Pentest Security Advisory : PTL-2006-01
Sony SonicStage Mastering Studio Project File Import Buffer Overflow
|Title:||Sony SonicStage Mastering Studio Project File Import Buffer Overflow|
|Announcement date:||16 August 2006|
|Products:||SonicStage Mastering Studio (Sony)|
|Vulnerability Type:||Buffer Overflow|
|Remotely Exploitable:||Yes (User Complicit)|
|Advisory URL (Japan):||http://vcl.vaio.sony.co.jp/notices/security/info196.html|
A remotely exploitable buffer overflow vulnerability exists in the project file (.smp file) import functionality of Sony's SonicStage Mastering Studio software. Importing a malicious project file can make SonicStage Mastering Studio execute arbitrary code in the context of the current user.
The following versions are affected by this vulnerability:
SonicStage Mastering Studio 1.1.00, 1.2.00, 1.2.01, 1.2.02, 1.3.00, 1.4.00, 1.4.01, 1.4.02, 1.4.03, 2.0.00, 2.1.00, 2.1.01, 2.2.01
|11-04-2006 -||Initial Pentest Limited Notification to Sony, without response|
|13-04-2006 -||Vulnerabilities reported to JPCERT/CC|
|04-05-2006 -||Response from JPCERT/CC, indicating that Sony have confirmed the existence of the vulnerabilities|
|26-06-2006 -||Sony begin distribution of patches to Japan, Asia, USA and Europe locales|
Official fixes to the issues covered by this security advisory have been released. To implement the fix, install the relevant update for the version of SonicStage Mastering Studio in use by visiting the advisory URLs referenced above.
As a workaround prior to updating the SonicStage Mastering Studio software, project files from an untrusted source should not be imported.
These vulnerabilities were discovered by Joe Moore from Pentest Limited.