The MITRE Corporation 5.2 2007-04-30T08:33:42.894-04:00 Microsoft Windows 2000 Windows Media Services Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. Tiffany Bergeron INTERIM John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E in attacks against PowerPoint. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 97 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Matthew Wojcik INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP MSN Messenger Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis ACCEPTED Jonathan Baker INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker INTERIM Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 98 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM INTERIM Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 97 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Ingrid Skoog INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker INTERIM Microsoft Windows XP Operating System Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 MSN Messenger GIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed. Andrew Buttner INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows XP Operating System The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows NT The operating system installed on the system is Microsoft Windows NT. Andrew Buttner ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows XP Operating System Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 MDAC 2.8 Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNSfunction does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. Christine Walzer DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jason Spashett INTERIM John Hoyland ACCEPTED Dragos Prisaca INTERIM INTERIM Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function. David Proulx INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Operating System The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memory section that is mapped with read-only permissions, but can be remapped by other processes as read-write, which allows local users to cause a denial of service (memory corruption and crash) and gain privileges by modifying the kernel structures. Sudhir Gandhe DRAFT INTERIM Robert L. Hollis INTERIM Microsoft Windows XP Operating System Stack-based buffer overflow in the Universal Plug and Play (UPnP) service in Microsoft Windows XP SP2 allows remote attackers on the same subnet to execute arbitrary code via crafted HTTP headers in request or notification messages, which trigger memory corruption. Robert L. Hollis DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Unspecified vulnerability in Microsoft Agent (msagent\agentsvr.exe) in Windows 2000 SP4, XP SP2, and Server 2003, 2003 SP1, and 2003 SP2 allows remote attackers to execute arbitrary code via crafted URLs, which result in memory corruption. Sudhir Gandhe DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The WYSIWYG rendering engine ("rich mail" editor) in Mozilla Thunderbird 1.0.7 and earlier allows user-assisted attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly protect the compilation scope of privileged built-in XBL bindings, which allows remote attackers to execute arbitrary code via the (1) valueOf.call or (2) valueOf.apply methods of an XBL binding, or (3) "by inserting an XBL method into the DOM's document.body prototype chain." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Operating System The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allows local users to cause a denial of service (crash) or read arbitrary memory from csrss.exe via crafted arguments to the NtRaiseHardError function with status 0x50000018, a different vulnerability than CVE-2006-6696. Sudhir Gandhe DRAFT INTERIM Robert L. Hollis INTERIM Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 Content Management Server Microsoft Content Management Server (MCMS) 2001 SP1 and 2002 SP2 does not properly handle certain characters in a crafted HTTP GET request, which allows remote attackers to execute arbitrary code, aka the "CMS Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP address, when the user reads the email and the external image is accessed. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Unspecified vulnerability in Firefox and Thunderbird 1.5 before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to bypass the js_ValueToFunctionObject check and execute arbitrary code via unknown vectors involving setTimeout and Firefox' ForEach method. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 returns the Object class prototype instead of the global window object when (1) .valueOf.call or (2) .valueOf.apply are called without any arguments, which allows remote attackers to conduct cross-site scripting (XSS) attacks. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows Vista The patch Windows6.0-KB925902-x64.msu that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-017 should be installed. Jonathan Baker DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Mozilla Firefox 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to read arbitrary files by (1) inserting the target filename into a text box, then turning that box into a file upload control, or (2) changing the type of the input control that is associated with an event handler. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Operating System Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via certain "color-related parameters" in crafted images. Sudhir Gandhe DRAFT INTERIM Robert L. Hollis INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Operating System Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via a crafted Enhanced Metafile (EMF) image format file. Sudhir Gandhe DRAFT INTERIM Robert L. Hollis INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker