5.1 2007-01-29T12:58:40.361-05:00 The MITRE Corporation Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." Robert L. Hollis Christine Walzer Jonathan Baker Matthew Wojcik INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. Robert L. Hollis Christine Walzer Jonathan Baker INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. Robert L. Hollis Jonathan Baker Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Firefox before 1.0.5 allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the _search target, then injecting script into other pages via a data: URL. Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. Robert L. Hollis Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As Wallpaper" (in Firefox) or "Set as Background" (in Netscape) context menu on an image URL that is really a javascript: URL with an eval statement, aka "Firewalling." Robert L. Hollis INTERIM Matthew Wojcik Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Thunderbird Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. Robert L. Hollis Christine Walzer Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers bypass the user's intended privacy and security policy by using cookies in e-mail messages. Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Thunderbird Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the invocation between multiple products is a common practice, and the vulnerabilities inherent in multi-product interactions are not easily enumerable, this issue might be REJECTED in the future. Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Thunderbird Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated. Robert L. Hollis Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. Robert L. Hollis Christine Walzer Jonathan Baker INTERIM ACCEPTED John Hoyland INTERIM John Hoyland INTERIM Microsoft Windows Server 2003 COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM Andrew Buttner INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. Jonathan Baker DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM INTERIM Microsoft Windows XP Services for UNIX The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. Jonathan Baker DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Media Player Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows XP Windows Media Player Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows XP Windows kernel Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 98 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability." Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis INTERIM Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxyserver that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem. Harvey Rubinovitz DRAFT Jonathan Baker INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Internet Explorer Heap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM INTERIM