4.2 20060614215423 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 3 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code. CVE-2002-0079 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 4 Microsoft Windows NT Windows Shell Matthew Burton Matthew Burton DRAFT INTERIM Matthew Burton ACCEPTED Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled. CVE-2002-0070 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Christine Walzer INTERIM ACCEPTED Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability. CVE-2002-0189 ACCEPTED 4 Microsoft Windows 2000 Distributed Component Object Model (DCOM) Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. CVE-2003-0715 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Andrew Buttner ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." CVE-2002-0147 ACCEPTED 4 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 3 Microsoft Windows NT FTP Tiffany Bergeron The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. CVE-2002-0073 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code. CVE-2002-0079 ACCEPTED 3 Microsoft Windows 2000 Network Connection Manager (NCM) Christine Walzer Christine Walzer INTERIM ACCEPTED A handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code. CVE-2002-0720 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Tiffany Bergeron Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. CVE-2002-0193 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise." CVE-2002-0364 ACCEPTED 4 Microsoft Windows 2000 SMTP Tiffany Bergeron Andrew Buttner SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 to cause a denial of service via a command with a malformed data transfer (BDAT) request. CVE-2002-0055 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 4 Microsoft Windows 2000 FTP Tiffany Bergeron The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. CVE-2002-0073 ACCEPTED 4 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0333 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Christine Walzer INTERIM ACCEPTED Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access. CVE-2002-0051 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. CVE-2002-0150 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. CVE-2000-0884 ACCEPTED 2 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. CVE-2002-0071 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session. CVE-2002-0074 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Christine Walzer INTERIM ACCEPTED The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality." CVE-2003-1328 ACCEPTED 3 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. CVE-2002-0075 ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron Christine Walzer INTERIM ACCEPTED The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference. CVE-2002-1561 ACCEPTED 2 Microsoft Windows NT Remote Access Service (RAS) Tiffany Bergeron Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. CVE-2002-0366 ACCEPTED 1 Microsoft Windows 2000 Remote Access Service (RAS) Tiffany Bergeron Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. CVE-2002-0366 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. CVE-2002-0018 ACCEPTED 4 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) David Proulx Christine Walzer INTERIM ACCEPTED Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. CVE-2003-0223 ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server 2000 Yi-Fang Koh ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account. CVE-2001-0344 ACCEPTED 2 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." CVE-2002-0147 ACCEPTED 3 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. CVE-2002-0367 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0333 ACCEPTED 3 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. CVE-2002-0148 ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Tiffany Bergeron Jonathan Baker INTERIM Ingrid Skoog ACCEPTED Christine Walzer INTERIM ACCEPTED Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs. CVE-2001-0509 ACCEPTED 3 Microsoft Windows 2000 Microsoft SQL Server Yi-Fang Koh Ingrid Skoog INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CVE-2001-0879. CVE-2001-0542 ACCEPTED 3 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0013 ACCEPTED 1 Microsoft Windows 2000 Multiple UNC Provider (MUP) Tiffany Bergeron Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. CVE-2002-0151 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron INTERIM Ingrid Skoog ACCEPTED IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. CVE-2001-0151 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Harvey Rubinovitz Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. CVE-2002-0148 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. CVE-2002-0149 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability. CVE-2002-0078 ACCEPTED 5 Microsoft Windows 2000 Microsoft Internet Explorer David Proulx Christine Walzer INTERIM ACCEPTED Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response. CVE-2002-0371 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. CVE-2002-0193 ACCEPTED 5 Microsoft Windows NT Locator service Tiffany Bergeron Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information. CVE-2003-0003 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0. CVE-2003-0109 ACCEPTED 2 Microsoft Windows 2000 ISA Server 2000 Tiffany Bergeron ACCEPTED Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found." CVE-2003-0526 ACCEPTED 1 Microsoft Windows 2000 SMB (Server Message Block) Tiffany Bergeron ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. CVE-2003-0345 ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments. CVE-2002-0154 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page. CVE-2003-0809 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 3 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715. CVE-2003-0528 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. CVE-2002-0071 ACCEPTED 3 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. CVE-2002-0149 ACCEPTED 3 Microsoft Windows 2000 Windows Script Engine for Jscript DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. CVE-2003-0010 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Virtual Machine (VM) Tiffany Bergeron INTERIM ACCEPTED The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise." CVE-2003-0111 ACCEPTED 1 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. CVE-2002-0150 ACCEPTED 3 Microsoft Windows NT Simple Network Management Protocol (SNMP) Matt Busby INTERIM ACCEPTED The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0046 