Reported Vulnerabilities


Automating Vulnerability Detection

Cybellum’s proprietary technology learns from finding vulnerabilities, so we let it train on popular software. The discovered vulnerabilities are then disclosed to the vendors, who decide if and when to fix them.

The advisories that follow are Cybellum’s most recent reports to vendors, discovered by our automated engine:

CY-2017-022 - Microsoft Word 2016 | Type Confusion | Fixed, with CVE

August 21, 2017

Affected Vendors

Microsoft

Affected Products

Microsoft Word 2016 for PC, Microsoft Word 2016 for Mac.

Analysis

Cybellum Blog: CY-2017-022 Analysis

Disclosure Timeline

August 21, 2017 – Reported to vendor

August 21, 2017 – Assigned MSRC 40327

August 23, 2017 – Vulnerability confirmed

October 10, 2017 – Vulnerability fixed

October 10, 2017 – CVE-2017-11825 issued

October 10, 2017 – Closed

CY-2017-021 - Microsoft Internet Explorer 11 | Type Confusion | Confirmed

August 21, 2017

Affected Vendors

Microsoft

Affected Products

Microsoft Internet Explorer 11

Analysis

Cybellum Blog: CY-2017-021 Analysis

Disclosure Timeline

August 21, 2017 – Reported to vendor

August 21, 2017 – Assigned MSRC 40325

August 22, 2017 – Vulnerability confirmed

CY-2017-020 - Microsoft Internet Explorer 11 | Null Dereference | Closed after confirmation

August 21, 2017

Affected Vendors

Microsoft

Affected Products

Microsoft Internet Explorer 11

Disclosure Timeline

August 21, 2017 – Reported to vendor

August 21, 2017 – Assigned MSRC 40332

August 22, 2017 – Vulnerability confirmed

August 22, 2017 – Vulnerability might be fixed in a future build, will not receive an immediate patch

August 22, 2017 – Closed

CY-2017-019 - Microsoft Internet Explorer 11 | Null Dereference | Closed after confirmation

August 21, 2017

Affected Vendors

Microsoft

Affected Products

Microsoft Internet Explorer 11

Disclosure Timeline

August 21, 2017 – Reported to vendor

August 21, 2017 – Assigned MSRC 40330

August 22, 2017 – Vulnerability confirmed

August 22, 2017 – Vulnerability might be fixed in a future build, will not receive an immediate patch

August 22, 2017 – Closed

CY-2017-018 - Microsoft Internet Explorer 11 | Null Dereference | Closed after confirmation

August 21, 2017

Affected Vendors

Microsoft

Affected Products

Microsoft Internet Explorer 11

Disclosure Timeline

August 21, 2017 – Reported to vendor

August 21, 2017 – Assigned MSRC 40328

August 22, 2017 – Vulnerability confirmed

August 22, 2017 – Vulnerability might be fixed in a future build, will not receive an immediate patch

August 22, 2017 – Closed

CY-2017-017 - RARLab WinRAR | Uninitialized Heap Data | Fixed

July 13, 2017

Affected Vendors

RARLab

Affected Products

WinRAR 5

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 13, 2017 – Vulnerability confirmed

July 13, 2017 – Vulnerability fixed in WinRAR 5.50 beta 5

July 13, 2017 – Closed

CY-2017-016 - RARLab WinRAR | Uninitialized Heap Data | Fixed

July 13, 2017

Affected Vendors

RARLab

Affected Products

WinRAR 5

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 13, 2017 – Vulnerability confirmed

July 13, 2017 – Vulnerability fixed in WinRAR 5.50 beta 5

July 13, 2017 – Closed

CY-2017-015 - Apple QuickTime | Out-of-Bounds Memory Access | Closed, unsupported

July 13, 2017

Affected Vendors

Apple

Affected Products

QuickTime 7 for Windows

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 13, 2017 – Assigned ID 669012924

July 29, 2017 – Product no longer supported

July 29, 2017 – Closed

CY-2017-014 - Microsoft Windows 10 | Uninitialized Heap Data | Fixed

July 13, 2017

Affected Vendors

Microsoft

Affected Products

Windows 10 (uxtheme.dll)

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 14, 2017 – Assigned ID MSRC 39619

August 23, 2017 – Vulnerability already fixed in latest version

August 23, 2017 – Closed

CY-2017-013 - Microsoft Windows 10 | Out-of-Bounds Memory Access | Closed after confirmation

July 13, 2017

Affected Vendors

Microsoft

Affected Products

Windows 10 (msxml3.dll)

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 14, 2017 – Assigned ID MSRC 39617

