The OVAL Repository 5.10 2012-01-27T05:09:53.777-05:00 Microsoft Office 2003 Microsoft Office 2007 Microsoft Office Visio 2002 Microsoft Office XP Microsoft PowerPoint Viewer Microsoft SQL Server 2005 Integer overflow in gdiplus.dll in GDI+ in Microsoft Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a BMP image file with a malformed BitMapInfoHeader that triggers a buffer overflow, aka "GDI+ BMP Integer Overflow Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED Mike Lah INTERIM ACCEPTED Pradeep R B INTERIM ACCEPTED Dragos Prisaca INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft SQL Server 2005 Microsoft SQL Server 2005 SP2 is installed. J. Daniel Brown DRAFT INTERIM ACCEPTED Dragos Prisaca INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Microsoft Office Visio 2002 SP2 is installed. Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Microsoft Office XP is installed. Robert L. Hollis INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED Dragos Prisaca INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Dragos Prisaca INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft SQL Server 2005 Microsoft SQL Server 2005 is installed. Dragos Prisaca DRAFT INTERIM ACCEPTED J. Daniel Brown INTERIM ACCEPTED Dragos Prisaca INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista The application Microsoft PowerPoint Viewer is installed. Dragos Prisaca DRAFT INTERIM ACCEPTED Brendan Miles INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Microsoft Office 2003 is installed. Robert L. Hollis INTERIM ACCEPTED Jonathan Baker INTERIM Ken Lassesen ACCEPTED Rachana Shetty INTERIM ACCEPTED Chandan S INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Office 2007 The application Microsoft Office 2007 is installed. Jonathan Baker DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Jonathan Baker ACCEPTED ACCEPTED Wireshark The IPMI dissector in Wireshark 1.2.0 through 1.2.9 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. Preeti Subramanian DRAFT INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows 7 Wireshark Wireshark is installed on the system. Prabhu S A DRAFT INTERIM ACCEPTED J. Daniel Brown INTERIM ACCEPTED Preeti Subramanian INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED ACCEPTED Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Nate Przybyszewski INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Jet Database Engine Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Components 2.5 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Josh Turpin DEPRECATED DEPRECATED Microsoft Windows NT HTML Help Facility Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis Jonathan Baker ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT SNMP Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Microsoft Windows NT Local Descriptor Table (LDT) The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. Jonathan Baker INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Enhanced Metafile (EMF) Windows Metafile (WMF) Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows logon process (winlogon) Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Simple Network Management Protocol (SNMP) Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Harvey Rubinovitz Jonathan Baker ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 MSN Messenger Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. Christine Walzer INTERIM Andrew Buttner ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. Tiffany Bergeron Josh Turpin DEPRECATED DEPRECATED Microsoft Windows NT Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.5 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. Tiffany Bergeron David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Nate Przybyszewski DEPRECATED Sudhir Gandhe Shane Shaffer DEPRECATED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.1 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. Tiffany Bergeron David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Nate Przybyszewski DEPRECATED Sudhir Gandhe Shane Shaffer DEPRECATED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Data Access Components 2.8 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM Jeff Cheng ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Messenger Microsoft MSN Messenger Adobe Acrobat Reader Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. Josh Turpin DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista MSN Messenger MSN Messenger 6.1 is installed Josh Turpin DRAFT INTERIM ACCEPTED David Rothenberg INTERIM ACCEPTED ACCEPTED Microsoft Windows XP A version of Microsoft Windows XP (x86) Service Pack 2 is installed. Andrew Buttner DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Dragos Prisaca INTERIM ACCEPTED Tim Harrison INTERIM Tim Harrison Tim Harrison ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Microsoft Windows XP A version of Microsoft Windows XP Professional x64 Edition Service Pack 1 is installed. Andrew Buttner DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Brendan Miles INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Todd Dolinsky INTERIM Tim Harrison Tim Harrison Tim Harrison ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Windows Messenger 4.7 is installed Dragos Prisaca DRAFT INTERIM ACCEPTED Dragos Prisaca INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 A version of Microsoft Windows Server 2003 Service Pack 1 (x86) is installed. Robert L. Hollis DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Tim Harrison INTERIM Tim Harrison Tim Harrison ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED David Rothenberg INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 The operating system installed on the system is Microsoft Windows 2000 SP4 or later. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Tim Harrison INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista MSN Messenger MSN Messenger 6.2 is installed Robert L. Hollis DRAFT INTERIM ACCEPTED David Rothenberg INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 A version of Microsoft Windows Server 2003 (x86) Gold is installed. Robert L. Hollis DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Tim Harrison INTERIM Tim Harrison Tim Harrison ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED David Rothenberg INTERIM ACCEPTED ACCEPTED Microsoft Windows XP The operating system installed on the system is Microsoft Windows XP SP1 (32-bit). Robert L. Hollis DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Data Access Components 2.7 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Andrew Simmons INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." Tiffany Bergeron ACCEPTED Glenn Strickland INTERIM ACCEPTED Josh Turpin DEPRECATED DEPRECATED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Animated Cursor The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. Christine Walzer DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2002 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Matthew Wojcik INTERIM John Hoyland ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT NetDDE Agent NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation." Ingrid Skoog DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM ACCEPTED Mike Lah INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 97 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Matthew Wojcik INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Robert L. Hollis ACCEPTED Mike Lah INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2002 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Data Access Components 2.8 The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability." Ingrid Skoog DRAFT INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis INTERIM John Hoyland ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Glenn Strickland Jonathan Baker Jonathan Baker Shane Shaffer Sudhir Gandhe Shane Shaffer INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. Robert L. Hollis DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Remote