ACCEPTED 1 Microsoft Windows NT Microsoft Transaction Server (MTS) Matt Busby INTERIM ACCEPTED The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0047 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Tiffany Bergeron Andrew Buttner ACCEPTED HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly. CVE-2001-0154 ACCEPTED 2 Microsoft Windows NT Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure." CVE-2002-1186 ACCEPTED 2 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0012 ACCEPTED 1 Microsoft Windows NT Multiple UNC Provider (MUP) Tiffany Bergeron Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. CVE-2002-0151 ACCEPTED 1 Microsoft Windows NT SMB (Server Message Block) Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. CVE-2003-0345 ACCEPTED 2 Microsoft Windows 2000 Windows Shell Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled. CVE-2002-0070 ACCEPTED 2 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. CVE-2002-0367 ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. CVE-2002-0018 ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0012 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Outlook Express Ingrid Skoog DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. CVE-2005-1213 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 2 Microsoft Windows NT Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise." CVE-2002-0364 ACCEPTED 3 Microsoft Windows XP Authenticode Tiffany Bergeron Andrew Buttner Andrew Buttner ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval. CVE-2003-0660 ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2000 Christine Walzer Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document. CVE-2003-0664 ACCEPTED 2 Microsoft Windows 2000 SMB (Server Message Block) Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service". CVE-2002-0724 ACCEPTED 2 Microsoft Windows 2000 Certificate Enrollment Control Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the Certificate Enrollment ActiveX Control in Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000, and Windows XP allow remote attackers to delete digital certificates on a user's system via HTML. CVE-2002-0699 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability. CVE-2000-0886 ACCEPTED 3 Microsoft Windows NT Remote Procedure Call (RPC) Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. CVE-2003-0352 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron Tiffany Bergeron ACCEPTED Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red. CVE-2001-0500 ACCEPTED 3 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron ACCEPTED The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval. CVE-2003-0660 ACCEPTED 1 Microsoft Windows 2000 Remote Data Protocol (RDP) Tiffany Bergeron Christine Walzer INTERIM ACCEPTED Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol." CVE-2002-0863 ACCEPTED 3 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Windows Script Engine for JScript v5.6 Tiffany Bergeron David Proulx David Proulx ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. CVE-2003-0010 ACCEPTED 3 Microsoft Windows XP Windows XP Tiffany Bergeron Andrew Buttner ACCEPTED Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM INTERIM ACCEPTED Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application. CVE-2003-0659 ACCEPTED 3 Microsoft Windows 2000 Microsoft Word 2000 Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word and Excel allow remote attackers to steal sensitive information via certain field codes that insert the information when the document is returned to the attacker, as demonstrated in Word using (1) INCLUDETEXT or (2) INCLUDEPICTURE, aka "Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure." CVE-2002-1143 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource. CVE-2002-1187 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Andrew Buttner ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CVE-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe). CVE-2003-0838 ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2000 Ingrid Skoog Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to. CVE-2002-1056 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer Tiffany Bergeron DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. CVE-2004-0549 ACCEPTED 3 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Tiffany Bergeron Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available. CVE-2002-0053 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Harvey Rubinovitz Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. CVE-2002-0075 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 1 Microsoft Windows 2000 Messenger Service Christine Walzer ACCEPTED Andrew Buttner ACCEPTED The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0717 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Ingrid Skoog DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 2 Microsoft Windows 2000 Help and Support Center (HSC) Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL. CVE-2003-0711 ACCEPTED 3 Microsoft Windows NT DirectX Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow. CVE-2003-0346 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource. CVE-2002-1187 ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server Tiffany Bergeron Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM Ingrid Skoog ACCEPTED Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1081 ACCEPTED 3 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Jonathan Baker INTERIM ACCEPTED INTERIM Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local users go gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability. CVE-2003-0230 ACCEPTED 4 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Andrew Buttner ACCEPTED Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML document with a long argument to the RunQuery2 method. CVE-2003-0662 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Tiffany Bergeron DRAFT INTERIM ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. CVE-2004-0549 ACCEPTED 1 Microsoft Windows Server 2003 Network News Transport Protocol (NNTP) Christine Walzer DRAFT INTERIM ACCEPTED The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. CVE-2004-0574 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Yi-Fang Koh Format string vulnerability in the C runtime functions in SQL Server 7.0 and 2000 allows attackers to cause a denial of service. CVE-2001-0879 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CVE-2005-1211 ACCEPTED 1 Microsoft Windows Server 