Version: 5.1
Generated: 2007-01-29T13:01:55.549-05:00
Source: The MITRE Corporation

Title: IE6 Script Execution Vulnerability (Win2K/XP,SP1)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: IE .chm Directory Traversal Windows NT Vulnerability
Platforms: Microsoft Windows NT
Product: HTML Help Facility
Description: Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; Robert L. Hollis; INTERIM

Title: Microsoft Client Service for NetWare Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: IE5.01,SP4 Web Folder Behaviors Cross-Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: MS Outlook Argument Injection Local Vulnerability
Platforms: Microsoft Windows 95
Product: Microsoft Outlook
Description: Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: MS Windows Media Service Denial of Service
Platforms: Microsoft Windows 2000
Product: Windows Media Services
Description: Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets.
Contributors/status: Tiffany Bergeron; INTERIM; John Hoyland; INTERIM; John Hoyland; INTERIM

Title: Address Bar Spoofing on Double Byte Character Set Systems Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: Outlook Express 6 (S03-Gold) WAB Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Outlook Express
Description: Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; Anna Min; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; INTERIM

Title: IE v6.0, SP1 HijackClick 3 / Script in Image Tag File Download Vulnerability
Platforms: Microsoft Windows ME
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 (Server 2003) Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE6 Double Byte Character Parsing Memory Corruption (Win2K/WinXP)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability."
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: IE v6.0 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; John Hoyland; INTERIM; INTERIM

Title: IE6:Server 2003 Web Folder Behaviors Cross-Domain Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: URL Parsing Memory Corruption Vulnerability (IE6,SP1)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Jason Spashett; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP3 Install Engine Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE6 for Server 2003 PNG Image Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
Contributors/status: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE5.01,SP4 File Disclosure via Redirects Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0 Drag-and-Drop Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; John Hoyland; INTERIM; INTERIM

Title: IE v6.0 Install Engine Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; John Hoyland; INTERIM; INTERIM

Title: IE6,SP1 PNG Image Buffer Overflow
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
Contributors/status: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: MS FrontPage Server Extensions SmartHTML Denial of Service (Test 5)
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft SharePoint Team Services
Description: Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; INTERIM

Title: IE v5.01,SP3 SSL Cached Content Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: Script Error Handling Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 6 allows remote attackers to execute arbitrary code by using JavaScript to cause certain errors simultaneously, which results in the access of previously freed memory, aka "Script Error Handling Memory Corruption Vulnerability."
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; Matthew Wojcik; INTERIM

Title: IE v6.0,SP2 for Server 2003 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; John Hoyland; INTERIM

Title: Redirect Cross-Domain Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, aka "Redirect Cross-Domain Information Disclosure Vulnerability."
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: Win2K/XP,SP1 IE Mismatched Document Object Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
Contributors/status: Robert L. Hollis; DRAFT; Robert L. Hollis; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 Plug-in Navigation Address Bar Spoofing Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 and 6 does not properly handle uninitialized COM objects, which allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code, as demonstrated by the Nth function in the DirectAnimation.DATuple ActiveX control, aka "COM Object Instantiation Memory Corruption Vulnerability."
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: Flash Improper Memory Access Arbitrary Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Flash Player
Description: Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 allows remote attackers to execute arbitrary commands via a malformed .swf file that results in "multiple improper memory access" errors.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: IE v5.01,SP3 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE6,SP1 Web Folder Behaviors Cross-Domain Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP4 Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: Solaris 7 admintool Local Buffer Overflow
Platforms: Sun Solaris 7
Product: Admintool
Description: Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.
Contributors/status: David Proulx; Matthew Wojcik; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: MS Excel 97 Malicious Macro Security Bypass Vulnerability
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel 97
Description: Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; Matthew Wojcik; INTERIM

Title: EMF Rendering Denial of Service Vulnerability (64-bit Windows XP and Server 2003,Unpatched)
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; INTERIM

Title: Solaris 8 admintool Local Buffer Overflow
Platforms: Sun Solaris 8
Product: Admintool
Description: Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.
Contributors/status: David Proulx; Matthew Wojcik; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: Windows Media Format ASX Parsing Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Windows Media Player
Description: Heap-based buffer overflow in the WMCheckURLScheme function in WMVCORE.DLL in Microsoft Windows Media Player (WMP) 10.00.00.4036 on Windows XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a long HREF attribute, using an unrecognized protocol, in a REF element in an ASX PlayList file.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: lpsched Local System Corruption Vulnerability
Platforms: Sun Solaris 8; Sun Solaris 9; Sun Solaris 10
Product: Operating System
Description: Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: IE v5.01,SP4 Install Engine Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: Windows (ME, NT, 2K, XP), IE v6,SP1 CSS Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP3 Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 for Server 2003 Plug-in Navigation Address Bar Spoofing Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP2 Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 (Server 2003) Function Pointer Drag and Drop Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 (Server 2003) Drag-and-Drop Code Execution Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: MS FrontPage Server Extensions SmartHTML Denial of Service (Test 4)
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft FrontPage Server Extensions 2002
Description: Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; INTERIM

Title: IE6 for Server 2003 File Disclosure via Redirects Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: Workstation Service Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Operating System
Description: Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: IE v5.01, SP4 HijackClick 3 / Script in Image Tag File Download Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: Solaris 8 AdminTool Media Installation Path Buffer Overflow
Platforms: Sun Solaris 8
Product: Admintool
Description: Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.
Contributors/status: David Proulx; Matthew Wojcik; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: IE v6.0,SP1 (Server 2003) HijackClick Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.
Contributors/status: Andrew Buttner; Andrew Buttner; Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: MSHTA Code Execution Vulnerability (64-bit Server 2003 and XP Version 2003)
Platforms: Microsoft Windows Server 2003
Product: Windows Shell
Description: The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; INTERIM

Title: MS Word 98 Macro Names Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 98
Description: Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; INTERIM

Title: MS Word 97 Macro Names Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 97
Description: Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; Ingrid Skoog; INTERIM

Title: Source Element Cross-Domain Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 and 6 does not properly identify the originating domain zone when handling redirects, which allows remote attackers to read cross-domain web pages and possibly execute code via unspecified vectors involving a crafted web page, aka "Source Element Cross-Domain Vulnerability."
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; INTERIM

Title: IE v6.0,SP1 SSL Cached Content Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 (Server 2003) Zone Restrictions Bypass via XML Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.
Contributors/status: Andrew Buttner; Andrew Buttner; Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0 for 2003, SP3 HijackClick 3 / Script in Image Tag File Download Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: File Manifest Corruption Vulnerability
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: The Client-Server Run-time Subsystem in Microsoft Windows XP SP2 and Server 2003 allows local users to gain privileges via a crafted file manifest within an application, aka "File Manifest Corruption Vulnerability."
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: IE v6.0,SP1 Zone Restrictions Bypass via XML Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.
Contributors/status: Andrew Buttner; Andrew Buttner; Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP4 Zone Restrictions Bypass via XML Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.
Contributors/status: Andrew Buttner; Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: Excel-Flash Arbitrary Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Flash Player
Description: Microsoft Excel allows user-assisted attackers to execute arbitrary javascript and redirect users to arbitrary sites via an Excel spreadsheet with an embedded Shockwave Flash Player ActiveX Object, which is automatically executed when the user opens the spreadsheet.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Windows Media Format ASF Parsing Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Windows Media Player
Description: Buffer overflow in the Windows Media Format Runtime in Microsoft Windows Media Player (WMP) 6.4 and Windows XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted Advanced Systems Format (ASF) file.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: IE v6.0,SP1 Function Pointer Drag and Drop Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 Install Engine Buffer Overflow
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 (Server 2003) Install Engine Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP4 Function Pointer Drag and Drop Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP3 Function Pointer Drag and Drop Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP2 Function Pointer Drag and Drop Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 (Server 2003) Improper URL Canonicalization Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v5.01,SP3 Zone Restrictions Bypass via XML Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.
Contributors/status: Andrew Buttner; Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; INTERIM

Title: IE v6.0,SP1 (Server 2003) Malformed GIF Image Double-free Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
Contributors/status: Andrew Buttner; DRAFT; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Robert L.
HollisINTERIMINTERIMIE v5.01, SP4 SSL Cached Content VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.Harvey RubinovitzDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE v5.01,SP2 Bitmap Integer Overflow VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.Ingrid SkoogDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE v6.0,SP1 Improper URL Canonicalization VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE v5.01,SP4 Improper URL Canonicalization VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMIE v5.01,SP4 Malformed GIF Image Double-free VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE v5.01,SP2 Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMVulnerability in NNTP Could Allow Remote Code ExecutionMicrosoft Windows Server 2003Network News Transport Protocol (NNTP)The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.Christine WalzerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMINTERIMHTML Rendering Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet ExplorerMicrosoft Internet Explorer 5.01 SP4 and 6 does not properly handle various HTML layout component combinations, which allows user-assisted remote attackers to execute arbitrary code via a crafted HTML file that leads to memory corruption, aka "HTML Rendering Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMIE v5.01 GetObject File RetrievalMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.David ProulxRobert L. HollisINTERIMRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisINTERIMCSS Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet ExplorerMicrosoft Internet Explorer 5 SP4 and 6 do not properly garbage collect when "multiple imports are used on a styleSheets collection" to construct a chain of Cascading Style Sheets (CSS), which allows remote attackers to execute arbitrary code via unspecified vectors.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIM.NET Framework v1.0 Security BypassMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003.NET FrameworkThe Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDJohn HoylandINTERIMMatthew WojcikDaniel TarnuINTERIMDHTML Object Memory Corruption Vulnerability (IE5.01,SP4)Microsoft Windows 2000Microsoft Internet ExplorerRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMIE5.01,SP4 Channel Definition Format Cross Domain VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. HollisINTERIMINTERIMIE v5.01,SP3 Improper URL Canonicalization VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE v5.01,SP2 Improper URL Canonicalization VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE v5.01 Improper Cross Domain Security Validation with Dialog BoxMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."David ProulxRobert L. HollisINTERIMRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. 
HollisINTERIMDHTML Object Memory Corruption Vulnerability (IE5.01,SP3)Microsoft Windows 2000Microsoft Internet ExplorerRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE5.01,SP4 Drag-and-Drop VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. HollisINTERIMINTERIMSolaris 7 AdminTool Media Installation Path Buffer OverflowSun Solaris 7AdmintoolBuffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.David ProulxMatthew WojcikMatthew WojcikMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMMS Internet Security and Acceleration Server H.323 Buffer OverflowMicrosoft Windows 2000Microsoft Windows Server 2003Microsoft Internet Security and Acceleration Server 2000Buffer overflow in the H.323 filter of Microsoft Internet Security and Acceleration Server 2000 allows remote attackers to execute arbitrary code in the Microsoft Firewall Service via certain H.323 traffic, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.David ProulxINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMMS Exchange / OWA NTLM Authentication VulnerabilityMicrosoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange ServerMicrosoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 
6.0, e.g. when SharePoint Services 2.0 is installed.Andrew ButtnerINTERIMACCEPTEDJohn HoylandINTERIMINTERIMIE AbusiveParent Vulnerability (64-bit Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerThe DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMINTERIMHyperTerminal Session File Vulnerability (Windows 2000)Microsoft Windows 2000HyperTerminalHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDJohn HoylandINTERIMDaniel TarnuINTERIMIE v5.01 Encoded Characters Information Disclosure VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure."Harvey RubinovitzACCEPTEDRobert L. HollisINTERIMRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. 
HollisINTERIMIE v5.01,SP4 Similar Method Name Redirection Cross Domain VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMSolaris 8 whodo Buffer Overflow VulnerabilitySun Solaris 8whodoBuffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.David ProulxMatthew WojcikINTERIMMatthew WojcikMatthew WojcikMatthew WojcikINTERIMIE6 (for Server 2003) Content Advisor Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerBuffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDRobert L. HollisINTERIMJohn HoylandINTERIMFTP Server Command Injection VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet ExplorerMicrosoft Internet Explorer 6.0.2800.1106 and earlier allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.Robert L. 
HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMIE v6.0,SP1 (Server 2003) Script URLs Cross Domain Zone Restrictions BypassMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMHTML Rendering Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via crafted layout combinations involving DIV tags and HTML CSS float properties that trigger memory corruption, aka "HTML Rendering Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMINTERIMHyperTerminal Session File Vulnerability (Terminal Server)Microsoft Windows NTHyperTerminalHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDJohn HoylandINTERIMDaniel TarnuINTERIMWindows XP Message Queuing Buffer OverflowMicrosoft Windows XPMessage QueuingBuffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.Ingrid SkoogDRAFTINTERIMACCEPTEDJohn HoylandINTERIMINTERIMDirectAnimation ActiveX Controls Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerHeap-based buffer overflow in DirectAnimation.PathControl COM object (daxctle.ocx) in Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a Spline function call whose first argument specifies a large number of points.Robert L. HollisDRAFTINTERIMINTERIMIE v5.01, SP3 HijackClick 3 / Script in Image Tag File Download VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMHTML Layout and Positioning Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet ExplorerMicrosoft Internet Explorer 6 allows remote attackers to execute arbitrary code by using the document.getElementByID Javascript function to access crafted Cascading Style Sheet (CSS) elements, and possibly other unspecified vectors involving certain layout positioning combinations in an HTML file.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMMalformed, Compressed .swf File Arbitrary Code Execution VulnerabilityMicrosoft Windows XPFlash PlayerUnspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 allows remote attackers to cause a denial of service (browser crash) via a malformed, compressed .swf file, a different issue than CVE-2006-3587.Robert L. HollisDRAFTINTERIMINTERIMGDI+ JPEG Parsing Engine Buffer Overflow (VS.NET 2002)Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visual Studio .NET 2002Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDJohn HoylandINTERIMACCEPTEDJohn HoylandINTERIMINTERIMMS Outlook (Word 2002) RTF/HTML Script Execution VulnerabilityMicrosoft Windows 2000Microsoft Word 2002Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.Ingrid SkoogDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMGDI+ JPEG Parsing Engine Buffer Overflow (IE6)Microsoft Windows 2000Microsoft Internet ExplorerBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. HollisINTERIMINTERIM.NET 2.0 Application Folder Information Disclosure VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003.NET FrameworkMicrosoft .NET framework 2.0 (ASP.NET) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1 allows remote attackers to bypass access restrictions via unspecified "URL paths" that can access Application Folder objects "explicitly by name."Robert L. 
HollisINTERIMACCEPTEDJohn HoylandINTERIMINTERIMWindows XP, IE v6.0 CSS Heap Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMINTERIMIE v6.0,SP1 Script URLs Cross Domain Zone Restrictions BypassMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMIE v5.01,SP4 Drag-and-Drop Code Execution VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMMicrosoft Client Service for NetWare Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003NetWareUnspecified vulnerability in the driver for the Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to cause a denial of service (hang and reboot) via has unknown attack vectors, aka "NetWare Driver Denial of Service Vulnerability."Robert L. HollisDRAFTINTERIMINTERIMMSHTA Code Execution Vulnerability (32-bit Server 2003)Microsoft Windows Server 2003Windows ShellThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.Harvey RubinovitzDRAFTINTERIMACCEPTEDJohn HoylandINTERIMINTERIMMicrosoft Client Service for NetWare Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003NetWareBuffer overflow in Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via crafted messages, aka "Client Service for NetWare Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMINTERIMHyperTerminal Session File Vulnerability (NT 4.0)Microsoft Windows NTHyperTerminalHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDJohn HoylandINTERIMACCEPTEDJohn HoylandINTERIMDaniel TarnuINTERIMIE v5.01, SP3 Plug-in Navigation Address Bar Spoofing VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMSWF Movie Arbitrary Code Execution VulnerabilityMicrosoft Windows XPFlash PlayerBuffer overflow in Adobe Flash Player 8.0.24.0 and earlier, Flash Professional 8, Flash MX 2004, and Flex 1.5 allows user-assisted remote attackers to execute arbitrary code via a long, dynamically created string in a SWF movie.Robert L. HollisDRAFTINTERIMINTERIMIE6,SP1 Content Advisor Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerBuffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDJason SpashettINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMIE5.01,SP4 DHTML Method Heap Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. HollisINTERIMINTERIMIE5.01,SP4 JPEG Image Rendering Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerUnknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. HollisINTERIMINTERIMIE v6.0,SP1 (Server 2003) SSL Cached Content VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDRobert L. 
Hollis, INTERIM, INTERIM

IE AbusiveParent Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.
History: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, Andrew Buttner, ACCEPTED, John Hoyland, INTERIM, INTERIM

URL Parsing Memory Corruption Vulnerability (IE6 for XP,SP2)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

DHTML Object Memory Corruption Vulnerability (IE6,SP1)
Platforms: Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Jason Spashett, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

RIS Writable Path Vulnerability
Platforms: Microsoft Windows 2000
Product: Operating System
Description: The Remote Installation Service (RIS) in Microsoft Windows 2000 SP4 uses a TFTP server that allows anonymous access, which allows remote attackers to upload and overwrite arbitrary files to gain privileges on systems that use RIS.
History: Robert L. Hollis, DRAFT, INTERIM, INTERIM

IE v6.0,SP1 HijackClick Vulnerability
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP4 HijackClick Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP3 HijackClick Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP2 HijackClick Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP4 Script URLs Cross Domain Zone Restrictions Bypass
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP3 Script URLs Cross Domain Zone Restrictions Bypass
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP2 Script URLs Cross Domain Zone Restrictions Bypass
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v6.0,SP1 (Server 2003) Function Pointer Override Cross Domain Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Harvey Rubinovitz, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE6.0,SP1 Security Zone Restriction Bypass Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v6.0,SP1 Function Pointer Override Cross Domain Vulnerability
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

.NET Framework v1.1 Security Bypass
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003
Product: MDAC 2.7
Description: The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."
History: Matthew Burton, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

IE v5.01,SP4 Function Pointer Override Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP3 Function Pointer Override Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP2 Function Pointer Override Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v6.0,SP1 (Server 2003) ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Harvey Rubinovitz, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

SunOS 5.9: ufs and fsck patch
Platforms: Sun Solaris 9
Product: Solaris Volume Manager (SVM)
Description: The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, INTERIM, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, Matthew Wojcik, INTERIM

IE AbusiveParent Vulnerability (32-bit XP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.
History: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

MSHTA Code Execution Vulnerability (32-bit XP,SP1)
Platforms: Microsoft Windows XP
Product: Windows Shell
Description: The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

IE v6.0,SP1 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP4 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP3 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Solaris 7 whodo Buffer Overflow Vulnerability
Platforms: Sun Solaris 7
Product: whodo
Description: Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.
History: David Proulx, Matthew Wojcik, INTERIM, Matthew Wojcik, Matthew Wojcik, Matthew Wojcik, INTERIM

Outlook Express v6.0 (WinXP) Malformed Email Header Denial of Service
Platforms: Microsoft Windows XP
Product: Microsoft Outlook Express
Description: Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.
History: Jonathan Baker, DRAFT, INTERIM, Christine Walzer, ACCEPTED, Daniel Tarnu, INTERIM, INTERIM

Windows Server 2003, IE v6,SP1 CSS Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Harvey Rubinovitz, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

TIF Folder Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 6 and earlier allows remote attackers to read Temporary Internet Files (TIF) and obtain sensitive information via unspecified vectors involving certain drag and drop operations, aka "TIF Folder Information Disclosure Vulnerability," and a different issue than CVE-2006-5577.
History: Robert L. Hollis, DRAFT, INTERIM, Matthew Wojcik, INTERIM

IE v5.01,SP2 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
History: Andrew Buttner, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE6,SP1 Channel Definition Format Cross Domain Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Server 2003 Hyperlink Object Library Unchecked Buffer Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Hyperlink Object Library
Description: The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, Andrew Buttner, INTERIM, Andrew Buttner, INTERIM

Windows NT HtmlHelp Heap Overflow
Platforms: Microsoft Windows NT
Product: HTML Help Facility
Description: Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.
History: Andrew Buttner, INTERIM, ACCEPTED, Harvey Rubinovitz, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, Robert L. Hollis, INTERIM

IE6 (for XP,SP2) Content Advisor Memory Corruption Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

HyperTerminal Session File Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: HyperTerminal
Description: HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
History: Harvey Rubinovitz, DRAFT, Harvey Rubinovitz, Harvey Rubinovitz, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

IE6 DHTML Method Heap Memory Corruption Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, Harvey Rubinovitz, Harvey Rubinovitz, Harvey Rubinovitz, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

TIF Folder Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 6 and earlier allows remote attackers to obtain sensitive information via unspecified uses of the OBJECT HTML tag, which discloses the absolute path of the corresponding TIF folder, aka "TIF Folder Information Disclosure Vulnerability," and a different issue than CVE-2006-5578.
History: Robert L. Hollis, DRAFT, INTERIM, Matthew Wojcik, INTERIM

DHTML Object Memory Corruption Vulnerability (IE6 for Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, John Hoyland, INTERIM

IE6 for Server 2003 Security Zone Restriction Bypass Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, Harvey Rubinovitz, Harvey Rubinovitz, Harvey Rubinovitz, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP3 Bitmap Integer Overflow Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.
History: Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

SQL Server LPC Port Buffer Overflow
Platforms: Microsoft Windows 2000
Product: SQL Server 2000
Description: Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow.
History: Yi-Fang Koh, Jonathan Baker, INTERIM, ACCEPTED, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, INTERIM, ACCEPTED, Christine Walzer, Christine Walzer, Christine Walzer, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, Matthew Wojcik, Matthew Wojcik, Matthew Wojcik, INTERIM

IE5.01,SP3 Drag-and-Drop Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

SQL Server Named Pipe Denial of Service
Platforms: Microsoft Windows 2000
Product: SQL Server 2000
Description: Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe.
History: Yi-Fang Koh, Jonathan Baker, INTERIM, ACCEPTED, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, INTERIM, ACCEPTED, Christine Walzer, Christine Walzer, Christine Walzer, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, Matthew Wojcik, Matthew Wojcik, Matthew Wojcik, INTERIM

Windows 2000, IE v5.01 CSS Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Microsoft Visual Studio 2005 is installed.
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: Microsoft Visual Studio 2005 is installed.
History: Robert L. Hollis, DRAFT, INTERIM, INTERIM

WMI Object Broker Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Visual Studio
Description: Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2) ActiveX control (WmiScriptUtils.dll) in Microsoft Visual Studio 2005 allows remote attackers to bypass Internet zone restrictions and execute arbitrary code by instantiating dangerous objects, aka "WMI Object Broker Vulnerability."
History: Robert L. Hollis, DRAFT, INTERIM, INTERIM

IE for Server 2003 Channel Definition Format Cross Domain Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, Harvey Rubinovitz, Harvey Rubinovitz, Harvey Rubinovitz, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE5.01,SP4 Content Advisor Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

GDI+ JPEG Parsing Engine Buffer Overflow (Office 2003)
Platforms: Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Office 2003
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
History: Ingrid Skoog, Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, Ingrid Skoog, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01 Content Disposition/Type Arbitrary Code Execution
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.
History: Tiffany Bergeron, Christine Walzer, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, Robert L. Hollis, Robert L. Hollis, Robert L. Hollis, Robert L. Hollis, Robert L. Hollis, Robert L. Hollis, Robert L. Hollis, INTERIM

IE5.01,SP3 DHTML Method Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Outlook Express v6.0 for Server 2003 Malformed Email Header Denial of Service
Platforms: Microsoft Windows Server 2003
Product: Microsoft Outlook Express
Description: Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.
History: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Daniel Tarnu, INTERIM, INTERIM

IE v6.0 HijackClick 3 / Script in Image Tag File Download Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

IE5.01,SP3 PNG Image Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
History: Harvey Rubinovitz, DRAFT, Harvey Rubinovitz, INTERIM, ACCEPTED, Anna Min, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

URL Parsing Memory Corruption Vulnerability (IE6 for Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, John Hoyland, INTERIM

HyperTerminal Session File Vulnerability (Windows XP,SP2)
Platforms: Microsoft Windows XP
Product: HyperTerminal
Description: HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
History: Harvey Rubinovitz, DRAFT, INTERIM, Harvey Rubinovitz, ACCEPTED, Christine Walzer, David Proulx, INTERIM, ACCEPTED, Daniel Tarnu, INTERIM, INTERIM

IE v5.01,SP4 Plug-in Navigation Address Bar Spoofing Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Windows Utility Manager Shatter Message Vulnerability II
Platforms: Microsoft Windows 2000
Product: Utility Manager
Description: Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908.
History: Jonathan Baker, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

IE v6.0 Plug-in Navigation Address Bar Spoofing Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

Address Bar Spoofing on Double Byte Character Set Systems Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Harvey Rubinovitz, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE5.01,SP3 Channel Definition Format Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Windows 2000 Media Player PNG Processing Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows Media Player 9
Description: Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v6.0,SP1 Malformed GIF Image Double-free Vulnerability
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
History: Andrew Buttner, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

SQL Server Named Pipe Hijacking
Platforms: Microsoft Windows 2000
Product: SQL Server 2000
Description: Microsoft SQL Server 7, 2000, and MSDE allows local users to gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability.
History: Yi-Fang Koh, Jonathan Baker, INTERIM, ACCEPTED, INTERIM, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, Ingrid Skoog, INTERIM, ACCEPTED, Christine Walzer, Christine Walzer, Christine Walzer, Christine Walzer, Christine Walzer, Christine Walzer, Christine Walzer, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, INTERIM

Windows Project Professional URL Buffer Overflow
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Project Professional 2002
Description: Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00" (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames.
History: Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

Windows Messenger 5 libpng Buffer Overflow
Platforms: Microsoft Windows 2000
Product: MDAC 2.8
Description: Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, Jason Spashett, INTERIM, John Hoyland, INTERIM

URL Parsing Memory Corruption Vulnerability (IE5.01,SP4)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v6.0 SSL Cached Content Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

IIS4.0 Redirect Function Buffer Overflow
Platforms: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function.
History: David Proulx, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

IE v5.01,SP4 Bitmap Integer Overflow Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.
History: Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Outlook Express v5.5,SP2 Malformed Email Header Denial of Service
Platforms: Microsoft Windows 2000
Product: Microsoft Outlook Express
Description: Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.
History: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, Daniel Tarnu, INTERIM, INTERIM

IE v5.01,SP3 Malformed GIF Image Double-free Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
History: Andrew Buttner, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE5.01,SP3 Content Advisor Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE v5.01,SP3 Drag-and-Drop Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".
History: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Scob and Toofer Internet Explorer v6.0,SP1 for Server 2003 Vulnerabilities
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.
History: Tiffany Bergeron, DRAFT, INTERIM, ACCEPTED, Harvey Rubinovitz, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

SMB Invalid Handle Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

IE v5.01,SP2 Malformed GIF Image Double-free Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
History: Andrew Buttner, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

IE ActiveX Popup Zone Restriction Bypass
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Internet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CVE-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe).
History: Tiffany Bergeron, Andrew Buttner, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Robert L. 
HollisINTERIMINTERIMCOM Object Instantiation Memory Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerMultiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMS Exchange Server Cross-site Scripting VulnerabilityMicrosoft Windows NTOutlook Web AccessCross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJonathan BakerINTERIMINTERIMCSS Cross-Domain Information Disclosure Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerMicrosoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMicrosoft PowerPoint 2000 Remote Code Execution Using a Malformed Record VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft PowerPointUnspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption.Robert L. HollisDRAFTJohn HoylandINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMRASMAN Registry Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Operating SystemBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMCOM Object Instantiation Memory Corruption Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerMultiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMOutlook Express v6,SP1 Malformed Email Header Denial of ServiceMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressMicrosoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.Jonathan BakerDRAFTINTERIMACCEPTEDDaniel TarnuINTERIMINTERIMActiveX Control Memory Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMActiveX Control Memory Corruption Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMActiveX Control Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMCSS Cross-Domain Information Disclosure Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerMicrosoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMMHT Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMFlash Address Bar Spoofing Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerInternet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMException Handling Memory Corruption Vulnerability (Win2k)Microsoft Windows 2000Internet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMWindows Media Player PNG Vulnerability (v9.0)Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Media PlayerStack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMWindows Media Player PNG Vulnerability (v8.0)Microsoft Windows XPMedia PlayerStack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMFlash Address Bar Spoofing Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerInternet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMCSS Cross-Domain Information Disclosure Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerMicrosoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMSMB Driver Elevation of Privilege Vulnerability (WinS03)Microsoft Windows Server 2003Operating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE6 Script Execution Vulnerability (Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMSDTC Denial of Service Vulnerability (Server 2003)Microsoft Windows Server 2003Operating SystemMicrosoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIP Source Route Vulnerability (WinS03)Microsoft Windows Server 2003Operating SystemBuffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMAddress Bar Spoofing Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerMicrosoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE5 HTA Execution Vulnerability (Win2K)Microsoft Windows 2000Microsoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMOutlook Express 6 (S03-Gold, Itanium) WAB Remote Code Execution VulnerabilityMicrosoft Windows 2000Outlook ExpressBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.Robert L. 
HollisDRAFTINTERIMACCEPTEDJohn HoylandAnna MinINTERIMACCEPTEDJonathan BakerINTERIMINTERIMCOM Object Instantiation Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerMultiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMException Handling Memory Corruption Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMServer 2003 COM object Remote Code Execution VulnerabilityMicrosoft Windows Server 2003Operating SystemUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMART Image Rendering Vulnerability (Win2K)Microsoft Windows 2000Operating SystemBuffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and Sp2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMHTML Decoding Memory Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerHeap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE5 Address Bar Spoofing Vulnerability (Win2K)Microsoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE5.01,SP3 Security Zone Restriction Bypass VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. 
HollisINTERIMINTERIMException Handling Memory Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE6 HTA Execution Vulnerability (Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMGDI+ JPEG Parsing Engine Buffer Overflow (VS.NET 2003)Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visual Studio .NET 2003Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDRobert L. HollisACCEPTEDJohn HoylandINTERIMACCEPTEDJohn HoylandINTERIMINTERIMRRAS Memory Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Operating SystemBuffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE5 HTML Parsing Vulnerability (Win2K)Microsoft Windows 2000Microsoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMWindow Location Information Disclosure VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet ExplorerMicrosoft Internet Explorer 5.01 and 6 allows certain script to persist across navigations between pages, which allows remote attackers to obtain the window location of visited web pages in other domains or zones, aka "Window Location Information Disclosure Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMIE6 DHTML Method Call Memory Corruption (Win2K/XP,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.Robert L. 
HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMIE AbusiveParent Vulnerability (64-bit XP)Microsoft Windows XPMicrosoft Internet ExplorerThe DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMINTERIMDHTML Object Memory Corruption Vulnerability (IE6 for XP,SP2)Microsoft Windows XPMicrosoft Internet ExplorerRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".Harvey RubinovitzDRAFTINTERIMACCEPTEDJohn HoylandINTERIMINTERIMIE 5.01 DHTML Method Call Memory CorruptionMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMServer 2003 Insecure Default ACLsMicrosoft Windows Server 2003Operating SystemMicrosoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." 
NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMHT Memory Corruption Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMWindows Media Player 9 Bitmap Remote Code ExecutionMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Windows Media PlayerHeap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE6 COM Object Instantiation Memory Corruption (Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMKorean IME Privilege Elevation Vulnerability in Server 2003Microsoft Windows Server 2003Operating SystemThe ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE6 HTA Execution Vulnerability (Win2K/XP,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMRemote Code Execution Vulnerability in IE5.01Microsoft Windows 2000Microsoft Internet ExplorerAn unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE6 Multiple Event Handler Memory Corruption (Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerBuffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMHTML Decoding Memory Corruption Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerHeap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMServer 2003 Graphics Rendering Engine VulnerabilityMicrosoft Windows Server 2003Operating SystemThe Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMOutlook Express 6 (XP,SP2) WAB Remote Code Execution VulnerabilityMicrosoft Windows XPOutlook ExpressBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandAnna MinINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMHyperTerminal Session File Vulnerability (Windows XP,SP1)Microsoft Windows XPHyperTerminalHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.Harvey RubinovitzDRAFTHarvey RubinovitzHarvey RubinovitzINTERIMChristine WalzerDavid ProulxACCEPTEDDaniel TarnuINTERIMINTERIMFlash Address Bar Spoofing Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerInternet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMWin2K/XP,SP1 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMART Image Rendering Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPOperating SystemBuffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and Sp2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE6 COM Object Instantiation Memory Corruption (Win2K/XP,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMWin2K Kernel Privilege Escalation VulnerabilityMicrosoft Windows 2000Operating SystemThe thread termination routine in the kernel for Windows NT 4.0 and 2000 (NTOSKRNL.EXE) allows local users to modify kernel memory and execution flow via steps in which a terminating thread causes Asynchronous Procedure Call (APC) entries to free the wrong data, aka the "Windows Kernel Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWindows Media Player 7.10 Bitmap Remote Code ExecutionMicrosoft Windows 2000Windows Media PlayerHeap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE6 Multiple Event Handler Memory Corruption (Win2K/XP,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerBuffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMServer 2003 Media Player PNG Processing VulnerabilityMicrosoft Windows Server 2003Windows Media Player 9Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMAddress Bar Spoofing Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerMicrosoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMIE v6.0,SP1 Drag-and-Drop Code Execution VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMWin2K,SP4 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMPowerpoint TIFF Information DisclosureMicrosoft Windows 2000PowerPointMicrosoft PowerPoint 2000 in Office 2000 SP3 has an interaction with Internet Explorer that allows remote attackers to obtain sensitive information via a PowerPoint presentation that attempts to access objects in the Temporary Internet Files Folder (TIFF).Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMTIP Request Validation Process Permits Denial of Service (Server 2003)Microsoft Windows Server 2003TIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWebClient Service Unchecked Buffer Remote Code Execution (Server 2003)Microsoft Windows Server 2003Operating SystemBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMCSNW Remote Buffer Overflow via Network Messages (Server 2003)Microsoft Windows Server 2003NetWareThe Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMServer 2003,SP1 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMicrosoft Agent Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Agent on Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via a crafted .ACF file that triggers memory corruption.Robert L. HollisDRAFTINTERIMINTERIM.lnk File-Open Remote Code Execution Vulnerability (Server 2003)Microsoft Windows Server 2003Operating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMUnsupported Version of WindowsMicrosoft Windows 2000Microsoft Windows XPOperating System'As Service Packs released by Microsft mature, earlier versions and releases become unspported. This equates to a cessation in software and security patches for that baseline. Using an unsupported version of Windows represents a severe security risk.'Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWin2K,SP4 HTTPS Proxy VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMWinXP,SP1 (64-bit) COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE6:S03 Java Proxy COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMWindows Virtual DOS Machine Local Privilege Escalation Vulnerability (Test 1)Microsoft Windows NTMicrosoft Windows 2000VDMThe component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.Ingrid SkoogIngrid SkoogACCEPTEDRobert L. 
HollisINTERIMINTERIMServer 2003,SP1 IE Mismatched Document Object Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."Robert L. HollisDRAFTRobert L. HollisINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWinXP,SP2 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE6,SP1 Java Proxy COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMWin2K/XP,SP1 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE6 Address Bar Spoofing Vulnerability (Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWin2K,SP4 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMWin2k,SP4 IE Mismatched Document Object Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."Robert L. HollisDRAFTRobert L. HollisINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMOutlook 2000 TNEF Decoding VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OutlookUnspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE6 Double Byte Character Parsing Memory Corruption(Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMAddress Bar Spoofing Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerMicrosoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMSDTC Invalid Memory Access Vulnerability (Server 2003)Microsoft Windows Server 2003Operating SystemHeap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, aka the MSDTC Invalid Memory Access Vulnerability.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMServer 2003 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMCOM+ Memory Structures Process Permits Remote Code Execution (Server 2003)Microsoft Windows Server 2003Operating SystemCOM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMServer 2003 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMOutlook 2003 TNEF Decoding VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OutlookUnspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMServer 2003 DDS Library Shape Control Buffer OverflowMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMSDTC Unchecked Buffer Permits Remote Code Execution or Privilege Elevation (Server 2003)Microsoft Windows Server 2003MSDTCThe MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE5 Multiple Event Handler Memory Corruption (Win2K)Microsoft Windows 2000Microsoft Internet ExplorerBuffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMIE5 COM Object Instantiation Memory Corruption (Win2K)Microsoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMSolaris CDE DTLogin XDMCP Parser Remote Double Free VulnerabilitySun Solaris 7CDEDouble-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet.Brian SobyBrian SobyDRAFTINTERIMACCEPTEDJonathan BakerINTERIMJonathan BakerINTERIMWinXP,SP2 HTTPS Proxy VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWinXP,SP2 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMHT Memory Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMHTML Decoding Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerHeap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMDistributed TIP Request Validation Process Permits Denial of Service (Server 2003)Microsoft Windows Server 2003TIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMMicrosoft Internet Explorer MIME HackMicrosoft Windows 2000Microsoft Internet ExplorerHTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.Tiffany BergeronAndrew ButtnerACCEPTEDRobert L. HollisINTERIMRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisRobert L. HollisINTERIMWinXP,SP1 (64-bit) File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE5.01,SP4 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. 
HollisINTERIMINTERIMIE6 Address Bar Spoofing Vulnerability (Win2K/XP,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMIE6 for Server 2003 Drag-and-Drop VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzHarvey RubinovitzHarvey RubinovitzACCEPTEDRobert L. HollisACCEPTEDRobert L. HollisINTERIMINTERIMIE5.01,SP4 Java Proxy COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.Harvey RubinovitzDRAFTJonathan BakerINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. 
HollisINTERIMINTERIMServer 2003 MDAC RDS.Dataspace Remote Code Execution VulnerabilityMicrosoft Windows Server 2003MDACUnspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMServer 2003 HTTPS Proxy VulnerabilityMicrosoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxyserver that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMTCP/IP IGMP v3 Denial of Service (Server 2003)Microsoft Windows Server 2003Operating SystemMicrosoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE5.01,SP4 Security Zone Restriction Bypass VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDRobert L. 
HollisINTERIMINTERIMWindows XP Media Player PNG Processing VulnerabilityMicrosoft Windows XPWindows Media Player 9Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."Christine WalzerDRAFTChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMWinXP,SP1 (64-bit) IE Mismatched Document Object Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."Robert L. HollisDRAFTRobert L. HollisINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWinXP,SP2 IE Mismatched Document Object Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."Robert L. HollisDRAFTRobert L. HollisINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIE6 HTML Tag Memory Corruption (Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.Robert L. 
HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMIFRAME VulnerabilityMicrosoft Windows 98Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerHeap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability."Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDRobert L. HollisINTERIMRobert L. HollisINTERIMIE6 HTML Tag Memory Corruption (Win2K/WinXP)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMSolaris SAdmin Client Credentials Remote Administrative Access VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9SadminThe default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.Brian SobyBrian SobyDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWindows XP Kernel Debugger-based Buffer Overflow (Test 1)Microsoft Windows XPWindows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMWMF Rendering Code Execution Vulnerability (64-bit Windows XP and Server 2003,Unpatched)Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMWindows Media Player 8 Bitmap Remote Code ExecutionMicrosoft Windows XPWindows Media PlayerHeap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMINTERIMNetwork Connection Manager Interruption of Service (Server 2003)Microsoft Windows Server 2003Operating Systemnetman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJonathan BakerINTERIMINTERIMgedit Format String VulnerabilityRed Hat Enterprise Linux 3geditFormat string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. 
NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries.
Contributors/status: Jay Beale, DRAFT, INTERIM, ACCEPTED, Bob Towbes, INTERIM, INTERIM

Title: IE5.01,SP4 PNG Image Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Anna Min, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: IE6,SP1 COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: Windows Media Player PNG Vulnerability (v7.1)
Platforms: Microsoft Windows 2000
Product: Media Player
Description: Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.
Contributors/status: Robert L.
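The Windows Media Player bitmap and PNG entries above both describe the same class of parser bug: a length field in the container that the file does not honour (a BMP that declares a size of 0 yet carries extra data, a PNG chunk that declares more bytes than follow it). The checker below is an added example, not code from the OVAL repository or from Microsoft. The page does not say which BMP size field the crafted file zeroed, so the check treats both bfSize in the file header and biSizeImage in the info header as suspect; all sample files are constructed inside the block.

```python
"""Declared-length checks for BMP and PNG image containers.

Added example (not code from the OVAL repository or the products it lists).
The page does not name the zeroed BMP size field, so both bfSize and
biSizeImage are checked.  All sample files below are constructed here.
"""
import struct
import zlib

BI_RGB = 0
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_MAX_CHUNK = 0x7FFFFFFF  # PNG 1.2 caps a chunk length at 2^31-1


def check_bmp(data):
    """Return a list of findings; an empty list means the headers are consistent."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP or header truncated"]
    bf_size, _r1, _r2, bf_off = struct.unpack_from("<IHHI", data, 2)
    _bi, width, height, _planes, bpp, compression, size_image = struct.unpack_from("<IiiHHII", data, 14)
    findings = []
    if bf_size == 0 or bf_size != len(data):
        findings.append(f"bfSize={bf_size} but the file is {len(data)} bytes")
    stride = ((abs(width) * bpp + 31) // 32) * 4      # rows are padded to 4 bytes
    expected = stride * abs(height)
    if compression == BI_RGB:
        if size_image not in (0, expected):            # 0 is legal only for BI_RGB
            findings.append(f"biSizeImage={size_image} but geometry needs {expected}")
    elif size_image == 0:
        findings.append("biSizeImage=0 for compressed pixel data")
    if bf_off > len(data) or len(data) - bf_off < expected:
        findings.append("pixel array truncated")
    else:
        trailing = len(data) - bf_off - expected
        if trailing:
            findings.append(f"{trailing} bytes beyond the declared image")
    return findings


def check_png(data):
    """Walk the chunk list and report lengths the file cannot honour."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos = [], len(PNG_SIG)
    while pos < len(data):
        remaining = len(data) - pos - 12             # minus 4 length + 4 type + 4 CRC
        if remaining < 0:
            findings.append(f"chunk header truncated at offset {pos}")
            break
        length, ctype = struct.unpack_from(">I4s", data, pos)
        name = ctype.decode("latin-1")
        if length > PNG_MAX_CHUNK:
            findings.append(f"{name} length {length:#x} exceeds the PNG limit")
        if length > remaining:
            findings.append(f"{name} declares {length} bytes, only {remaining} remain")
            break                                    # nothing after this can be trusted
        pos += 12 + length
        if ctype == b"IEND":
            break
    return findings


def make_bmp(width, height, bf_size=None, size_image=None, extra=b""):
    """Constructed sample: uncompressed 24-bit BMP, with optional header lies."""
    stride = ((width * 24 + 31) // 32) * 4
    row = (b"\x00\x80\xff" * width).ljust(stride, b"\x00")
    pixels = row * height
    off = 14 + 40
    total = off + len(pixels) + len(extra)
    file_hdr = b"BM" + struct.pack("<IHHI", total if bf_size is None else bf_size, 0, 0, off)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, BI_RGB,
                           len(pixels) if size_image is None else size_image, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + extra


def make_png(chunks):
    """Constructed sample: chunks are (type, payload, declared_length or None)."""
    out = bytearray(PNG_SIG)
    for ctype, payload, declared in chunks:
        length = len(payload) if declared is None else declared
        out += struct.pack(">I", length) + ctype + payload
        out += struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)
    return bytes(out)


IHDR_1X1_RGB = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
IDAT_1X1 = zlib.compress(b"\x00\x00\x00\x00")        # filter byte + one RGB pixel
BENIGN_PNG = make_png([(b"IHDR", IHDR_1X1_RGB, None), (b"IDAT", IDAT_1X1, None), (b"IEND", b"", None)])
CRAFTED_PNG = make_png([(b"IHDR", IHDR_1X1_RGB, None), (b"IDAT", IDAT_1X1, 0xFFFFFFF0), (b"IEND", b"", None)])
BENIGN_BMP = make_bmp(2, 2)
CRAFTED_BMP = make_bmp(2, 2, bf_size=0, size_image=0, extra=b"\x41" * 64)   # "size 0 plus extra data"

if __name__ == "__main__":
    for label, fn, blob in (("bmp", check_bmp, CRAFTED_BMP), ("png", check_png, CRAFTED_PNG)):
        print(label, fn(blob))
```

The checks deliberately stop at the first chunk whose length cannot be satisfied: once a parser has read past the real end of the data, every later offset is attacker-chosen, and a renderer that keeps going is exactly the failure mode these entries describe.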
Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: IE Improper Object Tag Handling
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page.
Contributors/status: Tiffany Bergeron, Tiffany Bergeron, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: IE6:S03 COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: IE6 Server 2003 JPEG Image Rendering Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L.
Hollis, INTERIM, INTERIM

Title: Server 2003,SP1 File Download Dialog Box Manipulation Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: IE6,SP1 File Disclosure via Redirects Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: URL Parsing Memory Corruption Vulnerability (IE5.01,SP3)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: IE6 DHTML Method Call Memory Corruption (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.
Contributors/status: Robert L.
Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: Outlook 2002 TNEF Decoding Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Outlook
Description: Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: DHTML Script Function Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 6 allows remote attackers to execute arbitrary code via certain DHTML script functions, such as normalize, and "incorrectly created elements" that trigger memory corruption, aka "DHTML Script Function Memory Corruption Vulnerability."
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, Matthew Wojcik, INTERIM

Title: FTP Download Destination Tampering Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Operating System
Description: The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: Server 2003,SP1 HTTPS Proxy Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
Contributors/status: Robert L.
Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: IE6,SP1 JPEG Image Rendering Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: Scob and Toofer Internet Explorer v6.0,SP1 Vulnerabilities
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.
Contributors/status: Tiffany Bergeron, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: Windows XP Telnet Environment Disclosure Vulnerability
Platforms: Microsoft Windows XP
Product: Services for UNIX
Description: The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
Contributors/status: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, Robert L.
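The Telnet entry above is about one option exchange: the server sends NEW-ENVIRON SEND naming variables (VAR for the RFC 1572 well-known ones, USERVAR for anything else), and a client that answers every USERVAR straight from its process environment hands the server whatever it asks for. The block below is an added example, not code from the OVAL repository or from any Telnet implementation named above. It builds both sides of the exchange with RFC 1572 escaping, models the disclosing behaviour beside a client that only answers an allowlist; the environment and the allowlist are constructed for the example.

```python
"""Telnet NEW-ENVIRON (RFC 1572) SEND/IS exchange: a naive and a hardened client.

Added example; not code from the OVAL repository or from any Telnet client.
SAMPLE_ENV is a constructed environment and ALLOWED is this example's policy.
"""
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2               # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # field type codes
WELL_KNOWN = {"USER", "JOB", "ACCT", "PRINTER", "SYSTEMTYPE", "DISPLAY"}  # RFC 1572 VAR names
ALLOWED = frozenset({"USER", "DISPLAY"})  # all the hardened client will ever disclose

SAMPLE_ENV = {  # constructed client-side environment
    "USER": "alice",
    "DISPLAY": "desk:0",
    "LOGONSERVER": "\\\\DC01",
    "DBPASS": "p\x01w\x03d",  # contains the VALUE and USERVAR codes, so escaping matters
}


def escape(raw):
    """Escape a name or value for transport inside the subnegotiation."""
    out = bytearray()
    for b in raw:
        if b == IAC:
            out += bytes([IAC, IAC])
        elif b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        else:
            out.append(b)
    return bytes(out)


def build_send(requests):
    """Server side: IAC SB NEW-ENVIRON SEND [type name]... IAC SE; an empty list asks for everything."""
    body = bytearray([SEND])
    for t, name in requests:
        body.append(t)
        body += escape(name.encode())
    return bytes([IAC, SB, NEW_ENVIRON]) + bytes(body) + bytes([IAC, SE])


def build_is(items):
    """Client side: IAC SB NEW-ENVIRON IS [type name VALUE value]... IAC SE."""
    body = bytearray([IS])
    for t, name, value in items:
        body.append(t)
        body += escape(name)
        body.append(VALUE)
        body += escape(value)
    return bytes([IAC, SB, NEW_ENVIRON]) + bytes(body) + bytes([IAC, SE])


def parse_sb(msg):
    """Decode either direction; returns (command, [(type, name, value-or-None)])."""
    head, tail = bytes([IAC, SB, NEW_ENVIRON]), bytes([IAC, SE])
    if not (msg.startswith(head) and msg.endswith(tail)):
        raise ValueError("not a NEW-ENVIRON subnegotiation")
    body = msg[len(head):-len(tail)]
    cmd, items, target, i = body[0], [], None, 1
    while i < len(body):
        b = body[i]
        if b == IAC or b == ESC:             # IAC IAC and ESC x carry one literal byte
            target.append(body[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR):
            items.append([b, bytearray(), None])
            target = items[-1][1]
        elif b == VALUE:
            items[-1][2] = bytearray()
            target = items[-1][2]
        else:
            target.append(b)
        i += 1
    return cmd, [(t, bytes(n), None if v is None else bytes(v)) for t, n, v in items]


def respond_naive(send_msg, env):
    """The behaviour the entry describes: answer every requested name, USERVAR included."""
    _, req = parse_sb(send_msg)
    if not req:  # bare SEND: volunteer the whole environment
        req = [(VAR if k in WELL_KNOWN else USERVAR, k.encode(), None) for k in env]
    items = [(t, n, env[n.decode()].encode()) for t, n, _ in req if n.decode() in env]
    return build_is(items)


def respond_hardened(send_msg, env, allowed=ALLOWED):
    """Disclose only allowlisted well-known VARs; USERVAR requests are dropped."""
    _, req = parse_sb(send_msg)
    if not req:
        req = [(VAR, k.encode(), None) for k in sorted(allowed)]
    items = [(VAR, n, env[n.decode()].encode())
             for t, n, _ in req if t == VAR and n.decode() in allowed and n.decode() in env]
    return build_is(items)


def disclosed(reply):
    """Variable names present in an IS reply."""
    return sorted(n.decode() for _, n, _ in parse_sb(reply)[1])


SAMPLE_SEND = build_send([(VAR, "USER"), (USERVAR, "LOGONSERVER"), (USERVAR, "DBPASS")])

if __name__ == "__main__":
    print("naive   :", disclosed(respond_naive(SAMPLE_SEND, SAMPLE_ENV)))
    print("hardened:", disclosed(respond_hardened(SAMPLE_SEND, SAMPLE_ENV)))
```

The bare SEND case matters as much as the explicit USERVAR one: RFC 1572 lets a server omit the variable list to request everything, so a client policy has to be an allowlist of what it will send, not a denylist of names it has heard of.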
Hollis, INTERIM, INTERIM

Title: Buffer Overflow in CDOSYS Message Processing (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: Server 2003 Embedded Web Font Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: IE AbusiveParent Vulnerability (32-bit Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.
Contributors/status: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

Title: DirectAnimation ActiveX Controls Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 SP1, on Chinese and possibly other Windows distributions, allows remote attackers to execute arbitrary code via unknown manipulations in arguments to the KeyFrame method, possibly related 
to an integer overflow, as demonstrated by daxctle2, and a different vulnerability than CVE-2006-4446.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, INTERIM

Title: WinXP,SP1 (64-bit) HTTPS Proxy Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: Win2K/XP,SP1 HTTPS Proxy Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: Server 2003 IE Mismatched Document Object Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
Contributors/status: Robert L. Hollis, DRAFT, Robert L. Hollis, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: Outlook Express 5.5 SP2 is installed.
Platforms: Microsoft Windows 2000
Description: Outlook Express 5.5 SP2 is installed.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, INTERIM

Title: Outlook Express 6 SP1 is installed.
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: Outlook Express 6 SP1 is installed.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, INTERIM

Title: Outlook Express 6 is installed.
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: Outlook Express 6 is installed.
Contributors/status: Robert L.
Hollis, DRAFT, INTERIM, INTERIM

Title: Windows Address Book Contact Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Outlook Express
Description: Unspecified vulnerability in Microsoft Outlook Express 6 and earlier allows remote attackers to execute arbitrary code via a crafted contact record in a Windows Address Book (WAB) file.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, INTERIM

Title: Flash Arbitrary Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Flash Player
Description: Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 allows remote attackers to execute arbitrary commands via a malformed .swf file that results in "multiple improper memory access" errors.
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, INTERIM

Title: SNMP Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the SNMP Service in Microsoft Windows 2000 SP4, XP SP2, Server 2003, Server 2003 SP1, and possibly other versions allows remote attackers to execute arbitrary code via a crafted SNMP packet, aka "SNMP Memory Corruption Vulnerability."
Contributors/status: Robert L. Hollis, DRAFT, INTERIM, INTERIM

Title: Microsoft XML Core Services Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft XML Core Services
Description: Unspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685. NOTE: some of these details are obtained from third party information.
Contributors/status: Robert L.
Hollis, DRAFT, INTERIM, INTERIM

Title: Veritas Backup Exec RestrictAnonymous Forced Misconfiguration Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Veritas Backup Exec 8.5
Description: Veritas Backup Exec 8.5 and earlier requires that the "RestrictAnonymous" registry key for Microsoft Exchange 2000 must be set to 0, which enables anonymous listing of the SAM database and shares.
Contributors/status: Tiffany Bergeron, INTERIM, Ingrid Skoog, INTERIM

Title: Windows Server 2003 COM Internet Services/RPC over HTTP Proxy Component Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: COM Internet Services
Description: Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
Contributors/status: Christine Walzer, INTERIM, ACCEPTED, Andrew Buttner, INTERIM, Andrew Buttner, INTERIM

Title: IE5.01,SP3 File Disclosure via Redirects Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, INTERIM

Title: IE6,SP1 DHTML Method Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."
Contributors/status: Harvey Rubinovitz, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, Robert L.
Hollis, INTERIM, INTERIM

Title: Firefox and Mozilla top.focus() Cross-Site Scripting Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.
Contributors/status: Robert L. Hollis, Christine Walzer, Jonathan Baker, INTERIM, ACCEPTED, John Hoyland, INTERIM, John Hoyland, INTERIM

Title: Server 2003 PKINIT Information Disclosure Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.
Contributors/status: Robert L. Hollis, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: Server 2003 Kerberos Message DoS Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.
Contributors/status: Robert L. Hollis, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, INTERIM

Title: Mozilla Malicious news: Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla; Thunderbird
Description: Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated.
Contributors/status: Robert L.
Hollis, Christine Walzer, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, Jonathan Baker, INTERIM

Title: Mozilla Thunderbird Subject to IE Vulnerabilities via javascript
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Thunderbird
Description: Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the invocation between multiple products is a common practice, and the vulnerabilities inherent in multi-product interactions are not easily enumerable, this issue might be REJECTED in the future.
Contributors/status: Robert L. Hollis, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, Jonathan Baker, INTERIM

Title: Mozilla Mail News Cookie Security Bypass Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers to bypass the user's intended privacy and security policy by using cookies in e-mail messages.
Contributors/status: Robert L. Hollis, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, Jonathan Baker, INTERIM

Title: Mozilla Suite InstallTrigger Callback Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.
Contributors/status: Robert L.
Hollis, Christine Walzer, Jonathan Baker, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

Title: Improper Handling of Synthetic Events in Mozilla
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla; Firefox
Description: The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.
Contributors/status: Robert L. Hollis, Jonathan Baker, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, John Hoyland, INTERIM

Title: XBL Script Security Bypass Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla; Firefox; Thunderbird
Description: Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.
Contributors/status: Robert L. Hollis, Jonathan Baker, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, John Hoyland, INTERIM

Title: Firefox Wallpaper Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Firefox
Description: Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As Wallpaper" (in Firefox) or "Set as Background" (in Netscape) context menu on an image URL that is really a javascript: URL with an eval statement, aka "Firewalling."
Contributors/status: Robert L.
Hollis, INTERIM, Matthew Wojcik, Matthew Wojcik, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, Matthew Wojcik, ACCEPTED, John Hoyland, INTERIM, INTERIM

Title: Firefox InstallTrigger Callback Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Firefox
Description: The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.
Contributors/status: Robert L. Hollis, Christine Walzer, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

Title: Firefox Sidebar Script Injection via _search Target
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Firefox
Description: Firefox before 1.0.5 allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the _search target, then injecting script into other pages via a data: URL.
Contributors/status: Robert L. Hollis, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

Title: InstallVersion.compareTo() DoS and Code Execution Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla; Firefox
Description: Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.
Contributors/status: Robert L.
Hollis, Jonathan Baker, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, John Hoyland, INTERIM

Title: Firefox and Mozilla Framed Site Spoofing Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.
Contributors/status: Robert L. Hollis, Jonathan Baker, Christine Walzer, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, John Hoyland, INTERIM

Title: Firefox External App Code Acceptance Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Firefox
Description: Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.
Contributors/status: Robert L. Hollis, Christine Walzer, Jonathan Baker, INTERIM, Matthew Wojcik, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, INTERIM

Title: Firefox and Mozilla Javascript Dialog Box Spoofing
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."
Contributors/status: Robert L.
Hollis, Christine Walzer, Jonathan Baker, Matthew Wojcik, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, John Hoyland, INTERIM

Title: Firefox and Mozilla DOM Node Spoofing
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").
Contributors/status: Robert L. Hollis, Jonathan Baker, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, John Hoyland, INTERIM

Title: Firefox and Mozilla Shared Object Code Execution
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.
Contributors/status: Robert L. Hollis, Jonathan Baker, INTERIM, ACCEPTED, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, John Hoyland, INTERIM, John Hoyland, INTERIM

Title: VML Buffer Overrun Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag.
Contributors/status: Robert L.
Hollis, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, INTERIM

Title: Server 2003 RPCSS Service DCOM Activation Denial of Service
Platforms: Microsoft Windows Server 2003
Product: Remote Procedure Call (RPC)
Description: An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.
Contributors/status: Christine Walzer, Christine Walzer, DRAFT

Title: Server 2003 RPCSS DCOM Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Remote Procedure Call (RPC)
Description: A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
Contributors/status: Christine Walzer, DRAFT

Title: Excel Malformed Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0027 should be used.
Contributors/status: Robert L. Hollis, DRAFT, DRAFT

Title: Excel Malformed Palette Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries.
Contributors/status: Robert L.
Hollis, DRAFT, DRAFT

Title: Microsoft Outlook VEVENT Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Outlook
Description: Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in an .iCal meeting request or ICS file.
Contributors/status: Robert L. Hollis, DRAFT, DRAFT

Title: Excel 2002 File Handler Code Execution Vulnerability
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel 2002
Description: Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated.
Contributors/status: Matthew Burton, DRAFT, John Hoyland, DRAFT

Title: Sendmail Ruleset Parsing Buffer Overflow
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9
Product: Sendmail
Description: A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient, (2) final, or (3) mailer-specific envelope recipients, has unknown consequences.
Contributors/status: Brian Soby, DRAFT, DRAFT

Title: Excel Malformed Column Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via an Excel file with an out-of-range Column field in certain BIFF8 record types, which references arbitrary memory.
Contributors/status: Robert L.
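The Excel PALETTE entry (a record declaring more colour entries than a BIFF8 palette can hold) and the Excel Column entry (a cell record whose column index is past the sheet's range) are both failures to bound a count or index read from the record stream. The walker below is an added example, not code from the OVAL repository or from Microsoft; it parses the BIFF8 record stream (2-byte id, 2-byte length, payload) and applies those two bounds. The page does not name the record types affected by the column problem, so the set in CELL_RECORDS is an assumption; both sample streams are constructed in the block.

```python
"""BIFF8 record walker flagging oversized PALETTE counts and out-of-range columns.

Added example, not code from the OVAL repository or from Microsoft.  The
cell record set below is an assumption (the page does not name the affected
record types).  BENIGN_STREAM and CRAFTED_STREAM are constructed here.
"""
import struct

BOF, EOF_REC, PALETTE = 0x0809, 0x000A, 0x0092
CELL_RECORDS = {0x0201: "BLANK", 0x0203: "NUMBER", 0x0205: "BOOLERR",
                0x027E: "RK", 0x00FD: "LABELSST", 0x0006: "FORMULA"}
MAX_PALETTE = 56   # a BIFF8 custom palette holds at most 56 colours
MAX_COL = 0xFF     # BIFF8 sheets have columns 0..255


def iter_records(stream):
    """Yield (record id, payload) pairs; raise on a record that runs past the stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError(f"record {rid:#06x} at offset {pos} runs past end of stream")
        yield rid, payload
        pos += 4 + length


def audit_biff8(stream):
    """Return findings for a record stream; an empty list means nothing suspicious."""
    findings = []
    for rid, payload in iter_records(stream):
        if rid == PALETTE:
            if len(payload) < 2:
                findings.append("PALETTE record shorter than its count field")
                continue
            ccv = struct.unpack_from("<H", payload)[0]
            carried = (len(payload) - 2) // 4          # each entry is a 4-byte LONGRGB
            if ccv > MAX_PALETTE:
                findings.append(f"PALETTE ccv={ccv} exceeds the {MAX_PALETTE}-entry palette")
            if ccv > carried:
                findings.append(f"PALETTE declares {ccv} entries but carries {carried}")
        elif rid in CELL_RECORDS:
            if len(payload) < 4:
                findings.append(f"{CELL_RECORDS[rid]} record too short for rw/col")
                continue
            _rw, col = struct.unpack_from("<HH", payload)
            if col > MAX_COL:
                findings.append(f"{CELL_RECORDS[rid]} col={col} is outside 0..{MAX_COL}")
    return findings


def record(rid, payload):
    """Frame a payload as a BIFF record."""
    return struct.pack("<HH", rid, len(payload)) + payload


def palette(colours, declared=None):
    """PALETTE payload: ccv followed by ccv LONGRGB entries; `declared` lets the count lie."""
    ccv = len(colours) if declared is None else declared
    body = b"".join(struct.pack("<BBBB", r, g, b, 0) for r, g, b in colours)
    return record(PALETTE, struct.pack("<H", ccv) + body)


def number_cell(rw, col, value):
    """NUMBER record: rw, col, ixfe, IEEE double."""
    return record(0x0203, struct.pack("<HHHd", rw, col, 0, value))


BOF_WORKBOOK = record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0006))
EOF = record(EOF_REC, b"")

BENIGN_STREAM = (BOF_WORKBOOK + palette([(0, 0, 0), (255, 255, 255), (255, 0, 0)])
                 + number_cell(0, 0, 1.0) + EOF)
CRAFTED_STREAM = (BOF_WORKBOOK + palette([(1, 2, 3)], declared=0x4000)
                  + number_cell(0, 0x7FFF, 2.0) + EOF)

if __name__ == "__main__":
    print(audit_biff8(BENIGN_STREAM))
    print(audit_biff8(CRAFTED_STREAM))
```

Two separate bounds are applied to the palette count on purpose: a count larger than the record carries is the classic over-read, while a count that fits the record but exceeds the 56-entry table is the over-write into a fixed-size destination, which is the shape the heap-overflow entry describes.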
Hollis, DRAFT, DRAFT

Title: Data Leak in NIC
Platforms: Sun Solaris 7
Product: Sun Am7990 Ethernet Driver
Description: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
Contributors/status: Brian Soby, DRAFT, Matthew Wojcik, DRAFT

Title: BSM Audit Kernel Panic
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9
Product: Basic Security Module
Description: Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic).
Contributors/status: Brian Soby, DRAFT, DRAFT

Title: Microsoft Outlook Advanced Find Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Outlook
Description: Buffer overflow in the Advanced Search (Finder.exe) feature of Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted Outlook Saved Searches (OSS) file that triggers memory corruption, aka "Microsoft Outlook Advanced Find Vulnerability."
Contributors/status: Robert L. Hollis, DRAFT, DRAFT

Title: Microsoft Outlook Denial of Service Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Outlook
Description: Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to cause a denial of service (memory exhaustion and interrupted mail recovery) via malformed e-mail header information, possibly related to (1) long subject lines or (2) large numbers of recipients in To or CC headers.
Contributors/status: Robert L. Hollis, DRAFT, DRAFT

Title: Excel Malformed IMDATA Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via malformed IMDATA records that trigger memory corruption.
Contributors/status: Robert L.
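The Etherleak entry above is detectable from a capture: an Ethernet frame shorter than 60 bytes (FCS excluded) has to be padded, and when the driver pads from a reused buffer the bytes after the real protocol data are old packet or kernel memory instead of zeros. The detector below is an added example, not code from the OVAL repository, the Am7990 driver, or the Etherleak tool. It derives the bytes the upper protocol actually uses (IPv4 Total Length, or the fixed 28-byte ARP body) and reports any non-zero bytes after them; the frames it runs on are constructed in the block, with the "leaked" padding content made up for the example.

```python
"""Padding-leak detector for undersized Ethernet frames (Etherleak).

Added example; not code from the OVAL repository, the Am7990 driver or the
Etherleak tool.  All frames, including the leaked bytes, are constructed.
"""
import struct

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_IPV4_LEN = 28            # Ethernet/IPv4 ARP body is fixed-size


def protocol_length(frame):
    """Bytes in use from the start of the frame through the end of the upper-layer PDU."""
    if len(frame) < ETH_HDR + 4:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_IPV4:
        total_length = struct.unpack_from("!H", frame, ETH_HDR + 2)[0]   # IPv4 Total Length
        return ETH_HDR + total_length
    if ethertype == ETHERTYPE_ARP:
        return ETH_HDR + ARP_IPV4_LEN
    return None                                                       # length not derivable


def padding_leak(frame):
    """Return the padding if any of it is non-zero, b'' if clean or absent, None if unknown."""
    used = protocol_length(frame)
    if used is None:
        return None
    if used >= len(frame):
        return b""                                   # nothing after the PDU
    padding = frame[used:]
    return padding if any(padding) else b""


def scan(frames):
    """Report (index, leaked bytes) for every frame whose padding carries data."""
    hits = []
    for i, frame in enumerate(frames):
        leak = padding_leak(frame)
        if leak:
            hits.append((i, leak))
    return hits


def icmp_echo_frame(padding):
    """Constructed 42-byte ICMP echo request; `padding` is what the driver appended."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)                        # echo request, no data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))      # checksum left 0 for the sample
    return eth + ip + icmp + padding


def arp_request_frame(padding):
    """Constructed 42-byte ARP who-has."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      bytes.fromhex("66778899aabb"), bytes([10, 0, 0, 2]), bytes(6), bytes([10, 0, 0, 1]))
    return eth + arp + padding


CLEAN_FRAMES = [icmp_echo_frame(bytes(18)), arp_request_frame(bytes(18))]
LEAKY_FRAMES = [icmp_echo_frame(bytes(6) + b"root:x:0:0:r"),           # made-up leaked bytes
                arp_request_frame(b"\x00" * 10 + b"passwd=s")]

if __name__ == "__main__":
    print("clean:", scan(CLEAN_FRAMES))
    print("leaky:", scan(LEAKY_FRAMES))
```

On a real capture the frame length seen by the sniffer is the length without FCS, so a 60-byte frame carrying a 28-byte IPv4 datagram has exactly 18 bytes of padding to inspect; frames whose ethertype gives no length (IPv6 is length-bearing too but is not handled here) are reported as unknown rather than clean.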
HollisDRAFTDRAFTCrystal Reports Business Objects Directory TraversalMicrosoft Windows 2000Crystal EnterpriseCrystal ReportsDirectory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx.Andrew ButtnerJonathan BakerDRAFTExcel Malformed String VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft ExcelMicrosoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string, aka "Excel Malformed String Vulnerability."Robert L. HollisDRAFTDRAFTMicrosoft Internet Explorer 7 is installedMicrosoft Windows XPMicrosoft Windows Server 2003The application Microsoft Internet Explorer 7 is installed.Sudhir GandheDRAFTDRAFTInternet Explorer 6 is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Internet Explorer 6 is installed.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMInternet Explorer 5.01,SP4 is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Internet Explorer 5.01,SP4 is installed.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMINTERIMVulnerability in Vector Markup Language (VML) Could Allow Remote Code ExecutionMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Internet ExplorerInteger overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability."Sudhir GandheDRAFTDRAFTHyperlink Object Buffer Overflow VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemStack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris Xorg Privilege Escalation via Pixmaps VulnerabilitySun Solaris 9Sun Solaris 10XMultiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDRed Hat Enterprise Linux 3 Kernel Serial Link Information Disclosure VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.Jay BealeINTERIMINTERIMACCEPTEDACCEPTEDMicrosoft Share Level Password VulnerabilityMicrosoft Windows 98File and Print SharingFile and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability.Tiffany BergeronINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 COM Internet Services/RPC over HTTP Proxy Component Buffer OverflowMicrosoft Windows 2000COM Internet ServicesBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.Christine WalzerINTERIMACCEPTEDACCEPTEDCVS error_prog_name Double-free VulnerabilityRed Hat Enterprise Linux 3CVSDouble-free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code.Jay BealeINTERIMACCEPTEDACCEPTEDCVS Improper Handling of Malformed Entry LinesRed Hat Enterprise Linux 3CVSCVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.Jay BealeINTERIMACCEPTEDACCEPTEDHP-UX Core Stack Size DoS Vulnerability 
(B.11.23)HP-UX 11Operating SystemUnspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size."Robert L. HollisDRAFTMatthew WojcikINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMutliple BO Vulnerabilities in MIT Kerberos 5Red Hat Enterprise Linux 3MIT Kerberos 5 (krb5)Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Jay BealeINTERIMACCEPTEDACCEPTEDOutlook Express v6.0 MHTML URL Processing VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressThe MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."Andrew ButtnerINTERIMACCEPTEDACCEPTEDIE v6.0 Content Disposition/Type Arbitrary Code ExecutionMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.Andrew ButtnerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDOutlook Express 6,SP1 News Reading VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressStack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 
SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDEthereal MMSE Dissector VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal SPNEGO Dissector VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference.Jay BealeINTERIMACCEPTEDACCEPTEDEthereal AIM Dissector VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors.Jay BealeINTERIMACCEPTEDACCEPTEDIE6 DHTML Method Call Memory Corruption (WinXP)Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDRacoon Denial of Service via Large Length FieldRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.Jay BealeINTERIMACCEPTEDACCEPTEDWindows XP IIS Out of Process Privilege Elevation VulnerabilityMicrosoft Windows XPMicrosoft Internet Information Server (IIS)Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation."Christine WalzerINTERIMACCEPTEDACCEPTEDEthereal Denial of Service via SIP MessagesRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients.Jay BealeINTERIMACCEPTEDACCEPTEDNTLM Authentication BO in Squid Web Proxy CacheRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).Jay BealeINTERIMACCEPTEDACCEPTEDGopher Client Buffer OverflowMicrosoft Windows 2000Microsoft Internet ExplorerBuffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response.David ProulxChristine WalzerINTERIMACCEPTEDACCEPTEDUtempter Directory Traversal VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Utempter allows device names that contain .. 
(dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.Jay BealeINTERIMACCEPTEDACCEPTEDMultiple Directory Traversal Vulnerabilities in LHARed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").Jay BealeINTERIMACCEPTEDACCEPTEDMultiple BO Vulnerabilities in LHA get_header FunctionRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.Jay BealeINTERIMACCEPTEDACCEPTEDtcpdump Identification Payload in ISAKMP Packets VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat OpenSSL do_change_cipher_spec Function Denial of ServiceRed Hat Linux 9OpenSSLThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDIE Frame Domain Verification VulnerabilityMicrosoft Windows 98Microsoft 
Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDtcpdump Delete Payload in ISAKMP Packets VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.Jay BealeINTERIMACCEPTEDACCEPTEDlibpng Malformed PNG Image VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.Jay BealeINTERIMACCEPTEDACCEPTEDCVS pserver BORed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.Jay BealeINTERIMACCEPTEDACCEPTEDSolaris cachefsd Buffer Overrun VulnerabilitySun Solaris 8cachefsdBuffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.David ProulxBrian SobyBrian SobyINTERIMACCEPTEDACCEPTEDWindows NT COM Internet Services/RPC over HTTP Proxy Component Buffer OverflowMicrosoft Windows NTCOM Internet ServicesBuffer overflow in the COM Internet 
Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.Christine WalzerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMS Jet Database Buffer OverflowMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Jet Database EngineBuffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query.Andrew ButtnerINTERIMACCEPTEDACCEPTEDrsync Path Sanitation VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.Jay BealeINTERIMACCEPTEDACCEPTEDWindows NT Media Services ISAPI Logging VulnerabilityMicrosoft Windows NTMicrosoft Internet Information Server (IIS)The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request.Christine WalzerINTERIMACCEPTEDACCEPTEDWindows XP H.323 Protocol Remote Code Execution VulnerabilityMicrosoft Windows XPH.323Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.Jonathan BakerINTERIMACCEPTEDACCEPTEDIE File Upload VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerThe file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows 
remote attackers to automatically upload files from the local system via a web page containing a script to upload the files.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDACCEPTEDMDAC SQL-DMO Buffer Overflow (Test 2)Microsoft Windows XPMicrosoft Data Access Components 2.6Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.Christine WalzerINTERIMACCEPTEDACCEPTEDMDAC SQL-DMO Buffer Overflow (Test 1)Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000MDAC 2.5Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMagick XWD Decoder DoSRed Hat Enterprise Linux 3ImageMagickThe XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDIE Cookie-based Script ExecutionMicrosoft Windows 2000Microsoft Internet ExplorerThe zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 WMF/EMF Buffer OverflowMicrosoft Windows 2000Enhanced Metafile (EMF)Windows Metafile (WMF)Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or 
EMF image.Andrew ButtnerINTERIMACCEPTEDACCEPTEDWindows XP RPCSS Service DCOM Activation Denial of ServiceMicrosoft Windows XPRemote Procedure Call (RPC)An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 RPCSS Service DCOM Activation Denial of ServiceMicrosoft Windows 2000Remote Procedure Call (RPC)An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.Christine WalzerINTERIMACCEPTEDACCEPTEDKonqueror URI Handler "-" Filter VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.Jay BealeINTERIMACCEPTEDACCEPTEDNT4.0 SNMP Denial of ServiceMicrosoft Windows NTSNMPMemory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries.Christine WalzerINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows 2000 SSL PCT Handshake VulnerabilityMicrosoft Windows 2000Private Communications Transport (PCT)Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 
handshake packets.Andrew ButtnerINTERIMACCEPTEDACCEPTEDMicrosoft Excel Malformed OBJECT record VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft ExcelMicrosoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted BIFF record with an attacker-controlled array index that is used for a function pointer, aka "Malformed OBJECT record Vulnerability."Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows 2000 IIS ASP Server-Side Include Function Buffer OverflowMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names.Tiffany BergeronACCEPTEDACCEPTEDIE File Download Dialog VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability."Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDACCEPTEDKAME IKE Daemon Improper Hash Value HandlingRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.Jay BealeINTERIMACCEPTEDACCEPTEDWindows Server 2003 H.323 Protocol Remote Code Execution VulnerabilityMicrosoft 
Windows Server 2003H.323Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.Jonathan BakerINTERIMACCEPTEDACCEPTEDRacoon IKE Daemon Unauthorized X.509 Certificate Connection VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate.Jay BealeINTERIMACCEPTEDACCEPTEDWindows NT IIS Cross-site Scripting VulnerabilitiesMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors.Christine WalzerINTERIMACCEPTEDACCEPTEDSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10XsunA security vulnerability in Xsun and Xprt may allow a local unprivileged user to execute arbitrary code at the privilege level of either the XSun or Xprt command.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 IIS Cross-site Scripting VulnerabilitiesMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Squid ACL Bypass VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.Jay BealeINTERIMACCEPTEDACCEPTEDLinux Kernel ISO9660 File System Component BORed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.Jay BealeINTERIMACCEPTEDACCEPTEDSolaris 8 mibiisa Remote Buffer Overflow VulnerabilitySun Solaris 8mibiisaBuffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.David ProulxACCEPTEDLinux Kernel ip_setsockopt Integer OverflowRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.Jay BealeINTERIMACCEPTEDACCEPTEDIIS5.0 Windows Media Services Large POST VulnerabilityMicrosoft Windows 2000Microsoft Internet Information 
Server (IIS)Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.Christine WalzerINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 Mozilla Zombie Document VulnerabilityRed Hat Enterprise Linux 3Red Hat Enteprise Linux 3Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDWindows 2000 Media Services ISAPI Logging VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request.Christine WalzerINTERIMACCEPTEDACCEPTEDHP-UX PMTUD Remote DoS (B.11.23)HP-UX 11Operating SystemUnknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIIS WebDAV Request Denial of ServiceMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIIS showcode.asp Sample File VulnerabilityMicrosoft Windows NTMicrosoft Internet Information Server (IIS)The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.Christine WalzerINTERIMACCEPTEDACCEPTEDIIS5.0 Script Source Access VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability."Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 IIS Out of Process Privilege Elevation VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation."Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows NT IIS Out of Process Privilege Elevation VulnerabilityMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka 
"Out of Process Privilege Elevation."Christine WalzerINTERIMACCEPTEDACCEPTEDRed Hat Enterprise 3 OpenSSL Kerberos Handshake VulnerabilityRed Hat Enterprise Linux 3OpenSSLThe SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.Matt BusbyMatt BusbyINTERIMACCEPTEDACCEPTEDIIS5.0 Specialized Header VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability.Christine WalzerINTERIMACCEPTEDACCEPTEDIE URLMON Buffer OverflowMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerBuffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDACCEPTEDMS IE HTML Directive Buffer OverflowMicrosoft Windows 98Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerBuffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows Server 2003 ASN.1 Library Double-free Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft ASN.1 LibraryDouble-free 
vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.David ProulxINTERIMACCEPTEDACCEPTEDZone Spoofing through Malformed Web Page VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE Slash Characters in Type Property VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerBuffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDACCEPTEDIE File Execution User-prompt Bypass VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability."Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE Cached Content Command Execution VulnerabilityMicrosoft Windows 98Microsoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of 
cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs.
Tiffany Bergeron; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 IIS HTTP Error Page Cross-site Scripting
Microsoft Windows 2000; Microsoft Internet Information Server (IIS)
Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page.
Harvey Rubinovitz; ACCEPTED

Windows Server 2003 LSASS Buffer Overflow (Sasser Worm Vulnerability)
Microsoft Windows Server 2003; Local Security Authority Subsystem Service (LSASS)
Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Microsoft Office Parsing Vulnerability
Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003; Microsoft Office
Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with malformed string that triggers memory corruption related to record lengths, aka "Microsoft Office Parsing Vulnerability," a different vulnerability than CVE-2006-2389.
Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 Mozilla Bypass Cookie Access Restrictions Vulnerability
Red Hat Enterprise Linux 3; Red Hat Enterprise Linux 3
Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

IIS4.0 Buffer Overflow
Microsoft Windows NT; Microsoft Internet Information Server (IIS)
Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.
Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 S/MIME Protocol Denial of Service Vulnerability
Red Hat Enterprise Linux 3; Red Hat Enterprise Linux 3
Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.
Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

IIS ASP Source Code Access Vulnerability
Microsoft Windows NT; Microsoft Internet Information Server (IIS)
In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 IIS System File Listing Privilege Elevation Vulnerability
Microsoft Windows 2000; Microsoft Internet Information Server (IIS)
IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.
Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Windows NT Local Descriptor Table Kernel Access Vulnerability
Microsoft Windows NT; Local Descriptor Table (LDT)
The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor that points to protected memory.
Jonathan Baker; INTERIM; ACCEPTED; ACCEPTED

CSNW Remote Buffer Overflow via Network Messages (Server 2003,SP1)
Microsoft Windows Server 2003; NetWare
The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Solaris 7 CDE ToolTalk Database Null Write Vulnerability
Sun Solaris 7; CDE
CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.
David Proulx; ACCEPTED

Windows NT IIS System File Listing Privilege Elevation Vulnerability
Microsoft Windows NT; Microsoft Internet Information Server (IIS)
IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.
Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 H.323 Protocol Remote Code Execution Vulnerability
Microsoft Windows 2000; H.323
Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.
Jonathan Baker; INTERIM; ACCEPTED; ACCEPTED

Microsoft Agent Security Prompt Spoofing Vulnerability (Server 2003)
Microsoft Windows Server 2003; Microsoft Agent
Microsoft Agent allows remote attackers to spoof trusted
Internet content and execute arbitrary code by disguising security prompts on a malicious Web page.
Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 Ethereal Denial of Service via 0-Length Presentation Protocol Selector
Red Hat Enterprise Linux 3; Red Hat Enterprise Linux 3
Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.
Jay Beale; Jay Beale; Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Windows Server 2003 Help Center Command Insertion Vulnerability
Microsoft Windows Server 2003; Help and Support Center (HSC)
Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.
Harvey Rubinovitz; Harvey Rubinovitz; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Windows NT SSL PCT Handshake Vulnerability
Microsoft Windows NT; Private Communications Transport (PCT)
Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.
Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Red Hat OpenSSL Improper Unknown Message Handling Vulnerability
Red Hat Linux 9; OpenSSL
OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.
Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Server 2003 COM Structured Storage Vulnerability
Microsoft Windows Server 2003; COM Internet Services
Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which
allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."
Christine Walzer; Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Windows XP RPCSS DCOM Buffer Overflow (Blaster)
Microsoft Windows XP; Remote Procedure Call (RPC)
A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

IIS Denial of Service via WebDAV
Microsoft Windows 2000; Microsoft Internet Information Server (IIS)
IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests.
Tiffany Bergeron; INTERIM; Ingrid Skoog; ACCEPTED; ACCEPTED

Solaris 8 RPC xdr_array Buffer Overflow
Sun Solaris 8; libnsl
Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
David Proulx; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

HP-UX 11; Operating System
Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability.
While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Windows XP LSASS Buffer Overflow (Sasser Worm Vulnerability)
Microsoft Windows XP; Local Security Authority Subsystem Service (LSASS)
Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Windows NT WMF/EMF Buffer Overflow
Microsoft Windows NT; Enhanced Metafile (EMF); Windows Metafile (WMF)
Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image.
Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 winlogon Remote Buffer Overflow
Microsoft Windows 2000; Windows logon process (winlogon)
Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.
Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; John Hoyland; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Windows NT winlogon Remote Buffer Overflow
Microsoft Windows NT; Windows logon process (winlogon)
Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote
attackers to execute arbitrary code.
Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 3)
Microsoft Windows 2000; Remote Procedure Call (RPC)
A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 SSL Library Denial of Service
Microsoft Windows 2000; Secure Sockets Layer (SSL)
The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
David Proulx; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 Ethereal Denial of Service via Malformed RADIUS Packet
Red Hat Enterprise Linux 3; Red Hat Enterprise Linux 3
The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.
Jay Beale; Jay Beale; Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 Local Descriptor Table Kernel Access Vulnerability
Microsoft Windows 2000; Local Descriptor Table (LDT)
The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor that points to protected memory.
Jonathan Baker; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 MUP UNC Request Buffer Overflow
Microsoft Windows 2000; Multiple UNC Provider (MUP)
Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows
operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request.
Tiffany Bergeron; ACCEPTED

Windows XP SSL PCT Handshake Vulnerability
Microsoft Windows XP; Private Communications Transport (PCT)
Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.
Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Multiple BO Vulnerabilities in Red Hat Enterprise 3 Ethereal
Red Hat Enterprise Linux 3; Red Hat Enterprise Linux 3
Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.
Jay Beale; Jay Beale; Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Windows XP SSL Library Denial of Service
Microsoft Windows XP; Secure Sockets Layer (SSL)
The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
David Proulx; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Windows Server 2003 SSL Library Denial of Service
Microsoft Windows Server 2003; Secure Sockets Layer (SSL)
The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
David Proulx; INTERIM; ACCEPTED; ACCEPTED

Windows 2000 LSASS Buffer Overflow (Sasser Worm Vulnerability)
Microsoft Windows 2000; Local Security Authority Subsystem Service (LSASS)
Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS)
in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
Tiffany Bergeron; INTERIM; ACCEPTED; ACCEPTED

Outlook Express v5.5,SP2 MHTML URL Processing Vulnerability
Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Outlook Express
The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."
Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Bourne Shell Local-DoS Vulnerability
Sun Solaris 8; Sun Solaris 9; Sun Solaris 10; Operating System
The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files.
Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Red Hat Ethereal Denial of Service via 0-Length Presentation Protocol Selector
Red Hat Linux 9; Red Hat 9
Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.
Jay Beale; Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Ethereal SPNEGO Dissector Denial of Service Vulnerability
Red Hat Linux 9; Ethereal
The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value.
Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

Red Hat Ethereal Denial of Service via Malformed RADIUS Packet
Red Hat Linux 9; Red Hat 9
The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.
Jay Beale; Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Multiple BO Vulnerabilities in Red Hat Ethereal
Red Hat Linux 9; Red Hat 9
Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.
Jay Beale; Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Red Hat Squid ACL Bypass Vulnerability
Red Hat Linux 9; Red Hat 9
The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.
Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Apache 2 Denial of Service due to Memory Leak in mod_ssl
Red Hat Enterprise Linux 3; httpd
Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.
Jay Beale; Jay Beale; INTERIM; ACCEPTED; ACCEPTED

XMLSoft Libxml2 Code Execution Vulnerability
Red Hat Enterprise Linux 3; libxml2
Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.
Jay Beale; Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Red Hat Mozilla Zombie Document Vulnerability
Red Hat Linux 9; mozilla
Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.
Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Red Hat Mozilla Bypass Cookie Access Restrictions Vulnerability
Red Hat Linux 9; mozilla
Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Red Hat S/MIME Protocol Denial of Service Vulnerability
Red Hat Linux 9; mozilla
Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.
Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 OpenSSL Improper Unknown Message Handling Vulnerability
Red Hat Enterprise Linux 3; OpenSSL
OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.
Matt Busby; Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 OpenSSL do_change_cipher_spec Function Denial of Service
Red Hat Enterprise Linux 3; OpenSSL
The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
Matt Busby; Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

SNMPv1 Request Handling DoS and Privilege Escalation
Microsoft Windows NT; Simple Network Management Protocol (SNMP)
Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
Harvey Rubinovitz; ACCEPTED

Net-SNMP MIB Information Disclosure Vulnerability
Red Hat Enterprise Linux 3; Net-SNMP
Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed.
Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Linux Kernel eflags Checking Privilege Escalation Vulnerability
Red Hat Enterprise Linux 3; Linux kernel
Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.
Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 Linux Kernel do_mremap Denial of Service Vulnerability
Red Hat Enterprise Linux 3; Linux kernel
The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 CVS Server root Directory Access Vulnerability
Red Hat Enterprise Linux 3; CVS server
CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
Jay Beale; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 kdepim VCF File Information Reader BO
Red Hat Enterprise Linux 3; KDE Personal Information Management (kdepim)
Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.
Jay Beale; INTERIM; Matt Busby; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 Multiple stack-based BO Vulnerabilities in Apache
Red Hat Enterprise Linux 3; Apache
Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.
Jay Beale; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Multiple stack-based BO Vulnerabilities in Apache
Red Hat Linux 9; httpd
Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.
Jay Beale; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 sysstat post and trigger Scripts symlink Attack Vulnerability
Red Hat Enterprise Linux 3; Sysstat
The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.
Jay Beale; Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

rpc.mountd Denial of Service via NFS Mount
Red Hat Enterprise Linux 3; nfs-utils packages
rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service
(crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name.
Jay Beale; Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Linux Kernel do_mremap Denial of Service Vulnerability
Red Hat Linux 9; Linux kernel
The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

Solaris 8 LBXProxy Display Name Buffer Overflow
Sun Solaris 8; lbxproxy
Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.
David Proulx; ACCEPTED

Red Hat Kernel Real Time Clock Data Leakage
Red Hat Linux 9; Linux kernel
Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

Red Hat kdepim VCF File Information Reader BO
Red Hat Linux 9; KDE Personal Information Management (kdepim)
Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.
Jay Beale; ACCEPTED; ACCEPTED

Ethereal Malformed Q.931 Packet Vulnerability
Red Hat Linux 9; Tethereal
The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

Ethereal Malformed SMB Packet Vulnerability
Red Hat Linux 9; Ethereal
The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault
during processing of Selected packets.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

Red Hat CVS Server root Directory Access Vulnerability
Red Hat Linux 9; CVS server
CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

RHE3 tcpdump DoS via ISAKMP Packets II
Red Hat Enterprise Linux 3; tcpdump
The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989.
Jay Beale; ACCEPTED; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 tcpdump Denial of Service via print_attr_string Function
Red Hat Enterprise Linux 3; tcpdump
The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.
Jay Beale; ACCEPTED; ACCEPTED

RHE3 tcpdump DoS via ISAKMP Packets
Red Hat Enterprise Linux 3; tcpdump
tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057.
Jay Beale; ACCEPTED; ACCEPTED

Red Hat tcpdump Denial of Service via ISAKMP Packets II
Red Hat Linux 9; tcpdump
The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989.
Jay Beale; ACCEPTED; ACCEPTED

Red Hat tcpdump Denial of Service via print_attr_string Function
Red Hat Linux 9; tcpdump
The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial
of service (segmentation fault) via a RADIUS attribute with a large length value.
Jay Beale; ACCEPTED; ACCEPTED

Red Hat sysstat post and trigger Scripts symlink Attack Vulnerability
Red Hat Linux 9; sysstat
The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.
Jay Beale; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Buffer Overflow in CDOSYS Message Processing (64-bit WinXP,SP1)
Microsoft Windows XP; Operating System
Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.
Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Red Hat tcpdump Denial of Service via ISAKMP Packets
Red Hat Linux 9; tcpdump
tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057.
Jay Beale; ACCEPTED; ACCEPTED

Red Hat gdk-pixbuf Denial of Service
Red Hat Linux 9; gdk-pixbuf
gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.
Jay Beale; INTERIM; Matt Busby; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 gdk-pixbuf Denial of Service
Red Hat Enterprise Linux 3; gdk-pixbuf
gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.
Jay Beale; INTERIM; Matt Busby; ACCEPTED; ACCEPTED

MSN Messenger Remote File Access Vulnerability
Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003; MSN Messenger
Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files.
Christine Walzer; INTERIM; Andrew Buttner; ACCEPTED; ACCEPTED

Unhandled Exception Vulnerability
Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003; Operating System
Unspecified vulnerability in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1, allows remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly "unloading chained exception."
Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Apache HTTP Request Smuggling
HP-UX 11; Apache
The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Ethereal 0.9.12 Vulnerability in OSI Dissector
Red Hat Linux 9; Ethereal
The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow.
Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

mod_python Web Server Denial of Service
Red Hat Linux 9; mod_python
Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

Red Hat Enterprise 3 Mutt BO in Index Menu
Red Hat Enterprise Linux 3; Mutt
Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.
Jay Beale; ACCEPTED; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

Red Hat Linux Kernel do_mremap Privilege Escalation Vulnerability
Red Hat Linux 9; mremap
The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

Vicam USB Driver Data Copy Vulnerability
Red Hat Linux 9; Vicam USB driver
The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

Red Hat Kernel ncp_lookup Function BO
Red Hat Linux 9; Linux kernel
Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

Red Hat Kernel R128 DRI Limits Checking Vulnerability
Red Hat Linux 9; Linux kernel
Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

XMLSoft Libxml2 Code Execution Vulnerability
Red Hat Enterprise Linux 3; XMLSoft Libxml2
Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.
Jay Beale; Matt Busby; Matt Busby; INTERIM; ACCEPTED; ACCEPTED

XFree86 Improper Handling of Font Files
Red Hat Enterprise Linux 3; XFree86
Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.
Jay Beale; Matt Busby; ACCEPTED; ACCEPTED

XFree86 Buffer Overflow in CopyISOLatin1Lowered Function
Red Hat Enterprise Linux 3; XFree86
Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered
function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.Jay BealeMatt BusbyMatt BusbyACCEPTEDACCEPTEDXFree86 Buffer Overflow in dirfileRed Hat Enterprise Linux 3XFree86Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.Jay BealeMatt BusbyMatt BusbyACCEPTEDACCEPTEDMicrosoft SQL Server 3-Function Buffer OverflowMicrosoft Windows 2000MicrosoftSQL ServerBuffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CVE-2001-0879.Yi-Fang KohIngrid SkoogINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDmod_python Web Server Denial of ServiceRed Hat Linux 9mod_pythonUnknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string.Jay BealeMatt BusbyACCEPTEDACCEPTEDSamba mksmboasswd Disabled Account Creation VulnerabilityRed Hat Enterprise Linux 3Samba 3.0.0 and 3.0.1The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.Jay BealeMatt BusbyACCEPTEDACCEPTEDRedHat Enterprise 3 Code Execution and DoS Vulnerabilities in PWLibRed Hat Enterprise Linux 3PWLibMultiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated 
by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat Enterprise 3 Linux Kernel do_mremap Privilege Escalation VulnerabilityRed Hat Enterprise Linux 3mremapThe do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.Jay BealeMatt BusbyACCEPTEDACCEPTEDKonqueror Cookie Access Restrictions Bypass VulnerabilityRed Hat Linux 9KDEKonqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.Jay BealeINTERIMACCEPTEDACCEPTEDMidnight Commander vfs_s_resolve_symlink BORed Hat Linux 9Midnight CommanderStack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion.Jay BealeMatt BusbyACCEPTEDACCEPTEDslocate Privilege Escalation VulnerabilityRed Hat Linux 9slocateHeap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used.Jay BealeMatt BusbyACCEPTEDACCEPTEDGaim / Ultramagnetic directIM Packet VulnerabilityRed Hat Linux 9GaimInteger overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.Jay 
BealeACCEPTEDACCEPTEDMicrosoft RPC Denial of ServiceMicrosoft Windows 2000Microsoft SQL Server 2000Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs.Tiffany BergeronJonathan BakerINTERIMIngrid SkoogACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDGaim / Ultramagnetic Extract Info Field Function BORed Hat Linux 9GaimBuffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.Jay BealeACCEPTEDACCEPTEDGaim / Ultramagnetic BO VulnerabilitiesRed Hat Linux 9GaimMultiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.Jay BealeACCEPTEDACCEPTEDRHE3 Firefox and Mozilla Shared Object Code ExecutionRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDCOM+ Memory Structures Process Permits Remote Code Execution (Win2k,SP4)Microsoft Windows 2000Operating SystemCOM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.Robert L. 
HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMailman Cross-site Scripting Vulnerability IIRed Hat Linux 9MailmanCross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users.Jay BealeACCEPTEDACCEPTEDMailman Cross-site Scripting VulnerabilityRed Hat Linux 9MailmanCross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities.Jay BealeACCEPTEDACCEPTEDRed Hat Mutt BO in Index MenuRed Hat Linux 9MuttBuffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.Jay BealeACCEPTEDACCEPTEDRed Hat Enterprise 3 netpbm File Overwrite VulnerabilityRed Hat Enterprise Linux 3netpbmnetpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.Jay BealeMatt BusbyACCEPTEDACCEPTEDWindows NT IIS HTTP Error Page Cross-site ScriptingMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page.Tiffany BergeronACCEPTEDXFree86 Font File Handling VulnerabilityRed Hat Linux 9XFree86Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.Jay BealeMatt BusbyACCEPTEDACCEPTEDRHE4 XBL Script Security Bypass VulnerabilityRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.Jay 
BealeDRAFTINTERIMACCEPTEDACCEPTEDRed Hat XFree86 Buffer Overflow in ReadFontAlias IIRed Hat Linux 9XFree86Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat XFree86 Buffer Overflow in ReadFontAliasRed Hat Linux 9XFree86Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.Jay BealeMatt BusbyACCEPTEDACCEPTEDRed Hat netpbm File Overwrite VulnerabilityRed Hat Linux 9netpbmnetpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.Jay BealeMatt BusbyACCEPTEDACCEPTEDRedHat Code Execution and DoS Vulnerabilities in PWLibRed Hat Linux 9PWLibMultiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Jay BealeMatt BusbyACCEPTEDACCEPTEDWindows Server 2003 WINS Buffer OverflowMicrosoft Windows Server 2003Windows Internet Naming Service (WINS)The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.Andrew ButtnerINTERIMACCEPTEDACCEPTEDWindows NT Terminal Server WINS Buffer OverflowMicrosoft Windows NTWindows Internet Naming Service (WINS)The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not 
properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.Andrew ButtnerINTERIMACCEPTEDACCEPTEDWindows NT WINS Buffer OverflowMicrosoft Windows NTWindows Internet Naming Service (WINS)The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.Andrew ButtnerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDSolaris 7 CDE ToolTalk Database Symbolic Link VulnerabilitySun Solaris 7CDECDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.David ProulxACCEPTEDSMB Rename VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemUnspecified vulnerability in the Server service in Microsoft Windows 2000 SP4, Server 2003 SP1 and earlier, and XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted packet, aka "SMB Rename Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Server 2003 ASN.1 Library Integer Overflow VulnerabilitiesMicrosoft Windows Server 2003Microsoft ASN.1 LibraryMultiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.Andrew ButtnerINTERIMACCEPTEDACCEPTEDOffice 2002 Remote Code Execution via Malformed Routing SlipMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeBuffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E.Robert L. 
HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDWindows XP ASN.1 Library Integer Overflow VulnerabilitiesMicrosoft Windows XPMicrosoft ASN.1 LibraryMultiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows NT ASN.1 Library Integer Overflow VulnerabilitiesMicrosoft Windows NTMicrosoft ASN.1 LibraryMultiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.Andrew ButtnerINTERIMACCEPTEDACCEPTEDWindows Script Engine Heap Overflow (Test 3)Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Windows Script Engine for JScript v5.5Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.Tiffany BergeronDavid ProulxINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDWindows Script Engine Heap Overflow (Test 2)Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Windows Script Engine for JScript v5.1Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating 
system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.Tiffany BergeronDavid ProulxINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDIE6:XP,SP2 Java Proxy COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 COM Object Instantiation Memory Corruption (WinXP)Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 RWall Daemon Syslog Format String VulnerabilitySun Solaris 8rpc.rwalldFormat string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.David ProulxACCEPTEDIE6 HTML Parsing Vulnerability (WinXP)Microsoft Windows XPMicrosoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDNetwork Connection Manager Interruption of Service (Server 2003,SP1)Microsoft Windows Server 2003Operating Systemnetman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDusermod Recursive Ownership Error (B.11.11)HP-UX 11ApacheA security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user's home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is '/', this action will render the system inoperable.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Telnet Environment Disclosure VulnerabilityMicrosoft Windows 2000Services for UNIXThe Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDWindows Server 2003 Plug and Play Buffer Overflow VulnerabilityMicrosoft Windows Server 2003Operating SystemStack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDRHE3 InstallVersion.compareTo() DoS and Code Execution VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 Path MTU Discovery Attack VulnerabilityMicrosoft Windows Server 2003Microsoft Word 2003Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Matthew BurtonDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWindows 2000 IIS Directory Traversal Command Execution (Test 1)Microsoft Windows 2000Microsoft Internet Information Server (IIS)Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. 
(dot dot) and "\" characters twice.Tiffany BergeronTiffany BergeronACCEPTEDINTERIMACCEPTEDACCEPTEDWindows XP Kernel Debugger-based Buffer Overflow (Test 2)Microsoft Windows XPWindows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDLSASS Privilege Escalation Vulnerability (Windows 2000)Microsoft Windows 2000Local Security Authority Subsystem Service (LSASS)LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows 2000 CSRSS Privilege Escalation VulnerabilityMicrosoft Windows 2000Client Server Runtime System (CSRSS)Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.Ingrid SkoogDRAFTINTERIMChristine WalzerAndrew ButtnerACCEPTEDACCEPTEDMicrosoft MDAC 2.8 Broadcast Response Buffer OverflowMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Data Access Compnents 2.8Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.Christine WalzerINTERIMACCEPTEDACCEPTEDRHE3 Mozilla top.focus() Cross-Site Scripting VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the 
parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDusermod Recursive Ownership Error (B.11.00)HP-UX 11Apache'A security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user\'s home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is \'/\', this action will render the system inoperable.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE v5.5 GetObject File RetrievalMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.David ProulxACCEPTEDServer 2003,SP1 Color Management Module Buffer OverflowMicrosoft Windows Server 2003Microsoft Color Management ModuleBuffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.10.01, B.10.10)HP-UX 10ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX Trusted Mode remshd Remote Unauthorized Access (B.11.00)HP-UX 11remshdUnknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9Sun Solaris 10gzipRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDExcel 2002 Remote Code Execution via Malformed RecordMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeStack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDApache HTTP Byte-range DoS VulnerabilityHP-UX 11ApacheThe byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Process Handle Duplication Privilege EscalationMicrosoft Windows 2000Windows 2000smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.Tiffany BergeronACCEPTEDRHE4 Firefox and Mozilla Framed Site Spoofing VulnerabilityRed Hat Enterprise Linux 4mozillaA regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 10Sun Solaris 9Access ManagerUnspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Excel Malformed LABEL record VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft ExcelMicrosoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted LABEL record that triggers memory corruption.Robert L. 
HollisINTERIMACCEPTEDACCEPTEDMicrosoft MDAC 2.7 Broadcast Response Buffer OverflowMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Data Access Compnents 2.7Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.Christine WalzerINTERIMACCEPTEDACCEPTEDEthereal 0.9.12 Vulnerability in DCERPC DissectorRed Hat Linux 9EtherealUnknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDbzip2 Decompression BombRed Hat Enterprise Linux 3bzip2bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDWinsock Hostname VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemBuffer overflow in the Winsock API in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka "Winsock Hostname Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0 (XP) Travel Log Cross Domain VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDIE v5.5,SP2 Similar Method Name Redirection Cross Domain VulnerabilityMicrosoft Internet ExplorerMicrosoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDAndrew SimmonsINTERIMACCEPTEDACCEPTEDGaim DoS via Yahoo! MessageRed Hat Enterprise Linux 3GaimGaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! 
message with non-ASCII characters in a file name.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 5)Microsoft Windows 2000Microsoft FrontPage Server Extensions 2000Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.Tiffany BergeronAndrew ButtnerINTERIMACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDRHE3 Improper Handling of Synthetic Events in MozillaRed Hat Enterprise Linux 3mozillaThe browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Office Smart Tag Parsing VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in Microsoft Office XP and 2003 allows remote user-assisted attackers to execute arbitrary code via a malformed Smart Tag.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 CDE dtspcd Buffer OverflowSun Solaris 7dtspcdBuffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.David ProulxACCEPTEDSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10KerberosHeap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Integer Overflow in pcre_compile.cHP-UX 11ApacheInteger overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0 (XP) HijackClick VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDInteger Overflow Vulnerabilities in Ethereal 0.9.11Red Hat Linux 9EtherealMultiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDRHE4 Firefox and Mozilla DOM Node SpoofingRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11PerlRace condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDKorean IME Privilege Elevation Vulnerability in Office 2003 and AccessoriesMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemThe ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMPSource Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 9Sun Solaris 8Sun Solaris 7Operating SystemMultiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDDNS Client Buffer Overrun VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemBuffer overflow in the DNS Client service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted record response. 
NOTE: while MS06-041 implies that there is a single issue, there are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap-based buffer overflow in a DNS server response to the client, (2) a DNS server response with malformed ATMA records, and (3) a length miscalculation in TXT, HINFO, X25, and ISDN records.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 Web Client Service Buffer OverflowMicrosoft Windows Server 2003Web Client ServiceBuffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Variant of Chunked Encoding Buffer OverrunMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun."Tiffany BergeronACCEPTEDACCEPTEDgftp Directory Traversal VulnerabilityRed Hat Enterprise Linux 3gftpDirectory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.Jay BealeDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDWebClient Service Unchecked Buffer Remote Code Execution (64-bit XP,SP1)Microsoft Windows XPOperating SystemBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWin2k Embedded Web Font VulnerabilityMicrosoft Windows 2000Operating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Hyperlink Object Library Unchecked Buffer VulnerabilityMicrosoft Windows 2000Hyperlink Object LibraryThe Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDAnimated Cursor Denial of Service (NT 4.0)Microsoft Windows NTWindows Animated CursorThe Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.Christine WalzerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDImageMagick Buffer Overflow in ReadPNMImage()Red Hat Enterprise Linux 3ImageMagickHeap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDIE6 DHTML Method Heap Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows 
remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDRobert L. HollisACCEPTEDACCEPTEDPrivilege Escalation Using Cached Admin ConnectionMicrosoft Windows 2000Microsoft SQL Server 2000An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account.Yi-Fang KohACCEPTEDJonathan BakerJonathan BakerINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 Plug-in Navigation Address Bar Spoofing VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTED.lnk File-Open Remote Code Execution Vulnerability (64-bit XP,SP1)Microsoft Windows XPOperating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 WINS Buffer OverflowMicrosoft Windows 2000Windows Internet Naming Service (WINS)The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.Andrew ButtnerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDSolaris Privilege Escalation/DoS Vulnerability (6293270)Sun Solaris 9Sun Solaris 10Operating SystemUnspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWMF Rendering Code Execution Vulnerability (64-bit Windows XP and Server 2003,SP1)Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 CDE dtspcd Buffer OverflowSun Solaris 8dtspcdBuffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.David ProulxACCEPTEDSolaris 8 kcms_configure Command-Line Buffer OverflowSun Solaris 8kcms_configurekcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.David ProulxACCEPTEDMS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 4)Microsoft Windows NTMicrosoft FrontPage Server Extensions 2000Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWinXP,SP2 Embedded Web Font VulnerabilityMicrosoft Windows XPOperating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMS Excel 2002 Malicious Macro Security Bypass VulnerabilityMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Excel 2002Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.Andrew ButtnerINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDMatthew WojcikINTERIMJohn HoylandACCEPTEDACCEPTEDVisual Basic for Applications VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Visual BasicBuffer overflow in Microsoft Visual Basic for Applications (VBA) SDK 6.0 through 6.4, as used by Microsoft Office 2000 SP3, Office XP SP3, Project 2000 SR1, Project 2002 SP1, Access 2000 Runtime SP3, Visio 2002 SP2, and Works Suite 2004 through 2006, allows user-assisted attackers to execute arbitrary code via unspecified document properties that are not verified when VBA is invoked to open documents.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIE v5.5 Temporary Internet Files folders Name Reading VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading."Harvey RubinovitzACCEPTEDACCEPTEDOff-by-one Vulnerabilities in Ethereal 0.9.11Red Hat Linux 9EtherealMultiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDIE v5.5,SP2 Travel Log Cross Domain VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." 
NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDTIP Request Validation Process Permits Denial of Service (Server 2003,SP1)Microsoft Windows Server 2003TIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSuppressed: Duplicate of OVAL1959Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMJonathan BakerIngrid SkoogACCEPTEDACCEPTEDWebClient Service Unchecked Buffer Remote Code Execution (XP,SP1)Microsoft Windows XPOperating SystemBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Agent Security Prompt Spoofing Vulnerability (Windows 2000)Microsoft Windows 2000Microsoft AgentMicrosoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page.Harvey RubinovitzDRAFTHarvey RubinovitzINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDFlaw in Windows WM_TIMER Message Handling Could Enable Privilege ElevationMicrosoft Windows NTNetDDE AgentNetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation."Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDWindows Server 2003 (64-Bit) Unchecked Buffer in NetDDEMicrosoft Windows Server 2003NetDDENetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDTCP/IP IGMP v3 Denial of Service (Server 2003,SP1)Microsoft Windows Server 2003Operating SystemMicrosoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla XML Parser Read Beyond Buffer BugMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDPostgreSQL Character Conversion VulnerabilityRed Hat Enterprise Linux 3postgresqlPostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability."Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Kernel Elevation of Privilege VulnerabilityMicrosoft Windows 2000Operating SystemUnspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, probably a buffer overflow, allows local users to obtain privileges via unspecified vectors involving an "unchecked buffer."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla JavaScript Garbage-Collection Hazards in jsinterp.cMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMS Word 2002 Macro Names Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 2002Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.Andrew ButtnerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDypserv NIS Server Denial of ServiceRed Hat Linux 9ypservypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDCode Execution Vulnerability in XPDF PDF ViewerRed Hat Linux 9xpdfVarious PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink.Jay BealeINTERIMACCEPTEDACCEPTEDIIS ASP Function Cross-site ScriptingMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message.David ProulxChristine WalzerINTERIMACCEPTEDACCEPTEDxinitd Memory Leak Invites Denial of Service AttackRed Hat Linux 9xinetdMemory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections.Jay BealeINTERIMJay BealeJay BealeACCEPTEDACCEPTEDWindows 2000 ASN.1 Library Integer Overflow VulnerabilitiesMicrosoft Windows 2000Microsoft ASN.1 LibraryMultiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other 
Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.Andrew ButtnerINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 kcms_configure Command-Line Buffer OverflowSun Solaris 7kcms_configurekcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.David ProulxACCEPTEDHP-UX wuftpd Privilege Escalation Vulnerability (B.11.23)HP-UX 11ftpdwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.Robert L. 
HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDmikmod Long Filename Buffer OverflowRed Hat Enterprise Linux 3mikmodBuffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLicense Logging Service Vulnerability (Terminal Server)Microsoft Windows NTMDAC 2.8The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability."Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDHP-Samba DACL Remote Integer Overflow Vulnerability (CIFS A.02)HP-UX 11SambaInteger overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Trusted Domain LoopholeMicrosoft Windows 2000Windows 2000In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain.Tiffany BergeronTiffany BergeronACCEPTEDINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP (64-Bit) DUNZIP Integer OverflowMicrosoft Windows XPCompressed FoldersInteger overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.David ProulxDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMicrosoft Office Malformed String Parsing VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeMSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. 
NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string.Robert L. HollisINTERIMACCEPTEDACCEPTEDMMC Redirect Cross-Site Scripting VulnerabilityMicrosoft Windows 2000Microsoft Management ConsoleCross-site scripting (XSS) vulnerability in Internet Explorer 5.01 and 6 in Microsoft Windows 2000 SP4 permits access to local "HTML-embedded resource files" in the Microsoft Management Console (MMC) library, which allows remote authenticated users to execute arbitrary commands, aka "MMC Redirect Cross-Site Scripting Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox and Mozilla Framed Site Spoofing VulnerabilityRed Hat Enterprise Linux 3mozillaA regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMS Excel 2000 Malicious Macro Security Bypass VulnerabilityMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Excel 2000Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.Christine WalzerACCEPTEDIngrid SkoogINTERIMACCEPTEDRobert L. 
HollisINTERIMJohn HoylandACCEPTEDACCEPTEDvsftpd Fails to Integrate with TCP WrappersRed Hat Linux 9vsftpdvsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDOffice Malformed Record Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in mso.dll in Microsoft Office 2000, XP, and 2003, and Microsoft PowerPoint 2000, XP, and 2003, allows remote user-assisted attackers to execute arbitrary code via a malformed record in a (1) .DOC, (2) .PPT, or (3) .XLS file that triggers memory corruption, related to an "array boundary condition" (possibly an array index overflow), a different vulnerability than CVE-2006-3434, CVE-2006-3650, and CVE-2006-3868.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDup2date RPM GPG Signature Verification VulnerabilityRed Hat Linux 9up2dateup2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDWindows 2000 Remote Access Service Phonebook Buffer OverflowMicrosoft Windows 2000Remote Access Service (RAS)Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry.Tiffany BergeronACCEPTEDExchange Server 5.5 TNEF Decoding VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OutlookUnspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary 
code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDsysreport Plaintext Password LeakRed Hat Enterprise Linux 3sysreportsysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9Sun Solaris 10Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 mibiisa Remote Buffer Overflow VulnerabilitySun Solaris 7mibiisaBuffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.David ProulxACCEPTEDUnZip 5.0 Directory Traversal VulnerabilityRed Hat Linux 9unzipDirectory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." 
sequence.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDWindows XP,SP1 Remote Desktop Protocol (RDP) DoS VulnerabilityMicrosoft Windows XPOperating SystemThe Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11swagentdAn undisclosed vulnerability has been identified in swagentd that could potentially be exploited remotely by an unauthenticated attacker to cause swagentd to abort.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSqirrelMail Cross-site Scripting VulnerabilitiesRed Hat Linux 9SquirrelMailMultiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDIE v5.5,SP2 Install Engine Buffer OverflowMicrosoft Windows MEMicrosoft Internet ExplorerInteger overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDHP-UX 10Operating SystemAn SCLT_INCOMPLETE error was blocking receipt of proper READY status from the array. A timer was changed to allow array to reach full READY before SCSI response is tested.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Remote Access Service Phonebook Buffer OverflowMicrosoft Windows NTRemote Access Service (RAS)Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry.Tiffany BergeronACCEPTEDWindows Server 2003 Remote Desktop Protocol (RDP) DoS VulnerabilityMicrosoft Windows Server 2003Operating SystemThe Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions SmartHTML Denial of Service (Test 3)Microsoft Windows XPMicrosoft FrontPage Server Extensions 2000Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDServer 2003 Telnet Environment Disclosure VulnerabilityMicrosoft Windows Server 2003Services for UNIXThe Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDIE v5.5, SP2 HijackClick 3 / Script in Image Tag File Download VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File 
Download Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDSendmail BO in prescan FunctionRed Hat Linux 9SendmailThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMailslot Heap Overflow VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemHeap-based buffer overflow in the Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to execute arbitrary code via crafted first-class Mailslot messages that trigger memory corruption and bypass size restrictions on second-class Mailslot messages.Robert L. HollisINTERIMACCEPTEDACCEPTEDCUPS Partial Print DoSRed Hat Linux 9CUPSCUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDHP-UX xterm Local Unauthorized Access due to Bad PatchHP-UX 11remshdUnspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDDenial of Service in Sendmail via the enhdnsbl FeatureRed Hat Linux 9SendmailThe DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDPotential BO in Ruleset Parsing for SendmailRed Hat Linux 9SendmailA "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDWindows Messenger 6 libpng Buffer OverflowMicrosoft Windows 2000Microsoft Windows XPMSN MessengerMultiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMRobert L. HollisACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 NNTP Component Buffer OverflowMicrosoft Windows 2000Network News Transport Protocol (NNTP)The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.Christine WalzerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDrwho daemon Code Execution VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Licence Logging ServiceUnknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions SmartHTML Denial of Service (Test 2)Microsoft Windows NTMicrosoft FrontPage Server Extensions 2000Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMicrosoft Publisher 2002 is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Publisher 2002 is installed.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Publisher VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003PublisherStack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts.Robert L. HollisDRAFTRobert L. 
HollisINTERIMACCEPTEDACCEPTEDMicrosoft Windows RPC Denial of ServiceMicrosoft Windows 2000Remote Procedure Call (RPC)The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.Tiffany BergeronChristine WalzerINTERIMACCEPTEDACCEPTEDMozilla IDN heap overrun using soft-hyphensMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaBuffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMSJava Applet CODEBASE File Access VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Virtual Machine (VM)Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error.Tiffany BergeronINTERIMACCEPTEDACCEPTEDBuffer Overflow in CDOSYS Message Processing (Server 2003,SP1)Microsoft Windows Server 2003Operating SystemBuffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows NT IIS HTTP Redirect Error Message Cross-site ScriptingMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect ("302 Object Moved") message.Tiffany BergeronACCEPTEDMicrosoft Word Malformed Stack VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft WordUnspecified vulnerability in Microsoft Word 2000, 2002, and Office 2003 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors involving a crafted file resulting in a malformed stack, as exploited by malware with names including Trojan.Mdropper.Q, Mofei, and Femo.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCOM+ Memory Structures Process Permits Remote Code Execution (Server 2003,SP1)Microsoft Windows Server 2003Operating SystemCOM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Workstation Service Logging Function Buffer OverflowMicrosoft Windows 2000Microsoft Windows Workstation ServiceStack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.Tiffany BergeronACCEPTEDACCEPTEDMSHTA Code Execution Vulnerability (32-bit XP,SP2)Microsoft Windows XPWindows ShellThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDSendmail BO in Prescan FunctionRed Hat Linux 9SendmailThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDExcel Malformed DATETIME Record VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft ExcelUnspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, Excel Viewer 2003, and Microsoft Works Suite 2004 through 2006 allows user-assisted attackers to execute arbitrary code via a crafted DATETIME record in an XLS file, a different vulnerability than CVE-2006-3867 and CVE-2006-3875.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDImproper Cross Domain Security Validation with ShowHelp FunctionalityMicrosoft Windows 2000Microsoft Internet ExplorerThe showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality."David ProulxChristine WalzerINTERIMACCEPTEDACCEPTEDSymlink Attack Vulnerability in semi/wemi MIME LibrariesRed Hat Linux 9semi MIME libraryThe (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDBO in Samba call_trans2open FunctionRed Hat Linux 9Samba, Samba-TNGBuffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMultiple Buffer Overflows in SambaRed Hat Linux 9SambaMultiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSolaris 8 rpc.yppasswdd Buffer Overrun VulnerabilitySun Solaris 8rpc.yppasswddBuffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.David ProulxACCEPTEDWindows (ME, NT, 2K), IE v5.5,SP2 CSS Heap Memory Corruption VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via 
certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMicrosoft Excel Malformed SELECTION record VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft ExcelMicrosoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted SELECTION record that triggers memory corruption, a different vulnerability than CVE-2006-1302.Robert L. HollisINTERIMACCEPTEDACCEPTEDXsun Buffer Overflow via HOME EnvvarSun Solaris 7XsunBuffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environment variable.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSamba Arbitrary File Overwrite VulnerabilityRed Hat Linux 9SambaThe code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMicrosoft MDAC 2.6 Broadcast Response Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Data Access Components 2.6Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.Christine WalzerINTERIMACCEPTEDACCEPTEDIE v5.5, SP2 SSL Cached Content VulnerabilityMicrosoft Windows MEMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is 
cached and reused when the user visits the target web site.Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDSMB/CIFS Packet Fragment Re-assembly BORed Hat Linux 9smbdBuffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMSDTC Unchecked Buffer Permits Remote Code Execution or Privilege Elevation (Win2k,SP4)Microsoft Windows 2000MSDTCThe MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDExchange Server 2003 Routing Engine Buffer OverflowMicrosoft Windows Server 2003SMTPThe SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDRHE4 Firefox and Mozilla Shared Object Code ExecutionRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDEthereal NTLMSSP Buffer OverflowRed Hat Linux 9EtherealHeap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause 
a denial of service and possibly execute arbitrary code.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDIE v5.5,SP2 Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDMicrosoft Excel Malformed COLINFO record VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft ExcelBuffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted COLINFO record, which triggers the overflow during a "data filling operation."Robert L. HollisINTERIMACCEPTEDACCEPTEDDenial of Service Vulnerability in Postfix Parser CodeRed Hat Linux 9PostfixThe address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" 
string, which causes an instance of the SMTP listener to lock up.Jay BealeINTERIMACCEPTEDACCEPTEDIE v6.0 (XP) Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.5 Malformed PNG Image File Failure VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."Harvey RubinovitzACCEPTEDACCEPTEDEthereal SOCKS String Format VulnerabilityRed Hat Linux 9EtherealFormat string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMS Word 6.0 Font Conversion Vulnerability (64-bit XP)Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDMicrosoft Excel Malformed File VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft ExcelUnspecified vulnerability in Microsoft Excel 2000 through 2004 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors. 
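The UnZip 5.50 entry at the start of this section describes a sanitiser-ordering bug: the name is tested for ".." before invalid characters are stripped, so ".<invalid>." passes the test and becomes ".." afterwards. The following is an added example (not code from UnZip, OVAL or MITRE) that reconstructs that ordering beside the safe ordering. The set of characters that get stripped, the extraction root and the function names are assumptions for illustration.

```python
"""Check-then-sanitise versus sanitise-then-check on archive member names.

Added example for the UnZip 5.50 directory-traversal entry in this section;
not code from UnZip, OVAL or MITRE. The stripped character set, paths and
function names are illustrative assumptions.
"""
import posixpath
from typing import Optional

# Assumption: the extractor silently drops ASCII control characters from names.
INVALID_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}


def strip_invalid(name: str) -> str:
    """Drop characters the extractor refuses to write into a file name."""
    return "".join(ch for ch in name if ch not in INVALID_CHARS)


def vulnerable_target(dest: str, member: str) -> Optional[str]:
    """Check first, sanitise second: the ordering the UnZip entry describes.

    The '..' test runs on the raw archive name, so '.\\x01.' is not seen as a
    parent reference; strip_invalid() then turns it into '..' on the way out.
    Returns None when the check rejects the name.
    """
    if member.startswith("/") or ".." in member.split("/"):
        return None
    return posixpath.join(dest, strip_invalid(member))


def safe_target(dest: str, member: str) -> Optional[str]:
    """Sanitise first, then decide on the path that will actually be written.

    dest is assumed to be an absolute POSIX path. The containment check runs
    on the normalised result, so no upstream transformation of the name can
    reintroduce a traversal.
    """
    cleaned = strip_invalid(member).lstrip("/")        # treat every name as relative
    root = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(root, cleaned))
    if posixpath.commonpath([root, target]) != root:   # escaped the extraction root
        return None
    return target


# Constructed malicious member name: each '..' is split by a control byte.
MALICIOUS_MEMBER = ".\x01./.\x01./etc/passwd"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_target("/tmp/out", MALICIOUS_MEMBER))  # escapes /tmp/out
    print("safe:      ", safe_target("/tmp/out", MALICIOUS_MEMBER))        # None
```

The general rule this illustrates: any validation must run on the exact value that reaches the file system, after every filtering or decoding step, never before.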
NOTE: this is a different vulnerability than CVE-2006-3086.Robert L. HollisINTERIMACCEPTEDACCEPTEDMicrosoft Indexing Service VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Indexing ServiceCross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0 Function Pointer Drag and Drop VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDIE v5.5,SP2 Function Pointer Drag and Drop VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows XP Long Share Names VulnerabilityMicrosoft Windows XPWindows ShellBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, Windows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service 
(application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDICMP Connection Reset VulnerabilityMicrosoft Windows XPMicrosoft Windows Server 2003Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSuppressed OVAL5277Microsoft Windows NTRemote Procedure Call (RPC)The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values.Matthew BurtonDRAFTINTERIMACCEPTEDMatthew BurtonINTERIMACCEPTEDACCEPTEDMicrosoft MDAC 2.5 Broadcast Response Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Data Access Components 2.5Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.Christine WalzerINTERIMACCEPTEDACCEPTEDPostfix Bounce Scans VulnerabilityRed Hat Linux 9PostfixPostfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDoS attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a 
"!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port.Jay BealeINTERIMACCEPTEDACCEPTEDRed Hat Eye of GNOME (EOG) Packages Fix Format String VulnerabilityRed Hat Linux 9EOGFormat string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDScob and Toofer Internet Explorer v6.0 VulnerabilitiesMicrosoft Windows XPMicrosoft Internet ExplorerThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.Tiffany BergeronDRAFTINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDCDE libDtHelp Buffer OverflowSun Solaris 7Sun Solaris 8Sun Solaris 9CDEBuffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.Brian SobyDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." 
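The Indexing Service entry above is the classic UTF-7 charset-sniffing XSS: the reflected text contains no "<" byte, so angle-bracket filtering and even HTML escaping leave it untouched, yet a client that auto-selects the encoding decodes it to a script tag. The following is an added example (not code from the Indexing Service, OVAL or MITRE) that models both sides. The reflecting endpoint, the sniffing heuristic and the payload are constructed for illustration.

```python
"""UTF-7 charset-sniffing XSS: undeclared charset versus declared charset.

Added example for the Indexing Service entry in this section; not code
from the Indexing Service, OVAL or MITRE. The endpoint, the client-side
sniffing heuristic and the payload are constructed for illustration.
"""
import codecs
import html
import re
from typing import Optional, Tuple

# Constructed attacker input: '<' is +ADw- and '>' is +AD4- in UTF-7, so the
# string is plain ASCII with no angle brackets at all.
UTF7_PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def serve_error(query: str, charset: Optional[str], escape_output: bool) -> Tuple[Optional[str], bytes]:
    """Stand-in for a search endpoint that reflects the query into an error page.

    Returns the charset it declares in Content-Type (None = undeclared) and the
    response body bytes.
    """
    shown = html.escape(query) if escape_output else query
    body = f"<html><body>No documents matched: {shown}</body></html>"
    return charset, body.encode("ascii", "xmlcharrefreplace")


def looks_like_utf7(body: bytes) -> bool:
    """Crude model of an 'Auto Select' heuristic: pure ASCII containing UTF-7 shift sequences."""
    return body.isascii() and re.search(rb"\+[A-Za-z0-9+/]+-", body) is not None


def render(body: bytes, declared_charset: Optional[str]) -> str:
    """Decode as an auto-detecting client would: a declared charset wins, otherwise sniff."""
    if declared_charset:
        return body.decode(declared_charset, errors="replace")
    if looks_like_utf7(body):
        return codecs.decode(body, "utf-7")
    return body.decode("latin-1")


def script_injected(query: str, charset: Optional[str], escape_output: bool) -> bool:
    """True when the page, as the client renders it, contains a <script> tag."""
    declared, body = serve_error(query, charset, escape_output)
    return "<script>" in render(body, declared).lower()


if __name__ == "__main__":
    # Escaping alone does not help: the payload has nothing to escape.
    print("undeclared charset, escaped:", script_injected(UTF7_PAYLOAD, None, True))     # True
    # Declaring the charset removes the sniffing step and the payload stays inert.
    print("utf-8 declared, escaped:    ", script_injected(UTF7_PAYLOAD, "utf-8", True))  # False
```

Both controls are needed: an explicit charset on every response, including error pages, defeats the encoding-sniffing vector, and output escaping defeats a literal payload that a declared charset would render faithfully.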
NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0 Improper URL Canonicalization VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDIE v5.5,SP2 Improper URL Canonicalization VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDACCEPTEDMicrosoft Word Mail Merge VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft WordUnspecified vulnerability in Microsoft Word 2000, 2002, and Office 2003 allows remote user-assisted attackers to execute arbitrary code via a crafted mail merge file, a different vulnerability than CVE-2006-3647 and CVE-2006-4693.Robert L. 
Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows XP (32-Bit) Unchecked Buffer in NetDDE
Platform: Microsoft Windows XP
Product: NetDDE
Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
History: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows NT NNTP Component Buffer Overflow
Platform: Microsoft Windows NT
Product: Network News Transport Protocol (NNTP)
The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

IE v6.0 Bitmap Integer Overflow Vulnerability
Platform: Microsoft Windows XP
Product: Microsoft Internet Explorer
Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.
History: Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, Christine Walzer, ACCEPTED, ACCEPTED

Integer Signedness Error in PINE
Platform: Red Hat Linux 9
Product: pine
Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

Default Permissions on RAS Administration Key
Platform: Microsoft Windows NT
Product: Remote Access Service (RAS)
The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities.
History: Matt Busby, INTERIM, ACCEPTED, ACCEPTED

PINE Buffer Overflow
Platform: Red Hat Linux 9
Product: pine
Buffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

Windows 2000 Message Queuing Buffer Overflow
Platform: Microsoft Windows 2000
Product: Message Queuing
Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
History: Ingrid Skoog, DRAFT, INTERIM, Christine Walzer, Andrew Buttner, ACCEPTED, ACCEPTED

Server 2003 Object Management Vulnerability
Platform: Microsoft Windows Server 2003
Product: Microsoft Word 2003
Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
History: Matthew Burton, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, ACCEPTED

Windows XP,SP2 Plug and Play Buffer Overflow Vulnerability
Platform: Microsoft Windows XP
Product: Operating System
Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Object Packager Dialogue Spoofing Vulnerability
Platform: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Argument injection vulnerability in the Windows Object Packager (packager.exe) in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a "/" (slash) character in the filename of the Command Line property, followed by a valid file extension, which causes the command before the slash to be executed, aka "Object Packager Dialogue Spoofing Vulnerability."
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

IE v5.5 Encoded Characters Information Disclosure Vulnerability
Platform: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure."
History: Harvey Rubinovitz, ACCEPTED, ACCEPTED

MS Windows RPC DCOM DoS-based Privilege Escalation Vulnerability
Platform: Microsoft Windows 2000
Product: Remote Procedure Call (RPC)
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
History: Tiffany Bergeron, ACCEPTED, ACCEPTED

Kerberos 5 KDC ASN.1 Error Handling Double-free Vulnerabilities
Platform: Sun Solaris 9
Product: Kerberos5
Double-free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
History: Brian Soby, DRAFT, Brian Soby, INTERIM, ACCEPTED, ACCEPTED

MSN Messenger GIF Size Buffer Overflow
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: MSN Messenger
GIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, INTERIM, Robert L. Hollis, ACCEPTED, ACCEPTED

Buffer Overrun in Server Service Vulnerability
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Microsoft Windows Kernel Local Denial of Service
Platform: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Windows kernel
The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program.
History: Ingrid Skoog, Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Unchecked Buffer in SQLXML ISAPI Extension (MDAC 2.7)
Platform: Microsoft Windows 2000
Product: Microsoft SQL Server 2000
Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension."
History: Matthew Burton, Matthew Burton, DRAFT, INTERIM, ACCEPTED, Ingrid Skoog, INTERIM, ACCEPTED, ACCEPTED

Apache Mod_Proxy Remote Negative Content-Length Buffer Overflow
Platform: Sun Solaris 8; Sun Solaris 9
Product: Apache
Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.
History: Brian Soby, Brian Soby, Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Excel Malformed COLINFO Record Vulnerability
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted COLINFO record in an XLS file, a different vulnerability than CVE-2006-2387 and CVE-2006-3867.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Proxy Server Reverse DNS Lookup Results Spoofing
Platform: Microsoft Windows NT
Product: Proxy Server 2.0 SP1
Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results.
History: Christine Walzer, DRAFT, INTERIM, Christine Walzer, Ingrid Skoog, ACCEPTED, ACCEPTED

PHP Cross-site Scripting Vulnerability
Platform: Red Hat Linux 9
Product: php
Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

Windows NT DHCP Request Code Execution Vulnerability (Terminal Server)
Platform: Microsoft Windows NT
Product: DHCP
The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."
History: Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Unchecked Buffer in SQLXML ISAPI Extension (MDAC 2.6)
Platform: Microsoft Windows 2000
Product: Microsoft SQL Server 2000
Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension."
History: Matthew Burton, Matthew Burton, Matthew Burton, DRAFT, INTERIM, ACCEPTED, Ingrid Skoog, INTERIM, ACCEPTED, ACCEPTED

LDAP RBAC Privilege Escalation Vulnerability
Platform: Sun Solaris 8; Sun Solaris 9
Product: LDAP
Unknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, INTERIM, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows 2000 Object Management Vulnerability
Platform: Microsoft Windows 2000
Product: Windows kernel
Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".
History: Ingrid Skoog, DRAFT, INTERIM, Christine Walzer, Andrew Buttner, ACCEPTED, ACCEPTED

WINS Association Context Vulnerability (NT 4.0)
Platform: Microsoft Windows NT
Product: Windows NT 4.0
The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
History: Matthew Burton, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, ACCEPTED

IIS Server Side Include Web Pages Buffer Overrun
Platform: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun."
History: Tiffany Bergeron, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, ACCEPTED

Spoofed Connection Request Vulnerability
Platform: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Excel Handling of Lotus 1-2-3 File Vulnerability
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted Lotus 1-2-3 file, a different vulnerability than CVE-2006-2387 and CVE-2006-3875.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Server 2003 Blind Connection Reset Attack Vulnerability
Platform: Microsoft Windows Server 2003
Product: Microsoft Word 2003
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
History: Matthew Burton, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, ACCEPTED

Windows XP Font Buffer Overflow (SP1)
Platform: Microsoft Windows XP
Product: Windows kernel
Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.
History: Ingrid Skoog, DRAFT, INTERIM, Christine Walzer, ACCEPTED, ACCEPTED

Win2k Large Window Size TCP RST Denial of Service
Platform: Microsoft Windows 2000
Product: Windows 2000
TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
History: Matthew Burton, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, ACCEPTED

IE v6.0 (XP) Script URLs Cross Domain Zone Restrictions Bypass
Platform: Microsoft Windows XP
Product: Microsoft Internet Explorer
Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.
History: Tiffany Bergeron, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, ACCEPTED

License Logging Service Vulnerability (Windows NT)
Platform: Microsoft Windows NT
Product: MDAC 2.8
The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability."
History: Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, ACCEPTED

Windows Server 2003 IIS WebDAV Message Handler Denial of Service Vulnerability
Platform: Microsoft Windows Server 2003
Product: Microsoft Internet Information Server (IIS)
The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.
History: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows NT Terminal Server VDM Privilege Escalation Vulnerability
Platform: Microsoft Windows NT
Product: VDM
The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.
History: Ingrid Skoog, DRAFT, INTERIM, ACCEPTED, ACCEPTED

PowerPoint Malformed Object Pointer Vulnerability
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
PowerPoint in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac does not properly parse the slide notes field in a document, which allows remote user-assisted attackers to execute arbitrary code via crafted data in this field, which triggers an erroneous object pointer calculation that uses data from within the document. NOTE: this issue is different than other PowerPoint vulnerabilities including CVE-2006-4694.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Mozilla, Firebird, Firefox Frame Injection Vulnerability
Platform: Sun Solaris 8
Product: mozilla
The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Suppressed: Duplicate of OVAL3882
Platform: Microsoft Windows XP
Product: Microsoft Word for Windows 6.0 Converter
Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows 2000 Plug and Play Buffer Overflow Vulnerability
Platform: Microsoft Windows 2000
Product: Operating System
Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

SunRPC xdr_array Function Integer Overflow
Platform: Sun Solaris 7
Product: Sun RPC
Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED
Note: Specific applications using this library are not tested for because Sun's advisory only provides a sample of known vulnerable applications and states that they are still investigating.

Server 2003/64-bit XP Drag-and-Drop Vulnerability
Platform: Microsoft Windows Server 2003
Product: Windows Messenger
Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."
History: Matthew Burton, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

IE v6.0 (XP) Function Pointer Override Cross Domain Vulnerability
Platform: Microsoft Windows XP
Product: Microsoft Internet Explorer
Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.
History: Tiffany Bergeron, Andrew Buttner, Andrew Buttner, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, ACCEPTED

MSHTA Code Execution Vulnerability (Windows 2000)
Platform: Microsoft Windows 2000
Product: Windows Shell
The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.
History: Harvey Rubinovitz, DRAFT, INTERIM, Andrew Buttner, ACCEPTED, ACCEPTED

Help and Support Center PCHealth System Buffer Overflow (Server 2003)
Platform: Microsoft Windows Server 2003
Product: Help and Support Center (HSC)
Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

CGI.pm Cross-site Scripting Vulnerability
Platform: Red Hat Linux 9
Product: CGI.pm
Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.
History: Jay Beale, INTERIM, ACCEPTED, ACCEPTED

Buffer Overflow in PAM SMB Module
Platform: Red Hat Linux 9
Product: pam_smb
Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

ISA Server NetBIOS Packet Filter Bypass Vulnerability
Platform: Microsoft Windows 2000
Product: ISA Server 2000
Microsoft ISA Server 2000 allows remote attackers to connect to services utilizing the NetBIOS protocol via a NetBIOS connection with an ISA Server that uses the NetBIOS (all) predefined packet filter.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

LoadImage Cursor and Icon Format Handling Vulnerability (Windows 2000)
Platform: Microsoft Windows 2000
Product: Cursor and Icon Formatting
Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, Andrew Buttner, INTERIM, ACCEPTED, ACCEPTED

Apache Mod_Access Access Control Rule Bypass Vulnerability
Platform: Sun Solaris 8; Sun Solaris 9
Product: Apache
mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.
History: Brian Soby, Brian Soby, Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows 2000 Unknown Vector SMB Vulnerability
Platform: Microsoft Windows 2000
Product: Small Business Server 2000
Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."
History: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

MIT Kerberos 5 Multiple Double-Free Vulnerabilities
Platform: Sun Solaris 9
Product: Kerberos5
Double-free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

OpenSSL No RSA Blinding Vulnerability
Platform: Red Hat Linux 9
Product: OpenSSL
OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).
History: Jay Beale, INTERIM, Jay Beale, Jay Beale, ACCEPTED, ACCEPTED

(untitled)
Platform: Sun Solaris 8; Sun Solaris 9; Sun Solaris 10
Product: Operating System
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows 2000 HTML Help Remote Code Execution Vulnerability
Platform: Microsoft Windows 2000
Product: HTML Help Facility
Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
History: Andrew Buttner, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Mozilla, Netscape SOAPParameter Integer Overflow
Platform: Sun Solaris 8
Product: mozilla
Integer overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Klima-Pokorny-Rosa Attack Vulnerability
Platform: Red Hat Linux 9
Product: OpenSSL
The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."
History: Jay Beale, INTERIM, Jay Beale, Jay Beale, ACCEPTED, ACCEPTED

IIS Help File Search Cross-site Scripting
Platform: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session.
History: Tiffany Bergeron, ACCEPTED

Windows 2000 Access Requests Privilege Escalation Vulnerability
Platform: Microsoft Windows 2000
Product: Windows kernel
The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.
History: Ingrid Skoog, DRAFT, INTERIM, Christine Walzer, Andrew Buttner, ACCEPTED, ACCEPTED

Windows Server 2003 (32-Bit) Unchecked Buffer in NetDDE
Platform: Microsoft Windows Server 2003
Product: NetDDE
Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
History: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

MS Word 6.0 Font Conversion Vulnerability (NT Terminal Server)
Platform: Microsoft Windows NT
Product: Microsoft Word for Windows 6.0 Converter
Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

OpenSSL ASN.1 Inputs Character Tracking Vulnerability
Platform: Sun Solaris 8; Sun Solaris 9
Product: Sun Cluster
OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

PGM Code Execution Vulnerability
Platform: Microsoft Windows XP
Product: MSMQ Service
Unspecified vulnerability in Pragmatic General Multicast (PGM) in Microsoft Windows XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted multicast message.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris Code Execution DoS Vulnerability
Platform: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9
Product: kernel
Unknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, INTERIM, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Server 2003 IP Validation Vulnerability
Platform: Microsoft Windows Server 2003
Product: Microsoft Word 2003
Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."
History: Matthew Burton, DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, ACCEPTED

PowerPoint Malformed Data Record Vulnerability
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via a crafted Data record in a PPT file, a different vulnerability than CVE-2006-3435 and CVE-2006-4694.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Multiple Buffer Management Errors in OpenSSH
Platform: Red Hat Linux 9
Product: OpenSSH
Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

Windows ListView Shatter Message Vulnerability
Platform: Microsoft Windows 2000
Product: Utilities Manager/Windows Messaging
The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function.
History: Christine Walzer, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, ACCEPTED

Windows Kernel LPC Privilege Escalation Vulnerability (32-bit XP,SP2)
Platform: Microsoft Windows XP
Product: Windows kernel
The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows NT HTR ISAPI Buffer Overflow
Platform: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names.
History: Tiffany Bergeron, ACCEPTED, ACCEPTED

OLE Component Input Validation Vulnerability (Windows XP)
Platform: Microsoft Windows XP
Product: unknown
The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows 2003 (64-Bit) Program Group Converter Buffer Overflow
Platform: Microsoft Windows Server 2003
Product: Program Group Converter
Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
History: Andrew Buttner, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Adobe Acrobat Reader libpng Buffer Overflow
Platform: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Adobe Acrobat Reader
Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
History: Matthew Wojcik, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Bind OPT Resource Record DoS Vulnerability
Platform: Sun Solaris 9
Product: Bind
BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Multiple Buffer Management Errors in OpenSSH II
Platform: Red Hat Linux 9
Product: OpenSSH
A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

Memory Bugs in OpenSSH
Platform: Red Hat Linux 9
Product: OpenSSH
"Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

Windows Kernel LPC Privilege Escalation Vulnerability (Server 2003)
Platform: Microsoft Windows Server 2003
Product: Windows kernel
The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

OpenSSH Indirect User Disclosure Vulnerability
Platform: Red Hat Linux 9
Product: OpenSSH
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

IE v6.0 Temporary Internet Files folders Name Reading Vulnerability
Platform: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading."
History: Harvey Rubinovitz, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, ACCEPTED

Kerberos 5 KDC Buffer Underrun in Principal Name Handling
Platform: Sun Solaris 7
Product: Solaris Enterprise Authentication Mechanism (SEAM)
The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED
Note: Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers SEAM.

mountd xlog Function Off-by-One Vulnerability
Platform: Red Hat Linux 9
Product: nfs-utils
Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

MYSQL Privilege Escalation Vulnerability via INFO OUTFILE Select
Platform: Red Hat Linux 9
Product: MySQL
MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

Apache mod_digest Nonce Verification Vulnerability
Platform: Sun Solaris 8; Sun Solaris 9
Product: Apache
mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using an AuthNonce secret.
History: Brian Soby, Brian Soby, Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

MHTML Parsing Vulnerability
Platform: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Outlook Express
Buffer overflow in INETCOMM.DLL, as used in Microsoft Internet Explorer 6.0 through 6.0 SP2, Windows Explorer, Outlook Express 6, and possibly other programs, allows remote user-assisted attackers to cause a denial of service (application crash) via a long mhtml URI in the URL value in a URL file.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Mozilla, Firefox, Thunderbird XPInstall Security Vulnerability
Platform: Sun Solaris 8
Product: mozilla
Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Windows XP,SP1 Color Management Module Buffer Overflow
Platform: Microsoft Windows XP
Product: Microsoft Color Management Module
Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

IIS Web Server Folder Traversal
Platform: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.
History: Tiffany Bergeron, ACCEPTED

Windows XP Object Management Vulnerability
Platform: Microsoft Windows XP
Product: Windows kernel
Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".
History: Ingrid Skoog, DRAFT, INTERIM, Christine Walzer, ACCEPTED, ACCEPTED

Windows Server 2003 NNTP Component Buffer Overflow
Platform: Microsoft Windows Server 2003
Product: Network News Transport Protocol (NNTP)
The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

lpq Buffer Overflow in bsd_queue()
Platform: Sun Solaris 7
Product: lpstat
Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

(untitled)
Platform: HP-UX 11
Product: ftpd
The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.
History: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

ToolTalk Buffer Overflow via TT_SESSION Envvar
Platform: Sun Solaris 7
Product: CDE
Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

WINS Association Context Vulnerability (Terminal Server Test 2)
Platform: Microsoft Windows NT
Product: Windows Internet Naming Service (WINS)
The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
History: Matthew Burton, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, ACCEPTED

LSASS Privilege Escalation Vulnerability (32-bit XP, SP2)
Platform: Microsoft Windows XP
Product: Local Security Authority Subsystem Service (LSASS)
LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
History: Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

MYSQLd Double-free Vulnerability
Platform: Red Hat Linux 9
Product: MySQL
Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user.
History: Jay Beale, INTERIM, Jay Beale, ACCEPTED, ACCEPTED

Microsoft IIS 5.0 is installed
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
The application Microsoft IIS 5.0 is installed.
History: Robert L. Hollis, INTERIM, ACCEPTED, ACCEPTED

IIS 5.1 is installed
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
The application Microsoft IIS 5.1 is installed.
History: Robert L. Hollis, INTERIM, ACCEPTED, ACCEPTED

Internet Information Services using Malformed Active Server Pages Vulnerability
Platform: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: IIS
Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP).
History: Robert L. Hollis, INTERIM, ACCEPTED, ACCEPTED

Windows 2000 Long Share Names Vulnerability
Platform: Microsoft Windows 2000
Product: Windows Shell
Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, Windows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.
History: Andrew Buttner, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Mutt BO Vulnerability
Platform: Red Hat Linux 9
Product: Mutt
Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.
History: Jay Beale, INTERIM, ACCEPTED, ACCEPTED

cachefsd DoS via Invalid RPC Request
Platform: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9
Product: cachefsd
cachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request.
History: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

MS Word 6.0 Table Conversion Vulnerability (NT 4.0)
Platform: Microsoft Windows NT
Product: Microsoft Word for Windows 6.0 Converter
Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different 
vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWindows 2000 VDM Privilege Escalation VulnerabilityMicrosoft Windows 2000VDMThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDExcel Malformed STYLE Record VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft ExcelBuffer overflow in certain Asian language versions of Microsoft Excel might allow user-assisted attackers to execute arbitrary code via a crafted STYLE record in a spreadsheet that triggers the overflow when the user attempts to repair the document or selects the "Style" option, as demonstrated by nanika.xls. NOTE: Microsoft has confirmed to CVE via e-mail that this is different than the other Excel vulnerabilities announced before 20060707, including CVE-2006-3059 and CVE-2006-3086.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMultilingual File Viewer .lv File Sneak Attack VulnerabilityRed Hat Linux 9lvlv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSolaris 7 cachefsd Buffer Overrun VulnerabilitySun Solaris 7cachefsdBuffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.David ProulxBrian SobyINTERIMACCEPTEDACCEPTEDDHCP Server Logging Vulnerability (Terminal Server)Microsoft Windows NTDHCPThe DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability."Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDServer Service Denial of Service VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemThe server driver (srv.sys) in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service (system crash) via an SMB_COM_TRANSACTION SMB message that contains a string without null character termination, which leads to a NULL dereference in the ExecuteTransaction function, possibly related to an "SMB PIPE," aka the "Mailslot DOS" vulnerability. NOTE: the name "Mailslot DOS" was derived from incomplete initial research; the vulnerability is not associated with a mailslot.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Server 2003 (64-Bit) DUNZIP Integer OverflowMicrosoft Windows Server 2003Compressed FoldersInteger overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.David ProulxDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMicrosoft Publisher 2000 is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Publisher 2000 is installed.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDISA Server Reverse DNS Lookup Results SpoofingMicrosoft Windows 2000ISA Server 2000Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results.Christine WalzerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDOpenSSL Integer Overflow VulnerabilitySun Solaris 8Sun Solaris 9Sun ClusterInteger overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDWindows 2003 (32-Bit) Program Group Converter Buffer OverflowMicrosoft Windows Server 2003Program Group ConverterBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDWindows Telnet Server Buffer OverflowMicrosoft Windows 2000Telnet protocolBuffer overflow in telnet server in Windows 2000 and Interix 2.2 
allows remote attackers to execute arbitrary code via malformed protocol options.Christine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWord 2003 Malicious .doc Buffer Overflow IIMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003SambaBuffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.Matthew BurtonDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDLPRng Symbolic Link Attack VulnerabilityRed Hat Linux 9LPRngpsbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDWindows XP (32-bit) RPCSS DCOM Buffer Overflow (Blaster)Microsoft Windows XPDistributed Component Object Model (DCOM)Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWord 2003 (wordview) Malicious .doc Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 2003Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.Matthew BurtonDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDChris WoodINTERIMACCEPTEDACCEPTEDSolaris 7 RPC xdr_array Buffer OverflowSun Solaris 7libnslInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.David ProulxMatthew WojcikINTERIMACCEPTEDACCEPTEDBuffer Overflow in DNS Resolver LibrarySun Solaris 7BindBuffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDRHE4 InstallVersion.compareTo() DoS and Code Execution VulnerabilityRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote 
attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Error Log Escape Sequence Injection VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDKDE Konqueror Userid/Password Disclosure VulnerabilityRed Hat Linux 9KonquerorKDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.Jay BealeINTERIMACCEPTEDACCEPTEDHP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 7 RWall Daemon Syslog Format String VulnerabilitySun Solaris 7rpc.rwalldFormat string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.David ProulxACCEPTEDMultiple Vulnerabilities in lpstat and libprintSun Solaris 7lpstat, libprintUnknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 Script URLs Cross Domain Zone Restrictions BypassMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE6,SP2 Channel Definition Format Cross Domain VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the 
"Channel Definition Format (CDF) Cross Domain Vulnerability."Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDRobert L. HollisACCEPTEDACCEPTEDIE v5.5 Cross Domain Verification via Cached Methods VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods."Harvey RubinovitzACCEPTEDACCEPTEDSuppressed: Duplicate of OVAL1655Microsoft Windows Server 2003Microsoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.Christine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDACCEPTEDMicrosoft Winsock Proxy Service Denial of ServiceMicrosoft Windows 2000ISA Server 2000The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745.Tiffany BergeronACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." 
NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDShell Redirect Symlink Attack VulnerabilitySun Solaris 7Sun Solaris 8Bourne Shell (sh)Bourne Again Shell (bash)TENEX C Shell (tcsh)C Shell (csh)Korn Shell (ksh)Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing <<redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMMatthew WojcikACCEPTEDACCEPTEDSMB Code Execution Vulnerability (Windows 2000)Microsoft Windows 2000SMB (Server Message Block)The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDExchange Server SMTP Buffer OverflowMicrosoft Windows 2000Microsoft Windows Server 2003Microsoft Exchange ServerHeap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDDtMail 
Local Command Line Format String VulnerabilitySun Solaris 8Sun Solaris 9DtMailFormat string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDCode Execution via Compiled HTML Help FileMicrosoft Windows 2000HTML Help FacilityThe HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File."Christine WalzerACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDOffice XP URL Buffer OverflowMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Office XP SP3Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenamesor (2) "%0a" (carriage return) in .rtf filenames.Ingrid SkoogIngrid SkoogIngrid SkoogAnna MinDRAFTINTERIMACCEPTEDINTERIMACCEPTEDACCEPTEDWindows Kernel LPC Privilege Escalation Vulnerability (NT Terminal Server)Microsoft Windows NTWindows kernelThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDSNMP Request Handling Buffer OverflowMicrosoft Windows NTSimple Network Management Protocol (SNMP)Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 
4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available.Matt BusbyMatthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDC-Media Sound Driver Userspace Access VulnerabilityRed Hat Linux 9Linux kernelThe C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0699.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDOffice XP, SP2 WordPerfect Converter Buffer OverflowMicrosoft Windows XPMicrosoft Office XP SP2Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDACCEPTEDGDI+ JPEG Parsing Engine Buffer Overflow (Windows XP)Microsoft Windows XPGDI+Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDIE v5.5,SP2 GetObject File RetrievalMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.David ProulxACCEPTEDMicrosoft Word 2002 is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Word 2002 is installed.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Word Viewer is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Word Viewer is installed.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Word 2000 is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Word 2000 is installed.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Word VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft WordInteger overflow in Microsoft Word 2000, 2002, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string in a Word document, which overflows a 16-bit integer length value, aka "Memmove Code Execution," a different vulnerability than CVE-2006-3651 and CVE-2006-4693.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP Access Requests Privilege Escalation VulnerabilityMicrosoft Windows XPWindows kernelThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDMicrosoft PowerPoint Mso.dll VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating Systemmso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows user-assisted attackers to execute arbitrary commands via a malformed shape container in a PPT file that leads to memory corruption, as exploited by Trojan.PPDropper.B, a different issue than CVE-2006-1540 and CVE-2006-3493.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Firefox Certificate Spoofing VulnerabilitySun Solaris 8mozillaMozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 7Sun Solaris 8Sun Solaris 9Sun Solaris 10KerberosMIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDRPCSS DCOM Buffer Overflow (Server 2003)Microsoft Windows Server 2003Distributed Component Object Model (DCOM)Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDin.named Process Crash VulnerabilitySun Solaris 8BindUnknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash).Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDAnimated Cursor Denial of Service (NT 4.0 Terminal Server)Microsoft Windows NTWindows Animated CursorThe Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows NT VDM Privilege Escalation VulnerabilityMicrosoft Windows NTVDMThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.Ingrid SkoogDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWindows XP Font Buffer Overflow (SP2)Microsoft Windows XPWindows kernelBuffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.Ingrid SkoogDRAFTINTERIMChristine 
WalzerACCEPTEDACCEPTEDIE v6.0 Malformed PNG Image File Failure VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."Harvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0 (XP) ExecCommand Cross Domain Zone Restriction BypassMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows Server 2003 (32-Bit) DUNZIP Integer OverflowMicrosoft Windows Server 2003Compressed FoldersInteger overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.David ProulxDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDWindows 2000 IIS HTTP Header Field Buffer OverflowMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values.Tiffany BergeronACCEPTEDACCEPTEDOffice Improper Memory Access VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft 
Office
Description: Unspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string that triggers memory corruption.
Contributors/status: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Help and Support Center PCHealth System Buffer Overflow (32-bit XP)
Platforms: Microsoft Windows XP
Product: Windows Help and Support Center
Description: Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED

MS Word 6.0 Font Conversion Vulnerability (32-bit XP)
Platforms: Microsoft Windows XP
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED

GDI+ JPEG Parsing Engine Buffer Overflow (Office XP,SP2)
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Office XP SP2
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
Contributors/status: Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED

IE v6.0 Cross Domain Verification via Cached Methods Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods."
Contributors/status: Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED

C-Media Sound Driver Userspace Access Vulnerability II
Platforms: Red Hat Linux 9
Product: Linux kernel
Description: The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0700.
Contributors/status: Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED

Linux Kernel NFSv3 Procedure Kernel Panic Vulnerability
Platforms: Red Hat Linux 9
Product: Linux kernel
Description: Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.
Contributors/status: Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED

Linux Kernel Bridge Forwarding Table Spoof Vulnerability
Platforms: Red Hat Linux 9
Product: Linux kernel
Description: Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target.
Contributors/status: Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED

STP Protocol Length Verification Vulnerability
Platforms: Red Hat Linux 9
Product: Linux kernel
Description: The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service.
Contributors/status: Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED

Buffer Overflow in ntp Daemon via readvar
Platforms: Sun Solaris 7; Sun Solaris 8
Product: sendfilev()
Description: Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

WinXP Path MTU Discovery Attack Vulnerability
Platforms: Microsoft Windows XP
Product: Windows XP
Description: Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors/status: Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

Win2k IP Validation Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."
Contributors/status: Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

Windows XP (64-Bit) Program Group Converter Buffer Overflow in shell32.dll
Platforms: Microsoft Windows XP
Product: Windows Shell
Description: Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
Contributors/status: Andrew Buttner DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED

gzip Directory Traversal Vulnerability
Platforms: Red Hat Enterprise Linux 3
Product: gzip
Description: Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.
Contributors/status: Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED

GDI+ JPEG Parsing Engine Buffer Overflow (Project 2003)
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Project Professional 2003
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
Contributors/status: Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED

Server 2003 HTML Help Remote Code Execution Vulnerability
Platforms: Microsoft Windows Server 2003
Product: HTML Help Facility
Description: Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
Contributors/status: Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED

Insecure Design of the STP Protocol
Platforms: Red Hat Linux 9
Product: Linux kernel
Description: The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology.
Contributors/status: Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED

Windows 2000 Group Policy Bypass
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access.
Contributors/status: Tiffany Bergeron Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

Apache Web Server Multiple Module Local Buffer Overflow
Platforms: Sun Solaris 8; Sun Solaris 9
Product: Apache
Description: Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

Microsoft Excel Malformed SELECTION record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with certain crafted fields in a SELECTION record, which triggers memory corruption, aka "Malformed SELECTION record Vulnerability."
Contributors/status: Robert L. Hollis INTERIM ACCEPTED ACCEPTED

IE v5.5,SP2 Drag-and-Drop Code Execution Vulnerability
Platforms: Microsoft Windows ME
Product: Microsoft Internet Explorer
Description: Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".
Contributors/status: Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED

.NET Framework 2.0 Cross-Site Scripting Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: .NET Framework
Description: Cross-site scripting (XSS) vulnerability in Microsoft .NET Framework 2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "ASP.NET controls that set the AutoPostBack property to true".
Contributors/status: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows ME Program Group Converter Buffer Overflow
Platforms: Microsoft Windows ME
Product: Program Group Converter
Description: Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
Contributors/status: Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED

Windows XP,SP2 Remote Desktop Protocol (RDP) DoS Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.
Contributors/status: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

MS Word 6.0 Table Conversion Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED

HTML Help ActiveX Control Buffer Overflow
Platforms: Microsoft Windows 2000
Product: HTML Help ActiveX Control
Description: Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function.
Contributors/status: Christine Walzer Andrew Buttner ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED

IIS AddHeader Large Header Denial of Service
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allows remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page.
Contributors/status: Tiffany Bergeron Christine Walzer INTERIM ACCEPTED ACCEPTED

IE v5.5,SP2 HijackClick Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.
Contributors/status: Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED

Windows NT IIS Directory Traversal Command Execution (Test 1)
Platforms: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
Contributors/status: Tiffany Bergeron ACCEPTED

Help and Support Center PCHealth System Buffer Overflow (64-bit XP)
Platforms: Microsoft Windows XP
Product: Help and Support Center (HSC)
Description: Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

WINS Association Context Vulnerability (64-bit Server 2003, Test 2)
Platforms: Microsoft Windows Server 2003
Product: Windows Internet Naming Service (WINS)
Description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Contributors/status: Matthew Burton DRAFT INTERIM ACCEPTED ACCEPTED

MS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 3)
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft SharePoint Team Services
Description: Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.
Contributors/status: Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED

MS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 2)
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft FrontPage Server Extensions 2002
Description: Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.
Contributors/status: Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED

Portable Network Graphics Library Offset Calculation Vulnerability
Platforms: Red Hat Enterprise Linux 3
Product: libpng
Description: Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.
Contributors/status: Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED

MS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 1)
Platforms: Microsoft Windows XP
Product: Microsoft FrontPage Server Extensions 2000
Description: Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.
Contributors/status: Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED ACCEPTED

priocntl Directory Traversal Vulnerability
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9
Product: priocntl()
Description: Directory traversal vulnerability in priocntl system call in Solaris allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

Windows NT Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows NT
Product: Microsoft Internet Explorer
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED

Mozilla, Firefox, Thunderbird Security Lock Icon Spoof Vulnerability
Platforms: Sun Solaris 8
Product: mozilla
Description: Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

Runtime linker, ld.so.1 LD_PRELOAD Envvar Buffer Overflow
Platforms: Sun Solaris 7
Product: Solaris Runtime Linker
Description: Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

(untitled)
Platforms: Sun Solaris 10; Sun Solaris 9; Sun Solaris 8
Product: Access Manager
Description: Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.
Contributors/status: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Microsoft Windows NT is installed
Platforms: Microsoft Windows NT
Description: The operating system installed on the system is Microsoft Windows NT.
Contributors/status: Andrew Buttner ACCEPTED ACCEPTED

Web View Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows Explorer
Description: The Web View DLL (webvw.dll), as used in Windows Explorer on Windows 2000 systems, does not properly filter an apostrophe ("'") in the author name in a document, which allows attackers to execute arbitrary script via extra attributes when Web View constructs a mailto: link for the preview pane when the user selects the file.
Contributors/status: Ingrid Skoog DRAFT Andrew Buttner INTERIM ACCEPTED ACCEPTED

License Logging Service Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: MDAC 2.8
Description: The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability."
Contributors/status: Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED ACCEPTED

cpio Race Condition
Platforms: Red Hat Enterprise Linux 3
Product: cpio
Description: Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.
Contributors/status: Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED

Windows NT DHCP Request Code Execution Vulnerability
Platforms: Microsoft Windows NT
Product: DHCP
Description: The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."
Contributors/status: Ingrid Skoog DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

Suppressed OVAL3573
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows NT
Product: MDAC 2.1
Description: Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.
Contributors/status: Ingrid Skoog DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED ACCEPTED

OLE Component Input Validation Vulnerability (Server / XP 2003)
Platforms: Microsoft Windows Server 2003
Product: OLE
Description: The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."
Contributors/status: Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

Patches Disable Basic Security Module Auditing Functionality
Platforms: Sun Solaris 9
Product: Basic Security Module
Description: The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

IE v5.5,SP2 Function Pointer Override Cross Domain Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.
Contributors/status: Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED

Windows XP CSRSS Privilege Escalation Vulnerability
Platforms: Microsoft Windows XP
Product: Client Server Runtime System (CSRSS)
Description: Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
Contributors/status: Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED ACCEPTED

(untitled)
Platforms: HP-UX 11
Product: Operating System
Description: An SCLT_INCOMPLETE error was blocking receipt of proper READY status from the array. A timer was changed to allow the array to reach full READY before the SCSI response is tested.
Contributors/status: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows XP Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
Contributors/status: Christine Walzer INTERIM ACCEPTED Robert L. Hollis ACCEPTED INTERIM ACCEPTED ACCEPTED

IE .chm Directory Traversal Windows Server 2003 Vulnerability
Platforms: Microsoft Windows Server 2003
Product: HTML Help Facility
Description: Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475.
Contributors/status: Andrew Buttner INTERIM ACCEPTED ACCEPTED

WinXP Large Window Size TCP RST Denial of Service
Platforms: Microsoft Windows XP
Product: Windows XP
Description: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
Contributors/status: Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

sshd Log Bypass Vulnerability
Platforms: Sun Solaris 9
Product: sshd
Description: The Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED ACCEPTED

PEAR XML_RPC PHP Code Execution Vulnerability
Platforms: Red Hat Enterprise Linux 3
Product: php
Description: Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
Contributors/status: Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED

Windows 2000 IIS FTP Connection Status Request Denial of Service
Platforms: Microsoft Windows 2000
Product: FTP
Description: The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters.
Contributors/status: Tiffany Bergeron ACCEPTED

Windows NT IE HTML Help ActiveX control Cross Domain Vulnerability
Platforms: Microsoft Windows NT
Product: HTML Help ActiveX Control
Description: Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."
Contributors/status: Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

NetBT Name Service Information Access Vulnerability
Platforms: Microsoft Windows XP
Product: NetBT Name Service
Description: The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information.
Contributors/status: Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED

Microsoft PowerPoint Malformed Records Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Unspecified vulnerability in Microsoft PowerPoint 2000 through 2003, possibly a buffer overflow, allows user-assisted remote attackers to execute arbitrary commands via a malformed record in the BIFF file format used in a PPT file, a different issue than CVE-2006-1540, aka "Microsoft PowerPoint Malformed Record Vulnerability."
Contributors/status: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Exchange Server 2003 (Windows Server 2003, 64-Bit Edition) Routing Engine Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: SMTP
Description: The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

Windows Server 2003,SP1 Remote Desktop Protocol (RDP) DoS Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.
Contributors/status: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Win2k Blind Connection Reset Attack Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors/status: Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

shtool Race Condition
Platforms: Red Hat Enterprise Linux 3
Product: php
Description: Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.
Contributors/status: Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED

IE v5.5,SP2 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
Contributors/status: Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED

Windows 2000 Task Scheduler Stack Overflow
Platforms: Microsoft Windows 2000
Product: Task Scheduler
Description: Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.
Contributors/status: Tiffany Bergeron INTERIM ACCEPTED ACCEPTED

MS Word 6.0 Table Conversion Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED

Buffer Overflow in Solaris ping Daemon
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9
Product: Licence Logging Service
Description: Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

Windows 2000 ComboBox/ListBox GUI Widget User32.dll Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application.
Contributors/status: Tiffany Bergeron ACCEPTED Christine Walzer INTERIM ACCEPTED INTERIM Christine Walzer INTERIM ACCEPTED ACCEPTED

Windows XP SMB Buffer Overflow
Platforms: Microsoft Windows XP
Product: SMB (Server Message Block)
Description: Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.
Contributors/status: Ingrid Skoog INTERIM ACCEPTED ACCEPTED

Windows Shell Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a 0x7fffffff argument to the setSlice method on a WebViewFolderIcon ActiveX object, which leads to an invalid memory copy.
Contributors/status: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows 2000 Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows 2000
Product: Operating System
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED

MS Word 2000 Macro Names Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 2000
Description: Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.
Contributors/status: Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

LoadImage Cursor and Icon Format Handling Vulnerability (NT 4.0)
Platforms: Microsoft Windows NT
Product: Cursor and Icon Formatting
Description: Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

Windows NNTP Memory Leak
Platforms: Microsoft Windows 2000
Product: Network News Transport Protocol (NNTP)
Description: Memory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed posts.
Contributors/status: Christine Walzer ACCEPTED ACCEPTED

Office XP, SP3 WordPerfect Converter Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Office XP SP3
Description: Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED ACCEPTED

IE v5.5 Domain Restriction Bypass Cross-Frame Scripting
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions.
Contributors/status: Harvey Rubinovitz ACCEPTED ACCEPTED

LSASS Privilege Escalation Vulnerability (32-bit XP, SP1)
Platforms: Microsoft Windows XP
Product: Local Security Authority Subsystem Service (LSASS)
Description: LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

Kerberos 5 Double-free Vulnerability in krb5_rd_cred Function
Platforms: Sun Solaris 9
Product: Kerberos5
Description: Double-free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.
Contributors/status: Brian Soby DRAFT Brian Soby INTERIM ACCEPTED ACCEPTED

GDI+ JPEG Parsing Engine Buffer Overflow (Visio Pro 2003)
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Visio Professional 2003
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
Contributors/status: Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED

LSASS Privilege Escalation Vulnerability (Server 2003/64-bit XP)
Platforms: Microsoft Windows XP
Product: Local Security Authority Subsystem Service (LSASS)
Description: LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
Contributors/status: Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED

Office 2003 WordPerfect Converter Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Office 2003
Description: Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED ACCEPTED

MS Word 6.0 Font Conversion Vulnerability (NT 4.0)
Platforms: Microsoft Windows NT
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED

Windows XP Workstation Service Logging Function Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Windows Workstation Service
Description: Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.
Contributors/status: Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED

Windows XP,SP2 Color Management Module Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Color Management Module
Description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

Sun Solaris 7 XSun Color Database File Heap Overflow
Platforms: Sun Solaris 7
Product: Xsun
Description: Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
Contributors/status: David Proulx ACCEPTED

Linux Kernel /proc/self setuid Vulnerability
Platforms: Red Hat Linux 9
Product: Linux kernel
Description: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.
Contributors/status: Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED

Linux Kernel execve Read Access to Restricted File Descriptors
Platforms: Red Hat Linux 9
Product: Linux kernel
Description: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.
Contributors/status: Jay Beale INTERIM Jay Beale ACCEPTED ACCEPTED

Mozilla, Firefox, Thunderbird POP3 SendUidl Buffer Overflow
Platforms: Sun Solaris 8
Product: mozilla
Description: Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code.
Contributors/status: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

Windows XP (64-Bit) Unchecked Buffer in NetDDE
Platforms: Microsoft Windows XP
Product: NetDDE
Description: Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
Contributors/status: Jonathan Baker DRAFT INTERIM ACCEPTED ACCEPTED

LoadImage Cursor and Icon Format Handling Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Cursor and Icon Formatting
Description: Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

IE v5.5,SP2 Bitmap Integer Overflow Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.
Contributors/status: Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED

Animated Cursor Denial of Service (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Windows Animated Cursor
Description: The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
Contributors/status: Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED ACCEPTED

Windows Media Player Directory Traversal
Platforms: Microsoft Windows XP
Product: Windows Media Player for Windows XP
Description: Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location.
Contributors/status: Tiffany Bergeron ACCEPTED ACCEPTED

IE v6.0 Forced Script Execution
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.
Contributors/status: David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED

IE6.0,SP2 Security Zone Restriction Bypass Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."
Contributors/status: Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED Robert L. 
HollisACCEPTEDACCEPTEDWindows NT getCanonicalPath Heap Corruption Denial of ServiceMicrosoft Windows NTWindows NT 4.0The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method.Tiffany BergeronINTERIMACCEPTEDACCEPTEDFolder GUID Code Execution VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemMicrosoft Internet Explorer 6.0 does not properly handle Drag and Drop events, which allows remote user-assisted attackers to execute arbitrary code via a link to an SMB file share with a filename that contains encoded ..\ (%2e%2e%5c) sequences and whose extension contains the CLSID Key identifier for HTML Applications (HTA), aka "Folder GUID Code Execution Vulnerability." NOTE: directory traversal sequences were used in the original exploit, although their role is not clear.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP VDM Privilege Escalation VulnerabilityMicrosoft Windows XPVDMThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDMS SQL Server Bulk Insert Procedure Buffer OverflowMicrosoft Windows 2000SQL Server 2000Buffer overflow in bulk insert procedure of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows attackers with database administration privileges to execute arbitrary code via a long filename in the BULK INSERT query.Yi-Fang KohIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDACCEPTEDWindows 2000 Kernel Debugger-based Buffer OverflowMicrosoft Windows 2000Windows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Christine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMozilla CA Certificate DoSSun Solaris 8mozillaMozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Unchecked Buffer in NetDDE (Test 1)Microsoft Windows 2000NetDDENetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer 
overflow.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11swagentdAn undisclosed vulnerability has been identified in swagentd that could potentially be exploited remotely by an unauthenticated attacker to cause swagentd to abort.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel Reuse Flag VulnerabilityRed Hat Linux 9Linux kernelThe RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMicrosoft .NET Framework 2.0 is installedMicrosoft Windows XPMicrosoft Windows Server 2003Microsoft .NET Framework 2.0 is installed.Robert L. HollisINTERIMACCEPTEDACCEPTEDSolaris 8/9 cachefsd Heap Overflow VulnerabilitySun Solaris 8cachefsdHeap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.David ProulxBrian SobyINTERIMACCEPTEDACCEPTEDLoadImage Cursor and Icon Format Handling Vulnerability (Terminal Server)Microsoft Windows NTCursor and Icon FormattingInteger overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWinXP Explorer Buffer OverflowMicrosoft Windows XPExplorer.exeBuffer overflow in EXPLORER.EXE on Windows XP allows attackers to execute arbitrary code as the XP user via a desktop.ini file with a long .ShellClassInfo parameter.Ingrid SkoogIngrid SkoogINTERIMACCEPTEDACCEPTEDLinux Kernel execve Race Condition VulnerabilityRed Hat Linux 9Linux kernelA race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of 
service (crash).Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDGDI+ JPEG Parsing Engine Buffer Overflow (Visio Pro 2002)Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visio Professional 2002Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDMS FrontPage Server Extensions SmartHTML Denial of Service (Test 1)Microsoft Windows 2000Microsoft FrontPage Server Extensions 2000Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.Tiffany BergeronTiffany BergeronINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDCDE AddSuLog Function Buffer OverflowSun Solaris 7CDEBuffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Program Group Converter Buffer OverflowMicrosoft Windows NTProgram Group ConverterBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Andrew ButtnerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9PerlCross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP Named Pipe Vulnerability (64-bit architecture)Microsoft Windows XPThe Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDRed Hat Linux Kernel Serial Link Information Disclosure VulnerabilityRed Hat Linux 9/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDGDI+ JPEG Parsing Engine Buffer Overflow (Project 2002,SP1)Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Project Professional 2002Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDMicrosoft SMTP Malformed BDAT Request Denial of ServiceMicrosoft Windows 2000SMTPSMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 allows remote attackers to cause a denial of service via a command with a malformed data transfer (BDAT) request.Tiffany BergeronAndrew ButtnerACCEPTEDSMB Information Disclosure VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemThe Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to obtain sensitive information via crafted requests that leak information in SMB buffers, which are not properly initialized, aka "SMB Information Disclosure Vulnerability."Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows 2000 SNMPv1 Trap Handling DoS and Privilege Escalation (Test 2)Microsoft Windows 2000Simple Network Management Protocol (SNMP)Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. 
This and other SNMP-related candidates will be updated when more accurate information is available.Harvey RubinovitzHarvey RubinovitzINTERIMACCEPTEDACCEPTEDSendmail prescan function Buffer OverflowSun Solaris 7SendmailThe prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSolaris TCP/IP Stack System Panic VulnerabilitySun Solaris 8Sun Solaris 9TCP/IPUnknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 10patchaddThe patchadd facility for Solaris 10 fails to install T-patches. Sun sometimes releases a T-patch as a temporary version of a patch prior to the final release of that patch. While this flaw does not directly represent a vulnerability, it does prevent the timely application of some (possibly critical) updates.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDRPCSS DCOM Buffer Overflow (XP)Microsoft Windows XPDistributed Component Object Model (DCOM)Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDMultiple Privilege Escalation Vulnerabilities in Linux KernelRed Hat Enterprise Linux 3Linux kernelMultiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 2)Microsoft Windows 2000Remote Procedure Call (RPC)Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.Tiffany BergeronACCEPTEDACCEPTEDLoadImage Cursor and Icon Format Handling Vulnerability (XP)Microsoft Windows XPCursor and Icon FormattingInteger overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows XP,SP2 IE6.0 Drag-and-Drop VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDLinux Kernel TCP/IP Fragment Reassembly Denial of ServiceRed Hat Linux 9Linux kernelThe TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMS MDAC RDS Buffer Overflow (Test 1)Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000MDAC 2.6Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.Ingrid SkoogDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDLinux Kernel mxcsr Code VulnerabilityRed Hat Linux 9Linux kernelThe mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDAdobe Acrobat Reader .ETD Document Code Execution VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPAdobe Acrobat ReaderFormat string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an .ETD document containing format string specifiers in (1) title or (2) baseurl fields.Matthew WojcikDRAFTINTERIMACCEPTEDACCEPTEDiDEFENSE reports that deleting eBook.api from the plug_ins directory is a workaround. 
See http://www.idefense.com/application/poi/display?id=163&type=vulnerabilitiesOLE Component Input Validation Vulnerability (Windows 2000)Microsoft Windows 2000Windows Media Player 9The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDLinux Kernel Denial of Service Vulnerability via fsave and frstor InstructionsRed Hat Enterprise Linux 3Linux kernelLinux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDUnchecked Buffer in Password Encryption ProcedureMicrosoft Windows 2000SQL Server 2000Buffer overflow in the password encryption function of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows remote attackers to gain control of the database and execute arbitrary code via SQL Server Authentication, aka "Unchecked Buffer in Password Encryption Procedure."Yi-Fang KohIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDACCEPTEDWindows 2000 IIS Heap Overrun in HTR Chunked EncodingMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise."Tiffany BergeronACCEPTEDACCEPTEDWindows XP (64-bit Gold) Shell CLSID File Type Spoof VulnerabilityMicrosoft Windows XPOperating SystemThe Windows Shell application in 
Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.Christine WalzerINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDWindows XP,SP1 COM Structured Storage VulnerabilityMicrosoft Windows XPCOM Internet ServicesWindows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDRPCSS DCOM Buffer Overflow (XP, SP1)Microsoft Windows XPDistributed Component Object Model (DCOM)Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows Media Player Buffer Overflow via ASFMicrosoft Windows XPWindows Media Player for Windows XPBuffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via a malformed Advanced Streaming Format (ASF) file.Tiffany BergeronACCEPTEDACCEPTEDXSLT Buffer Overrun VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft XML Core ServicesBuffer overflow in the Extensible Stylesheet Language Transformations (XSLT) processing in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 allows remote attackers to execute arbitrary code via a crafted Web page.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Windows POSIX Buffer OverflowMicrosoft Windows 2000POSIXThe POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.Ingrid SkoogINTERIMACCEPTEDJohn HoylandMatthew WojcikINTERIMACCEPTEDACCEPTEDLinux Kernel TTY VulnerabilityRed Hat Linux 9Linux kernelUnknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops").Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDWindows 2000 IE HTML Help ActiveX control Cross Domain VulnerabilityMicrosoft Windows 2000Windows 2000Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."Matthew BurtonDRAFTMatthew BurtonMatthew BurtonINTERIMACCEPTEDACCEPTEDDenial of Service Vulnerability in Linux Kernel do_fork Function via CLONE_VMRed Hat Enterprise Linux 3Linux kernelThe do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDXFS Dispatch() Buffer OverflowSun Solaris 9fs.auto, xfsBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS 
query.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDCache Path Disclosure via Windows Media PlayerMicrosoft Windows XPWindows Media Player for Windows XPMicrosoft Windows Media Player versions 6.4 and 7.1 and Media Player for Windows XP allow remote attackers to bypass Internet Explorer's (IE) security mechanisms and run code via an executable .wma media file with a license installation requirement stored in the IE cache, aka the "Cache Path Disclosure via Windows Media Player".Tiffany BergeronACCEPTEDACCEPTEDSKK/DDSKK Insecure Temporary File VulnerabilityRed Hat Linux 9skkskk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDMicrosoft Visio 2002, SP2 is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Visio 2002, SP2 is installed.Robert L. HollisINTERIMACCEPTEDACCEPTEDMicrosoft Office Property VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with a malformed property that triggers memory corruption related to record lengths, aka "Microsoft Office Property Vulnerability," a different vulnerability than CVE-2006-1316.Robert L. 
HollisMatthew WojcikINTERIMACCEPTEDACCEPTEDLinux ioperm Privilege Restriction VulnerabilityRed Hat Linux 9Linux kernelThe ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSolaris 9 CDE ToolTalk Database Server Symbolic Link VulnerabilitySun Solaris 9CDECDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.Brian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDACCEPTEDSMB Session Digital Signature SidestepMicrosoft Windows 2000SMB Signing (Server Message Block)The SMB signing capability in the Server Message Block (SMB) protocol in Microsoft Windows 2000 and Windows XP allows attackers to disable the digital signing settings in an SMB session to force the data to be sent unsigned, then inject data into the session without detection, e.g. 
by modifying group policy information sent from a domain controller.Christine WalzerACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 Program Group Converter Buffer OverflowMicrosoft Windows 2000Program Group ConverterBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDVisio Professional URL Buffer OverflowMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Visio Professional 2002Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames.Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDWINS Association Context Vulnerability (Terminal Server Test 1)Microsoft Windows NTWindows Internet Naming Service (WINS)The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDServer 2003 Font Buffer OverflowMicrosoft Windows Server 2003Windows kernelBuffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDSuppressed OVAL2730Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000MDAC 2.5Heap-based buffer overflow in the 
Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.Ingrid SkoogDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v6.0 Domain Restriction Bypass Cross-Frame ScriptingMicrosoft Windows 2000Microsoft Internet ExplorerCross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions.Harvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDBuffer Management Error in OpenSSHSun Solaris 9OpenSSHA "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSQL Server OpenDataSource/OpenRowset Buffer OverflowMicrosoft Windows 2000Microsoft SQL Server 2000Buffer overflow in SQL Server 7.0 and 2000 allows remote attackers to execute arbitrary code via a long OLE DB provider name to (1) OpenDataSource or (2) OpenRowset in an ad hoc connection.Yi-Fang KohIngrid SkoogIngrid SkoogINTERIMACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP/Server 2003 DirectPlay Denial of Service (Test 2)Microsoft Windows XPMicrosoft Windows Server 2003DirectXIDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.Tiffany BergeronTiffany BergeronTiffany BergeronINTERIMACCEPTEDACCEPTEDTCP Connection Reset VulnerabilityMicrosoft Windows 
Platforms (continued from the preceding entry): ...XP, Microsoft Windows Server 2003
Product: Operating System
Description: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: PowerPoint Malformed Record Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office XP and Office 2003 allows user-assisted attackers to execute arbitrary code via a crafted record in a PPT file, as exploited by malware such as Exploit:Win32/Controlppt.W, Exploit:Win32/Controlppt.X, and Exploit-PPT.d/Trojan.PPDropper.F. NOTE: it has been reported that the attack vector involves SlideShowWindows.View.GotoNamedShow.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Server 2003 Large Window Size TCP RST Denial of Service
Platforms: Microsoft Windows Server 2003
Product: Microsoft Word 2003
Description: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Word 2000 Malicious .doc Buffer Overflow II
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Word 2000
Description: Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP Messenger Service Buffer Overflow
Platforms: Microsoft Windows XP
Product: Windows XP
Description: The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
Contributors/status: Tiffany Bergeron; Andrew Buttner; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Excel 2000 File Handler Code Execution Vulnerability
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Excel 2000
Description: Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Certificate Validation Identity Spoofing Vulnerability (Test 2)
Platforms: Microsoft Windows 2000
Product: Certificate Validation
Description: The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
Contributors/status: Christine Walzer; Christine Walzer; Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Office 2000 WordPerfect Converter Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Office 2000 SP3
Description: Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP Plug and Play Buffer Overflow Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP (SP2) CSRSS Privilege Escalation Vulnerability
Platforms: Microsoft Windows XP
Product: Client Server Runtime System (CSRSS)
Description: Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
Contributors/status: Ingrid Skoog; DRAFT; INTERIM; Christine Walzer; ACCEPTED; ACCEPTED

Title: Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 1)
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Contributors/status: Tiffany Bergeron; ACCEPTED; ACCEPTED

Title: Windows 98 Long Share Names Vulnerability
Platforms: Microsoft Windows 98
Product: Windows Shell
Description: Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, Windows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.
Contributors/status: Andrew Buttner; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Gaim DoS via Malformed MSN Message
Platforms: Red Hat Enterprise Linux 3
Product: Gaim
Description: Gaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error.
Contributors/status: Jay Beale; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: OpenSSL Denial of Service Vulnerabilities
Platforms: Sun Solaris 8
Product: Sun Crypto Accelerator 4000
Description: The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Kernel Debugger-based Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Windows kernel
Description: Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Linux Route Cache / Netfilter Denial of Service
Platforms: Red Hat Linux 9
Product: Netfilter
Description: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions.
Contributors/status: Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

Title: Netfilter Denial of Service
Platforms: Red Hat Linux 9
Product: Netfilter
Description: The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.
Contributors/status: Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

Title: Windows 2000 Network Connection Manager Privilege Escalation
Platforms: Microsoft Windows 2000
Product: Network Connection Manager (NCM)
Description: A handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code.
Contributors/status: Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: KCMS KCS_OPEN_PROFILE File Disclosure Vulnerability
Platforms: Sun Solaris 7
Product: kcms_server
Description: Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: OpenSSL Double-free Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Sun Cluster
Description: Double-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Server 2003 Unknown Vector SMB Vulnerability
Platforms: Microsoft Windows Server 2003
Product: SMB (Server Message Block)
Description: Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."
Contributors/status: Jonathan Baker; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Animated Cursor Denial of Service (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Windows Animated Cursor
Description: The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: DoS Vulnerability in libpng function png_handle_iCCP()
Platforms: Sun Solaris 7
Product: libpng
Description: The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP Hyperlink Object Library Unchecked Buffer Vulnerability
Platforms: Microsoft Windows XP
Product: Hyperlink Object Library
Description: The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow.
Contributors/status: Andrew Buttner; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: License Logging Service Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: MDAC 2.8
Description: The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability."
Contributors/status: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Font Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Windows kernel
Description: Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.
Contributors/status: Ingrid Skoog; DRAFT; INTERIM; Christine Walzer; Andrew Buttner; ACCEPTED; ACCEPTED

Title: Windows XP,SP2 Print Spooler Service Buffer Overflow
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: (untitled)
Platforms: Sun Solaris 9
Product: Operating System
Description: Solaris 9 patches 112908-12 and 115168-03 introduced a logging flaw that can log passwords in clear text. This can lead to privilege escalation for a local user. It can also lead to the compromise of other systems if passwords are reused.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: WINS Association Context Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Linux Kernel ptrace Privilege Escalation Vulnerability
Platforms: Red Hat Linux 9
Product: Linux kernel
Description: The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.
Contributors/status: Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

Title: BIND SIG Resource Records Buffer Overflow
Platforms: Sun Solaris 7
Product: Bind
Description: Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR).
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Kerberos 5 KDC Heap Corruption Vulnerability
Platforms: Sun Solaris 8
Product: Kerberos5
Description: The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED
Note: Vulnerability exists in standard Solaris Kerberos and SEAM. This definition only covers Solaris Kerberos.

Title: SQL Server Format String Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Format string vulnerability in the C runtime functions in SQL Server 7.0 and 2000 allows attackers to cause a denial of service.
Contributors/status: Yi-Fang Koh; ACCEPTED

Title: Windows Server 2003 (32-Bit) DirectPlay Denial of Service
Platforms: Microsoft Windows Server 2003
Product: DirectX
Description: IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a through 9.0b, as used in Windows Server 2003 and earlier, allows remote attackers to cause a denial of service (application crash) via a malformed packet.
Contributors/status: Tiffany Bergeron; Tiffany Bergeron; Tiffany Bergeron; INTERIM; ACCEPTED; ACCEPTED

Title: RPC Runtime Library Denial of Service and Information Disclosure Vulnerability
Platforms: Microsoft Windows NT
Product: Remote Procedure Call (RPC)
Description: The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Kerberos krb4 Ticket Splicing Vulnerability
Platforms: Red Hat Linux 9
Product: krb5
Description: Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."
Contributors/status: Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

Title: Windows 2000 IIS Chunked Encoding Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.
Contributors/status: Tiffany Bergeron; ACCEPTED; ACCEPTED

Title: Kerberos krb4 Plaintext Attack Vulnerability
Platforms: Red Hat Linux 9
Product: krb5
Description: Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack.
Contributors/status: Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

Title: Network News Transfer Protocol Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Network News Transport Protocol (NNTP)
Description: The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP Indexing Service Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Indexing Service
Description: The Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Kerberos KDC Heap Corruption Denial of Service
Platforms: Red Hat Linux 9
Product: krb5
Description: The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").
Contributors/status: Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed FNGROUPCOUNT value Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted FNGROUPCOUNT value.
Contributors/status: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP/Server 2003 (64-Bit) Enhanced Metafile Image Format Rendering Buffer Overflow
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003
Product: Enhanced Metafile (EMF)
Description: Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."
Contributors/status: Ingrid Skoog; Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: ypxfrd File Disclosure Vulnerability
Platforms: Sun Solaris 7
Product: NIS
Description: The getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Mozilla, Firefox, Thunderbird User Interface Hijacking Vulnerability
Platforms: Sun Solaris 8
Product: mozilla
Description: Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Word 2002 Malicious .doc Buffer Overflow II
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Word 2002
Description: Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP (64-Bit) DirectPlay Denial of Service
Platforms: Microsoft Windows XP
Product: DirectX
Description: IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a through 9.0b, as used in Windows Server 2003 and earlier, allows remote attackers to cause a denial of service (application crash) via a malformed packet.
Contributors/status: Tiffany Bergeron; Tiffany Bergeron; Tiffany Bergeron; INTERIM; ACCEPTED; Christine Walzer; Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Scob and Toofer Internet Explorer v5.5,SP2 Vulnerabilities
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.
Contributors/status: Tiffany Bergeron; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT IIS FTP Connection Status Request Denial of Service
Platforms: Microsoft Windows NT
Product: FTP
Description: The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters.
Contributors/status: Tiffany Bergeron; ACCEPTED

Title: Windows NT Unchecked Buffer in NetDDE
Platforms: Microsoft Windows NT
Product: NetDDE
Description: Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allow attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
Contributors/status: Jonathan Baker; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Publisher 2003 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Publisher 2003 is installed.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
Contributors/status: Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; ACCEPTED

Title: Multiple Buffer Overflows in libpng
Platforms: Sun Solaris 7
Product: libpng
Description: Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Troubleshooter ActiveX Control Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML document with a long argument to the RunQuery2 method.
Contributors/status: Tiffany Bergeron; Andrew Buttner; ACCEPTED; ACCEPTED

Title: Windows XP,SP2 COM Structured Storage Vulnerability
Platforms: Microsoft Windows XP
Product: COM Internet Services
Description: Windows 2000, XP, and Server 2003 do not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP RPCSS DCOM Buffer Overflow (Blaster, Test 2)
Platforms: Microsoft Windows XP
Product: Distributed Component Object Model (DCOM)
Description: Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED
Note: This bulletin has been superseded by MS03-039. Definition reflects updated information.

Title: Microsoft Excel 2003 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Excel 2003 is installed.
Contributors/status: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel 2000 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Excel 2000 is installed.
Contributors/status: Robert L. Hollis; DRAFT; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel 2002 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Excel 2002 is installed.
Contributors/status: Robert L. Hollis; DRAFT; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Viewer is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Excel Viewer is installed.
Contributors/status: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed File Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Microsoft Office Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via malformed cell comments, which lead to modification of "critical data offsets" during the rebuilding process.
Contributors/status: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Office 2003 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Office 2003 is installed.
Contributors/status: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Buffer Overrun in DHCP Client Service Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: DHCP Client
Description: Buffer overflow in the DHCP Client service for Microsoft Windows 2000 SP4, Windows XP SP1 and SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via a crafted DHCP response.
Contributors/status: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: SQL Server Extended Stored Procedure Parameter Parsing
Platforms: Microsoft Windows 2000
Product: Microsoft SQL Server
Description: The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.
Contributors/status: Tiffany Bergeron; Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; INTERIM; Ingrid Skoog; ACCEPTED; Christine Walzer; Christine Walzer; Christine Walzer; Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Exchange Server 2003 (INTERIM) Routing Engine Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: SMTP
Description: The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.
Contributors/status: Christine Walzer; DRAFT; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: xdrmem_bytes() Integer Overflow Vulnerability
Platforms: Red Hat Linux 9
Product: krb5
Description: Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.
Contributors/status: Jay Beale; INTERIM; Jay Beale; ACCEPTED; ACCEPTED

Title: IE v5.5 Forced Script Execution
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.
Contributors/status: David Proulx; ACCEPTED

Title: Windows XP Named Pipe Vulnerability (32-bit architecture)
Platforms: Microsoft Windows XP
Description: The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."
Contributors/status: Jonathan Baker; DRAFT; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; ACCEPTED; ACCEPTED

Title: DHCP Server Logging Vulnerability (NT 4.0)
Platforms: Microsoft Windows NT
Product: DHCP
Description: The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability."
Contributors/status: Ingrid Skoog; DRAFT; Ingrid Skoog; Ingrid Skoog; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft IIS 6.0 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft IIS 6.0 is installed.
Contributors/status: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT Terminal Server Kernel Debugger-based Buffer Overflow
Platforms: Microsoft Windows NT
Product: Windows kernel
Description: Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.
Contributors/status: Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.5 Frames Cross-site Scripting Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource.
Contributors/status: Harvey Rubinovitz; ACCEPTED; ACCEPTED

Title: Sun RPC No Timeout Denial of Service on TCP Ports
Platforms: Sun Solaris 7
Product: libc
Description: The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang).
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP (32-bit,SP2/64-bit,SP1) Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
Contributors/status: Christine Walzer; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; ACCEPTED

Title: Sendmail Address Processor Buffer Overflow
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Sendmail
Description: Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Office Malformed Chart Record Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac do not properly parse the length of a chart record, which allows remote user-assisted attackers to execute arbitrary code via a Word document with an embedded malformed chart record that triggers an overwrite of pointer values with values from the document, a different vulnerability than CVE-2006-3434, CVE-2006-3864, and CVE-2006-3868.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Word 2000 Malicious .doc Buffer Overflow
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Word 2000
Description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft XML Core Services 5 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: Microsoft XML Core Services 5 is installed.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft XML Core Services 6 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: Microsoft XML Core Services 6 is installed.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft XML Core Services 3 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: Microsoft XML Core Services 3 is installed.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft XML Core Services Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft XML Core Services
Description: The XMLHTTP ActiveX control in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 does not properly handle HTTP server-side redirects, which allows remote user-assisted attackers to access content from other domains.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint 2000 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft PowerPoint 2000 is installed.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint 2003 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft PowerPoint 2003 is installed.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint 2002 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft PowerPoint 2002 is installed.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: PowerPoint Malformed Record Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via an unspecified "crafted file," a different vulnerability than CVE-2006-3435, CVE-2006-4694, and CVE-2006-3876.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Variant of Chunked Encoding Buffer Overrun
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun."
Contributors/status: Andrew Buttner; ACCEPTED; ACCEPTED

Title: Windows XP (32-Bit) DirectPlay Denial of Service
Platforms: Microsoft Windows XP
Product: DirectX
Description: IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a through 9.0b, as used in Windows Server 2003 and earlier, allows remote attackers to cause a denial of service (application crash) via a malformed packet.
Contributors/status: Tiffany Bergeron; Tiffany Bergeron; Tiffany Bergeron; Tiffany Bergeron; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: (untitled)
Platforms: Sun Solaris 10
Product: Operating System
Description: Unspecified vulnerability in the kernel processing in Solaris 10 64-bit platform, when running in 64-bit mode, allows local users to cause a denial of service (system panic) via unknown attack vectors.
Contributors/status: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Win2k Path MTU Discovery Attack Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: MSHTA Code Execution Vulnerability (64-bit XP,SP1)
Platforms: Microsoft Windows XP
Product: Windows Shell
Description: The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Sendmail Custom DNS Map Buffer Overflow
Platforms: Sun Solaris 9
Product: Sendmail
Description: Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS server.
Contributors/status: Brian Soby; DRAFT; Brian Soby; INTERIM; ACCEPTED; ACCEPTED

Title: Integer Overflows in Windows NT DirectX MIDI Library (QUARTZ.DLL)
Platforms: Microsoft Windows NT
Product: DirectX
Description: Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) a large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Help and Support Center PCHealth System Buffer Overflow (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Help and Support Center (HSC)
Description: Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL.
Contributors/status: Christine Walzer; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Andrew Buttner; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT Windows POSIX Buffer Overflow
Platforms: Microsoft Windows NT
Product: POSIX
Description: The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.
Contributors/status: Ingrid Skoog; Ingrid Skoog; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Samba call_trans2open() Buffer Overflow
Platforms: Sun Solaris 9
Product: Samba
Description: Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
Contributors/status: Brian Soby; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 HtmlHelp Heap Overflow
Platforms: Microsoft Windows Server 2003
Product: HTML Help Facility
Description: Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: KDM Weak Cookie Vulnerability
Platforms: Red Hat Linux 9
Product: KDM
Description: KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session.
Contributors/status: Jay Beale; INTERIM; ACCEPTED; ACCEPTED

Title: Kerberos 5 ASN.1 Library DoS
Platforms: Sun Solaris 9
Product: Kerberos5
Description: The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.
Contributors/status: Brian Soby; DRAFT; Brian Soby; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Messenger Service Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Messenger Service
Description: The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
Contributors/status: Christine Walzer; ACCEPTED; Andrew Buttner; ACCEPTED; ACCEPTED

Title: Windows 2003/64-bit XP Indexing Service Code Execution Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Indexing Service
Description: The Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Enhanced Metafile Image Format Rendering Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Enhanced Metafile (EMF)
Description: Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."
Contributors/status: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: (untitled)
Platforms: HP-UX 11
Product: Operating System
Description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors/status: Robert L.
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Certificate Validation Identity Spoofing Vulnerability (Test 2)Microsoft Windows NTCertificate ValidationMicrosoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).Christine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWord 2002 Malicious .doc Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 2002Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.Matthew BurtonDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 Malformed GIF Image Double-free VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 IIS HTTP Redirect Error Message Cross-site ScriptingMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message.Harvey RubinovitzACCEPTEDMicrosoft 
Project 2000, SP1 is installedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003The application Microsoft Project 2000, SP1 is installed.Robert L. HollisINTERIMACCEPTEDACCEPTEDMicrosoft Office Remote Code Execution Using a Malformed GIF VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeBuffer overflow in GIFIMP32.FLT, as used in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted GIF image that triggers memory corruption when it is parsed.Robert L. HollisINTERIMACCEPTEDACCEPTEDBIND DoS via SIG RR ElementsSun Solaris 7BindBIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDSNMP Agent Service Buffer OverflowMicrosoft Windows 2000Simple Network Management Protocol (SNMP)Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available.Tiffany BergeronACCEPTEDMicrosoft Word2000 Malformed Object Pointer VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft WordBuffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 Sp1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.Robert L. 
HollisDRAFTJohn HoylandINTERIMACCEPTEDACCEPTEDKerberos Client Plaintext Password VulnerabilitySun Solaris 9pam_krb5Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDACCEPTEDLSASS Privilege Escalation Vulnerability (64-bit XP, SP1)Microsoft Windows XPLocal Security Authority Subsystem Service (LSASS)LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDRRAS Memory Corruption Vulnerability (WinXP,SP1)Microsoft Windows XPOperating SystemBuffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMS Outlook (Word 2000) RTF/HTML Script Execution VulnerabilityMicrosoft Windows 2000Microsoft Word 2000Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWindows 2000 Drag-and-Drop VulnerabilityMicrosoft Windows 2000Windows 2000Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDWindows XP,SP2 Object Management VulnerabilityMicrosoft Windows XPWindows kernelBuffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDExchange 2003,SP1 Calendar VulnerabilityMicrosoft Windows XPMicrosoft Windows Server 2003Microsoft Exchange ServerUnspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSMB Invalid Handle Vulnerability (64-bit XP)Microsoft Windows XPOperating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) via by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0 Frames Cross-site Scripting VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerCross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource.Harvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDSystem V login Buffer OverflowSun Solaris 7loginBuffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDMozilla JavaScript Execution in Mail When Forwarding In-lineMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe WYSIWYG rendering engine ("rich mail" editor) in Mozilla Thunderbird 1.0.7 and earlier allows user-assisted attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Crashes with Evidence of Memory Corruption (CVE-2006-1531)Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaUnspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Kernel Debugger-based Buffer OverflowMicrosoft Windows NTWindows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMozilla Accessing XBL Compilation Scope via valueOf.call()Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly protect the compilation scope of privileged built-in XBL bindings, which allows remote attackers to execute arbitrary code via the (1) valueOf.call or (2) valueOf.apply methods of an XBL binding, or (3) "by inserting an XBL method into the DOM's document.body prototype chain."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDFlaw in Word Fields and Excel External Updates Could Lead to Information DisclosureMicrosoft Windows 2000Microsoft Word 2000Microsoft Word and Excel allow remote attackers to steal sensitive information via certain field codes that insert the information when the document is returned to the attacker, as demonstrated in Word using (1) INCLUDETEXT or (2) INCLUDEPICTURE, aka "Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure."Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDIP Source Route Vulnerability (S03,SP1)Microsoft Windows Server 2003Operating SystemBuffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDISC BIND Cache Poison Denial Of ServiceSun Solaris 7BindISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value.Brian SobyDRAFTINTERIMACCEPTEDBrian SobyBrian SobyINTERIMACCEPTEDACCEPTEDWindows XP ComboBox/ListBox GUI Widget User32.dll Buffer OverflowMicrosoft Windows XPWindows XPBuffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application.Tiffany BergeronAndrew ButtnerACCEPTEDChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMINTERIMACCEPTEDACCEPTEDActiveX Control Memory Corruption Vulnerability (64-bit XP)Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Kernel LPC Privilege Escalation Vulnerability (64-bit XP)Microsoft Windows XPWindows kernelThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDACCEPTEDSMB Driver Elevation of Privilege Vulnerability (XP,SP1)Microsoft Windows XPOperating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft JScript Memory Corruption Vulnerability (WinXP)Microsoft Windows XPOperating SystemMicrosoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in Kerberos 5 (krb5_aname_to_localname)Sun Solaris 7Solaris Enterprise Authentication Mechanism (SEAM)Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.Brian SobyDRAFTBrian SobyINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDWindows Script Engine Heap Overflow (Test 1)Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPWindows Script Engine for JScript v5.6Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.Tiffany BergeronDavid ProulxDavid ProulxACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDSuppressed OVAL20Microsoft Windows 2000Distributed Component Object Model (DCOM)Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMutt BO Vulnerability in balsaRed Hat Linux 9MuttBuffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDWindows XP Negotiate Security Software Provider Denial of Service VulnerabilityMicrosoft Windows XPNegotiate SSP 
interfaceThe Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.Ingrid SkoogIngrid SkoogIngrid SkoogACCEPTEDChristine WalzerINTERIMACCEPTEDAnna MinINTERIMACCEPTEDACCEPTEDExchange 2003,SP2 Calendar VulnerabilityMicrosoft Windows XPMicrosoft Windows Server 2003Microsoft Exchange ServerUnspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMSDTC Denial of Service Vulnerability (Win2K)Microsoft Windows 2000Operating SystemMicrosoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWeak Encryption in RDP ProtocolMicrosoft Windows 2000Remote Data Protocol (RDP)Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol."Tiffany BergeronChristine WalzerINTERIMACCEPTEDACCEPTEDRemote Code Execution Vulnerability in Flash Player 6&7 (XP,SP1)Microsoft Windows XPFlash PlayerMacromedia Flash 6 and 7 (Flash.ocx) allows remote attackers to execute arbitrary code via a SWF file with a modified frame type identifier that is used as an out-of-bounds array index to a function pointer.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Connection Blocking Denial Of Service VulnerabilitySun Solaris 8Sun Solaris 9ApacheApache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."Brian SobyBrian SobyBrian SobyDRAFTINTERIMACCEPTEDACCEPTEDAutomatic ActiveX Approval on Windows 2000 Low MemoryMicrosoft Windows 2000Windows 2000The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval.Tiffany BergeronTiffany BergeronACCEPTEDACCEPTEDSMB Invalid Handle Vulnerability (XP,SP1)Microsoft Windows XPOperating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) via by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB 
Invalid Handle Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCSS Cross-Domain Information Disclosure Vulnerability (64-bit XP)Microsoft Windows XPInternet ExplorerMicrosoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMS Word 6.0 Table Conversion Vulnerability (64-bit XP)Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDMozilla Mail Multiple Information DisclosureMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP address, when the user reads the email and the external image is accessed.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Media Player PNG Vulnerability (v10.0 on S03)Microsoft Windows Server 2003Media PlayerStack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDOff-by-one Error in fb_realpath()Sun Solaris 9Solaris Management Console (SMC)Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDIIS ISAPI Extension Indexing Service Buffer Overflow (Code Red)Microsoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.Tiffany BergeronTiffany BergeronACCEPTEDACCEPTEDMozilla Security Check of js_ValueToFunctionObject() Can Be CircumventedMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaUnspecified vulnerability in Firefox and Thunderbird 1.5 before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to bypass the js_ValueToFunctionObject check and execute arbitrary code via unknown vectors involving setTimeout and Firefox' ForEach method.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP (32-Bit) Task Scheduler Stack OverflowMicrosoft Windows XPTask SchedulerStack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.Tiffany BergeronTiffany BergeronINTERIMACCEPTEDAnna MinINTERIMACCEPTEDACCEPTEDWindows XP IE HTML Help ActiveX control Cross Domain VulnerabilityMicrosoft Windows XPWindows XPInternet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWindows Server 2003 Negotiate Security Software Provider Denial of Service VulnerabilityMicrosoft Windows Server 2003Negotiate Security Software ProviderThe Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.Ingrid SkoogINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDException Handling Memory Corruption Vulnerability(64-bit XP)Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of 
CVE-2006-1992.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMS Word 6.0 Table Conversion Vulnerability (32-bit XP)Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMChristine WalzerACCEPTEDIngrid SkoogINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDMozilla Cross-site Scripting Using .valueOf.call()Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 returns the Object class prototype instead of the global window object when (1) .valueOf.call or (2) .valueOf.apply are called without any arguments, which allows remote attackers to conduct cross-site scripting (XSS) attacks.Robert L. 
Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Solaris 8 KCMS Arbitrary File Access Vulnerability
Platform: Sun Solaris 8. Product: kcms_server.
Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
Contributors/status trail: David Proulx ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1529)
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

IE .chm Directory Traversal Windows 2000 Vulnerability
Platform: Microsoft Windows 2000. Product: HTML Help Facility.
Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475.
Contributors/status trail: Andrew Buttner INTERIM ACCEPTED ACCEPTED

SMB Driver Elevation of Privilege Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Operating System.
The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows NT RPCSS DCOM Buffer Overflow (Blaster, Test 2)
Platform: Microsoft Windows NT. Product: Remote Procedure Call (RPC).
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Contributors/status trail: Christine Walzer DRAFT INTERIM ACCEPTED; Christine Walzer INTERIM ACCEPTED; Christine Walzer INTERIM ACCEPTED; ACCEPTED

RRAS Memory Corruption Vulnerability (S03,SP1)
Platform: Microsoft Windows Server 2003. Product: Operating System.
Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

HTML Decoding Memory Corruption Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Internet Explorer.
Heap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

KDM pam_setcred Privilege Escalation Vulnerability
Platform: Red Hat Linux 9. Product: KDM.
KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.
Contributors/status trail: Jay Beale INTERIM ACCEPTED ACCEPTED

Mozilla File Stealing by Changing Input Type
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Mozilla Firefox 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to read arbitrary files by (1) inserting the target filename into a text box, then turning that box into a file upload control, or (2) changing the type of y that is associated with an event handler.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

COM Object Instantiation Memory Corruption Vulnerability (64-bit XP)
Platform: Microsoft Windows XP. Product: Internet Explorer.
Multiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Remote Code Execution Vulnerability in Flash Player 8 (XP,SP2)
Platform: Microsoft Windows XP. Product: Flash Player.
Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 and earlier allow remote attackers to execute arbitrary code via a crafted SWF file.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Solaris 8 CDE ToolTalk Database Heap Corruption Vulnerability
Platform: Sun Solaris 8. Product: CDE.
Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.
Contributors/status trail: David Proulx ACCEPTED

Flash Address Bar Spoofing Vulnerability (S03,SP1)
Platform: Microsoft Windows Server 2003. Product: Internet Explorer.
Internet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

MHT Memory Corruption Vulnerability (64-bit XP)
Platform: Microsoft Windows XP. Product: Internet Explorer.
Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

MSDTC Denial of Service Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Operating System.
Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

WinXP Blind Connection Reset Attack Vulnerability
Platform: Microsoft Windows XP. Product: Windows XP.
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors/status trail: Matthew Burton DRAFT INTERIM ACCEPTED; John Hoyland INTERIM ACCEPTED; ACCEPTED

IIS Web Server File Request Parsing
Platform: Microsoft Windows 2000. Product: Microsoft Internet Information Server (IIS).
IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability.
Contributors/status trail: Tiffany Bergeron ACCEPTED

MSDTC Invalid Memory Access Vulnerability (XP,SP1)
Platform: Microsoft Windows XP. Product: Operating System.
Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, aka the MSDTC Invalid Memory Access Vulnerability.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

RASMAN Registry Corruption Vulnerability (XP,SP1)
Platform: Microsoft Windows XP. Product: Operating System.
Buffer overflow in the Remote Access Connection Manager (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," which lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

HTML Decoding Memory Corruption Vulnerability (S03,SP1)
Platform: Microsoft Windows Server 2003. Product: Internet Explorer.
Heap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

dtsession Buffer Overflow via HOME Envvar
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9. Product: CDE.
Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable.
Contributors/status trail: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

SMB Driver Elevation of Privilege Vulnerability (Win2K)
Platform: Microsoft Windows 2000. Product: Operating System.
The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1530)
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1724)
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to DHTML.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

ActiveX Certificate Enrollment Unauthorized Remote Certificate Deletion
Platform: Microsoft Windows 2000. Product: Certificate Enrollment Control.
Unknown vulnerability in the Certificate Enrollment ActiveX Control in Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to delete digital certificates on a user's system via HTML.
Contributors/status trail: Christine Walzer ACCEPTED; Christine Walzer INTERIM ACCEPTED; ACCEPTED

IE Cross-Site Scripting
Platform: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability.
Contributors/status trail: Andrew Buttner; Christine Walzer INTERIM ACCEPTED; Matthew Wojcik INTERIM ACCEPTED; ACCEPTED

Remote Code Execution Vulnerability in Flash Player 8 (XP,SP1)
Platform: Microsoft Windows XP. Product: Flash Player.
Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 and earlier allow remote attackers to execute arbitrary code via a crafted SWF file.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

ActiveX Control Memory Corruption Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Internet Explorer.
Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Network Share Provider Buffer Overflow
Platform: Microsoft Windows 2000. Product: SMB (Server Message Block).
Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service".
Contributors/status trail: Christine Walzer; Christine Walzer INTERIM ACCEPTED; ACCEPTED

SMB Code Execution Vulnerability (XP,SP1)
Platform: Microsoft Windows XP. Product: SMB (Server Message Block).
The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
Contributors/status trail: Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

LSASS Privilege Escalation Vulnerability (64-bit Server 2003)
Platform: Microsoft Windows Server 2003. Product: Local Security Authority Subsystem Service (LSASS).
LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
Contributors/status trail: Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

Mozilla Cross-site Scripting through window.controllers
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to bypass same-origin protections and conduct cross-site scripting (XSS) attacks via unspecified vectors involving the window.controllers array.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows Kernel LPC Privilege Escalation Vulnerability (32-bit XP,SP1)
Platform: Microsoft Windows XP. Product: Windows kernel.
The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."
Contributors/status trail: Christine Walzer DRAFT INTERIM ACCEPTED; Ingrid Skoog INTERIM ACCEPTED; ACCEPTED

CDE dtspcd Daemon Symlink Vulnerability
Platform: Sun Solaris 7. Product: dtspcd.
The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.
Contributors/status trail: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

MS Word Macro Security Bypass Vulnerability
Platform: Microsoft Windows 2000. Product: Microsoft Word 2000.
Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document.
Contributors/status trail: Christine Walzer; Christine Walzer DRAFT INTERIM ACCEPTED; Ingrid Skoog INTERIM ACCEPTED; John Hoyland INTERIM ACCEPTED; ACCEPTED

Windows XP Enhanced Metafile Image Format Rendering Buffer Overflow
Platform: Microsoft Windows XP. Product: Enhanced Metafile (EMF).
Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."
Contributors/status trail: Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED

ART Image Rendering Vulnerability (WinS03)
Platform: Microsoft Windows Server 2003. Product: Operating System.
Buffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and SP2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

HTML Decoding Memory Corruption Vulnerability (64-bit XP)
Platform: Microsoft Windows XP. Product: Internet Explorer.
Heap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

RASMAN Registry Corruption Vulnerability (Win2K)
Platform: Microsoft Windows 2000. Product: Operating System.
Buffer overflow in the Remote Access Connection Manager (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," which lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Mozilla Cross-site JavaScript Injection Using Event Handlers
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to inject arbitrary Javascript into other sites by (1) "using a modal alert to suspend an event handler while a new page is being loaded", (2) using eval(), and using certain variants involving (3) "new Script;" and (4) using window.__proto__ to extend eval, aka "cross-site JavaScript injection".
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows NT Terminal Server Unchecked Buffer in NetDDE
Platform: Microsoft Windows NT. Product: NetDDE.
Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
Contributors/status trail: Jonathan Baker DRAFT INTERIM ACCEPTED ACCEPTED

RASMAN Registry Corruption Vulnerability (S03,SP1)
Platform: Microsoft Windows Server 2003. Product: Operating System.
Buffer overflow in the Remote Access Connection Manager (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," which lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

SMB Invalid Handle Vulnerability (Win2K)
Platform: Microsoft Windows 2000. Product: Operating System.
The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Automatic ActiveX Approval on WinXP Low Memory
Platform: Microsoft Windows XP. Product: Authenticode.
The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers to execute arbitrary code without user approval.
Contributors/status trail: Tiffany Bergeron; Andrew Buttner; Andrew Buttner ACCEPTED; Christine Walzer; Christine Walzer INTERIM ACCEPTED; ACCEPTED

Mozilla Mozilla Firefox Tag Order Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors involving a "particular sequence of HTML tags" that leads to memory corruption.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

SMB Code Execution Vulnerability (Server 2003 / 64-bit XP)
Platform: Microsoft Windows Server 2003. Product: SMB (Server Message Block).
The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
Contributors/status trail: Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

RASMAN Registry Corruption Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Operating System.
Buffer overflow in the Remote Access Connection Manager (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," which lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

ypbind Daemon Buffer Overflow
Platform: Sun Solaris 7. Product: NIS.
Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code.
Contributors/status trail: Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED

Windows XP (32-Bit) Program Group Converter Buffer Overflow
Platform: Microsoft Windows XP. Product: Program Group Converter.
Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
Contributors/status trail: Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED

Flash Address Bar Spoofing Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Internet Explorer.
Internet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

SMB Invalid Handle Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Operating System.
The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

LDAP rootDN Password Disclosure Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9. Product: LDAP.
Unspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Platform: HP-UX 11. Product: Operating System.
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

CSS Cross-Domain Information Disclosure Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Internet Explorer.
Microsoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows XP (64-Bit) Program Group Converter Buffer Overflow in grpconv.exe
Platform: Microsoft Windows XP. Product: Program Group Converter.
Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
Contributors/status trail: Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED

Microsoft PowerPoint 2002 Remote Code Execution Using a Malformed Record Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Microsoft PowerPoint.
Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption.
Contributors/status trail: Robert L. Hollis DRAFT; Matthew Wojcik INTERIM ACCEPTED; ACCEPTED

COM Object Instantiation Memory Corruption Vulnerability (XP,SP2)
Platform: Microsoft Windows XP. Product: Internet Explorer.
Multiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Apache IPv6 Socket Failure Denial of Service
Platform: Red Hat Linux 9. Product: Apache.
Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.
Contributors/status trail: Jay Beale INTERIM; Jay Beale ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (RegEx)
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary bytecode via JavaScript with a large regular expression.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

SMB Invalid Handle Vulnerability (S03,SP1)
Platform: Microsoft Windows Server 2003. Product: Operating System.
The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

RRAS Memory Corruption Vulnerability (WinXP,SP2)
Platform: Microsoft Windows XP. Product: Operating System.
Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Server 2003 CSRSS Privilege Escalation Vulnerability
Platform: Microsoft Windows Server 2003. Product: Client Server Runtime System (CSRSS).
Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
Contributors/status trail: Ingrid Skoog DRAFT INTERIM; Christine Walzer ACCEPTED; ACCEPTED

ActiveX Control Memory Corruption Vulnerability (S03,SP1)
Platform: Microsoft Windows Server 2003. Product: Internet Explorer.
Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows NT IIS Heap Overrun in HTR Chunked Encoding
Platform: Microsoft Windows NT. Product: Microsoft Internet Information Server (IIS).
Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise."
Contributors/status trail: Tiffany Bergeron ACCEPTED ACCEPTED

Exchange 2000,SP4 Calendar Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Microsoft Exchange Server.
Unspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows XP (32-bit, SP1) RPCSS DCOM Buffer Overflow (Blaster)
Platform: Microsoft Windows XP. Product: Distributed Component Object Model (DCOM).
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Contributors/status trail: Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED

Mozilla Secure-site Spoof (requires security warning dialog)
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to spoof secure site indicators such as the locked icon by opening the trusted site in a popup window, then changing the location to a malicious site.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Platform: HP-UX 11. Product: Operating System.
Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows 2000 Negotiate Security Software Provider Denial of Service Vulnerability
Platform: Microsoft Windows 2000. Product: Negotiate SSP interface.
The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.
Contributors/status trail: Ingrid Skoog INTERIM ACCEPTED; Jonathan Baker INTERIM ACCEPTED; ACCEPTED

Windows Media Player PNG Vulnerability (v10.0, 64-bit)
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003. Product: Media Player.
Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows 2000,SP4 Remote Desktop Protocol (RDP) DoS Vulnerability
Platform: Microsoft Windows 2000. Product: Operating System.
The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows NT Shell Buffer Overflow
Platform: Microsoft Windows NT. Product: Windows Shell.
Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled.
Contributors/status trail: Matthew Burton; Matthew Burton DRAFT INTERIM; Matthew Burton ACCEPTED; ACCEPTED

Word 2003 Malicious .doc Buffer Overflow
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Samba.
Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
Contributors/status trail: Matthew Burton DRAFT INTERIM ACCEPTED; John Hoyland INTERIM ACCEPTED; ACCEPTED

IE v6.0 Malformed GIF Image Double-free Vulnerability
Platform: Microsoft Windows XP. Product: Microsoft Internet Explorer.
Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.
Contributors/status trail: Andrew Buttner DRAFT INTERIM ACCEPTED; Christine Walzer INTERIM; Christine Walzer ACCEPTED; ACCEPTED

Outlook Express 6 (S03,SP1) WAB Remote Code Execution Vulnerability
Platform: Microsoft Windows 2000. Product: Outlook Express.
Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED; John Hoyland; Anna Min INTERIM ACCEPTED; ACCEPTED

Mozilla Deleted Object Reference When designMode="on"
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: mozilla.
Mozilla Firefox 1.5.0.2, when designMode is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain Javascript that is not properly handled by the contentWindow.focus method in an iframe, which causes a reference to a deleted controller context object. NOTE: this was originally claimed to be a buffer overflow in (1) js320.dll and (2) xpcom_core.dll, but the vendor disputes this claim.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Solaris 7 LBXProxy Display Name Buffer Overflow
Platform: Sun Solaris 7. Product: lbxproxy.
Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.
Contributors/status trail: David Proulx ACCEPTED

Address Bar Spoofing Vulnerability (S03,SP1)
Platform: Microsoft Windows Server 2003. Product: Internet Explorer.
Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

IP Source Route Vulnerability (Win2K)
Platform: Microsoft Windows 2000. Product: Operating System.
Buffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

XPM Image Decoder Malicious Color String Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9. Product: Operating System.
Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Microsoft JScript Memory Corruption Vulnerability (Win2K w/ JScript 5.6)
Platform: Microsoft Windows 2000. Product: Operating System.
Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Windows XP (64-Bit) Task Scheduler Stack Overflow
Platform: Microsoft Windows XP. Product: Task Scheduler.
Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.
Contributors/status trail: Tiffany Bergeron INTERIM ACCEPTED; Christine Walzer INTERIM ACCEPTED; ACCEPTED

Outlook Express 5.5 WAB Remote Code Execution Vulnerability
Platform: Microsoft Windows 2000. Product: Outlook Express.
Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED; John Hoyland; Anna Min INTERIM ACCEPTED; ACCEPTED

IE v5.5 Improper Cross Domain Security Validation with Dialog Box
Platform: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."
Contributors/status trail: Andrew Buttner ACCEPTED

Win2K MDAC RDS.Dataspace Remote Code Execution Vulnerability
Platform: Microsoft Windows 2000. Product: MDAC.
Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

IE6 HTML Tag Memory Corruption (WinXP)
Platform: Microsoft Windows XP. Product: Microsoft Internet Explorer.
Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.
Contributors/status trail: Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED

Solaris 7 CDE ToolTalk Database Heap Corruption Vulnerability
Platform: Sun Solaris 7. Product: CDE.
Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.
Contributors/status trail: David Proulx ACCEPTED

Outlook Express 6 (64-bit XP) WAB Remote Code Execution Vulnerability
Platform: Microsoft Windows 2000. Product: Outlook Express.
Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
Contributors/status trail: Robert L. 
HollisDRAFTINTERIMACCEPTEDJohn HoylandAnna MinINTERIMACCEPTEDACCEPTEDException Handling Memory Corruption Vulnerability (XP,SP2)Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 Multiple Event Handler Memory Corruption (Server 2003,SP1)Microsoft Windows Server 2003Microsoft Internet ExplorerBuffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRPC Mutual Authentication VulnerabilityMicrosoft Windows 2000Operating SystemMicrosoft Windows 2000 SP4 does not properly validate an RPC server during mutual authentication over SSL, which allows remote attackers to spoof an RPC server, aka the "RPC Mutual Authentication Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWU-FTPD "glob-*" Remote DoS Vulnerability (B.11.11)HP-UX 11ftpdThe wu_fnmatch function in wu_fnmatch.c for wu-fptd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir copmmand.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 Access Requests Privilege Escalation VulnerabilityMicrosoft Windows Server 2003Windows kernelThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTED"su" Privilege Escalation VulnerabilityHP-UX 11LDAP'An undisclosed vulnerability has been identified in su when used with LDAP. The potential vulnerability could be exploited by a local authorized user to gain unauthorized access.'Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP/Server 2003 (64-Bit) VDM Privilege Escalation VulnerabilityMicrosoft Windows XPMicrosoft Windows Server 2003VDMThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.Ingrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDExcel 2003 Remote Code Execution via Malformed RecordMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeStack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDSolaris 8 CDE ToolTalk Database Server Symbolic Link VulnerabilitySun Solaris 8CDECDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.David ProulxACCEPTEDWindows NT Long Share Names VulnerabilityMicrosoft Windows NTWindows ShellBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.Andrew ButtnerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDFPSE XSS VulnerabilityMicrosoft Windows 2000Microsoft Windows XPFrontPage Server ExtensionsCross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 
and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebproxy Off-by-One Error in mod_ssl CRLHP-UX 11ApacheOff-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP IP Validation VulnerabilityMicrosoft Windows XPWindows XPMicrosoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWindows (S03/64-bit XP) COM object Remote Code Execution VulnerabilityMicrosoft Windows XPOperating SystemUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows (S03,SP1/XP 64-bit) MDAC RDS.Dataspace Remote Code Execution VulnerabilityMicrosoft Windows XPMicrosoft Windows Server 2003MDACUnspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDRRAS Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Operating SystemBuffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemAn SCLT_INCOMPLETE error was blocking receipt of proper READY status from the array. A timer was changed to allow array to reach full READY before SCSI response is tested.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Word2002 Malformed Object Pointer VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft WordBuffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 Sp1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.Robert L. HollisDRAFTJohn HoylandINTERIMACCEPTEDACCEPTEDIE6 Script Execution Vulnerability (WinXP)Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTED/usr/lib/print/conv_fix Privilege Escalation VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDSMB Driver Elevation of Privilege Vulnerability (64-bit XP)Microsoft Windows XPOperating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache prefork MPM Denial of ServiceRed Hat Linux 9ApacheThe prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDWindows Media Player PNG Vulnerability (v10.0 on WinXP)Microsoft Windows XPMedia PlayerStack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebproxy CGI Byterange Request DoSHP-UX 11ApacheThe byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 Address Bar Spoofing Vulnerability (Server 2003,SP1)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Virtual DOS Machine Local Privilege Escalation Vulnerability (Test 2)Microsoft Windows NTVDMThe component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.Ingrid SkoogACCEPTEDACCEPTEDVirusVault Off-by-One Error in mod_ssl CRLHP-UX 11ApacheOff-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIP Source Route Vulnerability (64-bit XP)Microsoft Windows XPOperating SystemBuffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 Cross-Domain Information Disclosure Vulnerability (Server 2003,SP1)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 does not always correctly identify the domain that is associated with a browser window, which allows remote attackers to obtain sensitive cross-domain information and spoof sites by running script after the user has navigated to another site.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDEnterprise Storage Manager 2.1 SAN Manager management station patchSun Solaris 8Sun Enterprise Storage Manager (ESM)Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDIE6 COM Object Instantiation Memory Corruption (Server 2003,SP1)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9Sun Solaris 10gzipDirectory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIE GetObject Security BypassMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.David ProulxChristine WalzerINTERIMACCEPTEDACCEPTEDMozilla Privilege Escalation Using crypto.generateCRMFRequestMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaUnspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via unknown vectors related to the crypto.generateCRMFRequest method.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDX.Org Privilege Escalation Vulnerability in X11R6.9, X11R7.0Sun Solaris 10Operating SystemX.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP Insecure Default ACLsMicrosoft Windows XPOperating SystemMicrosoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit.Robert L. 
HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDpasswd Local DoS Vulnerability (B.11.23)HP-UX 11Operating SystemAn undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition..Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDApache Weak Cipher Suite VulnerabilityRed Hat Linux 9ApacheApache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSendmail setjmp longjmp bo (Red Hat Internal)Red Hat Linux 9Red Hat Enterprise Linux 3Red Hat Enterprise Linux 4SendmailSignal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDKorean IME Privilege Elevation Vulnerability in Server 2003,SP1Microsoft Windows Server 2003Operating SystemThe ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Crashes with Evidence of Memory Corruption (moz-grid)Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaUnspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) by changing the (1) -moz-grid and (2) -moz-grid-group display styles.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDAddress Bar Spoofing Vulnerability (XP,SP2)Microsoft Windows XPInternet ExplorerMicrosoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP Land VulnerabilityMicrosoft Windows XPWindows XPWindows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).Matthew BurtonDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDsendfilev DoS VulnerabilitySun Solaris 8Sun Solaris 9sendfilev()Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.Brian SobyDRAFTINTERIMACCEPTEDINTERIMDRAFTINTERIMACCEPTEDACCEPTEDOutlook Express 6,SP1 WAB Remote Code Execution VulnerabilityMicrosoft Windows 2000Outlook ExpressBuffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP,SP1 COM object Remote Code Execution VulnerabilityMicrosoft Windows XPOperating SystemUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 HTML Parsing Vulnerability (Server 2003,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 HTA Execution Vulnerability (Server 2003,SP1)Microsoft Windows Server 2003Microsoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRASMAN Registry Corruption Vulnerability (64-bit XP)Microsoft Windows XPOperating SystemBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDOutlook Express 6,2003 News Reading VulnerabilityMicrosoft Windows Server 2003Microsoft Outlook ExpressStack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDART Image Rendering Vulnerability (64-bit XP)Microsoft Windows XPOperating SystemBuffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and Sp2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Crashes with Evidence of Memory Corruption (CSS BO)Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe CSS border-rendering code in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain Cascading Style Sheets (CSS) that causes an out-of-bounds array write and buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDExcel 2002 Remote Code Execution via Malformed GraphicMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.Robert L. 
HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDKorean IME Privilege Elevation Vulnerability in Windows XPMicrosoft Windows XPOperating SystemThe ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDTCP/IP IGMP v3 Denial of Service (XP,SP1)Microsoft Windows XPOperating SystemMicrosoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDpasswd Local DoS Vulnerability (B.11.11)HP-UX 11Operating SystemAn undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition..Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDVirusVault Integer Overflow in pcre_compileHP-UX 11ApacheInteger overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 DHTML Method Call Memory Corruption (Server 2003,SP1)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP,SP2 Access Requests Privilege Escalation VulnerabilityMicrosoft Windows XPWindows kernelThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDMS Word 6.0 Font Conversion Vulnerability (Server 2003)Microsoft Windows Server 2003Microsoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDgzip -force File Permission Alteration VulnerabilitySun Solaris 8Licence Logging Servicegzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDExcel Viewer 2003 Remote Code Execution via Malformed Routing SlipMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeBuffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E.Robert L. 
Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Mozilla Privilege Escalation through Print Preview
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to gain chrome privileges via multiple attack vectors related to the use of XBL scripts with "Print Preview".
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: TCP/IP IGMP v3 Denial of Service (64-bit XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Address Bar Spoofing Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: IE6 Address Bar Spoofing Vulnerability (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Microsoft JScript Memory Corruption Vulnerability (Win2K)
Platforms: Microsoft Windows 2000
Product: Operating System
Description: Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: ART Image Rendering Vulnerability (XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and SP2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Trustix Secure Linux der_chop Script Symlink Attack Vulnerability
Platforms: Red Hat Enterprise Linux 3
Product: OpenSSL
Description: The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
Status history: Jay Beale (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX wuftpd Privilege Escalation Vulnerability (B.11.00)
Platforms: HP-UX 11
Product: ftpd
Description: wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX wuftpd Privilege Escalation Vulnerability (B.11.22)
Platforms: HP-UX 11
Product: ftpd
Description: wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Excel Viewer 2003 Remote Code Execution via Malformed File Format
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Excel 2000 Remote Code Execution via Malformed Description
Platforms: Microsoft Windows 2000
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), Robert L. Hollis (INTERIM), John Hoyland (ACCEPTED); status ACCEPTED

Title: Excel Viewer 2003 Remote Code Execution via Malformed Graphic
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Microsoft Project 2002, SP1 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Project 2002, SP1 is installed.
Status history: Robert L. Hollis (INTERIM, ACCEPTED); status ACCEPTED

Title: Microsoft Office 2002 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Office 2002 is installed.
Status history: Robert L. Hollis (INTERIM, ACCEPTED); status ACCEPTED

Title: Microsoft Word 2003 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Word 2003 is installed.
Status history: Robert L. Hollis (INTERIM, ACCEPTED); status ACCEPTED

Title: Microsoft Office Remote Code Execution Using a Malformed PNG Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted PNG image that triggers memory corruption when it is parsed.
Status history: Robert L. Hollis (INTERIM, ACCEPTED); status ACCEPTED

Title: Webproxy HTTP Request Smuggling
Platforms: HP-UX 11
Product: Apache
Description: The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: CD Drive DoS Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: Operating System
Description: Unspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Mozilla "AnyName" Entrainment and Access Control Hazard
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: The E4X implementation in Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 exposes the internal "AnyName" object to external interfaces, which allows multiple cooperating domains to exchange information in violation of the same origin restrictions.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Mozilla Firefox History File Buffer Overflow
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla, Firefox
Description: Mozilla Firefox 1.5, Netscape 8.0.4 and 7.2, and K-Meleon before 0.9.12 allows remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. NOTE: despite initial reports, the Mozilla vendor does not believe that this issue can be used to trigger a crash or buffer overflow in Firefox. Also, it has been independently reported that Netscape 8.1 does not have this issue.
Status history: Robert L. Hollis (DRAFT), Matthew Wojcik, Matthew Wojcik, Robert L. Hollis (INTERIM, ACCEPTED); status ACCEPTED

Title: pagedata Subsystem Local DoS Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: Operating System
Description: 'An undisclosed vulnerability in the pagedata subsystem in /proc may allow a local unprivileged user to cause significant performance degradation and even panic the system.'
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: XPM Image Decoder Buffer Overflow
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Operating System
Description: Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Mozilla CSS Letter-Spacing Heap Overflow Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via a large number in the CSS letter-spacing property that leads to a heap-based buffer overflow.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows NT SNMPv1 Trap Handling DoS and Privilege Escalation
Platforms: Microsoft Windows NT
Product: Simple Network Management Protocol (SNMP)
Description: Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
Status history: Harvey Rubinovitz; status ACCEPTED

Title: MHT Memory Corruption Vulnerability (WinXP,SP2)
Platforms: Microsoft Windows XP
Product: Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Solaris 10 find on /proc panic DoS Vulnerability
Platforms: Sun Solaris 10
Product: Operating System
Description: Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX PMTUD Remote DoS (B.11.11)
Platforms: HP-UX 11
Product: Operating System
Description: Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: SMB Code Execution Vulnerability (32-bit XP)
Platforms: Microsoft Windows XP
Product: SMB (Server Message Block)
Description: The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
Status history: Christine Walzer (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Flash Address Bar Spoofing Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Internet Explorer
Description: Internet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: WebClient Service Unchecked Buffer Remote Code Execution (XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows ME Long Share Names Vulnerability
Platforms: Microsoft Windows ME
Product: Windows Shell
Description: Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, Windows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.
Status history: Andrew Buttner (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows Server 2003 Plug and Play Buffer Overflow Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows NT IIS Chunked Encoding Buffer Overflow
Platforms: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.
Status history: Tiffany Bergeron (ACCEPTED); status ACCEPTED

Title: IE6 Multiple Event Handler Memory Corruption (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows Media Player 10 Bitmap Remote Code Execution
Platforms: Microsoft Windows XP
Product: Windows Media Player
Description: Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), Matthew Wojcik (INTERIM), Robert L. Hollis (ACCEPTED); status ACCEPTED

Title: Korean IME Privilege Elevation Vulnerability in 64-bit Windows XP
Platforms: Microsoft Windows XP
Product: Operating System
Description: The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: IE6 HTA Execution Vulnerability (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows NT Trusted Domain Loophole
Platforms: Microsoft Windows NT
Product: Windows NT 4.0
Description: In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from the trusted domain.
Status history: Tiffany Bergeron; status ACCEPTED

Title: RRAS Memory Corruption Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX Shared Library Privilege Escalation Vulnerability (B.11.04)
Platforms: HP-UX 11
Product: Operating System
Description: Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: IP Source Route Vulnerability (XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX SIM Hangs MS-IE Due to MS04-025 Changes
Platforms: HP-UX 11
Product: Operating System
Description: Unknown vulnerability in the login page for HP Systems Insight Manager (SIM) 4.0 and 4.1, when accessed by Microsoft Internet Explorer with the MS04-025 patch, leads to a denial of service (browser hang). NOTE: although the advisory is vague, this issue does not appear to involve an attacker at all. If not, then this issue is not a vulnerability.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Suppressed Test OVAL1581 (Identical to OVAL4458)
Platforms: Microsoft Windows XP
Product: Windows kernel
Description: The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."
Status history: Christine Walzer (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Kerberos Command Execution Vulnerability rexec Daemon
Platforms: Sun Solaris 10
Product: X
Description: Unspecified vulnerability in in.rexecd in Solaris 10 allows local users to gain privileges on Kerberos systems via unknown attack vectors.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows NT Process Handle Duplication Privilege Escalation
Platforms: Microsoft Windows NT
Product: Windows NT 4.0
Description: smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.
Status history: Tiffany Bergeron; status ACCEPTED

Title: Excel 2003 Remote Code Execution via Malformed Description
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), Matthew Wojcik, Matthew Wojcik (INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX Shared Library Privilege Escalation Vulnerability (B.11.00)
Platforms: HP-UX 11
Product: Operating System
Description: Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX Trusted Mode remshd Remote Unauthorized Access (B.11.23)
Platforms: HP-UX 11
Product: remshd
Description: Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1723)
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX envd Local Execution of Privileged Code (B.11.11)
Platforms: HP-UX 11
Product: envd
Description: envd daemon in HP-UX B.11.00 through B.11.11 allows local users to obtain privileges via unknown attack vectors.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Excel Viewer 2003 Remote Code Execution via Malformed Description
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Leaking GSSAPI Credentials Vulnerability (B.11.00/B.11.11)
Platforms: HP-UX 11
Product: SecureShell
Description: sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: WinXP,SP1 Graphics Rendering Engine Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Mozilla QueryInterface Memory Corruption Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows Kernel LPC Privilege Escalation Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Windows kernel
Description: The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."
Status history: Christine Walzer (DRAFT, INTERIM, ACCEPTED), Andrew Buttner (INTERIM, ACCEPTED); status ACCEPTED

Title: Apache Linefeed Allocation Vulnerability
Platforms: Red Hat Linux 9
Product: Apache
Description: A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.
Status history: Jay Beale (INTERIM), Jay Beale (ACCEPTED); status ACCEPTED

Title: Windows Media Player Plug-in EMBED Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Windows Media Player
Description: Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Remote Code Execution Vulnerability in Flash Player 6&7 (XP,SP2)
Platforms: Microsoft Windows XP
Product: Flash Player
Description: Macromedia Flash 6 and 7 (Flash.ocx) allows remote attackers to execute arbitrary code via a SWF file with a modified frame type identifier that is used as an out-of-bounds array index to a function pointer.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: CSS Cross-Domain Information Disclosure Vulnerability (S03,SP1)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Microsoft Office 2000 is installed
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Description: The application Microsoft Office 2000 is installed.
Status history: Robert L. Hollis (INTERIM), Glenn Strickland (ACCEPTED); status ACCEPTED

Title: Office 2000 Remote Code Execution via Malformed Routing Slip
Platforms: Microsoft Windows 2000
Product: Microsoft Office
Description: Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), Robert L. Hollis (ACCEPTED); status ACCEPTED

Title: HP-UX PMTUD Remote DoS (B.11.22)
Platforms: HP-UX 11
Product: Operating System
Description: Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: .lnk File-Open Remote Code Execution Vulnerability (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: User Profile Elevation of Privilege Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Operating System
Description: Untrusted search path vulnerability in Winlogon in Microsoft Windows 2000 SP4, when SafeDllSearchMode is disabled, allows local users to gain privileges via a malicious DLL in the UserProfile directory, aka "User Profile Elevation of Privilege Vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: WINS Association Context Vulnerability (64-bit Server 2003, Test 1)
Platforms: Microsoft Windows Server 2003
Product: Windows Internet Naming Service (WINS)
Description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Status history: Matthew Burton (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Mozilla Downloading Executables with "Save Image As..."
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to trick users into downloading and saving an executable file via an image that is overlaid by a transparent image link that points to the executable, which causes the executable to be saved when the user clicks the "Save image as..." option. NOTE: this attack is made easier due to a GUI truncation issue that prevents the user from seeing the malicious extension when there is extra whitespace in the filename.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: WMF Rendering Code Execution Vulnerability (32-bit Windows XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: zlib Compression Remote DoS Vulnerability (B.11.00/B.11.11)
Platforms: HP-UX 11
Product: SecureShell
Description: zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: IE6 Script Execution Vulnerability (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Win2K/XP,SP1 DDS Library Shape Control Buffer Overflow
Platforms: Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: CSNW Remote Buffer Overflow via Network Messages (Win2k,SP4)
Platforms: Microsoft Windows 2000
Product: NetWare
Description: The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), John Hoyland (INTERIM, ACCEPTED); status ACCEPTED

Title: Win2k,SP4 DDS Library Shape Control Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), John Hoyland (INTERIM, ACCEPTED); status ACCEPTED

Title: uucp/uustat Privilege Escalation Vulnerability
Platforms: Sun Solaris 8, Sun Solaris 9
Product: Operating System
Description: Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780.
Status history: Robert L. Hollis (DRAFT), Matthew Wojcik (INTERIM, ACCEPTED); status ACCEPTED

Title: HP-UX PMTUD Remote DoS (B.11.11-IPSEC)
Platforms: HP-UX 11
Product: Operating System
Description: Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Network Connection Manager Interruption of Service (Windows XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Windows XP HtmlHelp Heap Overflow
Platforms: Microsoft Windows XP
Product: HTML Help Facility
Description: Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.
Status history: Andrew Buttner, Andrew Buttner (INTERIM, ACCEPTED), Christine Walzer (INTERIM, ACCEPTED); status ACCEPTED

Title: ls-F Privilege Escalation Vulnerability
Platforms: Sun Solaris 8
Product: TENEX C Shell (tcsh)
Description: Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges.
Status history: Brian Soby (DRAFT, INTERIM, ACCEPTED), Matthew Wojcik (INTERIM, DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: VirusVault HTTP Request Smuggling
Platforms: HP-UX 11
Product: Apache
Description: The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Excel Viewer 2003 Remote Code Execution via Malformed Record
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Excel 2002 Remote Code Execution via Malformed Description
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), Matthew Wojcik, Matthew Wojcik (INTERIM, ACCEPTED); status ACCEPTED

Title: Solaris 7 X Font Server Remote Buffer Overrun
Platforms: Sun Solaris 7
Product: fs.auto, xfs
Description: Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.
Status history: David Proulx; status ACCEPTED

Title: Plug and Play User Data Validation Vulnerability (WinXP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: .lnk File-Open Remote Code Execution Vulnerability (XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Buffer Overflow in CDOSYS Message Processing (WinXP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Element position: Style Change Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 allow remote attackers to execute arbitrary code by changing an element's style from position:relative to position:static, which causes Gecko to operate on freed memory.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: TIP Request Validation Process Permits Denial of Service (64-bit XP,SP1)
Platforms: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: WinXP,SP1 MDAC RDS.Dataspace Remote Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: MDAC
Description: Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED); status ACCEPTED

Title: Excel 2003 Remote Code Execution via Malformed Graphic
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), Matthew Wojcik, Matthew Wojcik (INTERIM, ACCEPTED); status ACCEPTED

Title: Apache Terminal Escape Sequence Vulnerability II
Platforms: Red Hat Linux 9
Product: Apache
Description: Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.
Status history: Jay Beale (INTERIM), Jay Beale (ACCEPTED); status ACCEPTED

Title: Excel 2003 Remote Code Execution via Malformed File Format
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.
Status history: Robert L. Hollis (DRAFT, INTERIM, ACCEPTED), Matthew Wojcik, Matthew Wojcik (INTERIM, ACCEPTED); status ACCEPTED

Title: Excel 2003 Remote Code Execution via Malformed Routing Slip
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Office
Description: Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E.
Status history: Robert L.
HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDWindows 2000 HtmlHelp Heap OverflowMicrosoft Windows 2000HTML Help FacilityHeap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.Andrew ButtnerINTERIMACCEPTEDACCEPTEDApache Terminal Escape Sequence VulnerabilityRed Hat Linux 9ApacheApache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDSolaris 8 CDE ToolTalk Database Null Write VulnerabilitySun Solaris 8CDECDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.David ProulxACCEPTEDCOM+ Memory Structures Process Permits Remote Code Execution (XP,SP2)Microsoft Windows XPOperating SystemCOM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Application Suite has reached End-of-LifeMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozilla'mozilla.org has launched and delivered SeaMonkey, a community effort to deliver production-quality releases of code derived from the "Mozilla Application Suite". This equates to a cessation in software and security patches for that baseline. 
Using unsupported software represents a high security risk because no fixes or patches will be made available in response to new vulnerabilities.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebproxy Integer Overflow in pcre_compileHP-UX 11ApacheInteger overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla JavaScript Garbage-Collection Hazards in jsfun.cMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe function allocation code (js_NewFunction in jsfun.c) in Firefox 1.5 allows attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via user-defined methods that trigger garbage collection in a way that operates on freed objects.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla XML Attribute Name Validation VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP (64-bit) Graphics Rendering Engine VulnerabilityMicrosoft Windows XPOperating SystemThe Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP,SP1 Embedded Web Font VulnerabilityMicrosoft Windows XPOperating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSolaris 8 X Font Server Remote Buffer OverrunSun Solaris 8fs.auto, xfsBuffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.David ProulxACCEPTED.lnk File-Open Remote Code Execution Vulnerability (Windows 2000,SP4)Microsoft Windows 2000Operating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Robert L. 
HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDIP Source Route Vulnerability (XP,SP1)Microsoft Windows XPOperating SystemBuffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDManagement Console Directory Traversal VulnerabilitySun Solaris 8Sun Solaris 9Solaris Management Console (SMC)The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inaccessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMACCEPTEDACCEPTEDHeap Overrun in XBM Image ProcessingMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaHeap-based buffer overflow in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to execute arbitrary code via an XBM image file that ends in a large number of spaces instead of the expected end tag.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDEvolution GtkHTML DoS via null Pointer DereferenceRed Hat Linux 9GtkHTMLgtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDInteger Overflow in libpng via Malformed PNG ImageSun Solaris 7libpngMultiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.10.20)HP-UX 10ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Spoofing with Translucent WindowsMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox 1.5 before 1.5.0.2 and SeaMonkey before 1.0.1 causes certain windows to become translucent due to an interaction between XUL content windows and the history mechanism, which might allow user-assisted remote attackers to trick users into executing arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDAlternate ps Command Information Disclosure VulnerabilitySun Solaris 8Sun Solaris 9Operating System'An unspecified vulnerability in the "/usr/ucb/ps" command could allow unprivileged local users to see environment settings for processes of other users. When the 'e' flag is used, a low-privileged user can see environment variables and values for processes that belong to root and any other system users. NOTE: "/usr/bin/ps" is the default 'ps' command for most users per the command search path and is not affected by this vulnerability'Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Shell Buffer OverflowMicrosoft Windows 2000Windows ShellBuffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled.Christine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWinXP,SP2 DDS Library Shape Control Buffer OverflowMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDSamba Encrypted Password DoSSun Solaris 9SambaBuffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDServer 2003,SP1 DDS Library Shape Control Buffer OverflowMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP (64-bit) Embedded Web Font VulnerabilityMicrosoft Windows XPOperating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX xterm Privilege Escalation Vulnerability (B.11.11)HP-UX 11Operating SystemUnspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors.Robert L. HollisDRAFTMatthew WojcikINTERIMACCEPTEDACCEPTEDServer 2003,SP1 Graphics Rendering Engine VulnerabilityMicrosoft Windows XPOperating SystemThe Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows NT SMB Buffer OverflowMicrosoft Windows NTSMB (Server Message Block)Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDHP-Samba DACL Remote Integer Overflow Vulnerability (CIFS A.01)HP-UX 11SambaInteger overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Certificate Validation Identity Spoofing Vulnerability (Test 1)Microsoft Windows NTCertificate ValidationMicrosoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).Christine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDHP-UX Shared Library Privilege Escalation Vulnerability (B.11.11)HP-UX 11Operating SystemUnspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows NT MUP UNC Request Buffer OverflowMicrosoft Windows NTMultiple UNC Provider (MUP)Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request.Tiffany BergeronACCEPTEDWinXP,SP2 COM object Remote Code Execution VulnerabilityMicrosoft Windows XPOperating SystemUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSMC TRACE HTTP VulnerabilitySun Solaris 8Sun Solaris 9Sun Solaris 10Solaris Management ConsoleThe default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDFirefox/Mozilla Suite about: Scheme Privilege Escalation VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefox before 1.0.7 and Mozilla before Suite 1.7.12 allows remote attackers to execute Javascript with chrome privileges via an about: page such as about:mozilla.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 SNMPv1 Trap Handling DoS and Privilege Escalation (Test 1)Microsoft Windows 2000Simple Network Management Protocol (SNMP)Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. 
This and other SNMP-related candidates will be updated when more accurate information is available.Harvey RubinovitzACCEPTEDHP-UX ftpd Remote Unauthorized Data Access (B.11.11)HP-UX 11ftpdThe FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP,SP1 DirectShow Malicious avi File VulnerabilityMicrosoft Windows XPDirectXQUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP,SP2 Graphics Rendering Engine VulnerabilityMicrosoft Windows XPOperating SystemThe Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.Robert L. HollisDRAFTRobert L. HollisINTERIMACCEPTEDACCEPTEDWin2K Graphics Rendering Engine VulnerabilityMicrosoft Windows 2000Operating SystemThe Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft IE Encoded Characters Information DisclosureMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure."Harvey RubinovitzChristine WalzerINTERIMACCEPTEDACCEPTEDHP-UX envd Local Execution of Privileged Code (B.11.00)HP-UX 11envdenvd daemon in HP-UX B.11.00 through B.11.11 allows local users to obtain privileges via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP IIS WebDAV Message Handler Denial of Service VulnerabilityMicrosoft Windows XPMicrosoft Internet Information Server (IIS)The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDTCP/IP IGMP v3 Denial of Service (XP,SP2)Microsoft Windows XPOperating SystemMicrosoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 DirectShow Malicious avi File VulnerabilityMicrosoft Windows Server 2003DirectXQUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in CDOSYS Message Processing (Win2K,SP4)Microsoft Windows 2000Operating SystemBuffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDSuppressed OVAL142, covered by OVAL2022Microsoft Windows NTWindows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMicrosoft Word2003 Malformed Object Pointer VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft WordBuffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.Robert L. HollisDRAFTJohn HoylandINTERIMACCEPTEDACCEPTEDMS Word 6.0 Table Conversion Vulnerability (NT 4.0 Terminal Server)Microsoft Windows NTMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDFTP Download Destination Tampering Vulnerability (Windows XP)Microsoft Windows XPOperating SystemThe FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRHE4 Mozilla top.focus() Cross-Site Scripting VulnerabilityRed Hat Enterprise Linux 4mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDpasswd Local DoS Vulnerability (B.11.00)HP-UX 11Operating System'An undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDExcel 2002 Remote Code Execution via Malformed File FormatMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.Robert L. 
HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDPC Netlink 2.0 Privilege Escalation VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Solaris Management ConsoleThe (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 create temporary files insecurely, which allows local users to gain privileges.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX PMTUD Remote DoS (B.11.23-IPSEC)HP-UX 11Operating SystemUnknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in CDOSYS Message Processing (WinXP,SP1)Microsoft Windows XPOperating SystemBuffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 Print Spooler Service Buffer OverflowMicrosoft Windows Server 2003Print Spooler ServiceBuffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWinamp Hostname Buffer OverflowMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003WinampBuffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field).Robert L. 
Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Excel 2000 Remote Code Execution via Malformed Graphic
Platform: Microsoft Windows 2000
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; John Hoyland; ACCEPTED. Status: ACCEPTED.

Title: Default Registry Permissions on the MTS Package Admin Key
Platform: Microsoft Windows NT
Product: Microsoft Transaction Server (MTS)
Description: The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allow local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities.
Repository trail: Matt Busby; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Sun Solaris 8 XSun Color Database File Heap Overflow
Platform: Sun Solaris 8
Product: Xsun
Description: Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
Repository trail: David Proulx. Status: ACCEPTED.

Title: Default Registry Permissions on SNMP Parameters
Platform: Microsoft Windows NT
Product: Simple Network Management Protocol (SNMP)
Description: The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allow remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities.
Repository trail: Matt Busby; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Evolution GtkHTML DoS via Malformed Message
Platform: Red Hat Linux 9
Product: GtkHTML
Description: GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages.
Repository trail: Jay Beale; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows NT IIS HTTP Header Field Buffer Overflow
Platform: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values.
Repository trail: Tiffany Bergeron; ACCEPTED. Status: ACCEPTED.

Title: Microsoft Java Virtual Machine Security Bypass
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Virtual Machine (VM)
Description: The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise."
Repository trail: Tiffany Bergeron; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: GnuPG Invalid User ID Vulnerability
Platform: Red Hat Linux 9
Product: GnuPG
Description: The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.
Repository trail: Jay Beale; INTERIM; Jay Beale; ACCEPTED. Status: ACCEPTED.

Title: Server 2003 IE HTML Help ActiveX control Cross Domain Vulnerability
Platform: Microsoft Windows Server 2003
Product: HTML Help ActiveX Control
Description: Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."
Repository trail: Matthew Burton; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: RHE3 XBL Script Security Bypass Vulnerability
Platform: Red Hat Enterprise Linux 3
Product: mozilla
Description: Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 run XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: FreeRADIUS Ascend-Send-Secret Server Crash
Platform: Red Hat Enterprise Linux 3
Product: FreeRADIUS
Description: FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet.
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Apache mod_ssl CRL off-by-one DoS
Platform: HP-UX 11
Product: Apache
Description: Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Leaking GSSAPI Credentials Vulnerability (B.11.23)
Platform: HP-UX 11
Product: SecureShell
Description: sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows NT Task Scheduler Stack Overflow
Platform: Microsoft Windows NT
Product: Microsoft Internet Explorer
Description: Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.
Repository trail: Tiffany Bergeron; INTERIM; ACCEPTED; Andrew Buttner; Christine Walzer; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows Script Engine Heap Overflow (Test 4)
Platform: Microsoft Windows 2000
Product: Windows Script Engine for Jscript
Description: Integer overflow in the JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating systems allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.
Repository trail: DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; Anna Min; ACCEPTED. Status: ACCEPTED.

Title: Mozilla Integer overflows in E4X, SVG, and Canvas Features
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Multiple integer overflows in Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the (1) EscapeAttributeValue in jsxml.c for E4X, (2) nsSVGCairoSurface::Init in SVG, and (3) nsCanvasRenderingContext2D.cpp in Canvas.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: TIP Request Validation Process Permits Denial of Service (Win2k,SP4)
Platform: Microsoft Windows 2000
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 for XP,SP2 JPEG Image Rendering Memory Corruption Vulnerability
Platform: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".
Repository trail: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: WU-FTPD "glob-*" Remote DoS Vulnerability (B.11.00)
Platform: HP-UX 11
Product: ftpd
Description: The wu_fnmatch function in wu_fnmatch.c for wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 2000 Certificate Validation Identity Spoofing Vulnerability (Test 1)
Platform: Microsoft Windows 2000
Product: Certificate Validation
Description: The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
Repository trail: Christine Walzer; Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Microsoft Word 2000 Font Parsing Vulnerability
Platform: Microsoft Windows 2000
Product: Microsoft Office 2000 SP3
Description: Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and Microsoft Works Suites 2000 through 2004, might allow remote attackers to execute arbitrary code via a .doc file with long font information.
Repository trail: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 2000 IIS WebDAV Message Handler Denial of Service Vulnerability
Platform: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.
Repository trail: Jonathan Baker; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: GNU Ghostscript -dSAFER Vulnerability
Platform: Red Hat Linux 9
Product: GNU Ghostscript
Description: Unknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job.
Repository trail: Jay Beale; INTERIM; Jay Beale; ACCEPTED. Status: ACCEPTED.

Title: .lnk File-Open Remote Code Execution Vulnerability (XP,SP1)
Platform: Microsoft Windows XP
Product: Operating System
Description: Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Plug and Play User Data Validation Vulnerability (WinXP,SP1)
Platform: Microsoft Windows XP
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Excel 2000 Remote Code Execution via Malformed Record
Platform: Microsoft Windows 2000
Product: Microsoft Office
Description: Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; John Hoyland; ACCEPTED. Status: ACCEPTED.

Title: Distributed TIP Request Validation Process Permits Denial of Service (64-bit XP,SP1)
Platform: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows Kernel LPC Privilege Escalation Vulnerability (NT 4.0)
Platform: Microsoft Windows NT
Product: Windows kernel
Description: The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."
Repository trail: Christine Walzer; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows NT IIS ASP Server-Side Include Function Buffer Overflow
Platform: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in the ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names.
Repository trail: Tiffany Bergeron; ACCEPTED. Status: ACCEPTED.

Title: IE6:XP,SP2 Web Folder Behaviors Cross-Domain Vulnerability
Platform: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".
Repository trail: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: Exchange Server 5.0 TNEF Decoding Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Outlook
Description: Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Exchange Server 2000 when running Outlook Web Access Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Exchange Server
Description: Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: RHE4 Firefox and Mozilla Javascript Dialog Box Spoofing
Platform: Red Hat Enterprise Linux 4
Product: mozilla
Description: Firefox before 1.0.5 and Mozilla before 1.7.9 do not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: RHE4 Firefox InstallTrigger Callback Vulnerability
Platform: Red Hat Enterprise Linux 4
Description: The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Heap Overflow in Solaris 7 xlock
Platform: Sun Solaris 7
Product: xlock
Description: Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environment variable.
Repository trail: David Proulx. Status: ACCEPTED.

Title: Firefox/Mozilla Suite JavaScript Integer Overflow
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Integer overflow in the JavaScript engine in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 might allow remote attackers to execute arbitrary code.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Animated Cursor Denial of Service (XP)
Platform: Microsoft Windows XP
Product: Windows Animated Cursor
Description: The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
Repository trail: Christine Walzer; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 2000 HTR ISAPI Buffer Overflow
Platform: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names.
Repository trail: Tiffany Bergeron; ACCEPTED. Status: ACCEPTED.

Title: Buffer Overrun in HTML Help Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Operating System
Description: Heap-based buffer overflow in the HTML Help ActiveX control (hhctrl.ocx) in Microsoft Internet Explorer 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code by repeatedly setting the Image field of an Internet.HHCtrl.1 object to certain values, possibly related to improper escaping and long strings.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Server 2003 TAPI Buffer Overflow
Platform: Microsoft Windows Server 2003
Product: Telephony Service
Description: Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to elevate privileges or execute arbitrary code via a crafted message.
Repository trail: Andrew Buttner; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: MSDTC Denial of Service Vulnerability (XP,SP1)
Platform: Microsoft Windows XP
Product: Operating System
Description: Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows Explorer Web View Script Injection Vulnerability
Platform: Microsoft Windows 2000
Product: Operating System
Description: Web View in Windows Explorer on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 does not properly handle certain HTML characters in preview fields, which allows remote user-assisted attackers to execute arbitrary code.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: GDM X Display Manager Authorization Vulnerability
Platform: Red Hat Linux 9
Product: GDM
Description: The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name.
Repository trail: Jay Beale; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Network Connection Manager Interruption of Service (Windows 2000)
Platform: Microsoft Windows 2000
Product: Operating System
Description: netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Win2k Land Vulnerability
Platform: Microsoft Windows 2000
Product: Windows 2000
Description: Windows Server 2003 and XP SP2, with Windows Firewall turned off, allow remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
Repository trail: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Mozilla IDN heap overrun using soft-hyphens
Platform: HP-UX 11
Product: mozilla
Description: Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: FTP Download Destination Tampering Vulnerability (Server 2003)
Platform: Microsoft Windows Server 2003
Product: Operating System
Description: The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: TIP Request Validation Process Permits Denial of Service (WinXP,SP1)
Platform: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: RHE3 Firefox InstallTrigger Callback Vulnerability
Platform: Red Hat Enterprise Linux 3
Product: mozilla
Description: The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 2000 Color Management Module Buffer Overflow
Platform: Microsoft Windows 2000
Product: Microsoft Color Management Module
Description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
Repository trail: Christine Walzer; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 98 Program Group Converter Buffer Overflow
Platform: Microsoft Windows 98
Product: Program Group Converter
Description: Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
Repository trail: Andrew Buttner; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: HP-UX ftpd Remote Unauthorized Data Access (B.11.00)
Platform: HP-UX 11
Product: ftpd
Description: The FTP server in HP-UX 10.20, B.11.00, and B.11.11 allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Object Spoofing using XBL <implements> Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allow remote attackers to spoof DOM objects via an XBL control that implements an internal XPCOM interface.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Server 2003 Object Management Vulnerability
Platform: Microsoft Windows Server 2003
Product: Windows kernel
Description: Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".
Repository trail: Ingrid Skoog; DRAFT; INTERIM; Christine Walzer; ACCEPTED. Status: ACCEPTED.

Title: RPCSS DCOM Buffer Overflow (Windows 2000)
Platform: Microsoft Windows 2000
Product: Remote Procedure Call (RPC)
Description: Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.
Repository trail: Tiffany Bergeron; ACCEPTED. Status: ACCEPTED.

Title: COM+ Memory Structures Process Permits Remote Code Execution (WinXP,SP1)
Platform: Microsoft Windows XP
Product: Operating System
Description: COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: RHE3 Firefox and Mozilla Javascript Dialog Box Spoofing
Platform: Red Hat Enterprise Linux 3
Product: mozilla
Description: Firefox before 1.0.5 and Mozilla before 1.7.9 do not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Win2k,SP4 DirectShow Malicious avi File Vulnerability
Platform: Microsoft Windows 2000
Product: DirectX
Description: QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Mozilla Crashes with Evidence of Memory Corruption (Firefox Regression Fix)
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: A regression fix in Mozilla Firefox 1.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the InstallTrigger.install method, which leads to memory corruption.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: WU-FTPD "glob-*" Remote DoS Vulnerability (B.11.23)
Platform: HP-UX 11
Product: ftpd
Description: The wu_fnmatch function in wu_fnmatch.c for wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: zlib Compression Remote DoS Vulnerability (B.11.23)
Platform: HP-UX 11
Product: SecureShell
Description: zlib 1.2 and later versions allow remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: COM+ Memory Structures Process Permits Remote Code Execution (64-bit XP,SP1)
Platform: Microsoft Windows XP
Product: Operating System
Description: COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Integer Overflow in libgd2
Platform: Red Hat Enterprise Linux 3
Product: libgd
Description: Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941.
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE v6.0 Improper Cross Domain Security Validation with Dialog Box
Platform: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."
Repository trail: Andrew Buttner; Christine Walzer; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: RHE3 Firefox and Mozilla DOM Node Spoofing
Platform: Red Hat Enterprise Linux 3
Product: mozilla
Description: Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 do not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows XP Web Client Service Buffer Overflow
Platform: Microsoft Windows XP
Product: Web Client Service
Description: Buffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters.
Repository trail: Matthew Burton; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Network Connection Manager Interruption of Service (Windows XP,SP1)
Platform: Microsoft Windows XP
Product: Operating System
Description: netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Distributed TIP Request Validation Process Permits Denial of Service (Win2k,SP4)
Platform: Microsoft Windows 2000
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Cross-Domain Information Disclosure Vulnerability (WinXP)
Platform: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 does not always correctly identify the domain that is associated with a browser window, which allows remote attackers to obtain sensitive cross-domain information and spoof sites by running script after the user has navigated to another site.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Mozilla Privilege Escalation Using a JavaScript Function's Cloned Parent
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allow remote attackers to execute arbitrary code by using the Object.watch method to access the "clone parent" internal function.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: VirusVault CGI Byterange Request DoS
Platform: HP-UX 11
Product: Apache
Description: The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Plug and Play User Data Validation Vulnerability (Windows 2000)
Platform: Microsoft Windows 2000
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: sudo Symlink Vulnerability
Platform: Red Hat Enterprise Linux 3
Product: sudo
Description: Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack.
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.
Note: It appears that we can't parse the vulnerable configuration condition (an ALL in the second field of a line after a line that has no ALL in the second field) with our existing regexp.

Title: MS Word 6.0 Font Conversion Vulnerability (Windows 2000)
Platform: Microsoft Windows 2000
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, or .doc file sent by email or a malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
Repository trail: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Andrew Buttner; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: EMF Rendering Denial of Service Vulnerability (Windows 2000)
Platform: Microsoft Windows 2000
Product: Operating System
Description: The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Solaris 7 cachefsd Heap Overflow Vulnerability
Platform: Sun Solaris 7
Product: cachefsd
Description: Heap-based buffer overflow in the cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.
Repository trail: David Proulx; Brian Soby; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Webproxy HTTP Request Smuggling (B.11.04)
Platform: HP-UX 11
Product: Apache
Description: 'An undisclosed vulnerability has been identified in Apache HTTP server versions prior to Apache 1.3.34 that may allow HTTP Request Splitting/Spoofing attacks, resulting in remote unauthorized access.'
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Word 2003 (wordview) Malicious .doc Buffer Overflow II
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Word 2003
Description: Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.
Repository trail: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; Chris Wood; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: WinXP,SP2 DirectShow Malicious avi File Vulnerability
Platform: Microsoft Windows XP
Product: DirectX
Description: QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Mozilla FTP URI MIME Type Exploit Vulnerability
Platform: Sun Solaris 8
Product: mozilla
Description: Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI.
Repository trail: Brian Soby; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: RHE4 Improper Handling of Synthetic Events in Mozilla
Platform: Red Hat Enterprise Linux 4
Product: mozilla
Description: The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Linux Kernel shmctl() Memory Swap Vulnerability
Platform: Red Hat Enterprise Linux 3
Product: Linux kernel
Description: The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.
Repository trail: Jay Beale; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Step-by-Step Interactive Training Buffer Overflow
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Interactive Training
Description: Buffer overflow in Microsoft Step-by-Step Interactive Training (orun32.exe) allows remote attackers to execute arbitrary code via a bookmark link file (.cbo, .cbl, or .cbm extension) with a long User field.
Repository trail: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: MSDTC Invalid Memory Access Vulnerability (Win2K)
Platform: Microsoft Windows 2000
Product: Operating System
Description: Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, aka the MSDTC Invalid Memory Access Vulnerability.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: WebClient Service Unchecked Buffer Remote Code Execution (Server 2003,SP1)
Platform: Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: EMF Rendering Denial of Service Vulnerability (64-bit Windows XP and Server 2003,SP1)
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003
Product: Operating System
Description: The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 2000 TAPI Buffer Overflow
Platform: Microsoft Windows 2000
Product: Telephony Service
Description: Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to elevate privileges or execute arbitrary code via a crafted message.
Repository trail: Andrew Buttner; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: HP-UX ftpd Remote Unauthorized Data Access (B.10.24)
Platform: HP-UX 11
Product: ftpd
Description: The FTP server in HP-UX 10.20, B.11.00, and B.11.11 allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: CSNW Remote Buffer Overflow via Network Messages (WinXP,SP2)
Platform: Microsoft Windows XP
Product: NetWare
Description: The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Microsoft SQL Server Extended Stored Procedure Buffer Overflow
Platform: Microsoft Windows 2000
Product: SQL Server 2000
Description: Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments.
Repository trail: Yi-Fang Koh; Ingrid Skoog (seven entries); INTERIM; ACCEPTED. Status: ACCEPTED.

Title: WinXP,SP2 MDAC RDS.Dataspace Remote Code Execution Vulnerability
Platform: Microsoft Windows XP
Product: MDAC
Description: Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Distributed TIP Request Validation Process Permits Denial of Service (WinXP,SP1)
Platform: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows Server 2003 (64-bit) RPCSS DCOM Buffer Overflow (Blaster)
Platform: Microsoft Windows Server 2003
Product: Distributed Component Object Model (DCOM)
Description: Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Repository trail: Christine Walzer; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Buffer Overflow in CDOEX Message Processing
Platform: Microsoft Windows 2000
Product: Operating System
Description: Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.
Repository trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Solaris 7 KCMS Arbitrary File Access Vulnerability
Platform: Sun Solaris 7
Product: kcms_server
Description: Directory traversal vulnerability in the Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
Repository trail: David Proulx. Status: ACCEPTED.

Title: IE v5.5,SP2 Forced Script Execution
Platform: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.
Repository trail: David Proulx. Status: ACCEPTED.

Title: Firefox/Mozilla Suite Chrome Window Spoofing Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allow remote attackers to spawn windows without user interface components such as the address and status bar, which could be used to conduct spoofing or phishing attacks.
Repository trail: Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in libgdRed Hat Enterprise Linux 3libgdMultiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Agent Security Prompt Spoofing Vulnerability (Windows XP)Microsoft Windows XPMicrosoft AgentMicrosoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page.Harvey RubinovitzDRAFTHarvey RubinovitzINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTED.lnk File-Properties Remote Code Execution Vulnerability (Windows 2000)Microsoft Windows 2000Operating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-assisted attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWin2K COM object Remote Code Execution VulnerabilityMicrosoft Windows 2000Operating SystemUnspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Word 2002 Font Parsing VulnerabilityMicrosoft Windows XPMicrosoft Office XPSP3Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and Microsoft Works Suites 2000 through 2004, might allow remote attackers to execute arbitrary code via a .doc file with long font information.Christine WalzerDRAFTINTERIMJonathan BakerACCEPTEDRobert L. HollisINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMozilla Table Rebuilding Code Execution VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via "an invalid and non-sensical ordering of table-related tags" that results in a negative array index.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE .chm Directory Traversal Windows XP VulnerabilityMicrosoft Windows XPHTML Help FacilityInternet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDServer 2003,SP1 Embedded Web Font VulnerabilityMicrosoft Windows Server 2003Operating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDDistributed TIP Request Validation Process Permits Denial of Service (XP,SP2)Microsoft Windows XPTIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDOLE Component Input Validation Vulnerability (32-bit XP,SP2)Microsoft Windows XPWindows Media Player 9The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 SMB Buffer OverflowMicrosoft Windows 2000SMB (Server Message Block)Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.Tiffany BergeronACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWMF Rendering Code Execution Vulnerability (32-bit Windows XP,SP2)Microsoft Windows XPOperating SystemMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMultiple Buffer Overflows in libXML2Red Hat Enterprise Linux 3libxml2Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDRHE3 Firefox External App Code Acceptance VulnerabilityRed Hat Enterprise Linux 3mozillaFirefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft ISA Server Cross-Site ScriptingMicrosoft Windows 2000ISA Server 2000Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm 
for "404 Not Found."Tiffany BergeronACCEPTEDACCEPTEDgzip Hard Link AttackRed Hat Enterprise Linux 3gzipRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDSuppressed: Duplicate of OVAL3743Microsoft Windows Server 2003Microsoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDACCEPTEDMHT Memory Corruption Vulnerability (S03,SP1)Microsoft Windows Server 2003Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 10Operating SystemUnspecified vulnerability in the kernel processing in Solaris 10 64 bit platform, when running in 64-bit mode, allows local users to cause a denial of service (system panic) via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDExchange Server 2003,SP1 when running Outlook Web Access VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Exchange ServerCross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDSun Solaris 8Sun Solaris 9PerlSafe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 COM Structured Storage VulnerabilityMicrosoft Windows 2000COM Internet ServicesWindows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDExcel 2000 Remote Code Execution via Malformed File FormatMicrosoft Windows 2000Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMJohn HoylandACCEPTEDACCEPTEDWinXP,SP1 (64-bit) DDS Library Shape Control Buffer OverflowMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDbzip2 Arbitrary File Permission Modification VulnerabilityRed Hat Enterprise Linux 3bzip2Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDEMF Rendering Denial of Service Vulnerability (32-bit Windows XP,SP1)Microsoft Windows XPOperating SystemThe GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHP-UX Trusted Mode remshd Remote Unauthorized Access (B.11.11)HP-UX 11remshdUnknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCrash on "zero-width non-joiner" SequenceMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via Unicode sequences with "zero-width non-joiner" characters.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Windows Server 2003, SP1 is installedMicrosoft Windows Server 2003The operating system installed on the system is Microsoft Windows Server 2003, SP1.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Windows XP, SP2 is installedMicrosoft Windows XPThe operating system installed on the system is Microsoft Windows XP, SP2.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Windows XP, SP1 (64-bit) is installedMicrosoft Windows XPThe operating system installed on the system is Microsoft Windows XP, SP1 (64-bit).Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Windows 2000 is installedMicrosoft Windows 2000The operating system installed on the system is Microsoft Windows 2000.Andrew ButtnerACCEPTEDACCEPTEDMicrosoft Windows 2000, SP4 is installedMicrosoft Windows 2000The operating system installed on the system is Microsoft Windows 2000, SP4.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Windows Server 2003 is installedMicrosoft Windows Server 2003The operating system installed on the system is Microsoft Windows Server 2003.Andrew ButtnerACCEPTEDACCEPTEDMicrosoft Windows Server 2003 (Gold) is installedMicrosoft Windows Server 2003The operating system installed on the system is Microsoft Windows Server 2003 (Gold).Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHyperlink Object Function VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemUnspecified vulnerability in Microsoft Hyperlink Object Library (hlink.dll), possibly a buffer overflow, allows user-assisted attackers to execute arbitrary code via crafted hyperlinks that are not properly handled when hlink.dll "uses a file containing a malformed function," aka "Hyperlink Object Function Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003,SP1 DirectShow Malicious avi File VulnerabilityMicrosoft Windows Server 2003DirectXQUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 Installed XP,SP2 File Disclosure via Redirects VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerThe legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDHP-UX wuftpd Privilege Escalation Vulnerability (B.11.11)HP-UX 11ftpdwu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDISA Server Poison Cache VulnerabilityMicrosoft Windows 2000ISA Server 2000Microsoft ISA Server 2000 allows remote attackers to poison the ISA cache or bypass content restriction policies via a malformed HTTP request packet containing multiple Content-Length headers.Christine WalzerDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDIE6 HTML Tag Memory Corruption (Server 2003,SP1)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows XP Unknown Vector SMB VulnerabilityMicrosoft Windows XPSMB (Server Message Block)Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDString Format Vulnerability in Solaris 7 snmpdxSun Solaris 7snmpdxFormat string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.David ProulxACCEPTEDTelnet Client Information Disclosure VulnerabilityRed Hat Enterprise Linux 3telnetCertain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDSMB Driver Elevation of Privilege Vulnerability (S03,SP1)Microsoft Windows Server 2003Operating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDDistributed TIP Request Validation Process Permits Denial of Service (Server 2003,SP1)Microsoft Windows Server 2003TIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDCOM Object Instantiation Memory Corruption Vulnerability (S03,SP1)Microsoft Windows Server 2003Internet ExplorerMultiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDTIP Request Validation Process Permits Denial of Service (XP,SP2)Microsoft Windows XPTIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDX Display Manager Control Protocol Denial of ServiceRed Hat Linux 9GDMThe X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549.Jay BealeINTERIMACCEPTEDACCEPTEDBuffer Overflows in uucpSun Solaris 7Sun Solaris 8Sun Solaris 9uucpMultiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.Brian SobyDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMINTERIMACCEPTEDACCEPTEDServer 2003 Color Management Module Buffer OverflowMicrosoft Windows Server 2003Microsoft Color Management ModuleBuffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDRHE4 Fetchmail Buffer Overflow via Long UIDL ResponsesRed Hat Enterprise Linux 4fetchmailBuffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. 
This is the correct identifier.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDLinux Kernel elf_core_dump() Buffer OverflowRed Hat Enterprise Linux 3Linux kernelThe elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDEMF Rendering Denial of Service Vulnerability (32-bit Windows XP,SP2)Microsoft Windows XPOperating SystemThe GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDGDM Examine Errors Symlink VulnerabilityRed Hat Linux 9GDMGDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file.Jay BealeINTERIMACCEPTEDACCEPTEDMS Windows RPC DCOM DoS-based Privilege Escalation Vulnerability (Test 2)Microsoft Windows 2000Remote Procedure Call (RPC)The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDmlock Memory Page Tracking VulnerabilityRed Hat Enterprise Linux 3Linux kernelThe linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to 
another process, which allows local users to mlock more memory than specified by the rlimit.Jay BealeDRAFTINTERIMACCEPTEDACCEPTED.lnk File-Properties Remote Code Execution Vulnerability (Windows XP)Microsoft Windows XPOperating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-assisted attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6,SP2 PNG Image Buffer OverflowMicrosoft Windows XPMicrosoft Internet ExplorerBuffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.Harvey RubinovitzDRAFTHarvey RubinovitzINTERIMACCEPTEDAnna MinINTERIMACCEPTEDACCEPTEDHP-UX 11Operating SystemMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDKerberos V5 Null Pointer DoS VulnerabilitySun Solaris 7Sun Solaris 8Sun Solaris 9Solaris Enterprise Authentication Mechanism (SEAM)MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.Brian SobyDRAFTINTERIMACCEPTEDACCEPTEDXimian Evolution MIME-encoded Image Buffer OverflowRed Hat Linux 9Ximian EvolutionThe handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image.Jay BealeINTERIMJay BealeACCEPTEDACCEPTEDgzip zgrep Sanitation VulnerabilityRed Hat Enterprise Linux 3gzipzgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.Jay BealeDRAFTINTERIMACCEPTEDACCEPTEDCSNW Remote Buffer Overflow via Network Messages (WinXP,SP1)Microsoft Windows XPNetWareThe Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDGDI+ JPEG Parsing Engine Buffer Overflow (Server 2003)Microsoft Windows XPMicrosoft Windows Server 2003GDI+Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTINTERIMACCEPTEDRobert L. 
Hollis; ACCEPTED. Current status: ACCEPTED.

Title: DirectX 9 DirectShow Malicious MIDI File Vulnerability
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: DirectX
Description: Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: String Format Vulnerability in Solaris 8 snmpdx
Platforms: Sun Solaris 8
Product: snmpdx
Description: Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.
Contributors and status history: David Proulx. Current status: ACCEPTED.

Title: Solaris 9 CDE ToolTalk Database Null Write Vulnerability
Platforms: Sun Solaris 9
Product: CDE
Description: CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.
Contributors and status history: Brian Soby; DRAFT; INTERIM; ACCEPTED; Brian Soby; Brian Soby; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: usermod Recursive Ownership Error (B.11.23)
Platforms: HP-UX 11
Product: Apache
Description: A security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user's home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is '/', this action will render the system inoperable.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: IE Web Page Spoofing Vulnerability
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and earlier allows remote attackers to display a URL in the address bar that is different than the URL that is actually being displayed, which could be used in web site spoofing attacks, aka the "Web page spoofing vulnerability."
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: DirectX 8 DirectShow Malicious MIDI File Vulnerability
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows 2000
Product: DirectX
Description: Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: IE plugin.ocx Heap Overflow
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Heap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via the Load() method, a different vulnerability than CVE-2003-0115.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED; INTERIM; Harvey Rubinovitz; ACCEPTED. Current status: ACCEPTED.

Title: Windows Server 2003 SSL PCT Handshake Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Private Communications Transport (PCT)
Description: Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.
Contributors and status history: Andrew Buttner; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows ntdll.dll Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.
Contributors and status history: Tiffany Bergeron. Current status: ACCEPTED.

Title: XMLHttpRequest Header Spoofing Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Outlook Express 5.5,SP2 News Reading Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Outlook Express
Description: Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.
Contributors and status history: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Mozilla JavaScript Garbage-collection Hazard Audit
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: The JavaScript engine in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly handle temporary variables that are not garbage collected, which might allow remote attackers to trigger operations on freed memory and cause memory corruption.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: PostgreSQL tsearch2 "internal" Functions Vulnerability
Platforms: Red Hat Enterprise Linux 3
Product: postgresql
Description: The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments.
Contributors and status history: Jay Beale; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Exchange 2000 Server TNEF Decoding Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Outlook
Description: Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: gzip Argument Sanitation Vulnerability
Platforms: Red Hat Enterprise Linux 3
Product: zgrep
Description: zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.
Contributors and status history: Jay Beale; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Ximian Evolution User Agent Multiple uuencoding Denial of Service
Platforms: Red Hat Linux 9
Product: Ximian Evolution
Description: Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times.
Contributors and status history: Jay Beale; INTERIM; Jay Beale; ACCEPTED. Current status: ACCEPTED.

Title: MS CIFS Spoofed Browse Frame Request Vulnerability
Platforms: Microsoft Windows 2000
Product: NetBIOS
Description: Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Exception Handling Memory Corruption Vulnerability (S03,SP1)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Unspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: MS SQL Server 2000 Resolution Service Buffer Overflow
Platforms: Microsoft Windows NT
Product: SQL Server 2000
Description: Multiple buffer overflows in SQL Server 2000 Resolution Service allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; ACCEPTED; Ingrid Skoog; Ingrid Skoog; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows NT/2000 ASN.1 Library Double-free Memory Corruption Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft ASN.1 Library
Description: Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Contributors and status history: David Proulx; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows XP TAPI Buffer Overflow
Platforms: Microsoft Windows XP
Product: Telephony Service
Description: Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to elevate privileges or execute arbitrary code via a crafted message.
Contributors and status history: Andrew Buttner; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Perl Format String Integer Overflow Vulnerability
Platforms: Sun Solaris 10
Product: Perl
Description: Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: RHE4 Firefox External App Code Acceptance Vulnerability
Platforms: Red Hat Enterprise Linux 4
Product: mozilla
Description: Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.
Contributors and status history: Jay Beale; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: DCOM RPC Object Identity Windows XP Vulnerability
Platforms: Microsoft Windows XP
Product: Remote Procedure Call (RPC)
Description: The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: MSDTC Unchecked Buffer Permits Remote Code Execution or Privilege Elevation (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: MSDTC
Description: The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Exchange Server 2003,SP2 when running Outlook Web Access Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Exchange Server
Description: Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Ximian Evolution Mail User Agent uuencoded header Denial of Service
Platforms: Red Hat Linux 9
Product: Ximian Evolution
Description: The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow.
Contributors and status history: Jay Beale; INTERIM; Jay Beale; ACCEPTED. Current status: ACCEPTED.

Title: Microsoft PowerPoint 2003 Remote Code Execution Using a Malformed Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption.
Contributors and status history: Robert L. Hollis; DRAFT; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows 2000 Internet Printing ISAPI Extension Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Microsoft JScript Memory Corruption Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: DCOM RPC Object Identity Windows 2003 Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Remote Procedure Call (RPC)
Description: The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Multiple Format String Vulnerabilities in neon and Dependent Products
Platforms: Red Hat Enterprise Linux 3
Product: Red Hat Enterprise Linux 3
Description: Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED; Matthew Wojcik; Matthew Wojcik; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows XP WMF/EMF Buffer Overflow
Platforms: Microsoft Windows XP
Products: Enhanced Metafile (EMF); Windows Metafile (WMF)
Description: Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image.
Contributors and status history: Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: WMF Rendering Code Execution Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Operating System
Description: Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: DCOM RPC Object Identity Windows 2000 Vulnerability
Platforms: Microsoft Windows 2000
Product: Remote Procedure Call (RPC)
Description: The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: IE6:XP,SP2 COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.
Contributors and status history: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Current status: ACCEPTED.

Title: Directory Traversal Vulnerability in CVS Server
Platforms: Red Hat Enterprise Linux 3
Product: Red Hat Enterprise Linux 3
Description: CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Various Ethereal Dissector Vulnerabilities
Platforms: Red Hat Linux 9
Product: Ethereal
Description: Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors.
Contributors and status history: Jay Beale; INTERIM; Jay Beale; ACCEPTED. Current status: ACCEPTED.

Title: Microsoft Certificate Validation Flaw Identity Spoofing Vulnerability (Variant)
Platforms: Microsoft Windows NT
Product: Certificate Validation
Description: Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).
Contributors and status history: Christine Walzer; Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows XP HTML Help Remote Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: HTML Help Facility
Description: Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
Contributors and status history: Andrew Buttner; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Microsoft Certificate Validation Flaw Identity Spoofing Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft CryptoAPI
Description: The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
Contributors and status history: Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows XP winlogon Remote Buffer Overflow
Platforms: Microsoft Windows XP
Product: Windows logon process (winlogon)
Description: Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.
Contributors and status history: Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows XP (32-Bit) DUNZIP Integer Overflow
Platforms: Microsoft Windows XP
Product: Compressed Folders
Description: Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.
Contributors and status history: David Proulx; DRAFT; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Multiple Vulnerabilities in Rockliffe MailSite Express
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Rockliffe MailSite Express
Description: Cross-site scripting (XSS) vulnerability in Rockliffe MailSite Express before 6.1.22 allows remote attackers to inject arbitrary web script or HTML via a message body.
Contributors and status history: Rahul Mohandas; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows 2000 IIS Directory Traversal Command Execution (Test 2)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Red Hat OpenSSL Kerberos Handshake Vulnerability
Platforms: Red Hat Linux 9
Product: OpenSSL
Description: The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.
Contributors and status history: Matt Busby; Matt Busby; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: SNMP Trap Handling Vulnerability
Platforms: Sun Solaris 7; Sun Solaris 8
Product: snmpdx
Description: Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
Contributors and status history: Brian Soby; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows Utility Manager Shatter Message Vulnerability
Platforms: Microsoft Windows 2000
Product: Utility Manager
Description: The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213.
Contributors and status history: Harvey Rubinovitz; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows 2000 Print Spooler Service Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Print Spooler Service
Description: Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.
Contributors and status history: Matthew Burton; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Solaris Xsun Privilege Escalation via Pixmaps Vulnerability
Platforms: Sun Solaris 8; Sun Solaris 9; Sun Solaris 10
Product: X
Description: Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Malicious CVS Server RCS diff File Vulnerability in CVS Client
Platforms: Red Hat Enterprise Linux 3
Product: Red Hat Enterprise Linux 3
Description: The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: DCOM RPC Object Identity Windows NT Vulnerability
Platforms: Microsoft Windows NT
Product: Remote Procedure Call (RPC)
Description: The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: MDAC SQL-DMO Buffer Overflow (Test 3)
Platforms: Microsoft Windows XP
Product: Microsoft Data Access Components 2.7
Description: Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.
Contributors and status history: Christine Walzer; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: RHE3 Fetchmail Buffer Overflow via Long UIDL Responses
Platforms: Red Hat Enterprise Linux 3
Product: fetchmail
Description: Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier.
Contributors and status history: Jay Beale; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Mozilla Privilege Escalation via XBL.method.eval
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to execute arbitrary code by using an eval in an XBL method binding (XBL.method.eval) to create Javascript functions that are compiled with extra privileges.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Red Hat Enterprise 3 Kernel ncp_lookup Function BO
Platforms: Red Hat Enterprise Linux 3
Product: Red Hat Enterprise Linux 3
Description: Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: SquirrelMail SQL Injection Vulnerability
Platforms: Red Hat Enterprise Linux 3
Product: SquirrelMail
Description: SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows Server 2003 Help and Support Center HCP URL Validation Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Help and Support Center (HSC)
Description: Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm).
Contributors and status history: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Current status: ACCEPTED.

Platforms: HP-UX 11
Product: swagentd
Description: An undisclosed vulnerability has been identified in swagentd that could potentially be exploited remotely by an unauthenticated attacker to cause swagentd to abort.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows RPC Locator Service Buffer Overflow
Platforms: Microsoft Windows NT
Product: Locator service
Description: Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information.
Contributors and status history: Tiffany Bergeron. Current status: ACCEPTED.

Title: HP-UX ftpd Remote Unauthorized Data Access (B.11.04)
Platforms: HP-UX 11
Product: ftpd
Description: The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Outlook Express v6.0 for Server 2003 MHTML URL Processing Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Outlook Express
Description: The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."
Contributors and status history: Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows 2000 DirectPlay Denial of Service
Platforms: Microsoft Windows 2000
Product: Microsoft DirectPlay
Description: IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a through 9.0b, as used in Windows Server 2003 and earlier, allows remote attackers to cause a denial of service (application crash) via a malformed packet.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Incorrect Permission on SQL Server Service Account Registry Key
Platforms: Microsoft Windows NT
Product: SQL Server 2000
Description: The registry key containing the SQL Server service account information in Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, has insecure permissions, which allows local users to gain privileges, aka "Incorrect Permission on SQL Server Service Account Registry Key."
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; INTERIM; ACCEPTED; Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: The Remote Access Service is Running
Platforms: Microsoft Windows 2000
Product: NetBIOS
Description: A component service related to NETBIOS is running.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: WinNT Broad Permissions for Remote Registry Access
Platforms: Microsoft Windows NT
Product: Microsoft Windows NT
Description: The registry in Windows NT can be accessed remotely by users who are not administrators.
Contributors and status history: Tiffany Bergeron; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: MS Exchange Server Broad Permissions in WinReg Registry Key
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Exchange Server
Description: Microsoft Exchange Server 2000 System Attendant gives "Everyone" group privileges to the WinReg key, which could allow remote attackers to read or modify registry keys.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: NT4.0 Remote Registry Access Authentication Vulnerability
Platforms: Microsoft Windows NT
Product: Microsoft Windows NT
Description: The Remote Registry server in Windows NT 4.0 allows local authenticated users to cause a denial of service via a malformed request, which causes the winlogon process to fail, aka the "Remote Registry Access Authentication" vulnerability.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: IE6 Double Byte Character Parsing Memory Corruption (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability."
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Solaris 7 rpc.yppasswdd Buffer Overrun Vulnerability
Platforms: Sun Solaris 7
Product: rpc.yppasswdd
Description: Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.
Contributors and status history: David Proulx. Current status: ACCEPTED.

Title: Windows NT IIS Directory Traversal Command Execution (Test 2)
Platforms: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Red Hat Enterprise 3 Kernel R128 DRI Limits Checking Vulnerability
Platforms: Red Hat Enterprise Linux 3
Product: Red Hat Enterprise Linux 3
Description: Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Win2k Domain Controller LSASS Denial of Service
Platforms: Microsoft Windows 2000
Product: Lightweight Directory Access Protocol (LDAP)
Description: Unknown vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: WinXP,SP2 Drag-and-Drop Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."
Contributors and status history: Matthew Burton; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: IE File Download Dialog Deception Vulnerability
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6.0 allows remote attackers to cause the File Download dialogue box to misrepresent the name of the file in the dialogue in a way that could fool users into thinking that the file type is safe to download.
Contributors and status history: Tiffany Bergeron; INTERIM; ACCEPTED; INTERIM; Harvey Rubinovitz; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Red Hat Enterprise 3 Kernel Real Time Clock Data Leakage
Platforms: Red Hat Enterprise Linux 3
Product: Red Hat Enterprise Linux 3
Description: Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: SquirrelMail Cross-site Scripting Vulnerability II
Platforms: Red Hat Enterprise Linux 3
Product: SquirrelMail
Description: Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows 2000 IIS5 WebDAV Denial of Service
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned.
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Outlook Express v6.0,SP1 MHTML URL Processing Vulnerability
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Outlook Express
Description: The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."
Contributors and status history: Andrew Buttner; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Ethereal 0-Length Buffer Size Vulnerability in tvb_get_nstring0()
Platforms: Red Hat Linux 9
Product: Ethereal
Description: The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences.
Contributors and status history: Jay Beale; INTERIM; Jay Beale; ACCEPTED. Current status: ACCEPTED.

Title: Windows XP IIS5 WebDAV Denial of Service
Platforms: Microsoft Windows XP
Product: Microsoft Internet Information Server (IIS)
Description: IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned.
Contributors and status history: Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows XP Help and Support Center HCP URL Validation Vulnerability
Platforms: Microsoft Windows XP
Product: Help and Support Center (HSC)
Description: Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm).
Contributors and status history: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Windows XP ASN.1 Library Double-free Memory Corruption Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft ASN.1 Library
Description: Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Contributors and status history: David Proulx; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: SquirrelMail Cross-site Scripting Vulnerability I
Platforms: Red Hat Enterprise Linux 3
Product: SquirrelMail
Description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: WinXP Management Vulnerability
Platforms: Microsoft Windows XP
Product: Windows XP
Description: Windows XP allows local users to execute arbitrary programs by creating a task at an elevated privilege level through the eventtriggers.exe command-line tool or the Task Scheduler service, aka "Windows Management Vulnerability."
Contributors and status history: Harvey Rubinovitz; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: CVS serve_notify Improper Handling of Empty Data Lines
Platforms: Red Hat Enterprise Linux 3
Product: CVS
Description: serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.
Contributors and status history: Jay Beale; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Microsoft XML Core Services 4 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: Microsoft XML Core Services 4 is installed.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: libtiff Directory Entry Count Integer Overflow Vulnerability
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9; Sun Solaris 10
Product: libtiff
Description: Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: libtiff Malloc Error Denial of Service
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9; Sun Solaris 10
Product: libtiff
Description: Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: libtiff tif_dirread divide-by-zero Denial of Service
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9; Sun Solaris 10
Product: libtiff
Description: Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: libtiff RLE Decoder Buffer Overflow Vulnerabilities
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9; Sun Solaris 10
Product: libtiff
Description: Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: X Display Manager DoS via Invalid XDMCP Request
Platforms: Sun Solaris 7; Sun Solaris 8; Sun Solaris 9
Product: XDM
Description: X Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request.
Contributors and status history: Robert L. Hollis; Christine Walzer; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Apache mod_proxy Content-Length Header Buffer Overflow
Platforms: Sun Solaris 8; Sun Solaris 9
Product: Apache
Description: Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Apache Allow/Deny Parsing Error
Platforms: Sun Solaris 8; Sun Solaris 9
Product: Apache
Description: mod_access in Apache 1.3 before 1.3.30, when running on big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Apache Listening Socket Starvation Vulnerability
Platforms: Sun Solaris 8; Sun Solaris 9
Product: Apache
Description: Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Apache Error Log Escape Sequence Filtering Vulnerability
Platforms: Sun Solaris 8; Sun Solaris 9
Product: Apache
Description: Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Apache Nonce Verification Response Replay Vulnerability
Platforms: Sun Solaris 8; Sun Solaris 9
Product: Apache
Description: mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using an AuthNonce secret.
Contributors and status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Server 2003,SP1 PKINIT Information Disclosure Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.
Contributors and status history: Robert L. Hollis; INTERIM; ACCEPTED. Current status: ACCEPTED.

Title: Server 2003,SP1 Kerberos Message DoS Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.
Contributors and status history: Robert L. 
HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (64-bit) PKINIT Information Disclosure VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (64-bit) Kerberos Message DoS VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP2 PKINIT Information Disclosure VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDInteger overflow in the "Max-dotdot" CVS protocol commandRed Hat Enterprise Linux 3CVSInteger overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.Jay BealeINTERIMACCEPTEDACCEPTEDWindows XP,SP2 Kerberos Message DoS VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. 
HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (32-bit) PKINIT Information Disclosure VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (32-bit) Kerberos Message DoS VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows 2000 PKINIT Information Disclosure VulnerabilityMicrosoft Windows 2000Operating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows 2000 Kerberos Message DoS VulnerabilityMicrosoft Windows 2000Operating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (64-bit) RDP DoS VulnerabilityMicrosoft Windows XPOperating SystemThe Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.Robert L. 
HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL Definition 1297Microsoft Windows Server 2003Operating SystemBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Robert L. HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL Definition 1075Microsoft Windows XPOperating SystemBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Robert L. HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL Definition 1075Microsoft Windows XPOperating SystemBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 TAPI Buffer OverflowMicrosoft Windows XPOperating SystemBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Robert L. HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL1221Microsoft Windows Server 2003Microsoft Internet ExplorerUnknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".Robert L. 
HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL790Microsoft Windows Server 2003Microsoft Internet ExplorerUnknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 Print Spooler Service Buffer OverflowMicrosoft Windows XPOperating SystemBuffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP (64-bit) PnP Buffer OverflowMicrosoft Windows XPOperating SystemStack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.Robert L. HollisINTERIMACCEPTEDACCEPTEDMozilla Local File Loading VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDACCEPTEDMozilla Creates World-readable temp FilesMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF.Robert L. 
HollisJonathan BakerINTERIMACCEPTEDINTERIMACCEPTEDACCEPTEDMozilla SSL Lock Image Spoofing during Binary DownloadMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla SSL Lock Image Spoofing via "View Source"Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Inactive Tab Form Data Theft VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDFirefox Script-generated Download Prompt BypassMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxFirefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Inactive Tab Dialog Box VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows and facilitate phishing attacks, aka the "Dialog Box Spoofing Vulnerability."Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDACCEPTEDMozilla 407 Proxy Information Disclosure VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Livefeed Bookmark Cookie SwipingMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxFirefox before 1.0 allows the user to store a (1) javascript: or (2) data: URLs as a Livefeed bookmark, then executes it in the security context of the currently loaded page when the user later accesses the bookmark, which could allow remote attackers to execute arbitrary code.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Popup Content Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxMozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla SSL Lock Image Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla UTF8 to Unicode Conversion Heap OverflowMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdHeap-based buffer overflow in the UTF8ToNewUnicode function for Firefox before 1.0.1 and Mozilla before 1.7.6 might allow remote attackers to cause a denial of service (crash) or execute arbitrary code via invalid sequences in a UTF8 encoded string that result in a zero length value.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Download/Security Dialogs Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 allows remote attackers to spoof the (1) security and (2) download modal dialog boxes, which could be used to trick users into executing script or downloading and executing a file, aka "Firespoofing."Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla 'user:pass@host' Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdThe installation confirmation dialog in Firefox before 1.0.1, Thunderbird before 1.0.1, and Mozilla before 1.7.6 allows remote attackers to use InstallTrigger to spoof the hostname of the host performing the installation via a long "user:pass" sequence in the URL, which appears before the real hostname.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla String Library Memory Overwrite VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdString handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Autocomplete Data LeakMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxThe Form Fill feature in Firefox before 1.0.1 allows remote attackers to steal potentially sensitive information via an input control that monitors the values that are generated by the autocomplete capability.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla XSLT Stylesheet Information Disclosure PotentialMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6 does not restrict xsl:include and xsl:import tags in XSLT stylesheets to the current domain, which allows remote attackers to determine the existence of files on the local system.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Double Download .lnk VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdFirefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla "Save Link As" Dialog Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Download Dialog Source Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla HTTP auth Prompt Tab SpoofingMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Image Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdFirefox 1.0 does not prevent the user from dragging an executable file to the desktop when it has an image/gif content type but has a dangerous extension such as .bat or .exe, which allows remote attackers to bypass the intended restriction and execute arbitrary commands via malformed GIF files that can still be parsed by the Windows batch file parser, aka "firedragging."Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Cross-site Scripting via Drag and Drop to TabMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing."Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Privileged Content Loading VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox 1.0 allows remote attackers to execute arbitrary code via plugins that load "privileged content" into frames, as demonstrated using certain XUL events when a user drags a scrollbar two times, aka "Firescrolling."Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla IDN Homograph Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThe International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.Robert L. HollisChristine WalzerINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla GIF Heap OverflowMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdHeap-based buffer overflow in GIF2.cpp in Firefox before 1.0.2, Mozilla before to 1.7.6, and Thunderbird before 1.0.2, and possibly other applications that use the same library, allows remote attackers to execute arbitrary code via a GIF image with a crafted Netscape extension 2 block and buffer size.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDFirefox Sidebar Panel Code Execution VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxFirefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla XUL Drag and Drop Security Bypass VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of CVE-2005-0527, aka "Firescrolling 2."Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Javascript "lambda"Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThe find_replen function in jsstr.c in the the Javascript engine for Mozilla Suite 1.7.6, Firefox 1.0.1 and 1.0.2, and Netscape 7.2 allows remote attackers to read portions of heap memory in a Javascript string via the lambda replace method.Robert L. HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla PLUGINSPAGE Privileged Javascript Execution VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxThe Plugin Finder Service (PFS) in Firefox before 1.0.3 allows remote attackers to execute arbitrary code via a javascript: URL in the PLUGINSPAGE attribute of an EMBED tag.Robert L. HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla blocked javascript: popup Privilege Escalation VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option.Robert L. 
HollisINTERIMMatthew WojcikMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Global Pollution VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary script in other domains via a setter function for a variable in the target domain, which is executed when the user visits that domain, aka "Cross-site scripting through global scope pollution."Robert L. HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla favicons Code Execution VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThe favicon functionality in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary code via a <LINK rel="icon"> tag with a javascript: URL in the href attribute, aka "Firelinking."Robert L. HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Search Plugin Cross-site Scripting VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to execute arbitrary script and code via a new search plugin using sidebar.addSearchEngine, aka "Firesearching 1."Robert L. HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDFirefox Sidebar Code Execution via _search TargetMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxMultiple "missing security checks" in Firefox before 1.0.3 allow remote attackers to inject arbitrary Javascript into privileged pages using the _search target of the Firefox sidebar.Robert L. 
HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla InstallTrigger Instance Validation VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThe native implementations of InstallTrigger and other functions in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 do not properly verify the types of objects being accessed, which causes the Javascript interpreter to continue execution at the wrong memory address, which may allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code by passing objects of the wrong type.Robert L. HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla DOM Node Privilege Escalation VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThe privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object.Robert L. HollisINTERIMMatthew WojcikMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla JavaScript Wrapping VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript: URLs, as demonstrated using (1) a javascript: URL in a view-source: URL, (2) a javascript: URL in a jar: URL, or (3) "a nested variant."Robert L. 
HollisJonathan BakerINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDAnna MinINTERIMACCEPTEDACCEPTEDMozilla Script Privilege Context VulnerabilitiesMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CVE-2005-1160.Robert L. HollisJonathan BakerINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDAnna MinINTERIMACCEPTEDACCEPTEDIFRAME in Firefox and Mozilla Permits Execution of Arbitrary Javascript in Other DomainsMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477.Robert L. HollisJonathan BakerINTERIMMatthew WojcikACCEPTEDAnna MinINTERIMACCEPTEDACCEPTEDInstall Function in Firefox and Mozilla Permits Arbitrary Code ExecutionMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.Robert L. 
HollisJonathan BakerINTERIMMatthew WojcikACCEPTEDAnna MinINTERIMACCEPTEDACCEPTEDWindows XP Help Center Command Insertion VulnerabilityMicrosoft Windows XPHelp and Support Center (HSC)Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.Harvey RubinovitzDRAFTHarvey RubinovitzINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMAnna MinACCEPTEDACCEPTEDHeap Overflow in Solaris 8 xlockSun Solaris 8xlockHeap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.David ProulxACCEPTEDMicrosoft Windows XP is installedMicrosoft Windows XPThe operating system installed on the system is Microsoft Windows XP.Andrew ButtnerACCEPTEDACCEPTEDMicrosoft Windows XP, SP1 (32-bit) is installedMicrosoft Windows XPThe operating system installed on the system is Microsoft Windows XP, SP1 (32-bit).Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWe think, but are not sure that the affected version of bkupexec.exe is 3.60.1.298 The file should be found in C:\Program Files\VERITAS\Backup Exec\NT\bkupexec.exeWe think, but are not sure that the affected version of bkupexec.exe is 3.60.1.298 The file should be found in C:\Program Files\VERITAS\Backup Exec\NT\bkupexec.exeService Pack 2 or less for Windows Office XP needs regex involving strings and less thanegrep "^[Srecipient=2|S2]|^[^#]*\$>2|^[^#]*\$>recipient|^[^#]*\$>4|^[^#]*\$>final" /etc/mail/sendmail.cf True if any lines returnedgrep c2audit /etc/system True if "set c2audit:audit_load = 1" or similaregrep ^flags:.*a[sd] /etc/security/audit_control True if any lines returnedThe ImageMagick-* RPMs all require that the main ImageMagick RPM have the same version and release number.The ImageMagick-devel, ImageMagick-c++-devel, and ImageMagick-c++ RPMs all require that the exact same version of the ImageMagick RPM is present. As such, we can test for a vulnerable version of the former alone, rather than testing for the presence of each of these RPMs in particular.For "/tmp is readable by non-root users," use a compound test.The presence of /etc/named.conf indicates that the system is probably configured as a DNS serverSUNWkrbu - 32bit, SUNWkrbux - 64bitPackage which contains /usr/lib/netsvc/yp/ypxfrdCVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265CVE-2002-1265SUNWcsu = 32bit, SUNWcsxu = 64bitSolaris Management Console web interfaceMultiple RPMs were updated in this release, but all but mozilla-nspr have mozilla-with-their-same-version as an installation dependency. So, if mozilla is up to date, mozilla-chat, mozilla-devel, ... , mozilla-js-debugger are all up to date. Mozilla itself requires that mozilla-nspr and mozilla-nss be installed with the same version as itself.
This closes the loop -- if mozilla is up to date, so are the other mozilla-FOO RPMs.As stated in the iDefense security advisory, if this key exists and contains a value, then the system has Interactive Training installed, and it will process .cbo files.Rough translation of the Sun recommended test of: % grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___ default_realm = EXAMPLE.COMMultiple RPMs were updated in this release, but all but mozilla-nspr have mozilla-with-their-same-version as an installation dependency. So, if mozilla is up to date, mozilla-chat, mozilla-devel, ... , mozilla-js-debugger are all up to date. Mozilla itself requires that mozilla-nspr and mozilla-nss be installed with the same version as itself. This closes the loop -- if mozilla is up to date, so are the other mozilla-FOO RPMs.HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Outlook\InstallRoot.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEPathoutlook.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\NetShowVersionnscm.exenspmon.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Services\KB832359IsInstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\nsstationStartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Services\KB832359StartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Shared Tools\Web Server Extensions\Setup PackagesSharePointHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707IsInstalled108721
110453
109321
114890
120467
120468
^/etc/lp/printers/.*Wmvcore.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MediaPlayer\PlayerUpgradePlayerVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB832894InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\.NETFramework\policy\v1.0HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\NET Framework Setup\1.0\M886905InstalledHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{78705f0d-e8db-4b2d-8193-982bdda15ecd}VersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{78705f0d-e8db-4b2d-8193-982bdda15ecd}VersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\.NETFramework Setup\1.0\M886906Installed^(/usr)?/bin$admintoolHKEY_LOCAL_MACHINESOFTWARE\Microsoft\FpcInstallDirectoryh323fltr.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Fpc\Hotfixes\SP1\291InstalledHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Fpc\\Arrays\\\{[^\\]+\}\\Extensions\\Proxy-Plugins\\\{FE440D49-AB26-11D2-A101-00C04FB6CFB6\}$msFPCEnabledexprox.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Exchange Server 2003\SP1\832759HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\MSExchangeWEB\DAVReuseConnectionsHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB873339\Filelist111826
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\MSMQHKEY_LOCAL_MACHINESoftware\Microsoft\VisualStudio\7.0HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Common\InstallRootPathmsohev.dllaspnet_filter.dllnwrdr.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB873339\FilelistHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB890923-IE6SP1-20050225.103456HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\TFTPD\ParametersMastersHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\TFTPDHKEY_LOCAL_MACHINESOFTWARE\Microsoft\.NETFramework\policy\v1.1HKEY_LOCAL_MACHINEVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\.NETFramework Setup\1.1\M886903InstalledSystem.web.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\.NETFramework Setup\1.1\M886904InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824245Installed113073
SUNWlvmr/etc/rc[2-4].dS[0-9][0-9]svm.init/etcvfstab^/dev/md/HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB893086\Filelist111600
^/usr/sbin/sparcv.$whodoHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB873339\Filelistmsgprox.dllreplrec.dllsqlvdi.dllHKEY_LOCAL_MACHINESoftware\Microsoft\VisualStudio\8.0WmiScriptUtils.dllGDIPLUS.DLLHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB890923\FilelistHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707-ie501sp4-20040929.111451InstalledSp3res.dllUmandlg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB842526InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707Installedconsole.exedbmslpcn.dllsqlmap70.dllsqlrepss.dllssmslpcn.dllssnmpn70.dllums.dllmsgprox.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Microsoft SQL Server\80SharedCodereplprov.dllreplrec.dllsqlvdi.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{903B0409-6000-11D3-8CFE-0050048383C9}DisplayVersionHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C3A6819F-62D3-4750-AF1C-28206DDF2C2E}Windows Messenger 5.1msmsgs.exeHKEY_LOCAL_MACHINESSOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB890923 -ie501sp4-20050225.100310InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707-ie6-20040929.115007IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q841373InstalledLM\\W3SVC\\/d*\\ROOT6011HKEY_LOCAL_MACHINESystem\CurrentControlSet\Services\w3svc\parametersMaxClientRequestBufferDataHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707-ie501sp3-20040929.121357InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB867801Installedcdo.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\842436aIsInstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\MSExchangewebHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\HotFix\kb823353InstalledHKEY_USERS^S-[-0-9]+\\Identities\\\{[-0-9A-Z]+\}\\Software\\Microsoft\\Outlook\ Express\\5\.0\\Mail$ShowHybridViewHKEY_LOCAL_MACHINESoftware\Microsoft\VisualStudio\7.1Gdiplus.dllwdhtmled.ocxHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP3\KB890923\FilelistHKEY_LOCAL_MACHINESoftware\Microsoft\Updates\Windows Server 2003\SP1\KB914798hypertrm.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP3\KB873339\FilelistHKEY_CLASSES_ROOThtfileHKEY_CLASSES_ROOTtelnet\shell\opencommandNtkrnlpa.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Player 9\KB885492PackageVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PowerPnt.exePathPowerPnt.exemsmapi32.dllmsmapi32.dll/usr/dt/bindtlogin^.*dtlogin.*108919
112807
107180
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{90A2A715-D986-4EAB-8C73-4D06114EF760}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{754D29C1-0C97-405F-98D0-21B212CA7FF1}IsInstalledHKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1803HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wvxHKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wplHKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wmxHKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wmsHKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wmzHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MediaPlayer\9.0\RegistrationUDBVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Player 9\SP0\KB885492PackageVersionHKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asxHKEY_LOCAL_MACHINE\SOFTWARE\Classes\.waxHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{839117ee-2132-4bae-a56a-42b50204c9b9}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB889293IsInstalledSUNWadmfw.*/usr/sbin/sadmind116457
116442
116454
.*/usr/sbin/sadmindWmpui.dllgedit/usr/bingeditHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MediaPlayer\7.1\RegistrationUDBVersionwmpui.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB890923 -ie501sp3-20050225.100153Installedmsmapi32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB896727Installeddhtmled.ocxHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB891781IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\SubcomponentsieHardenadminHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\SubcomponentsieHardenuserFlash9.ocxFlash8.ocxHKEY_LOCAL_MACHINESoftware\VERITAS\Backup Exec\ServerCurrentVersionHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\LSARestrictAnonymousHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Thunderbird \(0\.[0-8]\)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Thunderbird \(0\.[6-9]\)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Thunderbird (\(0\.[0-9]\)|\(1\.0\)|\(1\.0\.[0-2]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-4]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-8]\))DisplayName112604
112609
115172
/etchostname6?\.le.*109007
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\11.0\Outlook\InstallRootPathHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\9.0\Outlook\InstallRootPathHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\11.0\Common\InstallRootPathOutllib.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Outlook\InstallRootPathOutllib.dllOutllib.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Outlook\InstallRootPathCrystalDecisions.Web.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\w3svcStartvgx.dll118908
.*Xorg\b.*/proc/tty/driverserial/proc/tty/driver/proc/tty/procvserver.vxdHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\UtilMan{5c773859-bb96- 48fa-875b-6a58aae072f4}IsInstalledOS-Core.CORE2-KRNPHKL_33713PHKL_33714krb5-libsetherealethereal-gnomesquid.*.*.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixesgopherutempter/usr/sbinutempterlha/usr/binlhatcpdumplibpnglibpng-devellibpnglibpng-develcvsrpcproxy.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\OleEnableDCOMHTTPmsjet40.dllwmsjet40.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB837001InstalledrsyncImageMagickHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1A02HKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1A02HKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1A03HKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1A03kdelibs/usr/kerberos/bintelnet/usr/binrlogin/usr/kerberos/binrlogin/usr/binssh/usr/binkmailipsec-toolsUDP.*.*112785
119059
/usr/openwin/binXprt119060
112786
108652
108653
/usr/openwin/binXsunsquid/binmountkernelkernel-smpkernel-hugememnsiislog.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB817772InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB822343InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\Hotfix\Q811114Installedcode.aspHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q232449InstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{A954CDD5-A95F-414F-B3FE-FBEF9D2AECEA}IsInstalledmozilla-nssMsw3prt.dllw3svc.dllh323.tspHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q291845Installedwintrust.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q311967Installedetherealethereal-gnome118535
121004
109325
118536
121005
etherealethereal-gnome/usr/bintetherealsquid.*.*.*mod_sslmozillamozilla-nssopensslopenssl-developenssl-perlopenssl096bnet-snmp.*.*.*kernelkernelkernel-smpkernel-bigmemcvskdepimhttpdhttpdsysstatnfs-utils.*.*.*kernelkernel-smpkernel-bigmemkdepim/usr/share/serviceskfile_vcf.desktopetherealethereal=gnome/usr/binethereal/usr/sbinethereal/usr/sbintetherealcvs/tcpdumpsysstattcpdump/usr/sbintcpdumpgdk-pixbufgdk-pixbuf-develgdk-pixbuf-gnomegdk-pixbufgdk-pixbuf-develgdk-pixbuf-gnomemsgsc.dllmuttkernelkernel-smpkernel-bigmemlibxml2libxml2-devellibxml2-pythonXFree86mod_pythonTCP.*.*sambapwlibkernelkernel-smpkernel-hugememkdelibsmc/usr/binmcslocate/usr/binslocatessmsrp70.dlldbmsrpcn.dllgaimmailmanmuttnetpbmnetpbm-develnetpbm-progsXFree86/usr/X11R6/binXFree86netpbmnetpbm-develnetpbm-progs/usr/bin411toppm/usr/binasciitopgm/usr/binatktopbm/usr/binbioradtopgm/usr/binbmptoppm/usr/binbrushtopbm/usr/bincmuwmtopbm/usr/bineyuvtoppm/usr/binfiascotopnm/usr/binfitstopnm/usr/binfstopgm/usr/bing3topbm/usr/bingemtopbm/usr/bingemtopnm/usr/bingiftopnm/usr/bingouldtoppm/usr/binhipstopgm/usr/binhpcdtoppm/usr/binicontopbm/usr/binilbmtoppm/usr/binimgtoppm/usr/binjpegtopnm/usr/binleaftoppm/usr/binlispmtopgm/usr/binmacptopbm/usr/binmdatopbm/usr/binmgrtopbm/usr/binmtvtoppm/usr/binneotoppm/usr/binpalmtopnm/usr/binpamchannel/usr/binpamcut/usr/binpamdeinterlace/usr/binpamfile/usr/binpamoil/usr/binpamstretch/usr/binpamtopnm/usr/binpbmclean/usr/binpbmlife/usr/binpbmmake/usr/binpbmmask/usr/binpbmpage/usr/binpbmpscale/usr/binpbmreduce/usr/binpbmtext/usr/binpbmto10x/usr/binpbmto4425/usr/binpbmtoascii/usr/binpbmtoatk/usr/binpbmtobbnbg/usr/binpbmtocmuwm/usr/binpbmtoepsi/usr/binpbmtoepson/usr/binpbmtog3/usr/binpbmtogem/usr/binpbmtogo/usr/binpbmtoicon/usr/binpbmtolj/usr/binpbmtoln03/usr/binpbmtolps/usr/binpbmtomacp/usr/binpbmtomda/usr/binpbmtomgr/usr/binpbmtonokia/usr/binpbmtopgm/usr/binpbmtopi3/usr/binpbmtopk/usr/binpbmtoplot/usr/binpbmtoppa/usr/binpbmtopsg3/usr/binpbmtoptx/usr/binpbmtowbmp/usr/binpbmtox10bm/usr/
binpbmtoxbm/usr/binpbmtoybm/usr/binpbmtozinc/usr/binpbmupc/usr/binpcxtoppm/usr/binpgmbentley/usr/binpgmcrater/usr/binpgmedge/usr/binpgmenhance/usr/binpgmhist/usr/binpgmkernel/usr/binpgmnoise/usr/binpgmnorm/usr/binpgmoil/usr/binpgmramp/usr/binpgmslice/usr/binpgmtexture/usr/binpgmtofs/usr/binpgmtolispm/usr/binpgmtopbm/usr/binpgmtoppm/usr/binpi1toppm/usr/binpi3topbm/usr/binpjtoppm/usr/binpktopbm/usr/binpngtopnm/usr/binpnmalias/usr/binpnmarith/usr/binpnmcat/usr/binpnmcolormap/usr/binpnmcomp/usr/binpnmconvol/usr/binpnmcrop/usr/binpnmcut/usr/binpnmdepth/usr/binpnmenlarge/usr/binpnmfile/usr/binpnmflip/usr/binpnmgamma/usr/binpnmhisteq/usr/binpnmhistmap/usr/binpnminterp/usr/binpnminvert/usr/binpnmmontage/usr/binpnmnlfilt/usr/binpnmnoraw/usr/binpnmpad/usr/binpnmpaste/usr/binpnmpsnr/usr/binpnmremap/usr/binpnmrotate/usr/binpnmscale/usr/binppmtopict/usr/binppmtopj/usr/binppmtopjxl/usr/binppmtopuzz/usr/binppmtorgb3/usr/binppmtosixel/usr/binppmtotga/usr/binppmtouil/usr/binppmtowinicon/usr/binppmtoxpm/usr/binppmtoyuv/usr/binppmtoyuvsplit/usr/binppmtv/usr/binpsidtopgm/usr/binpstopnm/usr/binqrttoppm/usr/binrasttopnm/usr/binrawtopgm/usr/binrawtoppm/usr/binrgb3toppm/usr/binrletopnm/usr/binsbigtopgm/usr/binsgitopnm/usr/binsirtopnm/usr/binsldtoppm/usr/binspctoppm/usr/binspottopgm/usr/binsputoppm/usr/bintgatoppm/usr/binthinkjettopbm/usr/bintifftopnm/usr/binwbmptopbm/usr/binwinicontoppm/usr/binxbmtopbm/usr/binximtoppm/usr/binxpmtoppm/usr/binxvminitoppm/usr/binxwdtopnm/usr/binybmtopbm/usr/binyuvsplittoppm/usr/binyuvtoppm/usr/binzeisstopnm/usr/binpnmscalefixed/usr/binpnmshear/usr/binpnmsmooth/usr/binpnmsplit/usr/binpnmtile/usr/binpnmtoddif/usr/binpnmtofiasco/usr/binpnmtofits/usr/binpnmtojpeg/usr/binpnmtopalm/usr/binpnmtoplainpnm/usr/binpnmtopng/usr/binpnmtops/usr/binpnmtorast/usr/binpnmtorle/usr/binpnmtosgi/usr/binpnmtosir/usr/binpnmtotiff/usr/binpnmtotiffcmyk/usr/binpnmtoxwd/usr/binppm3d/usr/binppmbrighten/usr/binppmchange/usr/binppmcie/usr/binppmcolormask/usr/binppmcolors/usr/binppmdim/usr
/binppmdist/usr/binppmdither/usr/binppmflash/usr/binppmforge/usr/binppmhist/usr/binppmlabel/usr/binppmmake/usr/binppmmix/usr/binppmnorm/usr/binppmntsc/usr/binppmpat/usr/binppmquant/usr/binppmqvga/usr/binppmrelief/usr/binppmshift/usr/binppmspread/usr/binppmtoacad/usr/binppmtobmp/usr/binppmtoeyuv/usr/binppmtogif/usr/binppmtoicr/usr/binppmtoilbm/usr/binppmtojpeg/usr/binppmtoleaf/usr/binppmtolj/usr/binppmtomitsu/usr/binppmtompeg/usr/binppmtoneo/usr/binppmtopcx/usr/binppmtopgm/usr/binppmtopi1pwlib.*.*1720112846
PHCO_29269PHCO_30275PHCO_32181HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Microsoft Services for UNIX\KB896428InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Services for UNIXCurrent_ReleaseHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB832483InstalledInternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANInternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANPHNE_23947PHNE_33790120955
106934
Perl5.*\.PERL-RUNPerl5.*\.PERL-RUNPerl5.*\.PERL-RUNPerl5.*\.PERL-RUNPerl5.*\.PERL-RUNImekr70.imeSUNWkrgdoSUNWkr5svSUNWkrgglSUNWkr5sldnsapi.dllgftp/usr/bingftpImageMagickHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB830352Installed112234
117172
.*/usr/dt/bin/dtspcd/usr/dt/bindtspcdvbe6.dllwinsrv.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q328310Installedrh-postgresql-serverHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Thunderbird \((0\..*|1\.0\..*\))DisplayNameypserv.*.*.*xpdf/usr/binxpdfxinetd.*.*.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828028Installed/usr/openwin/binkcms_configurePHNE_30983PHNE_31732mikmod/usr/binmikmodCIFS-Server.CIFS-RUNCIFS-Server.CIFS-UTILCIFS-Server.CIFS-ADMINCIFS-Server.CIFS-LIBmmc.exevsftpdTCP.*.*up2date^.*rhnsd.*$sysreport/usr/lib/snmpmibiisa^.*mibiisa.*unzip/usr/binunzipPHSS_29964PHCO_28848WUFTP-26.INETSVCS-FTPsquirrelmailPHCO_23261OS-Core.C2400-UTILOS-Core.ADMN-ENG-A-MANHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Ras\CurrentVersionPathNamerasman.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138Installedtelnet.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB896428Installedcups.*.*.*X11.X11-RUN-CLPHSS_32109PHSS_30791PHSS_33589PHSS_31833PHSS_32366sendmail.*.*.*sendmailHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\.*DisplayVersionInternetSrvcs.INETSVCS-RUNPHNE_33414SUNWrcmds118239
116984
117455
/usr/sbin/in.rwhodHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Shared Tools\Web Server Extensions\Setup PackagesFrontPage 2000 Server Extensions SRHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Publisher\InstallRootHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mspub.exePathmspub.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q331953InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828749Installedsendmail/usr/sbinsendmail.sendmailTCP.*.*wlwl-xemacs/usr/binemacs/usr/binxemacssamba.*.*.*111596
SUNWxwpltHKEY_CURRENT_USERSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsDisableCachingOfSSLPagessambaTCP.*.*etherealQuery.dllsqlsrv32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\DataAccess\Q832483IsInstalledpostfix.*.*.*eog/usr/bineogSUNWdthep107178
108949
116308
TOUR_PRODUCT.T-NET2-KRNHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB883935InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\RasManStartpine/usr/binpineHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB892944Installedmqrt.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\Tcpip\ParametersSynAttackProtectshdocvw.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ABEB838C-A1A7-4C5D-B7E1-8B4314600208}DisplayVersionHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\.*DisplayNamenetapi32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Proxy ServerMicrosoft Proxy Serverw3proxy.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB888258Installedphpsqlisapi.dll112960
/etcnsswitch.conf^[^#].*_attr.*ldapssinc.dllmswrd6.wpc108827
108901
108451
113319
11233
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB893086\Filelistperl-CGIpam_smb.*krb5kdc.*118822
opensslopenssl-developenssl-perlopenssl096openssl096bRmcast.syssp3res.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB822679Installedopenssh-serveropenssh-server.*.*.*110057
110060
116462
nfs-utils.*.*.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q269862InstalledWUFTP-26.INETSVCS-FTPmysql-server.*.*.*mutt/usr/binmuttlvzipfldr.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\9.0\Publisher\InstallRootHKEY_LOCAL_MACHINESOFTWARE\Microsoft\FpcInstallDirectorymsphlpr.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Fpc\Hotfixes\SP1\408Kbstlntsvr.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q307298IsInstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\TlntsvrStartlprng/usr/libexec/filterspsbanner.*.*.*PHNE_33412InternetSrvcs.INETSVCS-RUN/usr/lib/dmidmispd.*/usr/dt/bin/rpc.cmsd/usr/dt/binrpc.cmsd^.*dmispd.*108541
/etcnsswitch.conf^[^#]*hosts:.*dnskdelibs/usr/binkonquerorPHNE_34077InternetSrvcs.INETSVCS-RUN112899
.*/usr/lib/netsvc/rwall/rpc.rwalld/usr/lib/netsvc/rwallrpc.rwalldSUNWpcrSUNWpcuSUNWpsrSUNWpsuw3proxy.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft ISA ServerInstallationLocationwspsrv.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Fpc\Hotfixes\SP1\257KbsHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\FwsrvStart108574
108162
108416
110898
109324
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9161A261-6ABE-4668-BBFA-AD06B3F642CFMicrosoft Exchangexlsasink.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Exchange Server 2003\SP1\KB894549.*109613
112810
SUNWdtdst112238
SUNWCryr112390
112237
120469
112240
112537
120470
112536
SUNWCry/etcnamed.confSUNWntpu109409
109667
/usr/lib/inet/xntpdshell32.dllHKEY_LOCAL_MACHINESoftware\Microsoft\Windows\CurrentVersion\Uninstall\{903B0409-6000-11D3-8CFE-0150048383C9}DisplayVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318593InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{ 3e7bb08a-a7a3-4692-8eac-ac5e7895755b}IsInstalledSystem.web.dllhhsetup.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q323255Installedasp.dllfp5areg.dllfp30reg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Shared Tools\Web Server Extensions\5.0\Setup PackagesMicrosoft FrontPage Server Extensions 2002libpnglibpng-devellibpng10-devellibpng10fp4areg.dllfp30reg.dll106950
109147
112963
120954
SUNWamsvcwebvw.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB894320\FilelistHKEY_CURRENT_USERSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedWebViewcpio/bincpio114332
/etcsystem^[^\*]*set.*c2audit.*OS-Core.ARRAY-MGMTOS-Core.ADMN-ENG-A-MANPHCO_23262OS-Core.ARRAY-MGMTOS-Core.ADMN-ENG-A-MANSUNWsshdu/etc/sshsshd_config^[^#]*ListenAddress.*0\.0\.0\.0/etc/httpd/conf.dphp.confHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q890175InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824105\FilelistinstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824105\Filelistinstallednetbt.sysphpSUNWbip118313
116986
116774
Comctl32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q303984InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90280409-6000-11D3-8CFE-0050048383C9}DisplayVersionHKEY_LOCAL_MACHINESoftware\Microsoft\Windows\CurrentVersion\Uninstall\{90510409-6000-11D3-8CFE-0150048383C9}DisplayVersionGDIPLUS.DLLHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Patches\9FEC06657760FC84499ED532196D45EE2Security Update for Office 2003: Wordperfect 5.x Converter (KB873378)HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\lanmanworkstationStartnetdde.exenetdde.exenddenb32.dllnddenb32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Player\wm817787IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823803Installedimpprov.dllPHSS_30302PHCO_30006HKEY_LOCAL_MACHINESOFTWARE\Microsoft\.NETFramework\policy\v2.0110896
114008
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557Installedshtml.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB810217InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponentsfp_extensionsLM\W3SVC6014SUNWdtba[sx]108219
kernelHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q313450Installed116895
117000
119255
119254
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB823980InstalledHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Hotfix\\[Kk][Bb]834707[-a-zA-Z0-9.]*$InstalledHKEY_LOCAL_MACHINESOFTWARE\Adobe\Acrobat Reader\6.0\InstallerVersionMaxHKEY_LOCAL_MACHINESOFTWARE\Adobe\Acrobat Reader\6.0\InstallerVersionMinHKEY_LOCAL_MACHINESOFTWARE\Adobe\Acrobat Reader\6.0\InstallerPatheBook.apiHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MSSQLServer\MSSQLServerLoginModeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q321599InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Player\wm308567IsInstalledkernelkernelkernel-hugememkernel-smpSUNWxwfs113923
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\MediaPlayer\8.0\RegistrationUDBVersiondxmasf.dllmsdxm.ocxwmpcore.dllwmplayer.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Player\wm320920IsInstalledddskkddskk-xemacsHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q329170InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\lanmanserver\parametersenablesecuritysignatureHKEY_LOCAL_MACHINESoftware\Microsoft\Windows\CurrentVersion\Uninstall\{90510409-6D54-11D4-BEE3-00C04F990354}DisplayVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90510409-6D54-11D4-BEE3-00C04F990354}WindowsInstallerHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q329414Installed113273
^.*sshd.*Tcpip6.sysMSCONV97.DLLHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches\A1334AC428B43BF4E9547C55D3DFE977HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000409-78E1-11D2-B60F-006097C998E7}DisplayVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00010409-78E1-11D2-B60F-006097C998E7}DisplayVersionHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Session Manager\EnvironmentPROCESSOR_ARCHITECTUREgaim/usr/bingaim114796
SUNWkcl2rkernelHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q326886InstalledSUNWkcsr[tx]114636
107337
111400
113505
113508
115054
115055
SUNWscvw^/usr/apache/bin/httpd.*SUNWscvw/conf/httpd.conf.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB888113Installedllssrv.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB885834InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\LicenseServiceStartspoolsv.exe/etcpam.conf[^#]*pam_krb5.+debug.*/etc/pam\.conf.*112908
/etc/krb5krb5.conf[^(#|_)]*default_realm[^_]*/etcsyslog.conf[^#]*(debug|daemon\.debug).*/etc/syslog\.conf115168
kernelSUNWkrbrSUNWkrbux?112925
112923
112921
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q305601InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB873350Filekrb5-libskrb5-workstationnntpsvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB883935InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\NntpSvcStartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP2\KB871250\FilelistSUNWypu109328
113579
^.*ypxfrd.*dplayx.dll^LM\\MSFTPSVC\\.*$1016HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\11.0\Publisher\InstallRootPathtshoot.ocxHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB826232InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Excel\InstallRootHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90110409-6000-11D3-8CFE-0150048383C9}DisplayVersionDhcpcsvc.dllsmtpsvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB885881InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\SMTPSVCStartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Exchange\SetupServices Versionkrb5-serversrvsvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB888302InstalledDhcpssvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB885249Installed108748
108752
106541
106942
107477
108551
108754
108756
108758
108760
108762
108764
.*rpcbind.*SUNWsndmu107684
110615
.*sendmail .*MSO.DLLHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\9.0\Common\InstallRootPathMso9.dllMSO.DLLMsxml5.dllMsxml3.dllMsxml6.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\9.0\PowerPoint\InstallRootHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB839643-DirectX82InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB839643-DirectX9InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB839643Installed118844
HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\Tcpip\ParametersEnablePMTUDiscoveryHKEY_LOCAL_MACHINESOFTWARE\Classes\MIME\Database\Content Type\application/htaExtensionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893086\FilelistSUNWsndmr113575
quartz.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q19696Installeditircl.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB825119InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB841872Installedpsxss.exeHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Session Manager\SubSystemsPosixSUWNsmbar.*^.*smbd.*msgsvc.dllwkssvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828035InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\MessengerStartciodm.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB871250\Filelistgdi32.dllPHNE_32606HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DFE1608-BDCA-11D1-B7AE-00C04FB92F3D}DisplayVersionGifimp32.fltSUNWinamd/etcpam.conf[^#]*pam_krb5.*debug/etcsyslog.conf^[^#]*(\*|daemon)\.debug112300
112085
106938
109326
112970
SUNWcsx?u/usr/sbin/in.namedHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824141InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\UtilManStart/etc/krb5krb5.conf/etc/krb5krb5.conf^[^#]auth_to_local.*balsa/usr/binbalsaHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Terminal ServerProductVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q324380InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\RDPWDStartSUNWapchuSUNWftpu114564
.*/usr/sbin/in.ftpdHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\SP2SRP1Installedidq.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q300972InstalledLM\W3SVC6014Ipnathlp.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823980Installedkdebase/usr/binkdmHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q277873Installed107702
109354
114497
xenroll.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q323172InstalledSwflash.ocxxactsrv.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q326830InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\lanmanserverStartNtoskrnl.exeSUNWdtdmn108221
vdmdbg.dllnddenb32.dllnetdde.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB841533Installedcryptui.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB823182InstalledHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1001HKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1001SUNWnisu108750
110322
^.*ypbind.*108993
115677
121321
108994
115678
121322
grpconv.exeshell32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\PowerPoint\InstallRootPathism.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q321599Installedcdoex.dllIpnathlp.dllLM\W3SVC6032wwmp.dllrdpwd.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{2298d453-bcae-4519-bf33-1cbf3faf1524}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (1.5.0.2)DisplayName/usr/openwin/binlbxproxy107654
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB841873InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{F9C174E3-3E87-40bc-AA94-B8974F2B9222}Installed107893
PHNE_34544WUFTP-26.INETSVCS-FTPPHNE_33395PHCO_34545win32k.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB840987InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4395}IsInstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Windows NT\CurrentVersion\Hotfix\KB841356InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Shared ToolsSharedFilesDirfpadmdll.dllOS-Core.ARRAY-MGMTOS-Core.ADMN-ENG-A-MANPHCO_23263SUNWpcu107115
109320
113329
wmp.dllSUNWstm117367
112669
112668
116341
116340
120720
120719
118966
HKEY_LOCAL_MACHINESoftware\Microsoft\Updates\Windows XP\SP2\KB914798OS-Core.UX2-COREPHCO_32149PHCO_32926httpd.*.*.*sendmail108528
112233
wjgdw400.dllPHCO_33214PHCO_33215SUNWgzip112668
jgdw400.dllopenssl-perlopenssl-developensslopenssl096b/tmpInternetSrvcs.INETSVCS2-RUNPHNE_29462HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{903B0409-6000-11D3-8CFE-0050048383C9}DisplayVersionHKEY_LOCAL_MACHINESoftware\\Microsoft\\Office\\10\.0\\Registration\\.*ProductIDHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersionCommonFilesDirPng32.flt109764
116047
119596
109765
121995
118813
117350
118558
117351
118559
/usr/share/gnome/gnome-aboutgnome-version.xml\s*<description>2\.0\.0.*</description>\s*114644
114645
114686
/usr/share/gnome/gnome-aboutgnome-version.xml\s*<description>2\.0\.2.*</description>\s*115738
114687
115739
/usr/share/gnome-aboutgnome-version.xml\s*<distributor-version>Sun Java Desktop System, Release 2</distributor-version>\s*121092
118822
118844
PHNE_33159HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB885250InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionSystemRootumpnpmgr.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionCSDVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MediaPlayer\10.0\RegistrationUDBVersionWmp.dllImekr61.imenetlogon.dllrasmans.dllPHCO_32280SysMgmtServer.MX-PORTALSysMgmtServer.MX-PORTAL120329
120330
/etcpam.conf^other.*krb5.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q320206Installedsmss.exePHCO_29249InternetSrvcs.INET-ENG-A-MANPHNE_33792InternetSrvcs.INETSVCS2-RUNOS-Core.CORE-ENG-A-MANOS-Core.UX-COREPHCO_33967Npdsplay.dllFlash.ocxHKEY_LOCAL_MACHINESoftware\Microsoft\Office\9.0\RegistrationProductIDNetworking.NET2-KRNkernel32.dllwins.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB870763InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\winsStartSecure_Shell.SECURE_SHELL111571
115880
110943
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90840409-6000-11D3-8CFE-0150048383C9}InstallLocationxlview.exe108117
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\11.0\Excel\InstallRootPathhttpd.*.*.*110286
/usr/dt/binrpc.ttdbserverdHP_Webproxy.HPWEB-PX-COREPHSS_34163HKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox \((0\..*|1\.0\..*\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla \(.*\)DisplayName/usr/openwin/libfs.auto109862
.*/usr/openwin/lib/fs.auto/usr/openwin/binxfsSUNWwbmc.*smcbootgtkhtml/usr/binevolutionSUNWnsbInternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANPHNE_23948109023
120240
109024
120239
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q313829InstalledSUNWsmbau114684
^.*smbd.*PHSS_34102HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q817606InstalledCIFS-Server.CIFS-RUNCIFS-Server.CIFS-UTILCIFS-Server.CIFS-ADMINCIFS-Server.CIFS-LIBPHCO_30402mup.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q312895Installed111313
111314
116807
116808
121308
121309
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q314147Installedsnmp.exePHNE_23950OS-Core.CORE-ENG-A-MANOS-Core.UX-COREPHCO_33989tcpip.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q811493InstalledOS-Core.UX-COREPHCO_33219HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Excel\InstallRootPathSUNWlzas121332
IPSec.IPSEC2-KRNIPSec.IPSEC2-KRNTOUR_PRODUCT.T-NET2-KRNPHNE_32606cdosys.dllHKEY_LOCAL_MACHINESOFTWARE\Clients\Media\Winamp\shell\opencommandHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Transaction Server\PackagesStart/usr/openwin/binXsunHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\SNMPStarttcpcfg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q265714Installedgtkhtmlmsjava.dllgnupg/usr/bingnupgHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB890175InstalledFreeRADIUSudp.*1812hpuxwsAPACHEhpuxwsAPACHEmstask.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{bfb56e60-5895-496c-bd6b-459b97142e4c}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}VersionInternetSrvcs.INETSVCS-RUNPHNE_34543WUFTP-26.INETSVCS-FTPHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\9.0\Word\InstallRoothttpext.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824151InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\W3SVC\ParametersDisableWebDAVghostscript/usr/bingsHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB885835InstalledLM\W3SVC6014Mdbmsg.dll108376
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB891711Installeduser32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733Installedw3svc.dllLM\W3SVC6014hhctrl.ocxHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB893066Installedtcpip.sysMozilla.MOZ-COMMozilla.MOZ-COMmsieftp.dllInternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANPHNE_23949HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB890859InstalledNtoskrnl.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 1.0.7DisplayNamePHNE_34306Secure_Shell.SECURE_SHELLSecure_Shell.SECURE_SHELLmozillaHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB896426Installednetman.dllVaultWS.WS-COREPHSS_34123sudo/etcsudoers/usr/binsudowordpad.exe.*/usr/lib/fs/cachefs/cachefsd/usr/lib/fs/cachefscachefsd108800
PHSS_34169VaultTS.VV-IWSVaultWS.WS-COREPHSS_34121VaultTS.VV-IWSPHSS_34170VaultWS.WS-COREPHSS_34120VaultTS.VV-IWSPHSS_34171VaultWS.WS-COREPHSS_34119HP_Webproxy.HPWEB-PX-COREPHSS_34203HP_Webproxy.HPWEB-PX-COREPHSS_34204HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\11.0\Word\InstallRootwordview.exeSUNWmoznavSUNWmozmail117765
117767
HKEY_CLASSES_ROOTMITrain.Document\shell\open\commandOrun32.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Step by Step Interactive Training\SP2\KB898458\FilelistMsdtctm.dllwebclnt.dllPHNE_24395msadco.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\OleEnableDCOMcdoex.dll.*/usr/openwin/bin/kcms_server/usr/openwin/binkcms_serverHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{E81659DF-28E1-4C60-B4B9-00A4BC5FA76D}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{2D5974C5-5185-4f5b-80B6-28015ACDD74C}IsInstalledlibgdlibgd-develHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB890046Installedagentdpv.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Word\InstallRootHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exePathwinword.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (1.5)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\Mozilla\Mozilla Firefox 1.5\binPathToExeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (1.5.0.1)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird (1.5)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\Mozilla\Mozilla Thunderbird 1.5\binPathToExeHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SeaMonkey \((1\.0[ab]|1\.0)\)DisplayNameitss.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB840315InstalledHKEY_LOCAL_MACHINESOFTWARE\Classes\ITSProtocol.*Fontsub.dllT2embed.dllSRV.SYSHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606InstalledPHNE_33159libxmllibxml-develHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft ISA ServerVersionMajorHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Fpc\Hotfixes\SP1\277Kbs/usr/bingzip/usr/bingunzipHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Applets\WordpadEnableLegacyConvertersmswrd632.wpc118844
119450
119449
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB873333InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\9.0\Excel\InstallRootHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Excel.exePathexcel.exe/usr/binbzip2InternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANPHNE_33791hlink.dllQuartz.dllWUFTP-26.INETSVCS-FTPHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft ISA Server SPDisplayNameHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\UninstallMicrosoft ISA Serverw3proxy.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\FPC\Hotfixes\SP1\430kbsHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB896422Installedsrv.systelnet/usr/bintelnetmrxsmb.sysSUNWbnuu106952
111570
113322
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB901214IsInstalledmscms.dllfetchmailgdmHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146Installedrpcrt4.dllkernelkernel-hugememkernel-smpHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB883939InstalledHKEY_LOCAL_MACHINESOFTWARE\CLASSES\PNGFilter.CoPNGFilterPHNE_33427SUNWkr5svSUNWkr5slSUNWkrgdoSUNWkrggl112536
112908
112237
112390
/etc/krb5krb5.conf^[^#_]*default_realm[^=]*=[^_]*$gzip/usr/binzgrepnwwks.dllsxs.dll/usr/lib/snmpsnmpdx^.*inetd.*.*/usr/dt/bin/rpc.ttdbserverdSUNWtltkx?112808
HKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{754D29C1-0C97-405F-98D0-21B212CA7FF1}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB819696Installedschannel.dll^LM\\W3SVC\\.*$5506HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\ServerEnabledntdll.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q815021InstalledHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-9]\)|\(1\.7\.10\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-6]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB897715Installed\bpostmaster\brh-postgresql-contrib/usr/lib/pgsqltsearch.soMapi32.dllbzip2/usr/binbzgrepHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersionVersionHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\LmHostsStartHKEY_LOCAL_MACHINE^SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters\\Interfaces\\Tcpip.*$NetbiosOptionsssnetlib.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB893756InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\TapiSrvStart119985
122082
mozilla/usr/binmozillarpcss.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Exchange\SetupServicePackBuildHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirmdbmsg.dllevolutionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\11.0\PowerPoint\InstallRootPathHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exePathpowerpnt.exeMsw3prt.dlljscript.dllopenoffice/usr/binoocalc/usr/binoodraw/usr/binooffice/usr/binooimpress/usr/binoowritermf3216.dllGdi32.dllMf3216.dllcomsvcs.dllcryptdlg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB885836Installedhh.execrypt32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q329115InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\NetlogonStartmsgina.dllzipfldr.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB873376InstalledHKEY_LOCAL_MACHINESOFTWARE\Classes\CompressedFolderFriendlyTypeNameHKEY_LOCAL_MACHINESOFTWARE\Rockliffe\MailSiteVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q293826Installedopensslopenssl-developenssl-perlopenssl096openssl096b^.*snmpdx.*SUNWsasnm107709
108869
umandlg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB896423Installed/usr/X11/binXorg119059
108653
119060
.*Xsun\b.*cvsHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828741Installedole32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\DataAccess\Q823718IsInstalledodbcbcp.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\DataAccessFullInstallVerfetchmail/usr/binfetchmailHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SeaMonkey \(1\.0[ab]\)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\mozilla.org\SeaMonkeyCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-7]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Thunderbird (\(0\.[0-9]\)|\(1\.0\)|\(1\.0\.[0-7]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-9]\)|\(1\.7\.1[0-2]\))DisplayNamePHCO_28847DCE-Core.DCE-CORE-SHLIBSW-DIST.SD-AGENTPHSS_29963Locator.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q810833InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\RPCLocatorStartInternetSrvcs.INETSVCS-RUNInternetSrvcs.INET-ENG-A-MANVirtualVaultOS.VVOS-AUX-IAPHNE_24395HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB837009InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB839643InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB839643-DirectX8InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB839643-DirectX81InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB839643-DirectX82InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\DirectXVersiondplayx.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB839643-DirectX9InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersionCurrentVersionsqlservr.exeodsole70.dllxpqueue.dllxprepl.dllxplog70.dllxpweb70.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exePathxpstar.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\NetBIOS\LinkageBindHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\NetBIOS\LinkageExportHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\NetBIOS\LinkageRouteHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\SecurePipeServers\winregHKEY_LOCAL_MACHINE^Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\.*DisplayNameHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Exchange\SetupServicesmad.exeHKEY_LOCAL_MACHINESoftware\Microsoft\Updates\Exchange Server 2000\SP3\Q316056.*HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\SecurePipeServers\winregEveryoneHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\ProductOptionsProductSuiteHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q299444Installedwinlogon.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q317636Installed/usr/lib/netsvcrpc.yppasswdd^.*rpc\.yppasswdd.*111590
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q295534InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q301625Installedkernel-unsupportedHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\ProductOptionsProductTypelsasrv.dllHKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1200HKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1200HKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1400HKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1400shell32.dllHKEY_LOCAL_MACHINE^Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[1-3]$1802HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{D7B44F3E-77D3-44C5-8E03-4222D9A18B7B}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{61E6EAE5-7821-4AC1-9BBD-AED032A8E273}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{FF4DD9CD-F25E-425a-8B5C-A2D062781FBB}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{2757B1D6-0367-4663-877C-93ECC5C01BF6}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{C34F4917-ED43-439f-9023-97B0024A2B3B}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{F9C174E3-3E87-40bc-AA94-B8974F2B9222}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{f5de1b93-9d38-416b-b09e-aa85a8e84309}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{377483c2-e4b4-4ee8-b577-9aed264c8735}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed 
Components\{057997dd-71e4-43cc-b161-3f8180691a9e}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Internet ExplorerVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{eddbec60-89cb-44ef-8291-0850fd28ff6a}IsInstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{716E024F-7F74-47F3-B93B-9FF7F3CBF94C}IsInstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{E81659DF-28E1-4C60-B4B9-00A4BC5FA76D}IsInstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{2D5974C5-5185-4f5b-80B6-28015ACDD74C}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet SettingsSecurity_HKLM_onlyHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1803kernelmsw3prt.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{2cc9d512-6db6-4f1c-8979-9a41fae88de0}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Outlook Express\Version InfoCurrentinetcomm.dlletherealethereal-gnomeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q327696InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q811114InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\INetStpMajorVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\INetStpMinorVersionw3svc.dllhelpctr.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB840374Installedmsasn1.dllTCP.*.*squirrelmailphp/etc/httpd/moduleslibphp4.soevtgprov.dllMsxml4.dllSUNWdtwm118953
118954
109931
109932
114219
SUNWTiffSUNWTiffx114220
119900
119901
111844
111845
112785
112786
.*httpd116973
116974
113146
114145
redhat-release/usr/bincvscvskerberos.dllrdpwd.systapisrv.dllmshtml.dllspoolsv.exeumpnpmgr.dllHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\(1\.7\)|\(1\.[0-7]\.[0-3]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox \(0\.9.*\)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Thunderbird \(0\.[6-8]\)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-4]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox \(0\.[0-9].*\)DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\Mozilla\Mozilla ThunderbirdCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Thunderbird (\(0\.[0-9]\)|\(1\.0\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-5]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-1]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-2]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-6]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-3]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-7]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\Mozilla\Mozilla 
FirefoxCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\mozilla.org\MozillaCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB835732InstalledHKEY_CLASSES_ROOTHCPHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionSystemRoothelpctr.dll108652
/usr/openwin/binxlockHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionCSDVersionHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Session Manager\EnvironmentPROCESSOR_ARCHITECTURE10.0.5709.010.0.4333.04.14.1.0.39344.1.0.3934144Installed6.00.2900.21806.0.2900.25236.0.2900.2524128.0.1.990411717161703036.0.3790.3276.0.3790.24405.0.2195.71085.1.2600.29766.0.3790.2748.0.0.97168.0.0.93155.1.2600.30195.2.3790.5996.4.9.113310.0.0.37027.10.0.30799.0.0.010.0.0.381010.0.0.370810.0.0.09.0.0.32657.10.0.06[,\.]4.*6.0.3790.11816.0.2800.14005.0.3813.8005.0.3502.485611.0.3705.5561,0,3705,21,0,3705,31.0.3705.602115.0.3526.8005.0.3513.900truetrue3.0.1200.2911146.5.6980.5706.1.0.92315.0.2195.70005.0.3510.110014.0.1381.8425.1.0.104410.0.2609.06.0.2800.14112.0.50727.1016.0.3790.2805.2.3790.5885.2.3790.27835.1.2600.30155.0.2195.71104.0.1381.73236.0.2800.14986.0.2800.149901,0,4322,01.1.4322.203711.1.4322.108516.0.3790.941136.1.0.92326.0.2800.12765.0.3810.17001truetrue6.0.2742.2005.0.3523.17005.2.3790.225srv03_qfe5.2.3790.227srv03_qfe5.2.3790.2335.0.3846.23002000.80.818.02000.80.765.02000.80.765.02000.80.765.08.0.50727.2366.0.3264.05.00.3314.21015.0.3504.25006.0.3790.1816.0.3790.1856.0.3790.2795.1.2600.25635.0.3534.280015.0.2195.69281.0.0.516.0.3790.21911.12000.80.818.02000.80.818.02000.80.811.02000.80.765.02000.80.818.02000.80.818.02000.80.818.02000.80.818.02000.80.816.02000.80.800.02000.80.778.02000.80.765.02000.80.798.02000.80.765.02000.80.765.010.0.8326.05.1.06395.1.0.6395.0.3826.240016.0.2745.2800114.2.788.1
^http:*,PERMANENT,*
163845.0.3819.3005.50.4942.4005.0.3821.280016.0.3790.19115.00.3315.10005.0.3532.3005.5.2558.1029.0.0.89426.0.2800.1441109.0.0.33498.0.0.44965.2.3790.5295.2.3790.5376.0.3790.5046.0.3790.5035.0.3528.7005.1.3102.13555.2.3790.5296.0.2900.29636.0.2800.15616.0.3790.27596.0.3790.5545.0.3842.30006.1.0.92326.0.2900.2627^9\.0+\..*9.0.0.33446.1.3790.15.0.3837.12006.0.2800.15555.2.3790.4626.0.2900.28695.1.2600.1609C:\Program Files\Windows NT\hypertrm.exe /t %15.0.2195.70717.10.0.30771.16.0.2800.14769.0.0.89365.2.3790.4535.2.3790.3862.0.0.34245.2.3790.12426.0.3790.4135.0.2195.69025.0.3835.22005.5.3201.02001.12.4720.48011.0.6566.06.0.3790.418^5\.0+\..*5.0.3839.22002109316.0.3790.5365.0.3841.19005.2.3790.3745.2.3790.3745.00.2919.8005.00.2919.38005.00.2919.63075.00.2920.00005.00.3103.10005.00.3105.01065.0.3214.200011336.0.3790.2595.0.3831.18002.80.1062.05.2.3790.4685.0.3825.7009.00.00.29809.0.0.32501.16.0.2900.2802116.0.2800.1543/usr/sbin/sadmind020101/usr/sbin/sadmind5.1.2600.11515.2.3790.419^8\.0+\..*8.0.0.44955.2.3790.3961:2.2.2-4.rhel3truetruetrue5.0.3828.2700^7.1.*7.10.0.30766.0.2800.12646.00.3790.00006.0.3790.3736.0.3790.24916.0.2800.15056.0.2800.15065.0.3539.240016.0.3790.50710.0.6772.06.0.3790.6056.0.3790.28176.0.2800.15866.0.2900.30205.50.4956.5006.0.2800.15156.0.2800.151616.0.2800.14585.1.2600.16846.5.6749.05.2.3790.4265.2.3790.4266.1.0.923116.0.3790.5946.0.3790.27956.0.2900.29956.0.2800.15785.0.3842.30006.0.3790.25776.0.2800.1528^6\..*6.0.3790.449116.0.3790.6076.0.3790.28266.0.2900.30286.0.2800.18965.50.4971.6009.0.16.08.0.22.05.2.3790.6155.2.3790.28375.1.2600.30385.0.2195.71124.20.9841.06.0.3890.08.505.2.3790.137srv03_qfe5.2.3790.141srv03_qfe5.00.3502.10005.0.3541.27006.00.2800.11066.0.2800.14916.0.2800.14925.2.3790.347^0\.[0-8]($|\s).*^Mozilla Thunderbird \(0\.[0-8]\)^0\.[6-9]($|\s).*^Mozilla Thunderbird \(0\.[6-9]\)[0-1]\.0($|\s).*|[0-1]\.0\.[0-2]($|\s).*Mozilla Thunderbird (\(0\.[0-9]\)|\(1\.0\)|\(1\.0\.[0-2]\))^[0-1]\.0($|\s).*|^[0-1]\.0\.[0-4]($|\s).*Mozilla 
Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-4]\))^[0-1]\.[0-7]($|\s).*|^[0-1]\.[0-7]\.[0-8]($|\s).*Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-8]\))6.0.2900.29976.0.2800.15805.0.3845.18006.0.3790.5936.0.3790.27945.2.3790.1421111020201331812.*[Oo][Ff][Ff][Ii][Cc][Ee]11.*.*\\[Oo][Ff][Ff][Ii][Cc][Ee][\\9].*11.0.8118.010.0.6822.09.0.0.8954.*[Oo][Ff][Ff][Ii][Cc][Ee]10.*9.1.9800.949.0.0.895511.0.8117.010.0.6823.0^7\..*^6\..*5.00.3700.10006.0.2800.15886.0.3790.28516.0.2900.30517.0.6000.163866.0.3790.6230209truetruetruetrue4.10.2001.015.0.2195.6904B.11.23PHKL33713PHKL337140:1.2.7-246,0,2600,00006.0.2739.3006.0.2800.15060:0.10.3-0.30E.20:0.10.3-0.30E.27:2.5.STABLE3-6.3E^.*squid6.0.2719.2200gopher://0:0.5.5-1.3EL.0truetruetruetrue0:1.14i-10.2truetruetrue14:3.7.2-7.E3.2truetruetrue2:1.2.2-212:1.2.2-210:1.0.13-120:1.0.13-120:1.11.2-224.0.1381.72554.0.1381.33559Y4.0.8618.04.0.8618.010:2.5.7-4.3E4.1.0.38615.1.2600.1345.1.2600.1348^2\.6.*2000.80.746.03.70.11.400:5.5.6-156.0.2715.40033335.0.2195.68985.1.2600.1355.1.2600.13615.0.2195.69066:3.1.3-6.4truetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetruetrue4.0.1381.1335.2.3790.1320:0.2.5-0.4^.*racoon5005truetrue05399382true7:2.5.STABLE3-5.3Etruetrue0:2.4.21-9.0.3.EL0:2.4.21-9.0.3.EL0:2.4.21-9.0.3.EL4.1.0.39324.1.0.3931115.0.2195.667214.0.1381.27914.2.780.15.50.4927.21006.0.2713.110035.2.3790.1396.0.2716.22005.50.4613.170015.2.3790.13437:1.4.2-3.0.24.0.1381.1645.0.2195.36495.131.1880.145.2.3790.25064.2.769.15.0.2195.69015.2.3790.1254.87.1964.18805.1.2600.1355.1.2600.13610.9.3940.2015.1.2600.1345.1.2600.13614.0.1381.72634.0.1381.335625.0.2195.68954.0.1381.72554.0.1381.335595.0.2195.69045.1.2195.68995.131.2195.68245.0.2195.508010:0.10.3-0.30E.10:0.10.3-0.30E.15.1.2600.1365.1.2600.13475.50.4939.3000903010903010:0.10.3-0.90.10:0.10.3-0.90.1truetruetruetruetruetruetruetruetrue7:2.5STABLE1-3.9^.*squid.*0:2.0.46-32.ent37:1.4.2-0.9.0truetruetrue37:1.4.2-0.9.00:0.9.7a-33.40:0.9.7a-33.40:0.9.7a-33.40:0.9.6b-160:5.0.9-2.30E.1^.*sn
mpd.*x86_640:2.4.21-9.EL0:2.4.21-4.0.2.EL0:2.4.21-4.0.2.EL0:2.4.21-4.0.2.EL0:1.11.2-146:3.1.3-3.30:2.0.46-26.ent0:2.0.40-21.90:4.0.7-4.EL3.20:1.0.6-7.EL^.*rpc\.mountd510:2.4.20-28.90:2.4.20-28.90:2.4.20-28.96:3.1-6truetruetrue0:0.10.0a-0.90.10:0.10.0a-0.90.1truetruetruetruetruetruetruetruetrue0:1.11.2-13true14:3.7.2-7.E3.10:4.0.7-4.rhl9.114:3.7.2-7.9.1truetruetrue1:0.22.0-6.1.01:0.22.0-6.1.01:0.22.0-6.1.01:0.22.0-6.0.31:0.22.0-6.0.31:0.22.0-6.0.36.0.0.06.1.0.2115:1.4.1-3.40:2.4.20-30.90:2.4.20-30.90:2.4.20-30.90:2.5.10-60:2.5.10-60:2.5.10-60:4.3.0-55.EL2000.80.428.00:3.0.1-4^.*httpd0:3.0.2-6.3E0:1.4.7-7.EL0:2.4.21-9.0.1.EL0:2.4.21-9.0.1.EL0:2.4.21-9.0.1.EL6:3.1-131:4.6.0-7.9truetruetrue0:2.7-2truetrue2000.80.213.02000.80.213.01:0.75-0.9.0truetruetrue3:2.1.1-55:1.4.1-3.30:9.24-11.30.10:9.24-11.30.10:9.24-11.30.10:4.3.0-2.90.55truetruetrue0:9.24-10.90.10:9.24-10.90.10:9.24-10.90.1
0:1.4.7-4.1.*5.2.3790.994.0.1381.335544.0.1381.7255195.2.3790.8810.0.6775.05.1.2600.1195.1.2600.12745.0.2195.682415.2.3790.2516PHCO29269PHCO30275PHCO321815.3000.2073.132.23.07.0.1701.443.58.0.1969.335.2.3790.3605.0.2195.34075.1.2600.1605.0.2195.69872000.85.1025.02000.85.1025.015.2.3790.2476B.10.01B.10.01B.10.10B.10.10B.10.01B.10.10PHNE23947PHNE337905.0.2195.5695012000.81.9002.02000.81.9002.02000.81.9042.02
000.81.9042.04D\.5\.8\.0\.[ABCDEF]D.5.8.3.AD\.5\.8\.2\.[ABCDE]D\.5\.6\..*D\.5\.8\.2\.[ABC]7.0.8002.005101505090508115.1.2600.18635.2.3790.27455.1.2600.29385.2.3790.5585.0.2195.71005.2.3790.3161:2.0.14-4truetruetrue5.0.2195.70715.0.2195.70730:5.5.6-142000.80.296.06.0.3790.25215.0.2195.68701111216197/usr/dt/bin/dtspcdtruetruetrue5.1.2600.27775.1.2600.277710.0.5815.06.4.99.725.1.2600.17904.0.1381.71774.0.1381.71774.0.1381.72024.0.1381.720715.2.3790.1935.2.3790.1930:7.3.10-15.0.2195.7098Mozilla Thunderbird \((0\..*|1\.0\..*\))(0\..*|1\.0\..*)10.0.5815.00:2.8-0.9E^.*ypserv.*1:2.0.1-11truetruetrue2:2.3.11-1.9.0^.*xinetd.*5.0.2195.68231truetruetrue2PHNE30983PHNE317320:3.1.6-22.EL3truetruetrue4.0.1381.33632A.02.01A.02.01A.02.01A.02.015.0.893.11056.0.2800.15845.0.2195.71029.0.0.82160:1.1.3-8^.*vsftpd.*0:3.1.23.1-55.0.2195.498326535.5.2658.340:1.3.7.2-6true0:5.50-33truetruetrue5.1.2600.1698PHSS29964PHCO28848B\.11\.11\.(00.*|01\.00[0-5])0:1.2.11-1B.10.10B.10.20PHCO23261B.10.01B.10.30RASPHONE.PBK4.0.1381.714015.2.3790.348.*5.2.3790.3295.2.3790.244210:1.1.17-13.3^.*cupsd.*PHSS32109PHSS30791PHSS33589PHSS31833PHSS323660:8.12.8-6.90^.*sendmail.*0:8.12.8-9.906\.2\.020[5-9]B.11.23PHNE334145.0.2195.697210101019.0.0.893011.0.8103.010.0.6815.05.0.2195.610615.0.3809.06.5.6756.05.0.2195.686216.0.2900.26200:8.12.8-5.90truetruetruetrue^.*sendmail.*0:2.10.1-1.10:2.10.1-1.1truetruetruetruetruetrue0:2.2.7a-8.9.0^.*smbd.*225302000.80.747.02000.80.747.010:2.2.7a-7.9.0^.*smbd.*0:0.9.11-0.90.15.2.3790.5525.2.3790.27345.1.2600.29355.1.2600.18605.0.2195.71006.0.2750.1664.0.1381.335783.70.11.463.70.11.4612:1.1.12-1^.*smtpd.*0:2.2.0-2truetruetrue030801A\.0[12]\..*6.0.2737.8005.50.4937.8005.1.2600.1495.1.2600.1585.5.1877.79140:4.44-19.90.0truetruetrue15.0.0.79925.1.2600.27106.0.3790.5886.0.2900.29876.0.3790.27836.0.2800.18926.2.0208MSN Messenger 
6.25.2.3790.5595.1.2600.18745.0.2195.71055.2.3790.27475.1.2600.2952^2\.70.*$2.0.390.1610:4.2.2-17.22000.80.309.02000.80.760.038174.0.1381.73295.0.2195.66244.0.1381.73456.0.3790.2124.0.1381.3356610.0.803.25.0.2195.70573060601026.0.3790.2415.0.3900.70322:2.81-88.30:1.1.6-9.95.0.2195.704427285.2.3790.3090:0.9.7a-50:0.9.7a-50:0.9.7a-50:0.9.6-170:0.9.6b-65.2.3790.1735.2.3790.1845.1.2600.18735.1.2600.29512519055.0.2195.67131.0.0.315.2.3790.2050:3.5p1-110:3.5p1-6.9^.*sshd.*040704010:1.0.1-3.9^.*rpc\.mountd.*6.0.2900.29626.0.3790.27575.1.2600.17105.0.2195.21031112B\.11\.00\.(00.*|01\.00[0-4])055.1.2600.25250:3.23.56-1.9^.*mysqld.*5.1.2600.18295.0.2195.70845.1.2600.28896.0.3790.5206.0.3790.26845.0.3900.69705:1.4.1-1truetruetrue025.0.2195.69469.0.0.895011.0.8104.011.0.8105.010.0.6816.00:4.49.4-9.9.14.0.1381.335875.2.3790.5885.2.3790.27835.1.2600.18855.0.2195.71065.1.2600.29746.0.3790.1983.0.1200.408KB8882585.2.3790.2055.0.33668.1140:3.8.19-3.1true^.*lpd.*PHNE33412B.11.11/usr/dt/bin/rpc.cmsdtruetruetrue2260609026:3.1-12truetruetruePHNE34077B.11.041/usr/lib/netsvc/rwall/rpc.rwalldtruetruetrue1307023.0.1200.2573.0.1200.25733106620304020102035.0.2195.70236.5.6981.307064.0.1381.335915.1.2600.13639.0.0.895111.0.8104.011.0.8106.010.0.6818.01211085.713011006012006164.0.1381.72706.0.2734.16006.0.3790.19810.0.4330.004046.0.2800.15806.0.2800.158011.0.5614.05.2.3790.24275.0.2195.498010315.50.4945.28002.0.50727.2105.1.2600.26955.2.3669.05.2.3644.05.2.3644.05.2.3644.015.0.2195.66724.2.764.110.0.4205.010.0.4205.02:1.2.2-242:1.2.2-240:1.0.13-140:1.0.13-144.0.2.75234.0.2.752318044.72.3841.1100140709017\.0,.*7\.0,.*5.0.3900.703615.2.3790.2420:2.5-4.RHEL3true^2\.1.*$2.12.5118.05.2.3790.25008105.1.2600.1634B.11.00B.11.00B.11.10PHCO23262B.11.10B.11.106.0.2600.151051115.1.2600.1175.1.2600.124310.0.6811.09.0.0.894811.0.8036.015.2.3790.24650:4.3.2-24.ent5.50.4934.16004.71.2195.69200102035.0.2195.67995.1.2600.1125.1.2600.11935.82.2800.18915.82.3790.5835.82.3790.27785.82.2900.29825.81.3900.71095.0.390
0.69229.0.0.82164.0.1381.73425.0.2195.3881110.0.6626.011.0.3216.56146.0.3264.0Installed4.0.1381.731245.1.2600.2709385.1.2600.15675.1.2600.15675.1.2600.15555.1.2600.15555.0.2195.70178.0.0.449014.0.1381.722416.0.2800.18736.0.2900.29516.0.3790.5595.0.3900.71056.0.3790.27462000.80.650.05.0.2195.61595.0.2195.69525.0.2195.6922PHSS30302PHCO300062014.0.1381.3363016.0.2800.12336.0.2600.1154.0.2.752311014.0.1381.72864.0.1381.335775.1.2600.16130:2.4.20-19.910.0.6714.05.0.2195.490515.2.3790.5265.0.2195.70875.1.2600.18325.2.3790.26915.1.2600.28931010050103030315.0.2195.675316.0.2900.2604^2\.6.*$2.62.9119.16322000.80.650.05.0.2195.567115.1.2600.16196.4.9.112115.0.2195.69290:2.4.20-18.90:2.4.21-15.0.2.EL0:2.4.21-15.0.2.EL0:2.4.21-15.0.2.EL028.0.0.44776.4.9.11216.4.9.11248.0.0.44828.0.0.448210:11.6.0-11.900:11.6.0-11.9011.0.8028.010.0.6804.09.0.0.89445.0.2195.6110115.0.2195.696610.0.6735.010.2.511014.0.1381.336182.53.6202.01^2\.5.*$042000.80.578.02000.80.561.0^5\.[1-2]$5.1.2600.29755.1.2600.18865.2.3790.5765.2.3790.27715.2.3790.3365.1.2600.1205.1.2600.13015.1.2600.1205.1.2600.13012003.1100.6252.09.00.93279.00.93275.1.2600.1711ia641:1.3.1-0.el3truetruetrue045.0.2195.60110:2.4.20-13.95.0.2195.59741010302020201015.2.3790.3245.2.3790.2455.2.3790.22715.0.2195.7021145.0.2195.70355.1.2600.26965.1Service Pack 2120413035.0.2195.700562.4.202.4.20-609080303021015.2.3790.1634.0.1381.729910:1.2.7-140:1.2.7-146.0.3790.206145.1.2600.15962403015.2.3790.163
4
4.0.1381.72684.0.1381.72806.0.3790.1681.0.1.212515.1.2600.1099.0.0.894610.0.6809.011.0.8033.011.0.6252.75.2.3790.5365.1.2600.29125.0.2195.70855.1.2600.18475.2.3790.27062000.80.384.02000.80.223.02000.80.223.02000.80.223.02000.80.223.06.0.3790.21114650:1.2.7-145.50.4725.21005.1.2600.257714.0.1381.73041604.0.1381.335455.50.4922.900010101140903030101010101016.0.2800.155608080311.0.8107.011.0.0.09.0.0.89509.0.0.010.0.6817.010.0.0.09.0.0.89295.10.2930.04.20.9839.08.70.1113.06.0.3888.010.0.6819.011.0.8110.09.0.0.89525.2.3677.144^4\.08\.02.*$15.3.0.903^4\.09.*$15.1.2600.148^4\.08\.01.*$15.1.2600.15175.1064^i.*861406.0.2800.1643.hta016.1.5.13215.2.3790.80114.0.1381.335674.0.1381.726902^.*smbd.*155.0.2195.68615.0.2195.6861145.2.3790.2205.0.2195.6945B.11.23PHNE3260610.0.6754.05.50.4943.4009\..*2003.1100.8020.00710039.0.0.894313125.1.2600.15979.0.0.63285.0.3900.70096.5.7233.6901029.0.0.69260813065.1.2600.1185.1.2600.125514160511095.0.2195.68100:2.0.6-2truetruetrue5.1.2600.1375.1.2600.13646.5.7650.295.05.0.2195.58801401055.131.2195.67585.1.2600.183610.0.0.370402/usr/sbin/in.ftpd15.0.2195.36451
^.*idq\.dll.*$
5.1.2600.1555.1.2600.15645.2.3790.12805.2.3790.1425.1.2600.160614.0.1381.72246:3.1-15truetruetrue102001.12.4414.31115.0.2195.27845.1.2600.18421219015.131.3659.0106.0.2716.22005.0.44.05.0.2195.5971125.1.2600.16205.1.2600.1605019.0.0.79245.1.2600.15604.0.1381.335654.0.1381.3357415.0.2195.70975.131.2600.1175.131.2600.12431335.2.3790.25202015.1.2600.1665.1.2600.290214510201145102015.1.2600.15805.1.2600.1580.*10.0.6800.05.1.2600.29084.2.776.116.0.6618.45.1.2600.12545.0.2195.690210.0.0.3704^Service Pack [4-9]|\d{2,}$5.0.2195.70555.04.0.1381.711611.0.6502.016.0.2743.6006.0.3790.26631.8.20060.42618Mozilla Firefox (1.5.0.2)1\.5\.0\.2 .*truetrue105.0.2195.70875.6.0.05.1.2600.15551^5,50,.*5.50.4963.17005.50.4134.01005.50.4134.06005.50.4522.180015.50.4923.2500^2\.53.*$2.53.6306.02.71.9053.02.80.1062.0^2\.81.*$2.81.1124.0^2\.71.*$^2\.8.*$206.0.3790.2663^6,0,.*5.0.2195.7085PHNE34544B\.11\.11\.(00.*|01\.00[0-7])PHNE33395PHCO345455.2.3790.198114.72.3843.31004.0.1381.72674.0.1381.3356110.0.6790.06.0.3790.26622.82.2644.05.0.2195.7093B.11.11B.11.11PHCO2326310.0.6802.014090510.0.0.40364.0.1381.72654.0.1381.33563WinNT5.2.3790.2709010303040401016.0.2713.11001417PHCO32149PHCO329260:2.0.40-21.5^.*httpd\.worker.*([0-7]|8\.([0-9]|1[01]))8\.12\.([0-9]|10)8\.13\.[0-5]5.1.2600.16935.1.2600.268527126.0.2800.18076.0.2800.18166.0.3790.326106.0.0.06.1.2600.35.1.2600.1792PHCO33214PHCO332155.1.2600.26225.2.3790.224025.2.3790.26175.1.0.12512106.0.0.00:0.9.7a-33.150:0.9.7a-33.150:0.9.7a-33.150:0.9.6b-16.22.3trueB.11.22PHNE2946210.0.8326.0.*-OEM-.*2003.1100.8029.0060303060103332229332229030303040304014.0.1381.71346.0.2900.29122424PHNE331595.1.2600.259815.1.2600.2821Windows ME5.25.2.3790.2477Service Pack 
110\.0+\..*10.0.0.40196.2.2551.04.0.1381.70925.2.3790.2697PHCO322805.1.2600.2892C.04.00.00.00C.04.01.00.005.2.3790.220020214.0.1381.7152PHCO29249B.11.23PHNE33792B.11.23B.11.11B.11.11PHCO339675.1.2600.17895.0.2195.69923.0.2.6297.0.19.09.0.0.89386.0.3790.25345.0.2195.70995.2.3790.5565.1.2600.29455.1.2600.18695.2.3790.27415.2.3790.23914A(\.0[0-3]\..*|\.04\.[0-1].*|\.04\.20\.00[0-3])6.0.2800.15226.0.2800.15235.0.2195.70655.0.3833.200040403025.1.2600.27430211.0.8012.065.1.2600.27446.0.2900.27636.2.4.02.71.9053.011.0.8012.00:2.0.40-21.1^.*httpd.*9truetruetruePHSS34163Mozilla Firefox \((0\..*|1\.0\..*\))(0\..*|1\.0\..*).*Mozilla \(.*\)5.1.2600.17625.1.2600.17623/usr/openwin/lib/fs.autotruetruetrue5.1.2600.183102010:1.1.9-0.9.1truetruetrueB.10.20B.10.20B.10.20PHNE239480501050115.0.3502.47186.0.2900.276901PHSS341025.2.3790.260614.0.1381.7214A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3])A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3])A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3])A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3])PHCO304024.0.1381.712516.0.2900.286903030202010115.0.2195.4919PHNE239506.4.2600.06.4.2600.17385.1.2600.28185.0.2195.70736.0.2722.900B.11.00B.11.00PHCO339896.0.2600.15796.0.2600.1655.1.2600.28276.4.3790.06.4.3790.3996.1.3940.4214.0.1381.7203111.0.8026.04.0.1381.335986.0.2800.1724PHCO3321910.0.6789.001A\.([01].*|2\.00\.00)A\.0[12]\..*PHNE326066.1.1002.0^Service Pack [1-9]|\d{2,}$5.2.3790.3465.1.2.275452truetrue44.0.1381.70644.0.1381.709710:1.1.9-0.95.0.3810.00:1.2.1-4truetrue15.2.3790.2330:1.0.1-1.*/radiusd(((A|B)\.2\.0\.55\.\d+)|((A|B)\.[3-9]\..*)|((A|B)\.[1-9]\d+\..*)|((A|B)\.2\.[1-9]\d*\..*)|((A|B)\.2\.\d+\.[6-9]\d+\..*)|((A|B)\.2\.\d+\.5[6-9]\d*\..*)|((A|B)\.2\.\d+\.\d{3,}\..*))4.71.1979.11^Service Pack [6-9]|\d{2,}$5.1.0.85135.5.0.85135.6.0.85135,6,0,85135,1,0,85135,5,0,85131.8.20060.11112PHNE34543B\.11\.11\.(00.*|01\.00[0-5])5.0.1558.66089.0.0.89305.0.2195.6958110:7.05-32.1truetruetrue5.1.2600.17344.0.1381.72681^.*ServerNT.*$4.2.775.1
^.*asp\.dll.*$
5.0.1460.95.0.1462.2262496.0.6618.43015.1.2600.161715.0.2195.5269
^.*ism\.dll.*$
5.2.3790.5585.2.3790.27445.2.3790.3662001.12.4414.655.0.2195.706115.0.2195.7035B.11.22((1\.7\.12\..*)|(1\.(([8-9])|(\d{2,}))\..*)|(1\.7\.((1[3-9])|([2-9]\d+))\..*))6.0.3790.3835.0.2195.7054Windows 98B.11.00B.11.00B.11.00PHNE2394915.2.3790.2806.1.9.7266.1.9.732Mozilla Firefox (1.0.7)1\.0\.7 .*PHNE34306A(\.0[0-3]\..*|\.04\.[0-1].*|\.04\.20\.00[0-4])6.0.2723.250037:1.7.10-1.1.3.115.2.3790.16735.1.2600.17335.0.2195.70595.0.2195.7059PHSS341235.0.2195.70690:1.6.7p5-1.1true5.0.2195.6991/usr/lib/fs/cachefs/cachefsdtruetruetrue02PHSS34169A.04.70A.04.70PHSS34121A.04.60PHSS34170A.04.60PHSS34120A.04.50PHSS34171A.04.50PHSS34119A.02.10PHSS34203A.02.00PHSS3420411.0.6506.06.5.2600.06.5.2600.274902023.5.0.1172000.2.3535.05.2.3790.25915.2.3790.25425.0.2195.7057B.10.24PHNE243955.1.2600.27368.00.1942000.80.608.02000.80.606.02000.80.606.02000.80.606.02000.80.606.02000.80.606.02000.80.628.02.81.1124.0Y5.2.3790.766.0.6617.86/usr/openwin/bin/kcms_servertruetruetrue5.50.4913.1100110:1.8.4-12.3.10:1.8.4-12.3.12.0.0.342315.2.3790.1241Service Pack 45.0.3900.70715.0.3900.707810.0.6764.0Mozilla Firefox \(1\.5\)1\.5($|\s).*1.8.20060.30804Mozilla Firefox (1.5.0.1)1\.5\.0\.1 .*1\.5($|\s).*Mozilla Thunderbird \(1\.5\)1.8.20060.30803(1\.0[ab].*|1\.0[^\.].*)SeaMonkey \((1\.0[ab]|1\.0)\)5.2.3790.18515.2.3790.25495.2.3790.25495.1.2600.25955.0.2195.66991PHNE33159B.11.111:1.8.17-9.21:1.8.17-9.23816456truetruetruetruetruetrue112004.10.25.014^i.*865.1072266.5.7233.6901015.8[Ss][Pp][Aa][Rr][Cc]5.915.0.2195.70219.0.0.89386.0.3790.2541truetruetrue5.1.2600.17555.1.2600.1331B.11.11B.11.11PHNE337915.0^Service Pack [4-9]|\d{2,}$5.25.2.3790.27485.2.3790.5606.5.3790.06.5.3790.25196.3.1.889^4\.[0]*9\..*B.11.11B\.11\.00\.(00.*|01\.00[0-3])Microsoft ISA Server 2000 Updates3.0.1200.430KB8997536.0.3790.26665.2.3790.243715.1.2600.16835.1.2600.2673191:0.17-20.EL3.3truetruetrue5.2.3790.26975.2.3790.24925.2.3790.24925.1.2600.27265.1.2600.272604030215.2.3790.3590:6.2.5-6.el4.25.1.2600.27701:2.4.1.3-5.115.0.2195.6802^Service 
Pack [5-9]|\d{2,}$0:2.4.21-32.0.1.EL0:2.4.21-32.0.1.EL0:2.4.21-32.0.1.EL6.0.2800.17511CoPNGFilter Class6.0.2900.2668PHNE33427B.11.04020407070:1.3.3-12.rhel3truetruetrue5.1.2600.17275.2.3790.121^4\.[0]*9\.[0]+\.[0]*900^4\.[0]*9\.[0]+\.[0]*90116root/usr/dt/bin/rpc.ttdbserverd02B.11.235.50.4134.01005.50.4134.06005.50.4522.180015.50.4616.2005.50.4701.2400^4\.[0]*8\..*15.50.4807.23005.50.4926.25005.2.3790.13215.0.2195.66851Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-9]\)|\(1\.7\.10\))([0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-8]($|\s).*|1\.7\.10($|\s).*)(0\.[0-9].*|1\.0($|\s).*|1\.0\.[1-6]($|\s).*)Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-6]\))15,50,4807,17005.50.4952.28000:7.3.10-16.0.6603.06.0.6617.470:1.0.2-11.EL3.4truetruetrue^Windows.*426.0.3790.27062000.80.636.02000.80.636.05.0.2195.69055.1.2600.17155.1.2600.27165.2.3790.2483140201^.*4.S37:1.7.10-1.4.1truetruetrue2001.12.4414.535.1.2600.17205.1.2600.172076386.5.7650.280:1.2.2-511.0.8024.05.0.2195.29565.6.0.88312001.12.4720.1300:1.1.0-15.ELtruetruetruetruetruetruetruetruetruetruetruetruetruetruetrue5.1.2600.1325.1.2600.13315.0.2195.70695.0.2195.68982000.2.3511.06.0.2900.21806.0.2900.27225.0.1558.6072x645.2.3790.3155.2.3790.243515.2.3790.24535.131.2600.1123125.1.2600.1285.1.2600.13436.0.2750.1676.0.2800.15841.*zipfldr\.dll.*^([1-5]\.[0-9].*|6\.(0.*|1|1\.([0-9]($|\..*)|[0-1][0-9]($|\..*)|20($|\..*)|21($|\..*))))$15.0.2195.36490:0.9.7a-20.20:0.9.7a-20.20:0.9.7a-20.20:0.9.6-25.90:0.9.6b-1518151.0.0.4^Service Pack [0-4]$5.0.2195.705919452088341080:1.11.2-1814.0.1381.72634.0.1381.3356212000.81.9001.402000.81.9041.40^2\.7.*^.*3.S0:6.2.0-3.el3.1truetruetrueSeaMonkey \(1\.0[ab]\)1\.0[ab].*Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-7]\))(0\.[0-9].*|1\.0($|\s).*|1\.0\.[1-7]($|\s).*)Mozilla Thunderbird (\(0\.[0-9]\)|\(1\.0\)|\(1\.0\.[0-7]\))[0-1]\.0($|\s).*|[0-1]\.0\.[0-7]($|\s).*([0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-8]($|\s).*|1\.7\.1[0-2]($|\s).*)Mozilla 
(\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-9]\)|\(1\.7\.1[0-2]\))5.2.3790.161\d+/8\d+PHCO28847PHSS29963B.11.00\d+/7\d+4.0.1381.720214\d+/7\d+\d+/8\d+B.11.04B.11.04B.11.04B.11.04PHNE243956,0,3790,06.0.3790.1371^4\.07.*5.0.2195.69271^4\.08\.00.*5.0.2258.4101^4\.08\.01.*5.1.2600.8911^4\.08\.02.*5.2.3677.1441^4\.09\.00.*5.3.0.90318.00.1942000.80.650.02000.80.606.02000.80.606.02000.80.606.02000.80.606.02000.80.606.02000.80.628.0000^Service Pack [3-9]|\d{2,}$Microsoft Exchange 20006.0.5700.21Terminal Server4.014.0.1381.705816.0.2900.287324114.2.764.10:2.4.21-15.EL^.*LanmanNT.*$5.0.2195.690213333^Service Pack [0-2]$6.0.2900.257831111111111^6\.0+\.2600\.0+$16.0.2712.300111130:2.4.21-15.EL05.0.2195.580716,0,2800,11066.0.2800.14099^i.*860:0.9.13-1.90.10:0.9.13-1.90.111515.1.2600.11255.1.2600.1375.1.2600.151515.1.2600.1375.1.2600.1362^.*httpd.*0:1.4.3-0.e3.15.1.2600.1365.1.2600.13635.1002021010111101015.7030338275.9[Ss][Pp][Aa][Rr][Cc]^i.*86020205045.2.3790.2464^3.Struetruetrue0:1.11.2-245.1.2600.26985.1.2600.17015.0^Service Pack [4-9]|\d{2,}$5.0.2195.70535.2.3790.24655.2.3790.2483Service Pack 25.1.2600.27165.1.2600.17155.26.0.3790.24915.1.2600.16995.2.3790.24771\.7($|\s).*|1\.7\.[0-3]($|\s).*Mozilla (\(1\.7\)|\(1\.[0-7]\.[0-3]\))0\.9($|\s).*Mozilla Firefox \(0\.9.*\)0\.[6-8]($|\s).*Mozilla Thunderbird \(0\.[6-8]\)[0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-4]($|\s).*Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-4]\))0\.[0-9]($|\s).*Mozilla Firefox \(0\.[0-9].*\)[0-1]\.0($|\s).*Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\))[0-1]\.0($|\s).*Mozilla Thunderbird (\(0\.[0-9]\)|\(1\.0\))[0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-5]($|\s).*Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-5]\))[0-1]\.0($|\s).*|[0-1]\.0\.[0-1]($|\s).*Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-1]\))[0-1]\.0($|\s).*|[0-1]\.0\.[0-2]($|\s).*Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-2]\))[0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-6]($|\s).*Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-6]\))Mozilla Firefox 
(\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-3]\))Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-7]\))[0-1]\.0($|\s).*|[0-1]\.0\.[0-3]($|\s).*^[0-1]\.[0-7]($|\s).*|^[0-1]\.[0-7]\.[0-7]($|\s).*5.1^Service Pack [2-9]|\d{2,}$x8615.1.2600.1285.1.2600.13405.838truetruewindows5.1Service Pack 1ia64\system32\Windows Media\Server\Microsoft.NET\Framework\v2.0.50727\\Microsoft.NET\Framework\Microsoft Shared\WMI\Messenger\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\Common Files\System\MAPI\1033\NT\Common Files\System\MSMAPI\1033\Common Files\System\MAPI\1033\microsoft shared\triedit\Crystal Decisions\1.1\Managed\Common Files\Microsoft Shared\VGX\system\MSN Messenger\Common Files\Microsoft Shared\VBA\VBA6InetPub\scripts\proxy\System\Ole DB folder\Microsoft.NET\Framework\v2.0.50727\Microsoft Shared\web server extensions\50\bin\Microsoft Shared\web server extensions\40\bin\Microsoft Shared\web server extensions\40\isapiReader\plug_ins\Microsoft Shared\TextConv\SysWOW64\Microsoft Shared\OFFICE11\Microsoft Shared\OFFICE10\syswow64\Common Files\Microsoft Shared\CDO\system32\drivers\web server extensions\50\isapi\_vti_adm\Microsoft Shared\GRPHFLT\System32\Windows Media Player\system32\Macromed\FlashOFFICE11\RES\system32\inetsrv\Windows NT\Accessories\Help\SBSI\Training\Common Files\System\msadc\msagent\system32\Drivers\Common Files\Microsoft Shared\TextConv\SYSTEM32\DRIVERS\Exchsrvr\res\bin\System32\system32\drivers\System32