283 software vendors have fixed 921 vulnerabilities in their products thanks to High-Tech Bridge Security Research Lab.
Patch Available Upon Disclosure
|2013 Q4: 67%||2013 Q1: 100%|
|2013 Q3: 77%||2012 Q4: 68%|
|2013 Q2: 92%||2012 Q3: 69%|
Vendor Average Time to Patch
|2013 Q4: 8 days||2013 Q1: 13 days|
|2013 Q3: 13 days||2012 Q4: 26 days|
|2013 Q2: 30 days||2012 Q3: 22 days|
Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6
|Product:||Corel Quattro Pro X6 Standard Edition|
|Vulnerable Versions:||220.127.116.118, other versions may be also affected|
|Tested Version:||18.104.22.1688 on Windows 7 SP1 32 bits|
|Advisory Publication:||August 27, 2012 [without technical details]|
|Vendor Notification:||August 27, 2012|
|Public Disclosure:||March 7, 2013|
|Latest Update:||March 7, 2013|
|Vulnerability Type:||NULL Pointer Dereference [CWE-476]|
|CVSSv2 Base Score:||2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered two null pointer dereference vulnerabilities in Corel Quattro Pro. Opening of a malicious QPW (Quattro Pro Spreadsheet) document causes immediate application crash, resulting in a loss of all unsaved current application data of the user.
1.1 The first crash occurs in the QPW160.dll module at the QProGetNotebookWindowHandle function when the application tries to move a value to a corrupted pointer. Due to the malformed QPW file the EDX register will contain a null value. This destination pointer used to store the value of the AX register will be therefore invalid, which causes the application to crash instantly.
Crash details: QPW160!QProGetNotebookWindowHandle+0x23cb85:
Crash details: QPW160!Ordinal132+0x5a7d: 20005a7d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
QPW160!Ordinal132+0x5a7d: 20005a7d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
As a PoC (Proof of Concept) two files "1.qpw" and "2.qpw" are provided, which cause immediate application crash. Password for archive: ph77=!3=L
|Currently we are not aware of any solutions from the Vendor.|
2012-08-27: Vendor Notified.
2012-09-10: Request for security fix date.
2012-09-27: Vendor says that the "vulnerabilities will be fixed with the next Service Pack".
2012-10-16: Vendor re-requested to provide a date of security fix.
2012-11-20: WordPerfect Office X6 Service Pack 2 release, vulnerability is not fixed.
2012-11-26: Vendor re-requested to provide a date of security fix.
2013-02-04: WordPerfect Office X6 Hot Patch 1 release, vulnerability is not fixed.
2013-02-26: Vendor re-requested to provide a date of security fix.
2013-03-07: Public Disclosure [Disclosure Policy].
| High-Tech Bridge Advisory HTB23112 - https://www.htbridge.com/advisory/HTB23112 - Multiple NULL Pointer Dereference Vulnerabilities in Corel Quattro Pro X6.|
 Corel Corporation - http://www.corel.com - Quattro Pro is a spreadsheet processing application of Corel's WordPerfect Office suite.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.