2003 SMB (Server Message Block) Jonathan Baker DRAFT INTERIM ACCEPTED Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability." CVE-2005-1206 ACCEPTED 1 Microsoft Windows 2000 Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. CVE-2003-0715 ACCEPTED 1 Microsoft Windows XP Client Server Runtime System (CSRSS) Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. CVE-2005-0551 ACCEPTED 1 Microsoft Windows XP Windows XP Tiffany Bergeron Andrew Buttner ACCEPTED Christine Walzer INTERIM ACCEPTED The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0717 ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in SQL Server 7.0 and 2000 allows remote attackers to execute arbitrary code via a long OLE DB provider name to (1) OpenDataSource or (2) OpenRowset in an ad hoc connection. CVE-2002-0056 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions. CVE-2002-1217 ACCEPTED 2 Microsoft Windows 2000 SMB Signing (Server Message Block) Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED The SMB signing capability in the Server Message Block (SMB) protocol in Microsoft Windows 2000 and Windows XP allows attackers to disable the digital signing settings in an SMB session to force the data to be sent unsigned, then inject data into the session without detection, e.g. by modifying group policy information sent from a domain controller. CVE-2002-1256 ACCEPTED 2 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron ACCEPTED Microsoft Windows Media Player versions 6.4 and 7.1 and Media Player for Windows XP allow remote attackers to bypass Internet Explorer's (IE) security mechanisms and run code via an executable .wma media file with a license installation requirement stored in the IE cache, aka the "Cache Path Disclosure via Windows Media Player". CVE-2002-0372 ACCEPTED 1 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron ACCEPTED Buffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via a malformed Advanced Streaming Format (ASF) file. CVE-2001-0719 ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the password encryption function of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows remote attackers to gain control of the database and execute arbitrary code via SQL Server Authentication, aka "Unchecked Buffer in Password Encryption Procedure." CVE-2002-0624 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 MDAC 2.6 Ingrid Skoog DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub. CVE-2002-1142 ACCEPTED 2 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron ACCEPTED Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. CVE-2003-0352 ACCEPTED 1 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz INTERIM ACCEPTED Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0013 ACCEPTED 2 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Jonathan Baker INTERIM ACCEPTED Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe. CVE-2003-0231 ACCEPTED 4 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Jonathan Baker INTERIM ACCEPTED Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow. CVE-2003-0232 ACCEPTED 4 Microsoft Windows 2000 Microsoft Internet Explorer Ingrid Skoog DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 1 Microsoft Windows 2000 Microsoft FrontPage Server Extensions 2000 Tiffany Bergeron Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 ACCEPTED 2 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Buffer overflow in bulk insert procedure of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows attackers with database administration privileges to execute arbitrary code via a long filename in the BULK INSERT query. CVE-2002-0641 ACCEPTED 2 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron INTERIM ACCEPTED The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method. CVE-2003-0525 ACCEPTED 2 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron ACCEPTED Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location. CVE-2003-0228 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Ingrid Skoog DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 1 Microsoft Windows XP Microsoft Color Management Module Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. CVE-2005-1219 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Workstation Service Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. CVE-2003-0812 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions. CVE-2002-1217 ACCEPTED 1 Microsoft Windows 2000 Network News Transport Protocol (NNTP) Christine Walzer ACCEPTED Memory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed posts. CVE-2001-0543 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2000 Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0820 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron ACCEPTED Christine Walzer INTERIM ACCEPTED INTERIM Christine Walzer INTERIM ACCEPTED Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application. CVE-2003-0659 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Microsoft Windows XP Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0822 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0822 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0822 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron Christine Walzer INTERIM ACCEPTED The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page. CVE-2003-0225 ACCEPTED 2 Microsoft Windows 2000 HTML Help ActiveX Control Christine Walzer Andrew Buttner ACCEPTED Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function. CVE-2002-0693 ACCEPTED 1 Microsoft Windows Server 2003 HTML Help Facility Andrew Buttner DRAFT INTERIM ACCEPTED Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer. CVE-2005-1208 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods." CVE-2002-1254 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability". CVE-2005-1988 ACCEPTED 2 Microsoft Windows XP Microsoft Internet Explorer Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure." CVE-2002-1185 ACCEPTED 2 Microsoft Windows NT Simple Network Management Protocol (SNMP) Matt Busby Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available. CVE-2002-0053 ACCEPTED 1 Microsoft Windows 2000 HTML Help Facility Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File." CVE-2002-0694 ACCEPTED 2 Microsoft Windows 2000 ISA Server 2000 Tiffany Bergeron ACCEPTED The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745. CVE-2003-0110 ACCEPTED 0 Microsoft Windows Server 2003 Windows Shell Harvey Rubinovitz DRAFT INTERIM ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods." CVE-2002-1254 