======================================================================

Secunia Research (now part of Flexera Software) 09/10/2015

Google Picasa Phase One Tags Processing Integer Overflow Vulnerability

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* Google Picasa version 3.9.140 Build 239
* Google Picasa version 3.9.140 Build 248

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Google Picasa,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer overflow error when
processing data related to the Phase One 0x412 tag and can be
exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in versions 3.9.140 Build 239 and
3.9.140 Build 248 running on Windows.

======================================================================
4) Solution

The vendor has released a fix in version 3.9.140 Build 248; however,
the fix is ineffective.

No official solution is currently available. The vendor is currently
planning to release a fix on 30th October, 2015.

======================================================================
5) Time Table

04/08/2015 - Vendor notified of vulnerability.
04/08/2015 - Vendor acknowledges report.
10/08/2015 - Vendor requests PoC.
10/08/2015 - Provision of PoC.
19/08/2015 - Vendor acknowledges receipt.
08/09/2015 - Request of status update.
11/09/2015 - Vendor states fixed in code. ETA not yet available.
19/09/2015 - Vendor states update has been pushed.
25/09/2015 - Vendor notified of incomplete fix.
26/09/2015 - Vendor acknowledges receipt.
05/10/2015 - Request ETA of fix. Vendor notified that, due to the
             public availability of the improper fix release, an
             advisory release deadline of 09/10/2015 is established.
06/10/2015 - Vendor acknowledges and estimates 30/10/2015 release of
             fix.
06/10/2015 - Vendor notified that advisory deadline will still be
             applicable.
06/10/2015 - Vendor acknowledges and states to send notification once
             properly fixed.
09/10/2015 - Public disclosure of advisory.
12/10/2015 - Public disclosure of research advisory.

======================================================================
6) Credits

Discovered by Hossein Lotfi, Secunia Research (now part of Flexera
Software).

======================================================================
7) References

Currently no CVE identifier is assigned.

======================================================================
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals who are interested in or concerned about IT security:

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-03/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================