August 21, 2017 – Vulnerability confirmed

August 21, 2017 – Vulnerability might be fixed in a future build, will not receive an immediate patch

August 21, 2017 – Closed

CY-2017-012 - Microsoft Windows 10 | Out-of-Bounds Memory Access | Closed after confirmation

July 13, 2017

Affected Vendors

Microsoft

Affected Products

Windows 10 (comdlg32.dll)

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 16, 2017 – Assigned ID MSRC 39660

August 16, 2017 – Vulnerability confirmed

August 16, 2017 – Vulnerability might be fixed in a future build, will not receive an immediate patch

August 16, 2017 – Closed

CY-2017-011 - Adobe Acrobat | Type Confusion | Pending

July 13, 2017

Affected Vendors

Adobe

Affected Products

Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat XI, Reader XI

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 14, 2017 – Assigned PSIRT-7074

CY-2017-010 - Adobe Acrobat | Uninitialized Heap Data | Pending

July 13, 2017

Affected Vendors

Adobe

Affected Products

Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat XI, Reader XI

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 14, 2017 – Assigned PSIRT-7073

CY-2017-009 - Adobe Acrobat | Uninitialized Heap Data | Pending

July 13, 2017

Affected Vendors

Adobe

Affected Products

Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat XI, Reader XI

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 14, 2017 – Assigned PSIRT-7072

CY-2017-008 - Adobe Acrobat | Out-of-Bounds Memory Access | Pending

July 13, 2017

Affected Vendors

Adobe

Affected Products

Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat XI, Reader XI

Disclosure Timeline

July 13, 2017 – Reported to vendor

July 14, 2017 – Assigned PSIRT-7071

CY-2017-007 - Adobe Acrobat | Heap Overflow | Fixed, with CVE

January 22, 2017

Affected Vendors

Adobe

Affected Products

Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat XI, Reader XI

Disclosure Timeline

January 22, 2017 – Reported to vendor

January 23, 2017 – Assigned PSIRT-6325

March 20, 2017 – Vulnerability confirmed

August 8, 2017 – Vulnerability fixed

August 8, 2017 – CVE-2017-3117 issued

August 8, 2017 – Closed

CY-2017-006 - Adobe Acrobat | Use After Free | Unable to Reproduce

January 22, 2017

Affected Vendors

Adobe

Affected Products

Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat XI, Reader XI

Disclosure Timeline

January 22, 2017 – Reported to vendor

January 23, 2017 – Assigned PSIRT-6324

June 13, 2017 – Unable to reproduce vulnerability

June 13, 2017 – Closed

CY-2017-005 - Quick Heal | Code Injection | Fixed, with CVE

January 20, 2017

Affected Vendors

Quick Heal

Affected Products

Quick Heal Total Security, Quick Heal Internet Security, Quick Heal AntiVirus Pro

Disclosure Timeline

January 20, 2017 – Reported to vendor

January 30, 2017 – Vulnerability confirmed

February 2017 – Vulnerability fixed

Unknown – CVE-2017-5935 issued

March 22, 2017 – Closed

CY-2017-004 - Panda | Code Injection | Fixed

January 20, 2017

Affected Vendors

Panda

Affected Products

Panda Global Protection, Panda Internet Security, Panda Antivirus Pro

Disclosure Timeline

January 20, 2017 – Reported to vendor

May 2, 2017 – Vulnerability fixed

May 2, 2017 – Closed

CY-2017-003 - Malwarebytes | Code Injection | Fixed

January 20, 2017

Affected Vendors

Malwarebytes

Affected Products

Malwarebytes 3.0, Malwarebytes Endpoint Security, Malwarebytes Anti-Malware for Business, Malwarebytes Anti-Exploit for Business

Disclosure Timeline

January 20, 2017 – Reported to vendor

February 16, 2017 – Vulnerability confirmed

March 2, 2017 – Vulnerability fixed

March 2, 2017 – Closed

CY-2017-002 - F-Secure | Code Injection | Rejected by Vendor

January 20, 2017

Affected Vendors

F-Secure

Affected Products

F-Secure Total Security and Privacy, F-Secure Internet Security, F-Secure Anti-Virus

Disclosure Timeline

January 20, 2017 – Reported to vendor

February 14, 2017 – Vulnerability rejected by vendor

February 14, 2017 – Closed

CY-2017-001 - Comodo | Code Injection | Closed after partial confirmation

January 20, 2017

Affected Vendors

Comodo

Affected Products

Comodo Internet Security Complete 10, Comodo Internet Security Pro 10, Comodo Internet Security Free 10, Comodo Antivirus Advanced 10