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2003 Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. CVE-2004-0963 ACCEPTED 1 Microsoft Windows 2000 Telnet protocol Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in telnet server in Windows 2000 and Interix 2.2 allows remote attackers to execute arbitrary code via malformed protocol options. CVE-2002-0020 ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2002 Ingrid Skoog DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to. CVE-2002-1056 ACCEPTED 2 Microsoft Windows XP Microsoft Color Management Module Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. CVE-2005-1219 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading." CVE-2002-1188 ACCEPTED 2 Microsoft Windows XP Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 1 Microsoft Windows 2000 Utilities Manager/Windows Messaging Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function. CVE-2003-0350 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 2 Microsoft Windows 2000 HTML Help Facility Andrew Buttner DRAFT INTERIM ACCEPTED Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer. CVE-2005-1208 ACCEPTED 1 Microsoft Windows 2000 Small Business Server 2000 Jonathan Baker DRAFT INTERIM ACCEPTED Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability." CVE-2005-1206 ACCEPTED 1 Microsoft Windows 2000 ISA Server 2000 Christine Walzer DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Microsoft ISA Server 2000 allows remote attackers to connect to services utilizing the NetBIOS protocol via a NetBIOS connection with an ISA Server that uses the NetBIOS (all) predefined packet filter. CVE-2005-1216 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure." CVE-2002-1186 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server Andrew Buttner INTERIM ACCEPTED Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed. CVE-2003-0904 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Internet Security and Acceleration Server 2000 David Proulx INTERIM ACCEPTED Buffer overflow in the H.323 filter of Microsoft Internet Security and Acceleration Server 2000 allows remote attackers to execute arbitrary code in the Microsoft Firewall Service via certain H.323 traffic, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CVE-2003-0819 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Tiffany Bergeron ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun." CVE-2003-0224 ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server 2000 Matthew Burton Matthew Burton Matthew Burton DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension." CVE-2002-0186 ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server 2000 Matthew Burton Matthew Burton DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension." CVE-2002-0186 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron ACCEPTED The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. CVE-2003-0605 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure." CVE-2002-1186 ACCEPTED 1 Microsoft Windows NT Remote Access Service (RAS) Matt Busby INTERIM ACCEPTED The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0045 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer Ingrid Skoog DRAFT INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Ingrid Skoog DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer Andrew Buttner DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 3 Microsoft Windows XP Microsoft Internet Explorer Tiffany Bergeron DRAFT INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. CVE-2004-0549 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Compnents 2.5 Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. CVE-2003-0903 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Harvey Rubinovitz ACCEPTED Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure." CVE-2002-1185 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Microsoft Windows 2000 MSDTC Robert L. Hollis DRAFT INTERIM ACCEPTED The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer. CVE-2005-2119 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Compnents 2.6 Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. CVE-2003-0903 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 2 Microsoft Windows XP Windows Shell Harvey Rubinovitz DRAFT INTERIM ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Workstation Service Tiffany Bergeron ACCEPTED Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. CVE-2003-0812 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. CVE-2005-1978 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. CVE-2005-1987 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Virtual Machine (VM) Tiffany Bergeron INTERIM ACCEPTED Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error. CVE-2002-1258 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. CVE-2005-2871 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 97 Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Ingrid Skoog Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0820 INTERIM 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 98 Andrew Buttner INTERIM ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0820 ACCEPTED 1 Microsoft Windows Server 2003 Windows Shell Harvey Rubinovitz DRAFT INTERIM ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 2 Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP MSN Messenger Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis ACCEPTED Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. CVE-2004-0597 ACCEPTED 3 Microsoft Windows Server 2003 Services for UNIX Jonathan Baker DRAFT INTERIM ACCEPTED The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. CVE-2005-1205 ACCEPTED 1 Microsoft Windows XP Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Internet Explorer Harvey Rubinovitz DRAFT INTERIM ACCEPTED The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. CVE-2002-0648 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. CVE-2006-0002 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 INTERIM 1 Microsoft Windows Server 2003 Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. CVE-2003-0821 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 2 Microsoft Windows NT MDAC 2.8 Ingrid Skoog DRAFT INTERIM ACCEPTED The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability." CVE-2005-0050 ACCEPTED 1 Microsoft Windows 2000 Microsoft ASN.1 Library Andrew Buttner INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. CVE-2003-0818 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2002 Andrew Buttner