5.1 2007-01-29T13:01:55.549-05:00 The MITRE Corporation Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Microsoft Windows NT HTML Help Facility Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname. Robert L. Hollis DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 95 Microsoft Outlook Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Microsoft Windows 2000 Windows Media Services Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. Tiffany Bergeron INTERIM John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Outlook Express Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. Robert L. Hollis DRAFT INTERIM ACCEPTED John Hoyland Anna Min INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows ME Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Jason Spashett INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. Harvey Rubinovitz DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Microsoft Internet Explorer 6 allows remote attackers to execute arbitrary code by using JavaScript to cause certain errors simultaneously, which results in the access of previously freed memory, aka "Script Error Handling Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM Matthew Wojcik INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM John Hoyland INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, aka "Redirect Cross-Domain Information Disclosure Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Microsoft Internet Explorer 5.01 and 6 does not properly handle uninitialized COM objects, which allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code, as demonstrated by the Nth function in the DirectAnimation.DATuple ActiveX control, aka "COM Object Instantiation Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM Microsoft Windows XP Flash Player Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 allows remote attackers to execute arbitrary commands via a malformed .swf file that results in "multiple improper memory access" errors. Robert L. Hollis DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED RobertL. Hollis INTERIM INTERIM