Disclosure Timeline

January 20, 2017 – Reported to vendor

March 22, 2017 – Vulnerability partially confirmed by vendor

March 22, 2017 – Closed

CY-2016-009 - Trend Micro | Code Injection | Fixed, with CVE

November 26, 2016

Affected Vendors

Trend Micro

Affected Products

Trend Micro Maximum Security, Trend Micro Internet Security, Trend Micro Antivirus+ Security

Disclosure Timeline

November 26, 2016 – Reported to vendor

November 30, 2016 – Assigned SR1-1-1080771371

December 29, 2016 – Vulnerability confirmed

March 22, 2017 – Vulnerability fixed

March 22, 2017 – CVE-2017-5565 issued

March 22, 2017 – Closed

CY-2016-008 - Symantec | Code Injection | Rejected by Vendor

November 26, 2016

Affected Vendors

Symantec

Affected Products

Norton 360, Norton Internet Security, Norton AntiVirus

Disclosure Timeline

November 26, 2016 – Reported to vendor

March 11, 2017 – Rejected by vendor

March 11, 2017 – Closed

CY-2016-007 - McAfee | Code Injection | Fixed, with CVE

November 26, 2016

Affected Vendors

McAfee

Affected Products

McAfee LiveSafe, McAfee Total Protection, McAfee Internet Security, McAfee AntiVirus Plus, McAfee AntiVirus

Disclosure Timeline

November 26, 2016 – Reported to vendor

December 12, 2016 – Assigned SBC1612122

March 29, 2017 – Vulnerability fixed

March 29, 2017 – CVE-2017-4028 issued

March 29, 2017 – Closed

CY-2016-006 - Kaspersky | Code Injection | Fixed

November 26, 2016

Affected Vendors

Kaspersky

Affected Products

Kaspersky Total Security, Kaspersky Internet Security, Kaspersky Anti-Virus

Disclosure Timeline

November 26, 2016 – Reported to vendor

March 23, 2017 – Vulnerability fixed

March 23, 2017 – Closed

CY-2016-005 - ESET | Code Injection | Fixed

November 26, 2016

Affected Vendors

ESET

Affected Products

ESET Multi-Device Security Pack, ESET Smart Security Premium, ESET Internet Security, ESET NOD32 Antivirus

Disclosure Timeline

November 26, 2016 – Reported to vendor

November 26, 2016 – Assigned WH #4813

February 9, 2017 – Vulnerability confirmed

March 23, 2017 – Vulnerability fixed

March 23, 2017 – Closed

CY-2016-004 - Bitdefender | Code Injection | Fixed, with CVE

November 26, 2016

Affected Vendors

Bitdefender

Affected Products

Bitdefender Total Security Multi-Device 2017, Bitdefender Family Pack 2017, Bitdefender Internet Security 2017, Bitdefender Antivirus Plus 2017

Disclosure Timeline

November 26, 2016 – Reported to vendor

February 21, 2017 – Vulnerability confirmed

March 29, 2017 – Vulnerability fixed

March 29, 2017 – CVE-2017-6186 issued

March 29, 2017 – Closed

CY-2016-003 - Avira | Code Injection | Fixed, with CVE

November 26, 2016

Affected Vendors

Avira

Affected Products

Avira Total Security Suite, Avira Optimization Suite, Avira Internet Security Suite, Avira Free Security Suite

Disclosure Timeline

November 26, 2016 – Reported to vendor

Unknown – Vulnerability fixed

March 15, 2017 – CVE-2017-6417 issued

March 15, 2017 – Closed

CY-2016-002 - AVG | Code Injection | Fixed, with CVE

November 26, 2016

Affected Vendors

AVG

Affected Products

AVG Ultimate, AVG Internet Security, AVG AntiVirus FREE

Disclosure Timeline

November 26, 2016 – Reported to vendor

December 14, 2016 – Vulnerability confirmed

March 15, 2017 – Vulnerability fixed

March 15, 2017 – CVE-2017-5566 issued

March 15, 2017 – Closed

CY-2016-001 - Avast | Code Injection | Fixed, with CVE

November 26, 2016

Affected Vendors

Avast

Affected Products

Avast Premier, Avast Internet Security, Avast Pro Antivirus, Avast Free Antivirus

Disclosure Timeline

November 26, 2016 – Reported to vendor

November 28, 2016 – Assigned MTH-214-69306

December 23, 2016 – Vulnerability confirmed

Unknown – Vulnerability fixed, CVE-2017-5567 issued

March 23, 2017 – Closed

See How Cybellum Detects Vulnerabilities and Assesses Software Risk
