Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 David Proulx David Proulx 2002-0026 Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0079 ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx David Proulx 2002-0023 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks ACCEPTED 3 Microsoft Windows NT Windows Shell Matthew Burton 2002-0070 Completing an initial submission. done DRAFT INTERIM ACCEPTED Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner 2002-0189 Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability ACCEPTED 3 Microsoft Windows 2000 Christine Walzer 2003-0715 DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Andrew Buttner Andrew Buttner 2002-0147 ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun. ACCEPTED 4 Microsoft Windows 2000 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 David Proulx David Proulx 2002-0026 Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made ACCEPTED 3 Microsoft Windows NT FTP Tiffany Bergeron Tiffany Bergeron 2002-0073 The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0079 ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code ACCEPTED 3 Microsoft Windows 2000 Network Connection Manager (NCM) Christine Walzer Christine Walzer 2002-0720 modified wrt-222 - changed pattern match INTERIM A handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code INTERIM 1 Microsoft Windows 2000 Internet Explorer 5.01 Tiffany Bergeron Tiffany Bergeron Christine Walzer 2002-0193 modified wrt-222 - changed pattern match INTERIM Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability INTERIM 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0364 ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise. ACCEPTED 4 Microsoft Windows 2000 SMTP Tiffany Bergeron Andrew Buttner 2002-0055 Changed the registry key in question for the SMTP enabled check to SMTPSVC from SMTP. SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 to cause a denial of service via a command with a malformed data transfer (BDAT) request ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx David Proulx 2002-0026 Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made ACCEPTED 3 Microsoft Windows 2000 FTP Tiffany Bergeron Tiffany Bergeron 2002-0073 The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters ACCEPTED 4 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2001-0333 Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron 2002-0051 Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0150 ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 David Proulx David Proulx 2002-0023 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2000-0884 IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0071 ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0074 Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01 David Proulx David Proulx 2003-1326 Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box. ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1, or Internet Explorer 5.01 Service Pack 2 David Proulx David Proulx 2002-0023 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx David Proulx 2003-1328 The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality. ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0075 Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron Tiffany Bergeron Christine Walzer 2002-1561 modified wrt-222 - changed pattern match INTERIM The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference INTERIM 1 Microsoft Windows NT Remote Access Service (RAS) Tiffany Bergeron 2002-0366 Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry ACCEPTED 1 Microsoft Windows 2000 Remote Access Service (RAS) Tiffany Bergeron 2002-0366 Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron 2002-0018 ACCEPTED INTERIM ACCEPTED In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 David Proulx David Proulx Christine Walzer 2003-0223 modified wrt-222 - changed pattern match INTERIM Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message INTERIM 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Yi-Fang Koh 2001-0344 ACCEPTED An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0147 ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun. ACCEPTED 3 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron 2002-0367 smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 David Proulx David Proulx 2002-0023 Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2001-0333 ACCEPTED INTERIM ACCEPTED Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0148 Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Tiffany Bergeron 2001-0509 Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server Yi-Fang Koh Yi-Fang Koh 2001-0542 Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CAN-2001-0879 ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz 2002-0013 Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available ACCEPTED 1 Microsoft Windows 2000 Multiple UNC Provider (MUP) Tiffany Bergeron 2002-0151 Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron Ingrid Skoog 2001-0151 corrected configuration criterion INTERIM ACCEPTED IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Harvey Rubinovitz Harvey Rubinovitz 2002-0148 Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0149 ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner 2002-0078 Added the configuration check to see if cookies are enabled by the current user when local machine settings are not in use. INTERIM ACCEPTED The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability ACCEPTED 4 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx David Proulx 2002-0371 Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner Christine Walzer 2002-0193 modified wrt-222 - changed pattern match INTERIM Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability INTERIM 3 Microsoft Windows NT Locator service Tiffany Bergeron 2003-0003 Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron 2003-0109 Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0 ACCEPTED 2 Microsoft Windows 2000 ISA Server 2000 Tiffany Bergeron 2003-0526 ACCEPTED Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found. ACCEPTED 1 Microsoft Windows 2000 SMB (Server Message Block) Tiffany Bergeron Tiffany Bergeron 2003-0345 ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Yi-Fang Koh 2002-0154 Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron 2003-0809 Added the configuration check to see if ActiveX controls are enabled by the current user when local machine settings are not in use. ACCEPTED Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner 2003-1326 Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box. ACCEPTED 2 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron 2003-0528 ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron 2002-0071 ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0149 ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names ACCEPTED 3 Microsoft Windows 2000 Christine Walzer 2003-0010 DRAFT INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Virtual Machine (VM) Tiffany Bergeron 2003-0111 INTERIM ACCEPTED The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise. ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0150 ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values ACCEPTED 3 Microsoft Windows NT Simple Network Management Protocol (SNMP) Matt Busby 2001-0046 INTERIM ACCEPTED The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities ACCEPTED 1 Microsoft Windows NT Microsoft Transaction Server (MTS) Matt Busby 2001-0047 INTERIM ACCEPTED The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1 Tiffany Bergeron Andrew Buttner 2001-0154 Added the configuration check to see if file downloads are enabled by the current user when local machine settings are not in use. Changed the status from ACCEPTED to INTERIM ACCEPTED HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly ACCEPTED 2 Microsoft Windows NT Christine Walzer 2003-0112 DRAFT INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Harvey Rubinovitz 2002-1186 Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure. ACCEPTED 1 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz 2002-0012 Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available ACCEPTED 1 Microsoft Windows NT Multiple UNC Provider (MUP) Tiffany Bergeron 2002-0151 Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request ACCEPTED 1 Microsoft Windows NT Christine Walzer 2003-0345 DRAFT INTERIM ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required ACCEPTED 1 Microsoft Windows 2000 Windows Shell Christine Walzer Christine Walzer 2002-0070 Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron 2002-0367 smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron 2002-0018 In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz 2002-0012 Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Andrew Buttner Andrew Buttner 2003-1326 Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box. ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Tiffany Bergeron 2002-0364 ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise. ACCEPTED 3 Microsoft Windows XP Authenticode Tiffany Bergeron Andrew Buttner Christine Walzer 2003-0660 Added the configuration check to see if downloading of signed ActiveX controls are enabled by the current user when local machine settings are not in use. Fixed the logic that checks for one version of the file if no sp is installed and a different version if sp1 is installed. The compound test that includes SP1 or earlier has been added ACCEPTED INTERIM ACCEPTED The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2000 Christine Walzer 2003-0664 Added word 2000 and winword.exe information changed to word 2000 DRAFT INTERIM ACCEPTED Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document ACCEPTED 1 Microsoft Windows 2000 SMB (Server Message Block) Christine Walzer Christine Walzer 2002-0724 modified wrt-222 - changed pattern match INTERIM Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service" INTERIM 1 Microsoft Windows 2000 Certificate Enrollment Control Christine Walzer Christine Walzer 2002-0699 modified wrt-222 - changed pattern match ACCEPTED INTERIM Unknown vulnerability in the Certificate Enrollment ActiveX Control in Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000, and Windows XP allow remote attackers to delete digital certificates on a user's system via HTML INTERIM 1