Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 David Proulx David Proulx 2002-0026 Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0079 ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx David Proulx 2002-0023 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks ACCEPTED 3 Microsoft Windows NT Windows Shell Matthew Burton 2002-0070 Completing an initial submission. done DRAFT INTERIM ACCEPTED Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner 2002-0189 Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability ACCEPTED 3 Microsoft Windows 2000 Christine Walzer 2003-0715 DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Andrew Buttner Andrew Buttner 2002-0147 ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun. ACCEPTED 4 Microsoft Windows 2000 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 David Proulx David Proulx 2002-0026 Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made ACCEPTED 3 Microsoft Windows NT FTP Tiffany Bergeron Tiffany Bergeron 2002-0073 The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0079 ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code ACCEPTED 3 Microsoft Windows 2000 Network Connection Manager (NCM) Christine Walzer Christine Walzer 2002-0720 modified wrt-222 - changed pattern match INTERIM A handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code INTERIM 1 Microsoft Windows 2000 Internet Explorer 5.01 Tiffany Bergeron Tiffany Bergeron Christine Walzer 2002-0193 modified wrt-222 - changed pattern match INTERIM Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability INTERIM 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0364 ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise. ACCEPTED 4 Microsoft Windows 2000 SMTP Tiffany Bergeron Andrew Buttner 2002-0055 Changed the registry key in question for the SMTP enabled check to SMTPSVC from SMTP. SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 to cause a denial of service via a command with a malformed data transfer (BDAT) request ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx David Proulx 2002-0026 Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made ACCEPTED 3 Microsoft Windows 2000 FTP Tiffany Bergeron Tiffany Bergeron 2002-0073 The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters ACCEPTED 4 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2001-0333 Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron 2002-0051 Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0150 ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 David Proulx David Proulx 2002-0023 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2000-0884 IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0071 ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0074 Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01 David Proulx David Proulx 2003-1326 Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box. ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1, or Internet Explorer 5.01 Service Pack 2 David Proulx David Proulx 2002-0023 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx David Proulx 2003-1328 The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality. ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0075 Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron Tiffany Bergeron Christine Walzer 2002-1561 modified wrt-222 - changed pattern match INTERIM The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference INTERIM 1 Microsoft Windows NT Remote Access Service (RAS) Tiffany Bergeron 2002-0366 Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry ACCEPTED 1 Microsoft Windows 2000 Remote Access Service (RAS) Tiffany Bergeron 2002-0366 Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron 2002-0018 ACCEPTED INTERIM ACCEPTED In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 David Proulx David Proulx Christine Walzer 2003-0223 modified wrt-222 - changed pattern match INTERIM Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message INTERIM 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Yi-Fang Koh 2001-0344 ACCEPTED An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0147 ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun. ACCEPTED 3 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron 2002-0367 smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 David Proulx David Proulx 2002-0023 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2001-0333 ACCEPTED INTERIM ACCEPTED Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0148 Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Tiffany Bergeron 2001-0509 Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server Yi-Fang Koh Yi-Fang Koh 2001-0542 Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CAN-2001-0879 ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz 2002-0013 Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available ACCEPTED 1 Microsoft Windows 2000 Multiple UNC Provider (MUP) Tiffany Bergeron 2002-0151 Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron Ingrid Skoog 2001-0151 corrected configuration criterion INTERIM ACCEPTED IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Harvey Rubinovitz Harvey Rubinovitz 2002-0148 Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0149 ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner 2002-0078 Added the configuration check to see if cookies are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability ACCEPTED 4 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx David Proulx 2002-0371 Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner Christine Walzer 2002-0193 modified wrt-222 - changed pattern match INTERIM Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability INTERIM 3 Microsoft Windows NT Locator service Tiffany Bergeron 2003-0003 Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron 2003-0109 Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0 ACCEPTED 2 Microsoft Windows 2000 ISA Server 2000 Tiffany Bergeron 2003-0526 ACCEPTED Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found. ACCEPTED 1 Microsoft Windows 2000 SMB (Server Message Block) Tiffany Bergeron Tiffany Bergeron 2003-0345 ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Yi-Fang Koh 2002-0154 Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron 2003-0809 Added the configuration check to see if ActiveX controls are enabled by the current user when local machine settings are not in use. ACCEPTED Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner 2003-1326 Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box. ACCEPTED 2 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron 2003-0528 ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0071 ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0149 ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names ACCEPTED 3 Microsoft Windows 2000 Christine Walzer 2003-0010 DRAFT INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Virtual Machine (VM) Tiffany Bergeron 2003-0111 INTERIM ACCEPTED The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise. ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0150 ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values ACCEPTED 3 Microsoft Windows NT Simple Network Management Protocol (SNMP) Matt Busby 2001-0046 INTERIM ACCEPTED The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities ACCEPTED 1 Microsoft Windows NT Microsoft Transaction Server (MTS) Matt Busby 2001-0047 INTERIM ACCEPTED The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1 Tiffany Bergeron Andrew Buttner 2001-0154 Added the configuration check to see if file downloads are enabled by the current user when local machine settings are not in use. Changed the status from ACCEPTED to INTERIM ACCEPTED HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly ACCEPTED 2 Microsoft Windows NT Christine Walzer 2003-0112 DRAFT INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Harvey Rubinovitz 2002-1186 Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure. ACCEPTED 1 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz 2002-0012 Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available ACCEPTED 1 Microsoft Windows NT Multiple UNC Provider (MUP) Tiffany Bergeron 2002-0151 Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request ACCEPTED 1 Microsoft Windows NT Christine Walzer 2003-0345 DRAFT INTERIM ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required ACCEPTED 1 Microsoft Windows 2000 Windows Shell Christine Walzer Christine Walzer 2002-0070 Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron 2002-0367 smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron 2002-0018 In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz 2002-0012 Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Andrew Buttner Andrew Buttner 2003-1326 Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box. ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0364 ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise. ACCEPTED 3 Microsoft Windows XP Authenticode Tiffany Bergeron Andrew Buttner Christine Walzer 2003-0660 Added the configuration check to see if downloading of signed ActiveX controls are enabled by the current user when local machine settings are not in use. Fixed the logic that checks for one version of the file if no sp is installed and a different version if sp1 is installed. The compound test that includes SP1 or earlier has been added ACCEPTED INTERIM ACCEPTED The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2000 Christine Walzer 2003-0664 Added word 2000 and winword.exe information changed to word 2000 DRAFT INTERIM ACCEPTED Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document ACCEPTED 1 Microsoft Windows 2000 SMB (Server Message Block) Christine Walzer Christine Walzer 2002-0724 modified wrt-222 - changed pattern match INTERIM Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service" INTERIM 1 Microsoft Windows 2000 Certificate Enrollment Control Christine Walzer Christine Walzer 2002-0699 modified wrt-222 - changed pattern match ACCEPTED INTERIM Unknown vulnerability in the Certificate Enrollment ActiveX Control in Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000, and Windows XP allow remote attackers to delete digital certificates on a user's system via HTML INTERIM 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2000-0886 IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability ACCEPTED 3 Microsoft Windows NT Christine Walzer 2003-0352 DRAFT INTERIM ACCEPTED Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2001-0500 ACCEPTED Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red ACCEPTED 3 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron 2003-0660 Added the configuration check to see if downloading of signed ActiveX controls are enabled by the current user when local machine settings are not in use. ACCEPTED The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval ACCEPTED 1 Microsoft Windows 2000 Remote Data Protocol (RDP) Tiffany Bergeron Tiffany Bergeron Christine Walzer 2002-0863 modified wrt-222 - changed pattern match INTERIM Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol. INTERIM 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Windows Script Engine for JScript v5.6 Tiffany Bergeron David Proulx Christine Walzer 2003-0010 Corrected to reflect the unification of the Windows Schema Added the configuration check to see if active scripting is enabled by the current user when local machine settings are not in use. Added Patch to Definition negated patch ACCEPTED INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack ACCEPTED 3 Microsoft Windows XP Windows XP Tiffany Bergeron Tiffany Bergeron Andrew Buttner Christine Walzer 2003-0659 Fixed the logic that checks for one version of the file if no sp is installed and a different version if sp1 is installed. The compound test that includes a check for SP1 or earlier has been added Added patch KB891711 (from MS05-002) which supercedes the previous patch ACCEPTED INTERIM ACCEPTED INTERIM INTERIM ACCEPTED Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application ACCEPTED 3 Microsoft Windows 2000 Microsoft Word 2000 Ingrid Skoog 2002-1143 DRAFT INTERIM ACCEPTED Microsoft Word and Excel allow remote attackers to steal sensitive information via certain field codes that insert the information when the document is returned to the attacker, as demonstrated in Word using (1) INCLUDETEXT or (2) INCLUDEPICTURE, aka "Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure. ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Harvey Rubinovitz 2002-1187 ACCEPTED Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron Andrew Buttner 2003-0838 Added the configuration check to see if ActiveX controls are enabled by the current user when local machine settings are not in use. ACCEPTED Internet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CAN-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe) ACCEPTED 1 Microsoft Windows 2000 Microsoft Word 2000 Ingrid Skoog 2002-1056 made into a real definition DRAFT INTERIM ACCEPTED Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner 2003-1048 DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Tiffany Bergeron Tiffany Bergeron 2004-0549 DRAFT INTERIM ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object ACCEPTED 1 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Tiffany Bergeron 2002-0053 Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CAN-2002-0012 and CAN-2002-0013, will be updated when more accurate information is available ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Harvey Rubinovitz Harvey Rubinovitz 2002-0075 Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner 2003-1048 DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image ACCEPTED 1 Microsoft Windows 2000 Messenger Service Christine Walzer Christine Walzer Andrew Buttner 2003-0717 Fixed an error in the configuration section, now correctly testing that messenger service is enabled. Before it was testing that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start=2, now it is testing that it does not equal 4. ACCEPTED ACCEPTED The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Ingrid Skoog Ingrid Skoog 2004-0566 DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value ACCEPTED 1 Microsoft Windows 2000 Help and Support Center (HSC) Christine Walzer Christine Walzer 2003-0711 Windows 2000 replaced by check for Windows 2000 SP4 or earlier ACCEPTED INTERIM ACCEPTED Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL ACCEPTED 2 Microsoft Windows NT Christine Walzer 2003-0346 DRAFT INTERIM ACCEPTED Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz Harvey Rubinovitz 2002-1187 ACCEPTED Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server Tiffany Bergeron 2000-1081 The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Yi-Fang Koh Jonathan Baker 2003-0230 modified wft-62 - Added "80" to the registry component. So that new component value is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\SharedCode. This key specifes the location of the file that should be tested. INTERIM INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local users go gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner 2003-1048 DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Andrew Buttner 2003-0662 Added the configuration check to see if ActiveX controls are enabled by the current user when local machine settings are not in use. ACCEPTED Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML formatter e-mail or web page ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Tiffany Bergeron Tiffany Bergeron 2004-0549 DRAFT INTERIM ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object ACCEPTED 1 Microsoft Windows Server 2003 Network News Transport Protocol (NNTP) Christine Walzer 2004-0574 DRAFT INTERIM ACCEPTED The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Yi-Fang Koh Yi-Fang Koh 2001-0879 Format string vulnerability in the C runtime functions in SQL Server 7.0 and 2000 allows attackers to cause a denial of service ACCEPTED 1 Microsoft Windows 2000 Christine Walzer 2003-0112 DRAFT INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron 2003-0715 ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528 ACCEPTED 1 Microsoft Windows XP Windows XP Tiffany Bergeron Tiffany Bergeron Andrew Buttner Christine Walzer 2003-0717 Fixed the logic that checks for one version of the file if no sp is installed and a different version if sp1 is installed. CMP-66 has been added ACCEPTED INTERIM ACCEPTED The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server 2000 Yi-Fang Koh Yi-Fang Koh 2002-0056 Buffer overflow in SQL Server 7.0 and 2000 allows remote attackers to execute arbitrary code via a long OLE DB provider name to (1) OpenDataSource or (2) OpenRowset in an ad hoc connection ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Harvey Rubinovitz 2002-1217 ACCEPTED Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions ACCEPTED 1 Microsoft Windows 2000 SMB Signing (Server Message Block) Christine Walzer 2002-1256 ACCEPTED The SMB signing capability in the Server Message Block (SMB) protocol in Microsoft Windows 2000 and Windows XP allows attackers to disable the digital signing settings in an SMB session to force the data to be sent unsigned, then inject data into the session without detection, e.g. by modifying group policy information sent from a domain controller ACCEPTED 1 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron 2002-0372 ACCEPTED Microsoft Windows Media Player versions 6.4 and 7.1 and Media Player for Windows XP allow remote attackers to bypass Internet Explorer's (IE) security mechanisms and run code via an executable .wma media file with a license installation requirement stored in the IE cache, aka the "Cache Path Disclosure via Windows Media Player" ACCEPTED 1 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron 2001-0719 ACCEPTED Buffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via a malformed Advanced Streaming Format (ASF) file ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Yi-Fang Koh 2002-0624 Buffer overflow in the password encryption function of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows remote attackers to gain control of the database and execute arbitrary code via SQL Server Authentication, aka "Unchecked Buffer in Password Encryption Procedure. ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 MDAC 2.6 Ingrid Skoog Andrew Buttner 2002-1142 removed the test for windows NT and added a test for MDAC 2.6 since this definition is dependent on the MDAC version and not the platform DRAFT INTERIM ACCEPTED INTERIM ACCEPTED Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub ACCEPTED 2 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron 2003-0352 ACCEPTED Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms ACCEPTED 1 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz 2002-0013 Changed CAN-2002-0012 to CAN-2002-0013. INTERIM ACCEPTED Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available ACCEPTED 2 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Yi-Fang Koh Jonathan Baker 2003-0231 modified wft-55 - Added "80" to the registry component. So that new component value is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\SharedCode. This key specifes the location of the file that should be tested. INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe ACCEPTED 2 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Yi-Fang Koh Jonathan Baker 2003-0232 modified wft-55 - Added "80" to the registry component. So that new component value is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\SharedCode. This key specifes the location of the file that should be tested. INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Ingrid Skoog Ingrid Skoog 2004-0566 DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value ACCEPTED 1 Microsoft Windows 2000 Microsoft FrontPage Server Extensions 2000 Tiffany Bergeron Tiffany Bergeron 2003-0824 Changed the definition to look at the file shtml.dll instead of fp4awel.dll. It was determined that this is where the vulnerability (a buffer overflow) actually existed. Also added the configuration test saying you are vulnerable if the SmartHTML interpreter is enabled. INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Yi-Fang Koh 2002-0641 Buffer overflow in bulk insert procedure of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows attackers with database administration privileges to execute arbitrary code via a long filename in the BULK INSERT query ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron Tiffany Bergeron 2003-0525 INTERIM ACCEPTED The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method ACCEPTED 2 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron 2003-0228 ACCEPTED Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Ingrid Skoog Ingrid Skoog 2004-0566 DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value ACCEPTED 1 Microsoft Windows XP Microsoft Windows Workstation Service Andrew Buttner Andrew Buttner Christine Walzer 2003-0812 Added 64-bit edition support to this definition allowing us to deprecated OVAL332 INTERIM ACCEPTED INTERIM ACCEPTED Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz Harvey Rubinovitz 2002-1217 ACCEPTED Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions ACCEPTED 1 Microsoft Windows 2000 Network News Transport Protocol (NNTP) Christine Walzer 2001-0543 ACCEPTED Memory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed posts ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0814 Removed the test for Windows 2000 sp2 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2000 Christine Walzer Christine Walzer 2003-0820 ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron Christine Walzer 2003-0659 Added the patch KB891711 (from MS05-002) which supercedes the previous patch ACCEPTED INTERIM INTERIM ACCEPTED Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner 2003-0814 Removed the test for Windows 2000 sp3 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp3 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner 2003-0814 Removed the test for Windows 2000 sp4 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp4 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0814 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.5 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner 2003-0814 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner 2003-0814 Removed the test for Windows Server 2003. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit, Version 2003 and Windows Server 2003 64-Bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0815 Removed the test for Windows 2000 sp2 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of having IE 5.01 sp2 installed. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner 2003-0815 Removed the test for Windows 2000 sp3 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of having IE 5.01 sp3 installed. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner 2003-0815 Removed the test for Windows 2000 sp4 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of having IE 5.01 sp4 installed. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0815 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.5 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner 2003-0815 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner 2003-0815 Removed the test for Windows Server 2003. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit, Version 2003 and Windows Server 2003 64-Bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0816 Removed the test for Windows 2000 sp2 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner 2003-0816 Removed the test for Windows 2000 sp3 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp3 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner 2003-0816 Removed the test for Windows 2000 sp4 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp4 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows XP Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner 2003-0822 Changed the definition to test for fp30reg.dll and fp4areg.dll instead of fp4awel.dll. INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Andrew Buttner Andrew Buttner Christine Walzer 2003-0822 Changed the definition to test for fp30reg.dll and fp5areg.dll instead of fp5awel.dll. XP SP2 added INTERIM ACCEPTED INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Andrew Buttner Andrew Buttner Christine Walzer 2003-0822 Changed the definition to test for fp30reg.dll and fp5areg.dll instead of fp5awel.dll. XP SP2 added INTERIM ACCEPTED INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0823 Removed the test for Windows 2000 sp2 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner 2003-0823 Removed the test for Windows 2000 sp3 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp3 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner 2003-0823 Removed the test for Windows 2000 sp4 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp4 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0823 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.5 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner 2003-0823 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron Christine Walzer 2003-0225 modified wrt-222 - changed pattern match INTERIM The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page INTERIM 1 Microsoft Windows 2000 HTML Help ActiveX Control Christine Walzer Andrew Buttner 2002-0693 Added the configuration check to see if active scripting is enabled by the current user when local machine settings are not in use. ACCEPTED Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Harvey Rubinovitz 2002-1254 ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods. ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Tiffany Bergeron Tiffany Bergeron Andrew Buttner 2003-0814 Removed the test for Windows XP. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 patch. Removed the IE 6 SP 1 part of this definition as the SP 1 part is defined in a different OVAL. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Harvey Rubinovitz 2002-1185 ACCEPTED Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure. ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Matt Busby Matthew Burton 2002-0053 Filled out initial submission. Now a complete definition. DRAFT INTERIM ACCEPTED Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CAN-2002-0012 and CAN-2002-0013, will be updated when more accurate information is available ACCEPTED 1 Microsoft Windows 2000 HTML Help Facility Christine Walzer 2002-0694 modified wrt-222 - changed pattern match ACCEPTED INTERIM The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File. INTERIM 1 Microsoft Windows 2000 ISA Server 2000 Tiffany Bergeron 2003-0110 ACCEPTED The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745 ACCEPTED 0 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz Harvey Rubinovitz 2002-1254 ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods. ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0816 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.5 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner 2003-0816 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Telnet protocol Christine Walzer Christine Walzer 2002-0020 Changed patch registry key value to IsInstalled INTERIM ACCEPTED Buffer overflow in telnet server in Windows 2000 and Interix 2.2 allows remote attackers to execute arbitrary code via malformed protocol options ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2002 Ingrid Skoog Jonathan Baker 2002-1056 modified wft-484 - Corrected registry key in path component DRAFT INTERIM ACCEPTED INTERIM ACCEPTED Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Harvey Rubinovitz 2002-1188 ACCEPTED Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading. ACCEPTED 1 Microsoft Windows XP Windows kernel Christine Walzer Christine Walzer 2004-0893 DRAFT INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Utilities Manager/Windows Messaging Christine Walzer 2003-0350 modified wrt-222 - changed pattern match ACCEPTED INTERIM The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function INTERIM 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner 2003-0816 Removed the test for Windows Server 2003. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit, Version 2003 and Windows Server 2003 64-Bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.01 Harvey Rubinovitz Harvey Rubinovitz 2002-1186 ACCEPTED Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure. ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Tiffany Bergeron Tiffany Bergeron Andrew Buttner 2003-0815 Removed the test for Windows XP. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 patch. Removed the IE 6 SP 1 part of this definition as the SP 1 part is defined in a different OVAL. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Andrew Buttner 2003-0904 INTERIM ACCEPTED Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Internet Security and Acceleration Server 2000 David Proulx David Proulx 2003-0819 INTERIM ACCEPTED Buffer overflow in the H.323 filter of Microsoft Internet Security and Acceleration Server 2000 allows remote attackers to execute arbitrary code in the Microsoft Firewall Service via certain H.323 traffic, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Microsoft Internet Explorer 6 Service Pack 1 Tiffany Bergeron Tiffany Bergeron Andrew Buttner 2003-0816 Removed the test for Windows XP. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 patch. Removed the IE 6 SP 1 part of this definition as the SP 1 part is defined in a different OVAL. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron Christine Walzer 2003-0224 modified wrt-222 - changed pattern match ACCEPTED INTERIM Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun. INTERIM 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Matthew Burton 2002-0186 filling out initial submission. Added service pack 3 test DRAFT DRAFT INTERIM ACCEPTED Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension. ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Matthew Burton 2002-0186 Input of initial submission. DRAFT DRAFT INTERIM ACCEPTED Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension. ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner 2003-1025 INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner 2003-1025 INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron 2003-0605 ACCEPTED The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz Harvey Rubinovitz 2002-1186 ACCEPTED Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure. ACCEPTED 1 Microsoft Windows NT Remote Access Service (RAS) Matt Busby 2001-0045 INTERIM ACCEPTED The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Ingrid Skoog Ingrid Skoog 2004-0566 DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0817 Removed the test for Windows 2000 sp2 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner 2003-1048 DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner 2003-1025 INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability. ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner 2003-1025 INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability. ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Andrew Buttner 2003-1025 INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability. ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner 2003-1025 INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Ingrid Skoog Ingrid Skoog 2004-0566 DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner 2003-1048 DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Tiffany Bergeron Tiffany Bergeron 2004-0549 DRAFT INTERIM ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner 2003-0817 Removed the test for Windows 2000 sp3 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp3 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Compnents 2.5 Christine Walzer Christine Walzer 2003-0903 INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner 2003-1025 INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner 2003-1027 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner 2003-1027 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner 2003-1027 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability. ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner 2003-1027 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability. ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Andrew Buttner 2003-1027 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability. ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner 2003-1027 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability. ACCEPTED 1 Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer Christine Walzer 2004-0901 DRAFT INTERIM ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CAN-2004-0571 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz Harvey Rubinovitz 2002-1185 ACCEPTED Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure. ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Microsoft Internet Explorer 6 Service Pack 1 Tiffany Bergeron Tiffany Bergeron Andrew Buttner 2003-0817 Removed the test for Windows XP. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 patch. Removed the IE 6 SP 1 part of this definition as the SP 1 part is defined in a different OVAL. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner 2003-0817 Removed the test for Windows 2000 sp4 installed. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.01 sp4 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner 2003-0817 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 5.5 sp2 patch. Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Compnents 2.6 Christine Walzer Christine Walzer 2003-0903 INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner 2003-0817 Removed the test for specific Windows operating systems. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner 2003-0817 Removed the test for Windows Server 2003. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit, Version 2003 and Windows Server 2003 64-Bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Workstation Service Tiffany Bergeron Tiffany Bergeron 2003-0812 ACCEPTED Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Virtual Machine (VM) Tiffany Bergeron 2002-1258 INTERIM ACCEPTED Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 97 Andrew Buttner Andrew Buttner 2003-0820 INTERIM ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 98 Andrew Buttner Andrew Buttner 2003-0820 INTERIM ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner 2003-0823 Removed the test for Windows Server 2003. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 sp1 patch. Added Windows XP 64-bit, Version 2003 and Windows Server 2003 64-Bit to the list of affected platforms Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027 ACCEPTED 1 Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner 2003-0824 Changed the definition to look at the file shtml.dll instead of fp4awel.dll. It was determined that this is where the vulnerability (a buffer overflow) actually existed. Also added the configuration test saying you are vulnerable if the SmartHTML interpreter is enabled. INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request ACCEPTED 1 Microsoft Windows XP Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner 2003-0824 Changed the definition to look at the file shtml.dll instead of fp4awel.dll. It was determined that this is where the vulnerability (a buffer overflow) actually existed. Also added the configuration test saying you are vulnerable if the SmartHTML interpreter is enabled. INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Andrew Buttner Andrew Buttner Christine Walzer 2003-0824 Changed the definition to look at the file shtml.dll instead of fp5awel.dll. It was determined that this is where the vulnerability (a buffer overflow) actually existed. Also added the configuration test saying you are vulnerable if the SmartHTML interpreter is enabled. XP SP2 added INTERIM ACCEPTED INTERIM Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request INTERIM 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner 2003-1027 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CAN-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner 2003-1026 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability. ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Christine Walzer Christine Walzer 2003-0821 ACCEPTED Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner 2003-1026 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Microsoft ASN.1 Library Andrew Buttner 2003-0818 INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2002 Andrew Buttner Andrew Buttner 2003-0820 INTERIM ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 97 Andrew Buttner Andrew Buttner 2003-0821 INTERIM ACCEPTED Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model ACCEPTED 1 Microsoft Windows NT NetDDE Agent Ingrid Skoog 2002-1230 DRAFT INTERIM ACCEPTED NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation. ACCEPTED 1 Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer Christine Walzer 2004-0571 DRAFT INTERIM ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CAN-2004-0901 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner 2003-1026 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability. ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner 2003-1026 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz Harvey Rubinovitz 2002-1188 ACCEPTED Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading. ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2002 Andrew Buttner Andrew Buttner 2003-0821 INTERIM ACCEPTED Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model ACCEPTED 1 Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner 2003-0822 Changed the definition to test for fp30reg.dll and fp4areg.dll instead of fp4awel.dll. INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request ACCEPTED 1 Microsoft Windows 2000 Windows Internet Naming Service (WINS) Andrew Buttner 2003-0825 INTERIM ACCEPTED The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code ACCEPTED 1 Microsoft Windows NT Windows Animated Cursor Christine Walzer Christine Walzer 2004-1305 DRAFT INTERIM ACCEPTED The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang ACCEPTED 1 Microsoft Windows 2000 Hyperlink Object Library Christine Walzer Christine Walzer 2005-0057 DRAFT INTERIM ACCEPTED The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Microsoft Internet Explorer 6 Service Pack 1 Tiffany Bergeron Tiffany Bergeron Andrew Buttner 2003-0823 Removed the test for Windows XP. This is not part of the vulnerability definition. Instead, it is a pre-requisite of installing the IE 6 patch. Removed the IE 6 SP 1 part of this definition as the SP 1 part is defined in a different OVAL. INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CAN-2003-1027 ACCEPTED 1 Microsoft Windows 2000 Microsoft FrontPage Server Extensions 2000 Tiffany Bergeron Tiffany Bergeron Andrew Buttner 2003-0822 Changed the definition to test for fp30reg.dll and fp4areg.dll instead of fp4awel.dll. INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002 allows remote attackers to execute arbitrary code via a certain chunked encoded request ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Andrew Buttner 2003-1026 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability. ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Data Access Compnents 2.7 Christine Walzer Christine Walzer 2003-0903 INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Andrew Buttner Andrew Buttner Christine Walzer 2003-0824 Changed the definition to look at the file shtml.dll instead of fp5awel.dll. It was determined that this is where the vulnerability (a buffer overflow) actually existed. Also added the configuration test saying you are vulnerable if the SmartHTML interpreter is enabled. XP SP2 added INTERIM ACCEPTED INTERIM Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request INTERIM 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner 2003-1026 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability. ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Data Access Compnents 2.8 Christine Walzer Christine Walzer 2003-0903 INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request ACCEPTED 1 Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) Christine Walzer Christine Walzer 2004-0894 DRAFT INTERIM ACCEPTED LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program ACCEPTED 1 Microsoft Windows XP Christine Walzer 2003-0112 DRAFT INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.1 Tiffany Bergeron Tiffany Bergeron David Proulx Christine Walzer 2003-0010 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. Added patch information to definition INTERIM ACCEPTED INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.5 Tiffany Bergeron Tiffany Bergeron David Proulx Christine Walzer 2003-0010 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. Added patch information to definition INTERIM ACCEPTED INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack ACCEPTED 2 Microsoft Windows NT Microsoft ASN.1 Library Andrew Buttner 2003-0818 INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings ACCEPTED 1 Microsoft Windows XP Microsoft ASN.1 Library Andrew Buttner Christine Walzer 2003-0818 INTERIM ACCEPTED INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings ACCEPTED 2 Microsoft Windows Server 2003 Microsoft ASN.1 Library Andrew Buttner 2003-0818 INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings ACCEPTED 1 Microsoft Windows NT Windows Internet Naming Service (WINS) Andrew Buttner 2003-0825 INTERIM ACCEPTED The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code ACCEPTED 1 Microsoft Windows NT Windows Internet Naming Service (WINS) Andrew Buttner 2003-0825 INTERIM ACCEPTED The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code ACCEPTED 1 Microsoft Windows Server 2003 Windows Internet Naming Service (WINS) Andrew Buttner 2003-0825 INTERIM ACCEPTED The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner 2003-1026 Added the configuration check to see if ActiveX controls and active scripting are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Windows Media Services Tiffany Bergeron Tiffany Bergeron 2003-0905 INTERIM Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets INTERIM 0 Microsoft Windows 95 Microsoft Outlook Andrew Buttner Andrew Buttner Jonathan Baker 2004-0121 modified wft-130 - Added path to the end of the registry key specified in the first component of the file path INTERIM ACCEPTED INTERIM ACCEPTED Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 MSN Messenger Christine Walzer Christine Walzer Andrew Buttner 2004-0122 Fixed the path for both versions of the file to look at the correct registry key to determine the location of the 'Program Files' folder.. INTERIM ACCEPTED Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Outlook Express Andrew Buttner Andrew Buttner 2004-0380 INTERIM ACCEPTED The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability. ACCEPTED 1 Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) Tiffany Bergeron Tiffany Bergeron 2003-0533 INTERIM ACCEPTED Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm ACCEPTED 1 Microsoft Windows Server 2003 Secure Sockets Layer (SSL) David Proulx David Proulx 2004-0120 INTERIM ACCEPTED The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages ACCEPTED 1 Microsoft Windows XP Secure Sockets Layer (SSL) David Proulx David Proulx Christine Walzer 2004-0120 cmp-66 added INTERIM ACCEPTED INTERIM ACCEPTED The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages ACCEPTED 2 Microsoft Windows XP Private Communications Transport (PCT) Andrew Buttner Andrew Buttner Christine Walzer 2003-0719 added cmp-66 INTERIM ACCEPTED INTERIM ACCEPTED Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets ACCEPTED 2 Microsoft Windows 2000 Local Descriptor Table (LDT) Jonathan Baker Jonathan Baker 2003-0910 INTERIM ACCEPTED The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory ACCEPTED 1 Microsoft Windows 2000 Secure Sockets Layer (SSL) David Proulx David Proulx 2004-0120 INTERIM ACCEPTED The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Christine Walzer 2003-0813 INTERIM ACCEPTED A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CAN-2003-0352 (Blaster/Nachi), CAN-2003-0715, and CAN-2003-0528, and as demonstrated by certain exploits against those vulnerabilities ACCEPTED 1 Microsoft Windows NT Windows logon process (winlogon) Andrew Buttner Andrew Buttner 2003-0806 INTERIM ACCEPTED Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code ACCEPTED 1 Microsoft Windows 2000 Windows logon process (winlogon) Andrew Buttner Andrew Buttner 2003-0806 INTERIM ACCEPTED Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code ACCEPTED 1 Microsoft Windows NT Enhanced Metafile (EMF) Windows