4 20050803235300 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED 'The Exchange 2003 Exadmin virtual directory uses only Integrated Windows Authentication.' 2.1.6 ACCEPTED 1 Corresponds to item 2.1.6 in the Exchange 2003 Benchmark Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 David Proulx Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code. CVE-2002-0079 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Microsoft Windows NT Windows Shell Matthew Burton Matthew Burton DRAFT INTERIM Matthew Burton ACCEPTED Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled. CVE-2002-0070 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability. CAN-2002-0189 ACCEPTED 3 Microsoft Windows 2000 Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528. CAN-2003-0715 ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Andrew Buttner ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." CVE-2002-0147 ACCEPTED 4 Microsoft Windows 2000 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 David Proulx Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 3 Microsoft Windows NT FTP Tiffany Bergeron The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. CVE-2002-0073 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code. CVE-2002-0079 ACCEPTED 3 Microsoft Windows 2000 Network Connection Manager (NCM) Christine Walzer Christine Walzer INTERIM ACCEPTED A handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code. CVE-2002-0720 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01 Tiffany Bergeron Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. CVE-2002-0193 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise." CVE-2002-0364 ACCEPTED 4 Microsoft Windows 2000 SMTP Tiffany Bergeron Andrew Buttner SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 to cause a denial of service via a command with a malformed data transfer (BDAT) request. CVE-2002-0055 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 3 Microsoft Windows 2000 FTP Tiffany Bergeron The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. CVE-2002-0073 ACCEPTED 4 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0333 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access. CVE-2002-0051 ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. CVE-2002-0150 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. CVE-2000-0884 ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. CVE-2002-0071 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session. CVE-2002-0074 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01 David Proulx Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1, or Internet Explorer 5.01 Service Pack 2 David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality." CVE-2003-1328 ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. CVE-2002-0075 ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron Christine Walzer INTERIM ACCEPTED The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference. CAN-2002-1561 ACCEPTED 2 Microsoft Windows NT Remote Access Service (RAS) Tiffany Bergeron Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. CVE-2002-0366 ACCEPTED 1 Microsoft Windows 2000 Remote Access Service (RAS) Tiffany Bergeron Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. CVE-2002-0366 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. CVE-2002-0018 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 David Proulx Christine Walzer INTERIM ACCEPTED Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. CAN-2003-0223 ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server 2000 Yi-Fang Koh ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account. CVE-2001-0344 ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." CVE-2002-0147 ACCEPTED 3 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. CVE-2002-0367 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0333 ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. CVE-2002-0148 ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Tiffany Bergeron Jonathan Baker INTERIM Ingrid Skoog ACCEPTED Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs. CAN-2001-0509 ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server Yi-Fang Koh Ingrid Skoog INTERIM ACCEPTED Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CAN-2001-0879. CAN-2001-0542 ACCEPTED 2 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CAN-2002-0013 ACCEPTED 1 Microsoft Windows 2000 Multiple UNC Provider (MUP) Tiffany Bergeron Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. CVE-2002-0151 ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron INTERIM Ingrid Skoog ACCEPTED IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. CVE-2001-0151 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Harvey Rubinovitz Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. CVE-2002-0148 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. CVE-2002-0149 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner INTERIM ACCEPTED The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability. CVE-2002-0078 ACCEPTED 4 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response. CAN-2002-0371 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. CVE-2002-0193 ACCEPTED 4 Microsoft Windows NT Locator service Tiffany Bergeron Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information. CVE-2003-0003 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0. CAN-2003-0109 ACCEPTED 2 Microsoft Windows 2000 ISA Server 2000 Tiffany Bergeron ACCEPTED Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found." CAN-2003-0526 ACCEPTED 1 Microsoft Windows 2000 SMB (Server Message Block) Tiffany Bergeron ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. CAN-2003-0345 ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments. CAN-2002-0154 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron ACCEPTED Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page. CAN-2003-0809 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 2 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715. CAN-2003-0528 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. CVE-2002-0071 ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. CVE-2002-0149 ACCEPTED 3 Microsoft Windows 2000 Windows Script Engine for Jscript DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. CAN-2003-0010 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Virtual Machine (VM) Tiffany Bergeron INTERIM ACCEPTED The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise." CAN-2003-0111 ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. CVE-2002-0150 ACCEPTED 3 Microsoft Windows NT Simple Network Management Protocol (SNMP) Matt Busby INTERIM ACCEPTED The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities. CAN-2001-0046 ACCEPTED 1 Microsoft Windows NT Microsoft Transaction Server (MTS) Matt Busby INTERIM ACCEPTED The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities. CAN-2001-0047 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1 Tiffany Bergeron Andrew Buttner ACCEPTED HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly. CVE-2001-0154 ACCEPTED 2 Microsoft Windows NT Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CAN-2003-0112 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure." CVE-2002-1186 ACCEPTED 1 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CAN-2002-0012 ACCEPTED 1 Microsoft Windows NT Multiple UNC Provider (MUP) Tiffany Bergeron Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. CVE-2002-0151 ACCEPTED 1 Microsoft Windows NT SMB (Server Message Block) Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. CAN-2003-0345 ACCEPTED 2 Microsoft Windows 2000 Windows Shell Christine Walzer Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled. CVE-2002-0070 ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. CVE-2002-0367 ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. CVE-2002-0018 ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CAN-2002-0012 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Andrew Buttner Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise." CVE-2002-0364 ACCEPTED 3 Microsoft Windows XP Authenticode Tiffany Bergeron Andrew Buttner Andrew Buttner ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval. CAN-2003-0660 ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2000 Christine Walzer Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document. CAN-2003-0664 ACCEPTED 2