avast Server Edition. The attached testcase has the password “infected” to avoid disrupting your mail server.

It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works…