Metafile (WMF) Andrew Buttner Andrew Buttner 2003-0906 INTERIM ACCEPTED Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1allows remote attackers to execute arbitrary code via a malformed WNF or EMF image ACCEPTED 1 Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Andrew Buttner Andrew Buttner Christine Walzer 2003-0533 cmp-66 added INTERIM ACCEPTED INTERIM ACCEPTED Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm ACCEPTED 2 Microsoft Windows XP Remote Procedure Call (RPC) Christine Walzer 2003-0813 INTERIM ACCEPTED A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CAN-2003-0352 (Blaster/Nachi), CAN-2003-0715, and CAN-2003-0528, and as demonstrated by certain exploits against those vulnerabilities ACCEPTED 1 Microsoft Windows Server 2003 COM Internet Services Christine Walzer 2005-0047 Added compound statement to include three platforms DRAFT INTERIM Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability. INTERIM 0 Microsoft Windows NT Private Communications Transport (PCT) Andrew Buttner Andrew Buttner 2003-0719 INTERIM ACCEPTED Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets ACCEPTED 1 Microsoft Windows Server 2003 Help and Support Center (HSC) Harvey Rubinovitz 2003-0907 Added a criterion to the configuration section to see if the HCP protocol is registered. INTERIM ACCEPTED Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe ACCEPTED 1 Microsoft Windows 2000 H.323 Jonathan Baker Jonathan Baker 2004-0117 INTERIM ACCEPTED Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code ACCEPTED 1 Microsoft Windows NT IIS 4.0 Christine Walzer 2001-0507 INTERIM ACCEPTED IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability ACCEPTED 1 Microsoft Windows NT Local Descriptor Table (LDT) Jonathan Baker Jonathan Baker 2003-0910 INTERIM ACCEPTED The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer 2001-0507 modified wft-305 - changed the version of msw3prt.dll to test against from 5.5.2195.3649 to 5.0.2195.3649 INTERIM ACCEPTED INTERIM ACCEPTED IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability ACCEPTED 2 Microsoft Windows NT IIS 4.0 Christine Walzer 1999-0278 INTERIM ACCEPTED In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL ACCEPTED 1 Microsoft Windows NT IIS 4.0 Christine Walzer 1999-0874 INTERIM ACCEPTED Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions ACCEPTED 1 Microsoft Windows Server 2003 Local Security Authority Subsystem Service (LSASS) Andrew Buttner Andrew Buttner 2003-0533 INTERIM ACCEPTED Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm ACCEPTED 1 Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5, Internet Explorer 5.5 Service Pack 1 Tiffany Bergeron 2001-0002 INTERIM ACCEPTED Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 Tiffany Bergeron Harvey Rubinovitz 2001-0727 Replaced IE cumulative patch IDs to correspond to the original IDs INTERIM ACCEPTED INTERIM ACCEPTED Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability. ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5 Tiffany Bergeron Harvey Rubinovitz 2003-0344 Replaced IE cumulative patch IDs to correspond to the original IDs INTERIM ACCEPTED INTERIM ACCEPTED Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 Tiffany Bergeron Harvey Rubinovitz 2002-0190 Replaced IE cumulative patch IDs to correspond to the original IDs INTERIM ACCEPTED INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability ACCEPTED 2 Microsoft Windows Server 2003 Microsoft ASN.1 Library David Proulx David Proulx 2004-0123 INTERIM ACCEPTED Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code ACCEPTED 1 Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 Tiffany Bergeron Harvey Rubinovitz 2002-0022 Replaced IE cumulative patch IDs to correspond to the original IDs INTERIM ACCEPTED INTERIM ACCEPTED Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer 5.5 Tiffany Bergeron Harvey Rubinovitz 2003-0113 Replaced IE cumulative patch IDs to correspond to the original IDs INTERIM ACCEPTED INTERIM ACCEPTED Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields ACCEPTED 2 Microsoft Windows 2000 IIS 5.0 Christine Walzer 2000-0778 INTERIM ACCEPTED IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability ACCEPTED 1 Microsoft Windows NT IIS 4.0 Christine Walzer Christine Walzer 2002-0869 INTERIM ACCEPTED Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation. ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer Christine Walzer 2002-0869 modified wft-330 - changed the version of msw3prt.dll to test against from 5.5.2195.58075 to 5.0.2195.5807 INTERIM ACCEPTED INTERIM ACCEPTED Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation. ACCEPTED 2 Microsoft Windows 2000 IIS 5.0 Christine Walzer Christine Walzer 2002-1180 modified wft-330 - changed the version of msw3prt.dll to test against from 5.5.2195.58075 to 5.0.2195.5807 INTERIM ACCEPTED INTERIM ACCEPTED A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability. ACCEPTED 2 Microsoft Windows NT IIS 4.0 Christine Walzer Christine Walzer 1999-0736 INTERIM ACCEPTED The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer Christine Walzer 2003-0226 INTERIM ACCEPTED Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer Christine Walzer 2003-0227 INTERIM ACCEPTED The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer Christine Walzer 2003-0349 INTERIM ACCEPTED Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer Christine Walzer 2002-1181 modified wft-330 - changed the version of msw3prt.dll to test against from 5.5.2195.58075 to 5.0.2195.5807 INTERIM ACCEPTED INTERIM ACCEPTED Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors ACCEPTED 2 Microsoft Windows NT IIS 4.0 Christine Walzer Christine Walzer 2002-1181 INTERIM ACCEPTED Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors ACCEPTED 1 Microsoft Windows Server 2003 H.323 Jonathan Baker Jonathan Baker 2004-0117 INTERIM ACCEPTED Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5 Tiffany Bergeron Harvey Rubinovitz 2003-0309 Replaced IE cumulative patch IDs to correspond to the original IDs INTERIM ACCEPTED INTERIM ACCEPTED Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability. ACCEPTED 2 Microsoft Windows 2000 Private Communications Transport (PCT) Andrew Buttner Andrew Buttner 2003-0719 INTERIM ACCEPTED Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets ACCEPTED 1 Microsoft Windows NT SNMP Christine Walzer 1999-0815 INTERIM ACCEPTED Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries ACCEPTED 1