Access Service (RAS) Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. Tiffany Bergeron Jonathan Baker ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 98 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM INTERIM Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 97 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Ingrid Skoog Dragos Prisaca INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Virtual Machine (VM) Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. Tiffany Bergeron Josh Turpin DEPRECATED DEPRECATED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Components 2.6 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Remote Procedure Call (RPC) The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values. Matthew Burton DRAFT INTERIM ACCEPTED Matthew Burton INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Components 2.5 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Network News Transport Protocol (NNTP) The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. Christine Walzer DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Remote Access Service (RAS) The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities. Matt Busby INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Proxy Server 2.0 SP1 Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results. Christine Walzer DRAFT INTERIM Christine Walzer Ingrid Skoog ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows NT DHCP The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability." Ingrid Skoog DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows NT 4.0 The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Data Access Components 2.8 The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability." Ingrid Skoog DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT VDM The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Word for Windows 6.0 Converter Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT HyperTerminal HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED John Hoyland INTERIM Daniel Tarnu ACCEPTED Jonathan Baker INTERIM ACCEPTED Mike Lah INTERIM Mike Lah ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. Tiffany Bergeron ACCEPTED Glenn Strickland INTERIM ACCEPTED Josh Turpin DEPRECATED DEPRECATED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Adobe Acrobat Reader Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. Matthew Wojcik DRAFT INTERIM ACCEPTED DEPRECATED DEPRECATED Microsoft Windows NT Windows Internet Naming Service (WINS) The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." Matthew Burton DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Word for Windows 6.0 Converter Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Visual Studio .NET 2002 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. Ingrid Skoog DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED John Hoyland INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows NT DHCP The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability." Ingrid Skoog DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Samba Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document. Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2002 Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated. Matthew Burton DRAFT John Hoyland INTERIM Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2003 Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Chris Wood INTERIM ACCEPTED Sharath S INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office XP SP3 Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames. Ingrid Skoog Ingrid Skoog Ingrid Skoog Anna Min DRAFT INTERIM ACCEPTED INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows kernel The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." Christine Walzer DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Simple Network Management Protocol (SNMP) Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available. Matt Busby Matthew Burton DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT HyperTerminal HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED John Hoyland INTERIM ACCEPTED John Hoyland INTERIM Daniel Tarnu ACCEPTED Jonathan Baker INTERIM ACCEPTED Mike Lah INTERIM Mike Lah ACCEPTED ACCEPTED Microsoft Windows NT Windows Animated Cursor The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. Christine Walzer DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT VDM The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. Ingrid Skoog DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Office XP SP2 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Project Professional 2003 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. Tiffany Bergeron ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED Sudhir Gandhe INTERIM Shane Shaffer ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Explorer The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT DHCP The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability." Ingrid Skoog DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows NT Microsoft Data Access Components 2.1 Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub. Ingrid Skoog DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Clifford Farrugia INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT HTML Help ActiveX Control Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability." Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2000 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Cursor and Icon Formatting Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." Christine Walzer DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Office Visio Professional 2003 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Microsoft Office Visio 2003 is installed. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Word for Windows 6.0 Converter Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows NT 4.0 The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method. Tiffany Bergeron INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT HTML Help Facility Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis Jonathan Baker ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Cursor and Icon Formatting Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." Christine Walzer DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Office Visio Professional 2002 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED Microsoft Windows NT Program Group Converter Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. Andrew Buttner DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Project Professional 2002 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Components 2.6 Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub. Ingrid Skoog DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Clifford Farrugia INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Adobe Acrobat Reader Format string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an .ETD document containing format string specifiers in (1) title or (2) baseurl fields. Matthew Wojcik DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED iDEFENSE reports that deleting eBook.api from the plug_ins directory is a workaround. See http://www.idefense.com/application/poi/display?id=163&type=vulnerabilities Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Office Visio Professional 2002 Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames. Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Internet Naming Service (WINS) The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." Matthew Burton DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Components 2.5 Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub. Ingrid Skoog DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Clifford Farrugia INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2000 Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document. Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT