Generator: The MITRE Corporation; schema version 5.0; timestamp 2006-11-01T10:04:35.729-05:00

Title: VML Buffer Overrun Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Word 2003 (wordview) Malicious .doc Buffer Overflow II
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 2003
Description: Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.
Contributors / status trail: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; Chris Wood; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Media Player 8 Bitmap Remote Code Execution
Platforms: Microsoft Windows XP
Product: Windows Media Player
Description: Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Media Player 7.10 Bitmap Remote Code Execution
Platforms: Microsoft Windows 2000
Product: Windows Media Player
Description: Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Media Player 10 Bitmap Remote Code Execution
Platforms: Microsoft Windows XP
Product: Windows Media Player
Description: Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; Robert L. Hollis; ACCEPTED; ACCEPTED

Title: Windows Media Player 9 Bitmap Remote Code Execution
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Windows Media Player
Description: Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: PowerPoint Malformed Record Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via an unspecified "crafted file," a different vulnerability than CVE-2006-3435, CVE-2006-4694, and CVE-2006-3876.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft XML Core Services Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft XML Core Services
Description: The XMLHTTP ActiveX control in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 does not properly handle HTTP server-side redirects, which allows remote user-assisted attackers to access content from other domains.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Office Malformed Chart Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac do not properly parse the length of a chart record, which allows remote user-assisted attackers to execute arbitrary code via a Word document with an embedded malformed chart record that triggers an overwrite of pointer values with values from the document, a different vulnerability than CVE-2006-3434, CVE-2006-3864, and CVE-2006-3868.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: PowerPoint Malformed Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office XP and Office 2003 allows user-assisted attackers to execute arbitrary code via a crafted record in a PPT file, as exploited by malware such as Exploit:Win32/Controlppt.W, Exploit:Win32/Controlppt.X, and Exploit-PPT.d/Trojan.PPDropper.F. NOTE: it has been reported that the attack vector involves SlideShowWindows.View.GotoNamedShow.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: TCP Connection Reset Vulnerability
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Office Property Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with a malformed property that triggers memory corruption related to record lengths, aka "Microsoft Office Property Vulnerability," a different vulnerability than CVE-2006-1316.
Contributors / status trail: Robert L. Hollis; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Title: XSLT Buffer Overrun Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft XML Core Services
Description: Buffer overflow in the Extensible Stylesheet Language Transformations (XSLT) processing in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 allows remote attackers to execute arbitrary code via a crafted Web page.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft XML Core Services 6 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: Microsoft XML Core Services 6 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft XML Core Services 5 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: Microsoft XML Core Services 5 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft XML Core Services 4 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: Microsoft XML Core Services 4 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft XML Core Services 3 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: Microsoft XML Core Services 3 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Windows Shell Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a 0x7fffffff argument to the setSlice method on a WebViewFolderIcon ActiveX object, which leads to an invalid memory copy.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: .NET Framework 2.0 Cross-Site Scripting Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: .NET Framework
Description: Cross-site scripting (XSS) vulnerability in Microsoft .NET Framework 2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "ASP.NET controls that set the AutoPostBack property to true".
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Office Improper Memory Access Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string that triggers memory corruption.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Word Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word
Description: Integer overflow in Microsoft Word 2000, 2002, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string in a Word document, which overflows a 16-bit integer length value, aka "Memmove Code Execution," a different vulnerability than CVE-2006-3651 and CVE-2006-4693.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Word 2003 (wordview) Malicious .doc Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 2003
Description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
Contributors / status trail: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; Chris Wood; INTERIM; ACCEPTED; ACCEPTED

Title: Server Service Denial of Service Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: The server driver (srv.sys) in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service (system crash) via an SMB_COM_TRANSACTION SMB message that contains a string without null character termination, which leads to a NULL dereference in the ExecuteTransaction function, possibly related to an "SMB PIPE," aka the "Mailslot DOS" vulnerability. NOTE: the name "Mailslot DOS" was derived from incomplete initial research; the vulnerability is not associated with a mailslot.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Excel Malformed STYLE Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Buffer overflow in certain Asian language versions of Microsoft Excel might allow user-assisted attackers to execute arbitrary code via a crafted STYLE record in a spreadsheet that triggers the overflow when the user attempts to repair the document or selects the "Style" option, as demonstrated by nanika.xls. NOTE: Microsoft has confirmed to CVE via e-mail that this is different than the other Excel vulnerabilities announced before 20060707, including CVE-2006-3059 and CVE-2006-3086.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: PowerPoint Malformed Data Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via a crafted Data record in a PPT file, a different vulnerability than CVE-2006-3435 and CVE-2006-4694.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: PowerPoint Malformed Object Pointer Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: PowerPoint in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac does not properly parse the slide notes field in a document, which allows remote user-assisted attackers to execute arbitrary code via crafted data in this field, which triggers an erroneous object pointer calculation that uses data from within the document. NOTE: this issue is different than other PowerPoint vulnerabilities including CVE-2006-4694.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Excel Handling of Lotus 1-2-3 File Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted Lotus 1-2-3 file, a different vulnerability than CVE-2006-2387 and CVE-2006-3875.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Spoofed Connection Request Vulnerability
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Excel Malformed COLINFO Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted COLINFO record in an XLS file, a different vulnerability than CVE-2006-2387 and CVE-2006-3867.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Object Packager Dialogue Spoofing Vulnerability
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Argument injection vulnerability in the Windows Object Packager (packager.exe) in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a "/" (slash) character in the filename of the Command Line property, followed by a valid file extension, which causes the command before the slash to be executed, aka "Object Packager Dialogue Spoofing Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Word Mail Merge Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word
Description: Unspecified vulnerability in Microsoft Word 2000, 2002, and Office 2003 allows remote user-assisted attackers to execute arbitrary code via a crafted mail merge file, a different vulnerability than CVE-2006-3647 and CVE-2006-4693.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: ICMP Connection Reset Vulnerability
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Excel Malformed DATETIME Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, Excel Viewer 2003, and Microsoft Works Suite 2004 through 2006 allows user-assisted attackers to execute arbitrary code via a crafted DATETIME record in an XLS file, a different vulnerability than CVE-2006-3867 and CVE-2006-3875.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Word Malformed Stack Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word
Description: Unspecified vulnerability in Microsoft Word 2000, 2002, and Office 2003 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors involving a crafted file resulting in a malformed stack, as exploited by malware with names including Trojan.Mdropper.Q, Mofei, and Femo.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Word Viewer is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Word Viewer is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Word 2002 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Word 2002 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Word 2000 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Word 2000 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Publisher Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Publisher
Description: Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts.
Contributors / status trail: Robert L. Hollis; DRAFT; Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Publisher 2003 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Publisher 2003 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Publisher 2000 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Publisher 2000 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Publisher 2002 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Publisher 2002 is installed.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Office Malformed Record Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in mso.dll in Microsoft Office 2000, XP, and 2003, and Microsoft PowerPoint 2000, XP, and 2003, allows remote user-assisted attackers to execute arbitrary code via a malformed record in a (1) .DOC, (2) .PPT, or (3) .XLS file that triggers memory corruption, related to an "array boundary condition" (possibly an array index overflow), a different vulnerability than CVE-2006-3434, CVE-2006-3650, and CVE-2006-3868.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Microsoft Office Smart Tag Parsing Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Office XP and 2003 allows remote user-assisted attackers to execute arbitrary code via a malformed Smart Tag.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: SMB Rename Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Unspecified vulnerability in the Server service in Microsoft Windows 2000 SP4, Server 2003 SP1 and earlier, and XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted packet, aka "SMB Rename Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; INTERIM

Title: Install Function in Firefox and Mozilla Permits Arbitrary Code Execution
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.
Contributors / status trail: Robert L. Hollis; Jonathan Baker; INTERIM; Matthew Wojcik; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: IFRAME in Firefox and Mozilla Permits Execution of Arbitrary Javascript in Other Domains
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477.
Contributors / status trail: Robert L. Hollis; Jonathan Baker; INTERIM; Matthew Wojcik; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: Mozilla Script Privilege Context Vulnerabilities
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla; Firefox
Description: Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CVE-2005-1160.
Contributors / status trail: Robert L. Hollis; Jonathan Baker; INTERIM; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: Mozilla JavaScript Wrapping Vulnerability
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla; Firefox
Description: Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript: URLs, as demonstrated using (1) a javascript: URL in a view-source: URL, (2) a javascript: URL in a jar: URL, or (3) "a nested variant."
Contributors / status trail: Robert L. Hollis; Jonathan Baker; INTERIM; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft JScript Memory Corruption Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint 2003 Remote Code Execution Using a Malformed Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption.
Contributors / status trail: Robert L. Hollis; DRAFT; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Title: Exchange Server 2003,SP2 when running Outlook Web Access Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Exchange Server
Description: Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Exception Handling Memory Corruption Vulnerability (S03,SP1)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Unspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: COM Object Instantiation Memory Corruption Vulnerability (S03,SP1)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Multiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: SMB Driver Elevation of Privilege Vulnerability (S03,SP1)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Exchange Server 2003,SP1 when running Outlook Web Access Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Exchange Server
Description: Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: MHT Memory Corruption Vulnerability (S03,SP1)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Media Player PNG Vulnerability (v7.1)
Platforms: Microsoft Windows 2000
Product: Media Player
Description: Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Exchange Server 2000 when running Outlook Web Access Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Exchange Server
Description: Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: HTML Decoding Memory Corruption Vulnerability (Win2K)
Platforms: Microsoft Windows 2000
Product: Internet Explorer
Description: Heap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Word2003 Malformed Object Pointer Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word
Description: Buffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.
Contributors / status trail: Robert L. Hollis; DRAFT; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: MHT Memory Corruption Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Address Bar Spoofing Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IP Source Route Vulnerability (XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: CSS Cross-Domain Information Disclosure Vulnerability (S03,SP1)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Address Bar Spoofing Vulnerability (Win2K)
Platforms: Microsoft Windows 2000
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IP Source Route Vulnerability (XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: RRAS Memory Corruption Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: ART Image Rendering Vulnerability (2K/XP)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and SP2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 Plug and Play Buffer Overflow Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Flash Address Bar Spoofing Vulnerability (Win2K)
Platforms: Microsoft Windows 2000
Product: Internet Explorer
Description: Internet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Flash Address Bar Spoofing Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Internet Explorer
Description: Internet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: MHT Memory Corruption Vulnerability (WinXP,SP2)
Platforms: Microsoft Windows XP
Product: Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: HTML Decoding Memory Corruption Vulnerability (2K/XP)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Internet Explorer
Description: Heap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: ART Image Rendering Vulnerability (XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and SP2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft JScript Memory Corruption Vulnerability (Win2K)
Platforms: Microsoft Windows 2000
Product: Operating System
Description: Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Address Bar Spoofing Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: MHT Memory Corruption Vulnerability (2K/XP)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: ART Image Rendering Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and SP2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: RASMAN Registry Corruption Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Address Bar Spoofing Vulnerability (XP,SP2)
Platforms: Microsoft Windows XP
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IP Source Route Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: RRAS Memory Corruption Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Exception Handling Memory Corruption Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Unspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Media Player PNG Vulnerability (v10.0 on WinXP)
Platforms: Microsoft Windows XP
Product: Media Player
Description: Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.
Contributors / status trail: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED
HollisDRAFTINTERIMACCEPTEDACCEPTEDSMB Driver Elevation of Privilege Vulnerability (64-bit XP)Microsoft Windows XPOperating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Word2002 Malformed Object Pointer VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft WordBuffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 Sp1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.Robert L. HollisDRAFTJohn HoylandINTERIMACCEPTEDACCEPTEDRRAS Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Operating SystemBuffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHTML Decoding Memory Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerHeap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDART Image Rendering Vulnerability (Win2K)Microsoft Windows 2000Operating SystemBuffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and Sp2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRPC Mutual Authentication VulnerabilityMicrosoft Windows 2000Operating SystemMicrosoft Windows 2000 SP4 does not properly validate an RPC server during mutual authentication over SSL, which allows remote attackers to spoof an RPC server, aka the "RPC Mutual Authentication Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDException Handling Memory Corruption Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCOM Object Instantiation Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerMultiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDException Handling Memory Corruption Vulnerability (XP,SP2)Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDAddress Bar Spoofing Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerMicrosoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIP Source Route Vulnerability (WinS03)Microsoft Windows Server 2003Operating SystemBuffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft JScript Memory Corruption Vulnerability (Win2K w/ JScript 5.6)Microsoft Windows 2000Operating SystemMicrosoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDIP Source Route Vulnerability (Win2K)Microsoft Windows 2000Operating SystemBuffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDAddress Bar Spoofing Vulnerability (S03,SP1)Microsoft Windows Server 2003Internet ExplorerMicrosoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to conduct spoofing and phishing attacks by using a modal browser window in a way that preserves the original address bar and trusted UI of a trusted site, even after the browser has been navigated to a malicious site, aka the "Address Bar Spoofing Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSMB Driver Elevation of Privilege Vulnerability (WinS03)Microsoft Windows Server 2003Operating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000,SP4 Remote Desktop Protocol (RDP) DoS VulnerabilityMicrosoft Windows 2000Operating SystemThe Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDCSS Cross-Domain Information Disclosure Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerMicrosoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Media Player PNG Vulnerability (v10.0, 64-bit)Microsoft Windows XPMicrosoft Windows Server 2003Media PlayerStack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDFlash Address Bar Spoofing Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerInternet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Media Player PNG Vulnerability (v8.0)Microsoft Windows XPMedia PlayerStack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Media Player PNG Vulnerability (v9.0)Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Media PlayerStack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDActiveX Control Memory Corruption Vulnerability (S03,SP1)Microsoft Windows Server 2003Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRRAS Memory Corruption Vulnerability (WinXP,SP2)Microsoft Windows XPOperating SystemBuffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSMB Invalid Handle Vulnerability (S03,SP1)Microsoft Windows Server 2003Operating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows localusers to cause a denial of service (hang) via by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDCOM Object Instantiation Memory Corruption Vulnerability (XP,SP2)Microsoft Windows XPInternet ExplorerMultiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft PowerPoint 2002 Remote Code Execution Using a Malformed Record VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft PowerPointUnspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption.Robert L. HollisDRAFTMatthew WojcikINTERIMACCEPTEDACCEPTEDCSS Cross-Domain Information Disclosure Vulnerability (XP,SP2)Microsoft Windows XPInternet ExplorerMicrosoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDSMB Invalid Handle Vulnerability (XP,SP2)Microsoft Windows XPOperating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) via by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDFlash Address Bar Spoofing Vulnerability (XP,SP2)Microsoft Windows XPInternet ExplorerInternet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDException Handling Memory Corruption Vulnerability (Win2k)Microsoft Windows 2000Internet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRASMAN Registry Corruption Vulnerability (XP,SP2)Microsoft Windows XPOperating SystemBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDSMB Invalid Handle Vulnerability (Win2K)Microsoft Windows 2000Operating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) via by calling the MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRASMAN Registry Corruption Vulnerability (S03,SP1)Microsoft Windows Server 2003Operating SystemBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRASMAN Registry Corruption Vulnerability (Win2K)Microsoft Windows 2000Operating SystemBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHTML Decoding Memory Corruption Vulnerability (64-bit XP)Microsoft Windows XPInternet ExplorerHeap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDART Image Rendering Vulnerability (WinS03)Microsoft Windows Server 2003Operating SystemBuffer overflow in the ART Image Rendering component (jgdw400.dll) in Microsoft Windows XP SP1 and Sp2, Server 2003 SP1 and earlier, and Windows 98 and Me allows remote attackers to execute arbitrary code via a crafted ART image that causes heap corruption.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDFlash Address Bar Spoofing Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerInternet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDActiveX Control Memory Corruption Vulnerability (XP,SP2)Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDSMB Driver Elevation of Privilege Vulnerability (Win2K)Microsoft Windows 2000Operating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDHTML Decoding Memory Corruption Vulnerability (S03,SP1)Microsoft Windows Server 2003Internet ExplorerHeap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRASMAN Registry Corruption Vulnerability (XP,SP1)Microsoft Windows XPOperating SystemBuffer overflow in the Remote Access Connection Manager service (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMHT Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCSS Cross-Domain Information Disclosure Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerMicrosoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMHT Memory Corruption Vulnerability (64-bit XP)Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDFlash Address Bar Spoofing Vulnerability (S03,SP1)Microsoft Windows Server 2003Internet ExplorerInternet Explorer 6 for Windows XP SP2 and earlier allows remote attackers to spoof the address bar and possibly conduct phishing attacks by re-opening the window to a malicious Shockwave Flash application, then changing the window location back to a trusted URL while the Flash application is still loading. NOTE: this is a different vulnerability than CVE-2006-1192.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDActiveX Control Memory Corruption Vulnerability (Win2K)Microsoft Windows 2000Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDCOM Object Instantiation Memory Corruption Vulnerability (64-bit XP)Microsoft Windows XPInternet ExplorerMultiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDHTML Decoding Memory Corruption Vulnerability (XP,SP2)Microsoft Windows XPInternet ExplorerHeap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via crafted UTF-8 encoded HTML that results in size discrepancies during conversion to Unicode, aka "HTML Decoding Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDRRAS Memory Corruption Vulnerability (S03,SP1)Microsoft Windows Server 2003Operating SystemBuffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDSMB Driver Elevation of Privilege Vulnerability (XP,SP2)Microsoft Windows XPOperating SystemThe Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDActiveX Control Memory Corruption Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDActiveX Control Memory Corruption Vulnerability (WinS03)Microsoft Windows Server 2003Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDException Handling Memory Corruption Vulnerability(64-bit XP)Microsoft Windows XPInternet ExplorerUnspecified vulnerability in Internet Explorer 6.0 on Microsoft Windows XP SP2 allows remote attackers to execute arbitrary code via "exceptional conditions" that trigger memory corruption, as demonstrated using an exception handler and nested object tags, a variant of CVE-2006-1992.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDCOM Object Instantiation Memory Corruption Vulnerability (2K/XP)Microsoft Windows 2000Microsoft Windows XPInternet ExplorerMultiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Media Player PNG Vulnerability (v10.0 on S03)Microsoft Windows Server 2003Media PlayerStack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCSS Cross-Domain Information Disclosure Vulnerability (64-bit XP)Microsoft Windows XPInternet ExplorerMicrosoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."Robert L. 
Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: SMB Invalid Handle Vulnerability (XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) by calling MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: RASMAN Registry Corruption Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the Remote Access Connection Manager (RASMAN) service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests" that lead to registry corruption and stack corruption, aka the "RASMAN Registry Corruption Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint 2000 Remote Code Execution Using a Malformed Record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft PowerPoint
Description: Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption.
History: Robert L. Hollis; DRAFT; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: CSS Cross-Domain Information Disclosure Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer allows remote attackers to bypass cross-domain security restrictions and obtain sensitive information by using the @import directive to download files from other domains that are not valid Cascading Style Sheets (CSS) files, as demonstrated using Google Desktop, aka "CSSXSS" and "CSS Cross-Domain Information Disclosure Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft JScript Memory Corruption Vulnerability (WinXP)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Windows XP, Server 2003, Windows 98 and Windows Me, will "release objects early" in certain cases, which results in memory corruption and allows remote attackers to execute arbitrary code.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: SMB Driver Elevation of Privilege Vulnerability (XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: ActiveX Control Memory Corruption Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remote attackers to execute arbitrary code via "unexpected data" related to "parameter validation" in the DXImageTransform.Microsoft.Light ActiveX control, which causes Internet Explorer to crash in a way that enables the code execution.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: COM Object Instantiation Memory Corruption Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Internet Explorer
Description: Multiple unspecified vulnerabilities in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allow remote attackers to execute arbitrary code by instantiating certain COM objects from Wmm2fxa.dll as ActiveX controls including (1) DXImageTransform.Microsoft.MMSpecialEffect1Input, (2) DXImageTransform.Microsoft.MMSpecialEffect1Input.1, (3) DXImageTransform.Microsoft.MMSpecialEffect2Inputs, (4) DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, (5) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and (6) DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, which causes memory corruption during garbage collection.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IP Source Route Vulnerability (S03,SP1)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the TCP/IP Protocol driver in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via unknown vectors related to IP source routing.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: SMB Invalid Handle Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) by calling MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: SMB Invalid Handle Vulnerability (WinS03)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to cause a denial of service (hang) by calling MrxSmbCscIoctlCloseForCopyChunk with the file handle of the shadow device, which results in a deadlock, aka the "SMB Invalid Handle Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: RRAS Memory Corruption Vulnerability (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Word2000 Malformed Object Pointer Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word
Description: Buffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.
History: Robert L. Hollis; DRAFT; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP,SP2 Print Spooler Service Buffer Overflow
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP Plug and Play Buffer Overflow Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003,SP1 Remote Desktop Protocol (RDP) DoS Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP,SP2 Remote Desktop Protocol (RDP) DoS Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: PGM Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: MSMQ Service
Description: Unspecified vulnerability in Pragmatic General Multicast (PGM) in Microsoft Windows XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted multicast message.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Plug and Play Buffer Overflow Vulnerability
Platforms: Microsoft Windows 2000
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP,SP2 Plug and Play Buffer Overflow Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Indexing Service Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Indexing Service
Description: Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 Remote Desktop Protocol (RDP) DoS Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP,SP1 Remote Desktop Protocol (RDP) DoS Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 Plug and Play Buffer Overflow Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IE6,SP2 PNG Image Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
History: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; Anna Min; INTERIM; INTERIM

Title: IE5.01,SP4 PNG Image Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
History: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Anna Min; INTERIM; INTERIM

Title: IE5.01,SP3 PNG Image Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
History: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; Anna Min; INTERIM; INTERIM

Title: IE6,SP1 PNG Image Buffer Overflow
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
History: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; Anna Min; INTERIM; INTERIM

Title: IE6 for Server 2003 PNG Image Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.
History: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; Anna Min; INTERIM; INTERIM

Title: Hyperlink Object Function Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Unspecified vulnerability in Microsoft Hyperlink Object Library (hlink.dll), possibly a buffer overflow, allows user-assisted attackers to execute arbitrary code via crafted hyperlinks that are not properly handled when hlink.dll "uses a file containing a malformed function," aka "Hyperlink Object Function Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Buffer Overrun in HTML Help Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Heap-based buffer overflow in HTML Help ActiveX control (hhctrl.ocx) in Microsoft Internet Explorer 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code by repeatedly setting the Image field of an Internet.HHCtrl.1 object to certain values, possibly related to improper escaping and long strings.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: User Profile Elevation of Privilege Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Untrusted search path vulnerability in Winlogon in Microsoft Windows 2000 SP4, when SafeDllSearchMode is disabled, allows local users to gain privileges via a malicious DLL in the UserProfile directory, aka "User Profile Elevation of Privilege Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Office Remote Code Execution Using a Malformed PNG Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted PNG image that triggers memory corruption when it is parsed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Window Location Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 and 6 allows certain script to persist across navigations between pages, which allows remote attackers to obtain the window location of visited web pages in other domains or zones, aka "Window Location Information Disclosure Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Word 2003 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Word 2003 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Office Remote Code Execution Using a Malformed GIF Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: Buffer overflow in GIFIMP32.FLT, as used in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted GIF image that triggers memory corruption when it is parsed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Buffer Overrun in DHCP Client Service Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: DHCP Client
Description: Buffer overflow in the DHCP Client service for Microsoft Windows 2000 SP4, Windows XP SP1 and SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via a crafted DHCP response.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed File Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Microsoft Office Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via malformed cell comments, which lead to modification of "critical data offsets" during the rebuilding process.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed FNGROUPCOUNT value Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted FNGROUPCOUNT value.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: SMB Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: The Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to obtain sensitive information via crafted requests that leak information in SMB buffers, which are not properly initialized, aka "SMB Information Disclosure Vulnerability."
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Folder GUID Code Execution Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Microsoft Internet Explorer 6.0 does not properly handle Drag and Drop events, which allows remote user-assisted attackers to execute arbitrary code via a link to an SMB file share with a filename that contains encoded ..\ (%2e%2e%5c) sequences and whose extension contains the CLSID Key identifier for HTML Applications (HTA), aka "Folder GUID Code Execution Vulnerability." NOTE: directory traversal sequences were used in the original exploit, although their role is not clear.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint Malformed Records Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Unspecified vulnerability in Microsoft PowerPoint 2000 through 2003, possibly a buffer overflow, allows user-assisted remote attackers to execute arbitrary commands via a malformed record in the BIFF file format used in a PPT file, a different issue than CVE-2006-1540, aka "Microsoft PowerPoint Malformed Record Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed SELECTION record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with certain crafted fields in a SELECTION record, which triggers memory corruption, aka "Malformed SELECTION record Vulnerability."
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint 2000 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft PowerPoint 2000 is installed.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint 2003 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft PowerPoint 2003 is installed.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint 2002 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft PowerPoint 2002 is installed.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft PowerPoint Mso.dll Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows user-assisted attackers to execute arbitrary commands via a malformed shape container in a PPT file that leads to memory corruption, as exploited by Trojan.PPDropper.B, a different issue than CVE-2006-1540 and CVE-2006-3493.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft .NET Framework 2.0 is installed
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Description: Microsoft .NET Framework 2.0 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: .NET 2.0 Application Folder Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: .NET Framework
Description: Microsoft .NET framework 2.0 (ASP.NET) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1 allows remote attackers to bypass access restrictions via unspecified "URL paths" that can access Application Folder objects "explicitly by name."
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: HTML Layout and Positioning Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 6 allows remote attackers to execute arbitrary code by using the document.getElementByID Javascript function to access crafted Cascading Style Sheet (CSS) elements, and possibly other unspecified vectors involving certain layout positioning combinations in an HTML file.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Internet Information Services using Malformed Active Server Pages Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: IIS
Description: Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP).
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft IIS 6.0 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft IIS 6.0 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: IIS 5.1 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft IIS 5.1 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft IIS 5.0 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft IIS 5.0 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: MHTML Parsing Vulnerability
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Outlook Express
Description: Buffer overflow in INETCOMM.DLL, as used in Microsoft Internet Explorer 6.0 through 6.0 SP2, Windows Explorer, Outlook Express 6, and possibly other programs, allows remote user-assisted attackers to cause a denial of service (application crash) via a long mhtml URI in the URL value in a URL file.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: FTP Server Command Injection Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 and earlier allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Buffer Overrun in Server Service Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: CSS Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 5 SP4 and 6 do not properly garbage collect when "multiple imports are used on a styleSheets collection" to construct a chain of Cascading Style Sheets (CSS), which allows remote attackers to execute arbitrary code via unspecified vectors.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: HTML Rendering Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 SP4 and 6 does not properly handle various HTML layout component combinations, which allows user-assisted remote attackers to execute arbitrary code via a crafted HTML file that leads to memory corruption, aka "HTML Rendering Memory Corruption Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed File Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors. NOTE: this is a different vulnerability than CVE-2006-3086.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed COLINFO record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted COLINFO record, which triggers the overflow during a "data filling operation."
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed SELECTION record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted SELECTION record that triggers memory corruption, a different vulnerability than CVE-2006-1302.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Source Element Cross-Domain Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 and 6 does not properly identify the originating domain zone when handling redirects, which allows remote attackers to read cross-domain web pages and possibly execute code via unspecified vectors involving a crafted web page, aka "Source Element Cross-Domain Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: MS Word 98 Macro Names Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 98
Description: Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.
History: Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; INTERIM

Title: Mailslot Heap Overflow Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Heap-based buffer overflow in the Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to execute arbitrary code via crafted first-class Mailslot messages that trigger memory corruption and bypass size restrictions on second-class Mailslot messages.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: MMC Redirect Cross-Site Scripting Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Management Console
Description: Cross-site scripting (XSS) vulnerability in Internet Explorer 5.01 and 6 in Microsoft Windows 2000 SP4 permits access to local "HTML-embedded resource files" in the Microsoft Management Console (MMC) library, which allows remote authenticated users to execute arbitrary commands, aka "MMC Redirect Cross-Site Scripting Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Office Malformed String Parsing Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Kernel Elevation of Privilege Vulnerability
Platforms: Microsoft Windows 2000
Product: Operating System
Description: Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, probably a buffer overflow, allows local users to obtain privileges via unspecified vectors involving an "unchecked buffer."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Visual Basic for Applications Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Visual Basic
Description: Buffer overflow in Microsoft Visual Basic for Applications (VBA) SDK 6.0 through 6.4, as used by Microsoft Office 2000 SP3, Office XP SP3, Project 2000 SR1, Project 2002 SP1, Access 2000 Runtime SP3, Visio 2002 SP2, and Works Suite 2004 through 2006, allows user-assisted attackers to execute arbitrary code via unspecified document properties that are not verified when VBA is invoked to open documents.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Microsoft Internet Explorer 5.01 and 6 does not properly handle uninitialized COM objects, which allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code, as demonstrated by the Nth function in the DirectAnimation.DATuple ActiveX control, aka "COM Object Instantiation Memory Corruption Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: DNS Client Buffer Overrun Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the DNS Client service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted record response.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Internet Explorer 6 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Internet Explorer 6 is installed.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Internet Explorer 5.01,SP4 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Internet Explorer 5.01,SP4 is installed.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Redirect Cross-Domain Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Internet Explorer
Description: Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, aka "Redirect Cross-Domain Information Disclosure Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Winsock Hostname Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the Winsock API in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka "Winsock Hostname Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed LABEL record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted LABEL record that triggers memory corruption.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Unhandled Exception Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Unspecified vulnerability in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1, allows remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly "unloading chained exception."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Project 2002, SP1 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Project 2002, SP1 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Visio 2002, SP2 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Visio 2002, SP2 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Office 2002 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Office 2002 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Project 2000, SP1 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Project 2000, SP1 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Office 2003 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Office 2003 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Office Parsing Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office
Description: Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with a malformed string that triggers memory corruption related to record lengths, aka "Microsoft Office Parsing Vulnerability," a different vulnerability than CVE-2006-2389.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel 2003 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Excel 2003 is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel 2000 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Excel 2000 is installed.
History: Robert L. Hollis; DRAFT; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel 2002 is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Excel 2002 is installed.
History: Robert L. Hollis; DRAFT; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Viewer is installed
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Excel Viewer is installed.
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Excel Malformed OBJECT record Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel
Description: Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted BIFF record with an attacker-controlled array index that is used for a function pointer, aka "Malformed OBJECT record Vulnerability."
History: Robert L. Hollis; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Windows Server 2003, SP1 is installed
Platforms: Microsoft Windows Server 2003
Description: The operating system installed on the system is Microsoft Windows Server 2003, SP1.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Windows XP, SP2 is installed
Platforms: Microsoft Windows XP
Description: The operating system installed on the system is Microsoft Windows XP, SP2.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Windows XP, SP1 (64-bit) is installed
Platforms: Microsoft Windows XP
Description: The operating system installed on the system is Microsoft Windows XP, SP1 (64-bit).
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Windows 2000, SP4 is installed
Platforms: Microsoft Windows 2000
Description: The operating system installed on the system is Microsoft Windows 2000, SP4.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Windows Server 2003 is installed
Platforms: Microsoft Windows Server 2003
Description: The operating system installed on the system is Microsoft Windows Server 2003.
History: Andrew Buttner; ACCEPTED; ACCEPTED

Title: Microsoft Windows Server 2003 (Gold) is installed
Platforms: Microsoft Windows Server 2003
Description: The operating system installed on the system is Microsoft Windows Server 2003 (Gold).
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Windows XP is installed
Platforms: Microsoft Windows XP
Description: The operating system installed on the system is Microsoft Windows XP.
History: Andrew Buttner; ACCEPTED; ACCEPTED

Title: Microsoft Windows XP, SP1 (32-bit) is installed
Platforms: Microsoft Windows XP
Description: The operating system installed on the system is Microsoft Windows XP, SP1 (32-bit).
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Hyperlink Object Buffer Overflow Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Operating System
Description: Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP Help Center Command Insertion Vulnerability
Platforms: Microsoft Windows XP
Product: Help and Support Center (HSC)
Description: Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.
History: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; John Hoyland; INTERIM; Anna Min; ACCEPTED; ACCEPTED

Title: WinXP Management Vulnerability
Platforms: Microsoft Windows XP
Product: Windows XP
Description: Windows XP allows local users to execute arbitrary programs by creating a task at an elevated privilege level through the eventtriggers.exe command-line tool or the Task Scheduler service, aka "Windows Management Vulnerability."
History: Harvey Rubinovitz; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Script Engine Heap Overflow (Test 4)
Platforms: Microsoft Windows 2000
Product: Windows Script Engine for Jscript
Description: Integer overflow in the JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating systems allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.
History: DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; Anna Min; ACCEPTED; ACCEPTED

Title: Windows XP (32-Bit) Task Scheduler Stack Overflow
Platforms: Microsoft Windows XP
Product: Task Scheduler
Description: Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.
History: Tiffany Bergeron; Tiffany Bergeron; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP Negotiate Security Software Provider Denial of Service Vulnerability
Platforms: Microsoft Windows XP
Product: Negotiate SSP interface
Description: The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.
History: Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP (32-Bit) DirectPlay Denial of Service
Platforms: Microsoft Windows XP
Product: DirectX
Description: The IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a through 9.0b, as used in Windows Server 2003 and earlier, allows remote attackers to cause a denial of service (application crash) via a malformed packet.
History: Tiffany Bergeron; Tiffany Bergeron; Tiffany Bergeron; Tiffany Bergeron; INTERIM; ACCEPTED; Anna Min; INTERIM; ACCEPTED; ACCEPTED

Title: Office XP URL Buffer Overflow
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Office XP SP3
Description: Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00" (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames.
History: Ingrid Skoog; Ingrid Skoog; Ingrid Skoog; Anna Min; DRAFT; INTERIM; ACCEPTED; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT Windows POSIX Buffer
OverflowMicrosoft Windows NTPOSIXThe POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.Ingrid SkoogIngrid SkoogINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWindows 2000 Windows POSIX Buffer OverflowMicrosoft Windows 2000POSIXThe POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.Ingrid SkoogINTERIMACCEPTEDJohn HoylandMatthew WojcikINTERIMACCEPTEDACCEPTEDMicrosoft Windows 2000 is installedMicrosoft Windows 2000The operating system installed on the system is Microsoft Windows 2000.Andrew ButtnerACCEPTEDACCEPTEDWindows 2000 winlogon Remote Buffer OverflowMicrosoft Windows 2000Windows logon process (winlogon)Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandMatthew WojcikINTERIMACCEPTEDACCEPTEDFirefox Wallpaper VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxFirefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As Wallpaper" (in Firefox) or "Set as Background" (in Netscape) context menu on an image URL that is really a javascript: URL with an eval statement, aka "Firewalling."Robert L. 
HollisINTERIMMatthew WojcikMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDMatthew WojcikACCEPTEDACCEPTEDServer 2003,SP1 PKINIT Information Disclosure VulnerabilityMicrosoft Windows Server 2003Operating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDWinXP,SP2 Drag-and-Drop VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Privilege Escalation via XBL.method.evalMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to execute arbitrary code by using an eval in an XBL method binding (XBL.method.eval) to create Javascript functions that are compiled with extra privileges.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla JavaScript Garbage-collection Hazard AuditMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe JavaScript engine in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly handle temporary variables that are not garbage collected, which might allow remote attackers to trigger operations on freed memory and cause memory corruption.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTED.lnk File-Properties Remote Code Execution Vulnerability (Windows XP)Microsoft Windows XPOperating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-assisted attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDFTP Download Destination Tampering Vulnerability (Windows 2000)Microsoft Windows 2000Operating SystemThe FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDExcel 2000 Remote Code Execution via Malformed File FormatMicrosoft Windows 2000Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMJohn HoylandACCEPTEDACCEPTEDOutlook 2002 TNEF Decoding VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OutlookUnspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.Robert L. 
HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Table Rebuilding Code Execution VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via "an invalid and non-sensical ordering of table-related tags" that results in a negative array index.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Word 2002 Font Parsing VulnerabilityMicrosoft Windows XPMicrosoft Office XPSP3Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and Microsoft Works Suites 2000 through 2004, might allow remote attackers to execute arbitrary code via a .doc file with long font information.Christine WalzerDRAFTINTERIMJonathan BakerACCEPTEDRobert L. HollisINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTED.lnk File-Properties Remote Code Execution Vulnerability (Windows 2000)Microsoft Windows 2000Operating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-assisted attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122.Robert L. 
HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDServer 2003,SP1 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMSDTC Invalid Memory Access Vulnerability (Win2K)Microsoft Windows 2000Operating SystemHeap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, aka the MSDTC Invalid Memory Access Vulnerability.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDPlug and Play User Data Validation Vulnerability (Windows 2000)Microsoft Windows 2000Operating SystemStack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.Robert L. 
HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMozilla Privilege Escalation Using a JavaScript Function's Cloned ParentMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to execute arbitrary code by using the Object.watch method to access the "clone parent" internal function.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDNetwork Connection Manager Interruption of Service (Server 2003)Microsoft Windows Server 2003Operating Systemnetman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDNetwork Connection Manager Interruption of Service (Windows XP,SP1)Microsoft Windows XPOperating Systemnetman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Crashes with Evidence of Memory Corruption (Firefox Regression Fix)Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaA regression fix in Mozilla Firefox 1.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the InstallTrigger.install method, which leads to memory corruption.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDFTP Download Destination Tampering Vulnerability (Server 2003)Microsoft Windows Server 2003Operating SystemThe FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDNetwork Connection Manager Interruption of Service (Windows 2000)Microsoft Windows 2000Operating Systemnetman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWindows Explorer Web View Script Injection VulnerabilityMicrosoft Windows 2000Operating SystemWeb View in Windows Explorer on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 does not properly handle certain HTML characters in preview fields, which allows remote user-assisted attackers to execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMSDTC Denial of Service Vulnerability (XP,SP1)Microsoft Windows XPOperating SystemMicrosoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDExcel 2000 Remote Code Execution via Malformed RecordMicrosoft Windows 2000Microsoft OfficeStack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMJohn HoylandACCEPTEDACCEPTEDMicrosoft Word 2000 Font Parsing VulnerabilityMicrosoft Windows 2000Microsoft Office 2000 SP3Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and Microsoft Works Suites 2000 through 2004, might allow remote attackers to execute arbitrary code via a .doc file with long font information.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWinXP,SP1 (64-bit) File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDExcel 2000 Remote Code Execution via Malformed GraphicMicrosoft Windows 2000Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDRobert L. 
HollisINTERIMJohn HoylandACCEPTEDACCEPTEDExcel 2002 Remote Code Execution via Malformed File FormatMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDFTP Download Destination Tampering Vulnerability (Windows XP)Microsoft Windows XPOperating SystemThe FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in CDOSYS Message Processing (Win2K,SP4)Microsoft Windows 2000Operating SystemBuffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMSDTC Unchecked Buffer Permits Remote Code Execution or Privilege Elevation (Server 2003)Microsoft Windows Server 2003MSDTCThe MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCOM+ Memory Structures Process Permits Remote Code Execution (Server 2003)Microsoft Windows Server 2003Operating SystemCOM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Spoofing with Translucent WindowsMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox 1.5 before 1.5.0.2 and SeaMonkey before 1.0.1 causes certain windows to become translucent due to an interaction between XUL content windows and the history mechanism, which might allow user-assisted remote attackers to trick users into executing arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMSDTC Invalid Memory Access Vulnerability (Server 2003)Microsoft Windows Server 2003Operating SystemHeap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, aka the MSDTC Invalid Memory Access Vulnerability.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDOutlook 2000 TNEF Decoding VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OutlookUnspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTED.lnk File-Open Remote Code Execution Vulnerability (Windows 2000,SP4)Microsoft Windows 2000Operating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Robert L. HollisDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWin2K,SP4 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDExcel 2003 Remote Code Execution via Malformed Routing SlipMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeBuffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDWin2K/XP,SP1 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP,SP2 File Download Dialog Box Manipulation VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDExcel 2003 Remote Code Execution via Malformed File FormatMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDExcel 2003 Remote Code Execution via Malformed GraphicMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDExcel 2002 Remote Code Execution via Malformed DescriptionMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeUnspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDExcel Viewer 2003 Remote Code Execution via Malformed RecordMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OfficeStack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDNetwork Connection Manager Interruption of Service (Windows XP,SP2)Microsoft Windows XPOperating Systemnetman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWin2k,SP4 DDS Library Shape Control Buffer OverflowMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. 
Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

CSNW Remote Buffer Overflow via Network Messages (Win2k,SP4)
Affected platforms: Microsoft Windows 2000
Affected products: NetWare
Description: The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Mozilla Downloading Executables with "Save Image As..."
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to trick users into downloading and saving an executable file via an image that is overlaid by a transparent image link that points to the executable, which causes the executable to be saved when the user clicks the "Save image as..." option. NOTE: this attack is made easier due to a GUI truncation issue that prevents the user from seeing the malicious extension when there is extra whitespace in the filename.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Microsoft Office 2000 is installed
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Description: The application Microsoft Office 2000 is installed.
Status history: Robert L. Hollis; INTERIM; Glenn Strickland; INTERIM

Office 2000 Remote Code Execution via Malformed Routing Slip
Description: Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E.
Affected platforms: Microsoft Windows 2000
Affected products: Microsoft Office
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; ACCEPTED

Powerpoint TIFF Information Disclosure
Affected platforms: Microsoft Windows 2000
Affected products: PowerPoint
Description: Microsoft PowerPoint 2000 in Office 2000 SP3 has an interaction with Internet Explorer that allows remote attackers to obtain sensitive information via a PowerPoint presentation that attempts to access objects in the Temporary Internet Files Folder (TIFF).
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Remote Code Execution Vulnerability in Flash Player 6&7 (XP,SP2)
Affected platforms: Microsoft Windows XP
Affected products: Flash Player
Description: Macromedia Flash 6 and 7 (Flash.ocx) allows remote attackers to execute arbitrary code via a SWF file with a modified frame type identifier that is used as an out-of-bounds array index to a function pointer.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Excel Viewer 2003 Remote Code Execution via Malformed Description
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1723)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Excel 2003 Remote Code Execution via Malformed Description
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Server 2003 Graphics Rendering Engine Vulnerability
Affected platforms: Microsoft Windows Server 2003
Affected products: Operating System
Description: The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla CSS Letter-Spacing Heap Overflow Vulnerability
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via a large number in the CSS letter-spacing property that leads to a heap-based buffer overflow.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Excel Viewer 2003 Remote Code Execution via Malformed Graphic
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Excel 2000 Remote Code Execution via Malformed Description
Affected platforms: Microsoft Windows 2000
Affected products: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; John Hoyland; ACCEPTED; ACCEPTED

Excel Viewer 2003 Remote Code Execution via Malformed File Format
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Privilege Escalation through Print Preview
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to gain chrome privileges via multiple attack vectors related to the use of XBL scripts with "Print Preview".
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Excel Viewer 2003 Remote Code Execution via Malformed Routing Slip
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

MS Word 6.0 Font Conversion Vulnerability (Server 2003)
Affected platforms: Microsoft Windows Server 2003
Affected products: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
Status history: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; ACCEPTED

Excel 2002 Remote Code Execution via Malformed Graphic
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CSS BO)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: The CSS border-rendering code in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain Cascading Style Sheets (CSS) that causes an out-of-bounds array write and buffer overflow.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Server 2003 Insecure Default ACLs
Affected platforms: Microsoft Windows Server 2003
Affected products: Operating System
Description: Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (moz-grid)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) by changing the (1) -moz-grid and (2) -moz-grid-group display styles.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Windows XP Insecure Default ACLs
Affected platforms: Microsoft Windows XP
Affected products: Operating System
Description: Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Mozilla Privilege Escalation Using crypto.generateCRMFRequest
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to execute arbitrary code via unknown vectors related to the crypto.generateCRMFRequest method.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

GDI+ JPEG Parsing Engine Buffer Overflow (VS.NET 2003)
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Affected products: Microsoft Visual Studio .NET 2003
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
Status history: Ingrid Skoog; DRAFT; Ingrid Skoog; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Excel 2003 Remote Code Execution via Malformed Record
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

MSDTC Denial of Service Vulnerability (Server 2003)
Affected platforms: Microsoft Windows Server 2003
Affected products: Operating System
Description: Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Deleted Object Reference When designMode="on"
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Mozilla Firefox 1.5.0.2, when designMode is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain Javascript that is not properly handled by the contentWindow.focus method in an iframe, which causes a reference to a deleted controller context object. NOTE: this was originally claimed to be a buffer overflow in (1) js320.dll and (2) xpcom_core.dll, but the vendor disputes this claim.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Secure-site Spoof (requires security warning dialog)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to spoof secure site indicators such as the locked icon by opening the trusted site in a popup window, then changing the location to a malicious site.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Exchange 2000,SP4 Calendar Vulnerability
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Exchange Server
Description: Unspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (RegEx)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary bytecode via JavaScript with a large regular expression.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Mozilla Firefox Tag Order Vulnerability
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors involving a "particular sequence of HTML tags" that leads to memory corruption.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Cross-site JavaScript Injection Using Event Handlers
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to inject arbitrary Javascript into other sites by (1) "using a modal alert to suspend an event handler while a new page is being loaded", (2) using eval(), and using certain variants involving (3) "new Script;" and (4) using window.__proto__ to extend eval, aka "cross-site JavaScript injection".
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Cross-site Scripting through window.controllers
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to bypass same-origin protections and conduct cross-site scripting (XSS) attacks via unspecified vectors involving the window.controllers array.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Remote Code Execution Vulnerability in Flash Player 8 (XP,SP1)
Affected platforms: Microsoft Windows XP
Affected products: Flash Player
Description: Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 and earlier allow remote attackers to execute arbitrary code via a crafted SWF file.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1724)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to DHTML.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1530)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

MSDTC Invalid Memory Access Vulnerability (XP,SP1)
Affected platforms: Microsoft Windows XP
Affected products: Operating System
Description: Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, aka the MSDTC Invalid Memory Access Vulnerability.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

MSDTC Denial of Service Vulnerability (XP,SP2)
Affected platforms: Microsoft Windows XP
Affected products: Operating System
Description: Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Remote Code Execution Vulnerability in Flash Player 8 (XP,SP2)
Affected platforms: Microsoft Windows XP
Affected products: Flash Player
Description: Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 and earlier allow remote attackers to execute arbitrary code via a crafted SWF file.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla File Stealing by Changing Input Type
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Mozilla Firefox 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote attackers to read arbitrary files by (1) inserting the target filename into a text box, then turning that box into a file upload control, or (2) changing the type of y that is associated with an event handler.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1529)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Cross-site Scripting Using .valueOf.call()
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 returns the Object class prototype instead of the global window object when (1) .valueOf.call or (2) .valueOf.apply are called without any arguments, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Security Check of js_ValueToFunctionObject() Can Be Circumvented
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Firefox and Thunderbird 1.5 before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to bypass the js_ValueToFunctionObject check and execute arbitrary code via unknown vectors involving setTimeout and Firefox' ForEach method.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Mail Multiple Information Disclosure
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP address, when the user reads the email and the external image is accessed.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Remote Code Execution Vulnerability in Flash Player 6&7 (XP,SP1)
Affected platforms: Microsoft Windows XP
Affected products: Flash Player
Description: Macromedia Flash 6 and 7 (Flash.ocx) allows remote attackers to execute arbitrary code via a SWF file with a modified frame type identifier that is used as an out-of-bounds array index to a function pointer.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

MSDTC Denial of Service Vulnerability (Win2K)
Affected platforms: Microsoft Windows 2000
Affected products: Operating System
Description: Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Exchange 2003,SP2 Calendar Vulnerability
Affected platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Exchange Server
Description: Unspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Accessing XBL Compilation Scope via valueOf.call()
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly protect the compilation scope of privileged built-in XBL bindings, which allows remote attackers to execute arbitrary code via the (1) valueOf.call or (2) valueOf.apply methods of an XBL binding, or (3) "by inserting an XBL method into the DOM's document.body prototype chain."
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla Crashes with Evidence of Memory Corruption (CVE-2006-1531)
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors related to DHTML. NOTE: due to the lack of sufficient public details from the vendor as of 20060413, it is unclear how CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, and CVE-2006-1723 are different.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Mozilla JavaScript Execution in Mail When Forwarding In-line
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: The WYSIWYG rendering engine ("rich mail" editor) in Mozilla Thunderbird 1.0.7 and earlier allows user-assisted attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Exchange 2003,SP1 Calendar Vulnerability
Affected platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Exchange Server
Description: Unspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

GDI+ JPEG Parsing Engine Buffer Overflow (VS.NET 2002)
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Affected products: Microsoft Visual Studio .NET 2002
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
Status history: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

MSDTC Unchecked Buffer Permits Remote Code Execution or Privilege Elevation (Win2k,SP4)
Affected platforms: Microsoft Windows 2000
Affected products: MSDTC
Description: The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

Mozilla IDN heap overrun using soft-hyphens
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

MS Excel 2000 Malicious Macro Security Bypass Vulnerability
Affected platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Excel 2000
Description: Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.
Status history: Christine Walzer; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; Robert L. Hollis; INTERIM; John Hoyland; ACCEPTED; ACCEPTED

MS Excel 2002 Malicious Macro Security Bypass Vulnerability
Affected platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Excel 2002
Description: Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.
Status history: Andrew Buttner; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; John Hoyland; ACCEPTED; ACCEPTED

Excel 2002 Remote Code Execution via Malformed Record
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Network Connection Manager Interruption of Service (Server 2003,SP1)
Affected platforms: Microsoft Windows Server 2003
Affected products: Operating System
Description: netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Windows Script Engine Heap Overflow (Test 2)
Affected platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Affected products: Windows Script Engine for JScript v5.1
Description: Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.
Status history: Tiffany Bergeron; David Proulx; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Office 2002 Remote Code Execution via Malformed Routing Slip
Affected platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Microsoft Office
Description: Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

COM+ Memory Structures Process Permits Remote Code Execution (Win2k,SP4)
Affected platforms: Microsoft Windows 2000
Affected products: Operating System
Description: COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.
Status history: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED; ACCEPTED

IE6:XP,SP2 Web Folder Behaviors Cross-Domain Vulnerability
Affected platforms: Microsoft Windows XP
Affected products: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".
Status history: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED; ACCEPTED

Firefox and Mozilla Shared Object Code Execution
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.
Status history: Robert L. Hollis; Jonathan Baker; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Firefox and Mozilla DOM Node Spoofing
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").
Status history: Robert L. Hollis; Jonathan Baker; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Firefox and Mozilla Javascript Dialog Box Spoofing
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."
Status history: Robert L. Hollis; Christine Walzer; Jonathan Baker; Matthew Wojcik; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Firefox External App Code Acceptance Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Firefox
Description: Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.
Status history: Robert L. Hollis; Christine Walzer; Jonathan Baker; INTERIM; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Firefox and Mozilla Framed Site Spoofing Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.
Status history: Robert L. Hollis; Jonathan Baker; Christine Walzer; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

InstallVersion.compareTo() DoS and Code Execution Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox
Description: Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.
Status history: Robert L. Hollis; Jonathan Baker; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Firefox Sidebar Script Injection via _search Target
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Firefox
Description: Firefox before 1.0.5 allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the _search target, then injecting script into other pages via a data: URL.
Status history: Robert L. Hollis; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Firefox InstallTrigger Callback Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Firefox
Description: The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.
Status history: Robert L. Hollis; Christine Walzer; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

XBL Script Security Bypass Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox; Thunderbird
Description: Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.
Status history: Robert L. Hollis; Jonathan Baker; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Improper Handling of Synthetic Events in Mozilla
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox
Description: The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.
Status history: Robert L. Hollis; Jonathan Baker; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla Suite InstallTrigger Callback Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla
Description: The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.
Status history: Robert L. Hollis; Christine Walzer; Jonathan Baker; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla DOM Node Privilege Escalation Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox
Description: The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object.
Status history: Robert L. Hollis; INTERIM; Matthew Wojcik; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla InstallTrigger Instance Validation Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox
Description: The native implementations of InstallTrigger and other functions in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 do not properly verify the types of objects being accessed, which causes the Javascript interpreter to continue execution at the wrong memory address, which may allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code by passing objects of the wrong type.
Status history: Robert L. Hollis; INTERIM; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Firefox Sidebar Code Execution via _search Target
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Firefox
Description: Multiple "missing security checks" in Firefox before 1.0.3 allow remote attackers to inject arbitrary Javascript into privileged pages using the _search target of the Firefox sidebar.
Status history: Robert L. Hollis; INTERIM; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla Search Plugin Cross-site Scripting Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox
Description: Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to execute arbitrary script and code via a new search plugin using sidebar.addSearchEngine, aka "Firesearching 1."
Status history: Robert L. Hollis; INTERIM; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla favicons Code Execution Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox
Description: The favicon functionality in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary code via a <LINK rel="icon"> tag with a javascript: URL in the href attribute, aka "Firelinking."
Status history: Robert L. Hollis; INTERIM; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla Global Pollution Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox
Description: Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary script in other domains via a setter function for a variable in the target domain, which is executed when the user visits that domain, aka "Cross-site scripting through global scope pollution."
Status history: Robert L. Hollis; INTERIM; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla blocked javascript: popup Privilege Escalation Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: mozilla; Firefox
Description: Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option.
Status history: Robert L. Hollis; INTERIM; Matthew Wojcik; Matthew Wojcik; ACCEPTED; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Mozilla PLUGINSPAGE Privileged Javascript Execution Vulnerability
Affected platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Affected products: Firefox
Description: The Plugin Finder Service (PFS) in Firefox before 1.0.3 allows remote attackers to execute arbitrary code via a javascript: URL in the PLUGINSPAGE attribute of an EMBED tag.
Status history: Robert L. 
HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Javascript "lambda"Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThe find_replen function in jsstr.c in the the Javascript engine for Mozilla Suite 1.7.6, Firefox 1.0.1 and 1.0.2, and Netscape 7.2 allows remote attackers to read portions of heap memory in a Javascript string via the lambda replace method.Robert L. HollisINTERIMMatthew WojcikACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla XUL Drag and Drop Security Bypass VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of CVE-2005-0527, aka "Firescrolling 2."Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDFirefox Sidebar Panel Code Execution VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxFirefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla GIF Heap OverflowMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdHeap-based buffer overflow in GIF2.cpp in Firefox before 1.0.2, Mozilla before to 1.7.6, and Thunderbird before 1.0.2, and possibly other applications that use the same library, allows remote attackers to execute arbitrary code via a GIF image with a crafted Netscape extension 2 block and buffer size.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla IDN Homograph Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThe International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.Robert L. HollisChristine WalzerINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Privileged Content Loading VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox 1.0 allows remote attackers to execute arbitrary code via plugins that load "privileged content" into frames, as demonstrated using certain XUL events when a user drags a scrollbar two times, aka "Firescrolling."Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Cross-site Scripting via Drag and Drop to TabMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing."Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Image Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdFirefox 1.0 does not prevent the user from dragging an executable file to the desktop when it has an image/gif content type but has a dangerous extension such as .bat or .exe, which allows remote attackers to bypass the intended restriction and execute arbitrary commands via malformed GIF files that can still be parsed by the Windows batch file parser, aka "firedragging."Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla HTTP auth Prompt Tab SpoofingMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Download Dialog Source Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla "Save Link As" Dialog Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Double Download .lnk VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdFirefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla XSLT Stylesheet Information Disclosure PotentialMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6 does not restrict xsl:include and xsl:import tags in XSLT stylesheets to the current domain, which allows remote attackers to determine the existence of files on the local system.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Autocomplete Data LeakMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxThe Form Fill feature in Firefox before 1.0.1 allows remote attackers to steal potentially sensitive information via an input control that monitors the values that are generated by the autocomplete capability.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla String Library Memory Overwrite VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdString handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla 'user:pass@host' Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdThe installation confirmation dialog in Firefox before 1.0.1, Thunderbird before 1.0.1, and Mozilla before 1.7.6 allows remote attackers to use InstallTrigger to spoof the hostname of the host performing the installation via a long "user:pass" sequence in the URL, which appears before the real hostname.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Download/Security Dialogs Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 allows remote attackers to spoof the (1) security and (2) download modal dialog boxes, which could be used to trick users into executing script or downloading and executing a file, aka "Firespoofing."Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla UTF8 to Unicode Conversion Heap OverflowMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxThunderbirdHeap-based buffer overflow in the UTF8ToNewUnicode function for Firefox before 1.0.1 and Mozilla before 1.7.6 might allow remote attackers to cause a denial of service (crash) or execute arbitrary code via invalid sequences in a UTF8 encoded string that result in a zero length value.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla SSL Lock Image Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Popup Content Spoofing VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxMozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Livefeed Bookmark Cookie SwipingMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxFirefox before 1.0 allows the user to store a (1) javascript: or (2) data: URLs as a Livefeed bookmark, then executes it in the security context of the currently loaded page when the user later accesses the bookmark, which could allow remote attackers to execute arbitrary code.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Mail News Cookie Security Bypass VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers bypass the user's intended privacy and security policy by using cookies in e-mail messages.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Thunderbird Subject to IE Vulnerabilities via javascriptMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003ThunderbirdThunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the invocation between multiple products is a common practice, and the vulnerabilities inherent in multi-product interactions are not easily enumerable, this issue might be REJECTED in the future.Robert L. 
HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla 407 Proxy Information Disclosure VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Inactive Tab Dialog Box VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows and facilitate phishing attacks, aka the "Dialog Box Spoofing Vulnerability."Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDACCEPTEDFirefox Script-generated Download Prompt BypassMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003FirefoxFirefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Malicious news: VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThunderbirdHeap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated.Robert L. 
HollisChristine WalzerINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Inactive Tab Form Data Theft VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla SSL Lock Image Spoofing via "View Source"Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla SSL Lock Image Spoofing during Binary DownloadMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefoxFirefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMozilla Creates World-readable temp FilesMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF.Robert L. 
HollisJonathan BakerINTERIMACCEPTEDINTERIMACCEPTEDACCEPTEDMozilla Local File Loading VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab.Robert L. HollisINTERIMACCEPTEDINTERIMACCEPTEDACCEPTEDWindows XP (64-bit) PnP Buffer OverflowMicrosoft Windows XPOperating SystemStack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 Print Spooler Service Buffer OverflowMicrosoft Windows XPOperating SystemBuffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.Robert L. HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL790Microsoft Windows Server 2003Microsoft Internet ExplorerUnknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".Robert L. HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL1221Microsoft Windows Server 2003Microsoft Internet ExplorerUnknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".Robert L. 
HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 TAPI Buffer OverflowMicrosoft Windows XPOperating SystemBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Robert L. HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL Definition 1075Microsoft Windows XPOperating SystemBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Robert L. HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL Definition 1075Microsoft Windows XPOperating SystemBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Robert L. HollisINTERIMACCEPTEDACCEPTEDTest Consolidated to OVAL Definition 1297Microsoft Windows Server 2003Operating SystemBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (64-bit) RDP DoS VulnerabilityMicrosoft Windows XPOperating SystemThe Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.Robert L. 
HollisINTERIMACCEPTEDACCEPTEDWindows 2000 Kerberos Message DoS VulnerabilityMicrosoft Windows 2000Operating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows 2000 PKINIT Information Disclosure VulnerabilityMicrosoft Windows 2000Operating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (32-bit) Kerberos Message DoS VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (32-bit) PKINIT Information Disclosure VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP2 Kerberos Message DoS VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. 
HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP2 PKINIT Information Disclosure VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (64-bit) Kerberos Message DoS VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. HollisINTERIMACCEPTEDACCEPTEDWindows XP,SP1 (64-bit) PKINIT Information Disclosure VulnerabilityMicrosoft Windows XPOperating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDServer 2003 Kerberos Message DoS VulnerabilityMicrosoft Windows Server 2003Operating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. 
HollisINTERIMACCEPTEDACCEPTEDServer 2003 PKINIT Information Disclosure VulnerabilityMicrosoft Windows Server 2003Operating SystemUnknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.Robert L. HollisINTERIMACCEPTEDACCEPTEDServer 2003,SP1 Kerberos Message DoS VulnerabilityMicrosoft Windows Server 2003Operating SystemUnknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.Robert L. HollisINTERIMACCEPTEDACCEPTEDFirefox and Mozilla top.focus() Cross-Site Scripting VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaFirefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.Robert L. HollisChristine WalzerJonathan BakerINTERIMACCEPTEDACCEPTEDIE6,SP1 DHTML Method Heap Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDWindows XP Help and Support Center HCP URL Validation VulnerabilityMicrosoft Windows XPHelp and Support Center (HSC)Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm).Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDIE6 Double Byte Character Parsing Memory Corruption (WinXP)Microsoft Windows XPMicrosoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinNT Broad Permissions for Remote Registry AccessMicrosoft Windows NTMicrosoft Windows NTThe registry in Windows NT can be accessed remotely by users who are not administrators.Tiffany BergeronDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDWindows Server 2003 Help and Support Center HCP URL Validation VulnerabilityMicrosoft Windows Server 2003Help and Support Center (HSC)Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm).Harvey RubinovitzDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDIE6:XP,SP2 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) 
(continuation of the preceding record's description) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.
Submitted by: Harvey Rubinovitz; status history: DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: WMF Rendering Code Execution Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Operating System
Description: Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: MSDTC Unchecked Buffer Permits Remote Code Execution or Privilege Elevation (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: MSDTC
Description: The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Exchange 2000 Server TNEF Decoding Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Outlook
Description: Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: XMLHttpRequest Header Spoofing Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Server 2003 IE Mismatched Document Object Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, Robert L. Hollis, INTERIM, ACCEPTED, ACCEPTED

Title: DirectX 8 DirectShow Malicious MIDI File Vulnerability
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows 2000
Product: DirectX
Description: Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED

Title: Win2K/XP,SP1 HTTPS Proxy Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP1 (64-bit) HTTPS Proxy Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: DirectX 9 DirectShow Malicious MIDI File Vulnerability
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: DirectX
Description: Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED

Title: GDI+ JPEG Parsing Engine Buffer Overflow (Server 2003)
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003
Product: GDI+
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
Submitted by: Ingrid Skoog; status history: DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: CSNW Remote Buffer Overflow via Network Messages (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: NetWare
Description: The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: EMF Rendering Denial of Service Vulnerability (32-bit Windows XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Server 2003 Embedded Web Font Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Buffer Overflow in CDOSYS Message Processing (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: TIP Request Validation Process Permits Denial of Service (XP,SP2)
Platforms: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Distributed TIP Request Validation Process Permits Denial of Service (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Server 2003,SP1 HTTPS Proxy Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE6 HTML Tag Memory Corruption (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Server 2003,SP1 DirectShow Malicious avi File Vulnerability
Platforms: Microsoft Windows Server 2003
Product: DirectX
Description: QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Crash on "zero-width non-joiner" Sequence
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via Unicode sequences with "zero-width non-joiner" characters.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: EMF Rendering Denial of Service Vulnerability (32-bit Windows XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP1 (64-bit) DDS Library Shape Control Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WMF Rendering Code Execution Vulnerability (32-bit Windows XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE6 DHTML Method Call Memory Corruption (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Distributed TIP Request Validation Process Permits Denial of Service (XP,SP2)
Platforms: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Server 2003,SP1 Embedded Web Font Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Win2K COM object Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Operating System
Description: Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Firefox/Mozilla Suite Chrome Window Spoofing Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to spawn windows without user interface components such as the address and status bar, which could be used to conduct spoofing or phishing attacks.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Buffer Overflow in CDOEX Message Processing
Platforms: Microsoft Windows 2000
Product: Operating System
Description: Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Distributed TIP Request Validation Process Permits Denial of Service (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP2 MDAC RDS.Dataspace Remote Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: MDAC
Description: Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: CSNW Remote Buffer Overflow via Network Messages (WinXP,SP2)
Platforms: Microsoft Windows XP
Product: NetWare
Description: The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: EMF Rendering Denial of Service Vulnerability (64-bit Windows XP and Server 2003,SP1)
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003
Product: Operating System
Description: The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE6 Server 2003 JPEG Image Rendering Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".
Submitted by: Harvey Rubinovitz; status history: DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: WebClient Service Unchecked Buffer Remote Code Execution (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE6:S03 COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.
Submitted by: Harvey Rubinovitz; status history: DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: Step-by-Step Interactive Training Buffer Overflow
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Interactive Training
Description: Buffer overflow in Microsoft Step-by-Step Interactive Training (orun32.exe) allows remote attackers to execute arbitrary code via a bookmark link file (.cbo, cbl, or .cbm extension) with a long User field.
Submitted by: Ingrid Skoog; status history: DRAFT, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP2 DirectShow Malicious avi File Vulnerability
Platforms: Microsoft Windows XP
Product: DirectX
Description: QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: EMF Rendering Denial of Service Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Operating System
Description: The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: MS Word 6.0 Font Conversion Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
Submitted by: Christine Walzer; status history: DRAFT, INTERIM, ACCEPTED, Andrew Buttner, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: IE6 Cross-Domain Information Disclosure Vulnerability (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 does not always correctly identify the domain that is associated with a browser window, which allows remote attackers to obtain sensitive cross-domain information and spoof sites by running script after the user has navigated to another site.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Distributed TIP Request Validation Process Permits Denial of Service (Win2k,SP4)
Platforms: Microsoft Windows 2000
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: COM+ Memory Structures Process Permits Remote Code Execution (64-bit XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WMF Rendering Code Execution Vulnerability (64-bit Windows XP and Server 2003,Unpatched)
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003
Product: Operating System
Description: Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Win2k,SP4 DirectShow Malicious avi File Vulnerability
Platforms: Microsoft Windows 2000
Product: DirectX
Description: QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: COM+ Memory Structures Process Permits Remote Code Execution (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Object Spoofing using XBL <implements> Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to spoof DOM objects via an XBL control that implements an internal XPCOM interface.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: TIP Request Validation Process Permits Denial of Service (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE6 HTML Tag Memory Corruption (Win2K/WinXP)
Platforms: Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IFRAME Vulnerability
Platforms: Microsoft Windows 98
Product: Microsoft Internet Explorer
Description: Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability."
Submitted by: Ingrid Skoog; status history: DRAFT, INTERIM, ACCEPTED, Ingrid Skoog, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED

Title: IE6 HTML Tag Memory Corruption (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP2 IE Mismatched Document Object Memory Corruption Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, Robert L. Hollis, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP1 (64-bit) IE Mismatched Document Object Memory Corruption Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, Robert L. Hollis, INTERIM, ACCEPTED, ACCEPTED

Title: Windows XP Media Player PNG Processing Vulnerability
Platforms: Microsoft Windows XP
Product: Windows Media Player 9
Description: Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."
Submitted by: Christine Walzer; status history: DRAFT, Christine Walzer, INTERIM, ACCEPTED, John Hoyland, INTERIM, ACCEPTED, ACCEPTED

Title: Firefox/Mozilla Suite JavaScript Integer Overflow
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Integer overflow in the JavaScript engine in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 might allow remote attackers to execute arbitrary code.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE5.01,SP4 Security Zone Restriction Bypass Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."
Submitted by: Harvey Rubinovitz; status history: DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: TCP/IP IGMP v3 Denial of Service (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Exchange Server 5.0 TNEF Decoding Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Outlook
Description: Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Server 2003 HTTPS Proxy Vulnerability
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Server 2003 MDAC RDS.Dataspace Remote Code Execution Vulnerability
Platforms: Microsoft Windows Server 2003
Product: MDAC
Description: Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Distributed TIP Request Validation Process Permits Denial of Service (64-bit XP,SP1)
Platforms: Microsoft Windows XP
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE5.01,SP4 Java Proxy COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.
Submitted by: Harvey Rubinovitz; status history: DRAFT, Jonathan Baker, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: Plug and Play User Data Validation Vulnerability (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: .lnk File-Open Remote Code Execution Vulnerability (XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE6 for Server 2003 Drag-and-Drop Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."
Submitted by: Harvey Rubinovitz; status history: DRAFT, INTERIM, Harvey Rubinovitz, Harvey Rubinovitz, Harvey Rubinovitz, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: IE6 for XP,SP2 JPEG Image Rendering Memory Corruption Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".
Submitted by: Harvey Rubinovitz; status history: DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: IE6 Address Bar Spoofing Vulnerability (Win2K/XP,SP1)
Platforms: Microsoft Windows 2000, Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE5.01,SP4 COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.
Submitted by: Harvey Rubinovitz; status history: DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: TIP Request Validation Process Permits Denial of Service (Win2k,SP4)
Platforms: Microsoft Windows 2000
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Mozilla Integer overflows in E4X, SVG, and Canvas Features
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Multiple integer overflows in Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the (1) EscapeAttributeValue in jsxml.c for E4X, (2) nsSVGCairoSurface::Init in SVG, and (3) nsCanvasRenderingContext2D.cpp in Canvas.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Winamp Hostname Buffer Overflow
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: Winamp
Description: Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field).
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Buffer Overflow in CDOSYS Message Processing (WinXP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Distributed TIP Request Validation Process Permits Denial of Service (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: TIP
Description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: MS Word 6.0 Table Conversion Vulnerability (NT 4.0 Terminal Server)
Platforms: Microsoft Windows NT
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.
Submitted by: Christine Walzer; status history: DRAFT, INTERIM, ACCEPTED, Robert L. Hollis, ACCEPTED, ACCEPTED

Title: Server 2003 DirectShow Malicious avi File Vulnerability
Platforms: Microsoft Windows Server 2003
Product: DirectX
Description: QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: TCP/IP IGMP v3 Denial of Service (XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP2 COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Win2K Graphics Rendering Engine Vulnerability
Platforms: Microsoft Windows 2000
Product: Operating System
Description: The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP2 Graphics Rendering Engine Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
Submitted by: Robert L. Hollis; status history: DRAFT, Robert L. Hollis, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP1 DirectShow Malicious avi File Vulnerability
Platforms: Microsoft Windows XP
Product: DirectX
Description: QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP2 HTTPS Proxy Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Firefox/Mozilla Suite about: Scheme Privilege Escalation Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product: mozilla
Description: Firefox before 1.0.7 and Mozilla before Suite 1.7.12 allows remote attackers to execute Javascript with chrome privileges via an about: page such as about:mozilla.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE5 COM Object Instantiation Memory Corruption (Win2K)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: WinXP,SP2 COM object Remote Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: IE5 Multiple Event Handler Memory Corruption (Win2K)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."
Submitted by: Robert L. Hollis; status history: DRAFT, INTERIM, ACCEPTED, ACCEPTED

Title: Server 2003 DDS Library Shape Control Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, 
(29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDOutlook 2003 TNEF Decoding VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OutlookUnspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003,SP1 Graphics Rendering Engine VulnerabilityMicrosoft Windows XPOperating SystemThe Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP (64-bit) Embedded Web Font VulnerabilityMicrosoft Windows XPOperating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003,SP1 DDS Library Shape Control Buffer OverflowMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP,SP2 DDS Library Shape Control Buffer OverflowMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDHeap Overrun in XBM Image ProcessingMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaHeap-based buffer overflow in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to execute arbitrary code via an XBM image file that ends in a large number of spaces instead of the expected end tag.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 Double Byte Character Parsing Memory Corruption(Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWin2k,SP4 IE Mismatched Document Object Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."Robert L. HollisDRAFTRobert L. HollisINTERIMACCEPTEDACCEPTEDWinXP,SP1 Embedded Web Font VulnerabilityMicrosoft Windows XPOperating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP (64-bit) Graphics Rendering Engine VulnerabilityMicrosoft Windows XPOperating SystemThe Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla XML Attribute Name Validation VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla JavaScript Garbage-Collection Hazards in jsfun.cMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe function allocation code (js_NewFunction in jsfun.c) in Firefox 1.5 allows attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via user-defined methods that trigger garbage collection in a way that operates on freed objects.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla Application Suite has reached End-of-LifeMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozilla'mozilla.org has launched and delivered SeaMonkey, a community effort to deliver production-quality releases of code derived from the \"Mozilla Application Suite\". This equates to a cessation in software and security patches for that baseline. 
Using an unsupported software represents a high security risk because no fixes or patches will be made available in response to new vulnerabilities.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 Address Bar Spoofing Vulnerability (Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCOM+ Memory Structures Process Permits Remote Code Execution (XP,SP2)Microsoft Windows XPOperating SystemCOM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6,SP1 Java Proxy COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003,SP1 IE Mismatched Document Object Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."Robert L. HollisDRAFTRobert L. HollisINTERIMACCEPTEDACCEPTEDWinXP,SP1 MDAC RDS.Dataspace Remote Code Execution VulnerabilityMicrosoft Windows XPMDACUnspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDTIP Request Validation Process Permits Denial of Service (64-bit XP,SP1)Microsoft Windows XPTIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDElement position: Style Change VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 allow remote attackers to execute arbitrary code by changing an element's style from position:relative to position:static, which causes Gecko to operate on freed memory.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in CDOSYS Message Processing (WinXP,SP2)Microsoft Windows XPOperating SystemBuffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTED.lnk File-Open Remote Code Execution Vulnerability (XP,SP2)Microsoft Windows XPOperating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6:S03 Java Proxy COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDPlug and Play User Data Validation Vulnerability (WinXP,SP2)Microsoft Windows XPOperating SystemStack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP,SP1 (64-bit) COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWin2K,SP4 HTTPS Proxy VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDUnsupported Version of WindowsMicrosoft Windows 2000Microsoft Windows XPOperating System'As Service Packs released by Microsft mature, earlier versions and releases become unspported. This equates to a cessation in software and security patches for that baseline. Using an unsupported version of Windows represents a severe security risk.'Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTED.lnk File-Open Remote Code Execution Vulnerability (Server 2003)Microsoft Windows Server 2003Operating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWin2K/XP,SP1 DDS Library Shape Control Buffer OverflowMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 Script Execution Vulnerability (Server 2003,SP1)Microsoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003,SP1 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDCSNW Remote Buffer Overflow via Network Messages (Server 2003)Microsoft Windows Server 2003NetWareThe Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWMF Rendering Code Execution Vulnerability (32-bit Windows XP,SP1)Microsoft Windows XPOperating SystemMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebClient Service Unchecked Buffer Remote Code Execution (Server 2003)Microsoft Windows Server 2003Operating SystemBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDTIP Request Validation Process Permits Denial of Service (Server 2003)Microsoft Windows Server 2003TIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTED.lnk File-Open Remote Code Execution Vulnerability (Server 2003,SP1)Microsoft Windows Server 2003Operating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWin2K,SP4 COM Object Instantiation Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Media Player Plug-in EMBED VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Windows Media PlayerBuffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMozilla QueryInterface Memory Corruption VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaMozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWinXP,SP1 Graphics Rendering Engine VulnerabilityMicrosoft Windows XPOperating SystemThe Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 Media Player PNG Processing VulnerabilityMicrosoft Windows Server 2003Windows Media Player 9Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDIE6 Multiple Event Handler Memory Corruption (Win2K/XP,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerBuffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWin2K Kernel Privilege Escalation VulnerabilityMicrosoft Windows 2000Operating SystemThe thread termination routine in the kernel for Windows NT 4.0 and 2000 (NTOSKRNL.EXE) allows local users to modify kernel memory and execution flow via steps in which a terminating thread causes Asynchronous Procedure Call (APC) entries to free the wrong data, aka the "Windows Kernel Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 COM Object Instantiation Memory Corruption (Win2K/XP,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerMicrosoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 HTA Execution Vulnerability (WinXP)Microsoft Windows XPMicrosoft Internet ExplorerUnspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDKorean IME Privilege Elevation Vulnerability in 64-bit Windows XPMicrosoft Windows XPOperating SystemThe ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.Robert L. 
Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Win2K/XP,SP1 COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Multiple Event Handler Memory Corruption (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: WebClient Service Unchecked Buffer Remote Code Execution (XP,SP2)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Outlook Express 6 (XP,SP2) WAB Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Outlook Express
Description: Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Mozilla Firefox History File Buffer Overflow
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Products: mozilla; Firefox
Description: Mozilla Firefox 1.5, Netscape 8.0.4 and 7.2, and K-Meleon before 0.9.12 allows remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. NOTE: despite initial reports, the Mozilla vendor does not believe that this issue can be used to trigger a crash or buffer overflow in Firefox. Also, it has been independently reported that Netscape 8.1 does not have this issue.
History: Robert L. Hollis; DRAFT; Matthew Wojcik; Matthew Wojcik; Robert L. Hollis; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Mozilla "AnyName" Entrainment and Access Control Hazard
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: mozilla
Description: The E4X implementation in Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 exposes the internal "AnyName" object to external interfaces, which allows multiple cooperating domains to exchange information in violation of the same origin restrictions.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Multiple Event Handler Memory Corruption (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Remote Code Execution Vulnerability in IE5.01
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 HTA Execution Vulnerability (Win2K/XP,SP1)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Address Bar Spoofing Vulnerability (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: TCP/IP IGMP v3 Denial of Service (64-bit XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Korean IME Privilege Elevation Vulnerability in Server 2003
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 COM Object Instantiation Memory Corruption (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 DHTML Method Call Memory Corruption (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: TCP/IP IGMP v3 Denial of Service (XP,SP1)
Platforms: Microsoft Windows XP
Product: Operating System
Description: Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Korean IME Privilege Elevation Vulnerability in Windows XP
Platforms: Microsoft Windows XP
Product: Operating System
Description: The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 HTA Execution Vulnerability (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 HTML Parsing Vulnerability (Server 2003,SP1)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE 5.01 DHTML Method Call Memory Corruption
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: WinXP,SP1 COM object Remote Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Outlook Express 6,SP1 WAB Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Outlook Express
Description: Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Korean IME Privilege Elevation Vulnerability in Server 2003,SP1
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 DHTML Method Call Memory Corruption (Win2K/XP,SP1)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 COM Object Instantiation Memory Corruption (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Cross-Domain Information Disclosure Vulnerability (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 does not always correctly identify the domain that is associated with a browser window, which allows remote attackers to obtain sensitive cross-domain information and spoof sites by running script after the user has navigated to another site.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE5 HTML Parsing Vulnerability (Win2K)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 HTA Execution Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Address Bar Spoofing Vulnerability (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Script Execution Vulnerability (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE5.01,SP3 Security Zone Restriction Bypass Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE5 Address Bar Spoofing Vulnerability (Win2K)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows (S03,SP1/XP 64-bit) MDAC RDS.Dataspace Remote Code Execution Vulnerability
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: MDAC
Description: Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows (S03/64-bit XP) COM object Remote Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: FPSE XSS Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: FrontPage Server Extensions
Description: Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Server 2003 COM object Remote Code Execution Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Multiple Event Handler Memory Corruption (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability."
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Outlook Express 6 (64-bit XP) WAB Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Outlook Express
Description: Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Outlook Express 6 (S03-Gold, Itanium) WAB Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Outlook Express
Description: Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 HTML Tag Memory Corruption (WinXP)
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE5 HTA Execution Vulnerability (Win2K)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Win2K MDAC RDS.Dataspace Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: MDAC
Description: Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Outlook Express 5.5 WAB Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Outlook Express
Description: Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE6 Script Execution Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Outlook Express 6 (S03,SP1) WAB Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Outlook Express
Description: Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
History: Robert L. Hollis; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Word 2003 Malicious .doc Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Samba
Description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
History: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: MS Word Macro Security Bypass Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Word 2000
Description: Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document.
History: Christine Walzer; Christine Walzer; DRAFT; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE Cross-Site Scripting
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability.
History: Andrew Buttner; Christine Walzer; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: MS Word 6.0 Table Conversion Vulnerability (32-bit XP)
Platforms: Microsoft Windows XP
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.
History: Christine Walzer; DRAFT; INTERIM; Christine Walzer; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: MS Word 6.0 Table Conversion Vulnerability (64-bit XP)
Platforms: Microsoft Windows XP
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.
History: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: Windows Script Engine Heap Overflow (Test 1)
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Windows Script Engine for JScript v5.6
Description: Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.
History: Tiffany Bergeron; David Proulx; David Proulx; ACCEPTED; Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure
Platforms: Microsoft Windows 2000
Product: Microsoft Word 2000
Description: Microsoft Word and Excel allow remote attackers to steal sensitive information via certain field codes that insert the information when the document is returned to the attacker, as demonstrated in Word using (1) INCLUDETEXT or (2) INCLUDEPICTURE, aka "Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure."
History: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 2000 Drag-and-Drop Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."
History: Matthew Burton; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: MS Outlook (Word 2000) RTF/HTML Script Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Word 2000
Description: Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.
History: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Word 2002 Malicious .doc Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 2002
Description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
History: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Outlook Express v5.5,SP2 Malformed Email Header Denial of Service
Platforms: Microsoft Windows 2000
Product: Microsoft Outlook Express
Description: Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.
History: Jonathan Baker; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Help and Support Center PCHealth System Buffer Overflow (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Help and Support Center (HSC)
Description: Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL.
History: Christine Walzer; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Andrew Buttner; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Word 2000 Malicious .doc Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 2000
Description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
History: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE v6.0 SSL Cached Content Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.
History: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows XP (32-bit,SP2/64-bit,SP1) Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
History: Christine Walzer; INTERIM; ACCEPTED; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: Windows Messenger 5 libpng Buffer Overflow
Platforms: Microsoft Windows 2000
Product: MDAC 2.8
Description: Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
History: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows Project Professional URL Buffer Overflow
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Project Professional 2002
Description: Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames.
History: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 2000 Media Player PNG Processing Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows Media Player 9
Description: Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."
History: Christine Walzer; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows Server 2003 Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Operating System
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
History: Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE5.01,SP3 Channel Definition Format Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: Word 2002 Malicious .doc Buffer Overflow II
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 2002
Description: Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.
History: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Server 2003 Unknown Vector SMB Vulnerability
Platforms: Microsoft Windows Server 2003
Product: SMB (Server Message Block)
Description: Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."
History: Jonathan Baker; DRAFT; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Office 2000 WordPerfect Converter Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Office 2000 SP3
Description: Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.
History: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Excel 2000 File Handler Code Execution Vulnerability
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Excel 2000
Description: Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated.
History: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Word 2000 Malicious .doc Buffer Overflow II
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 2000
Description: Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.
History: Matthew Burton; DRAFT; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: IE5.01,SP3 DHTML Method Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE v5.01 Content Disposition/Type Arbitrary Code Execution
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.
History: Tiffany Bergeron; Christine Walzer; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: GDI+ JPEG Parsing Engine Buffer Overflow (Office 2003)
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Office 2003
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
History: Ingrid Skoog; Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE for Server 2003 Channel Definition Format Cross Domain Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; Harvey Rubinovitz; Harvey Rubinovitz; Harvey Rubinovitz; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: Windows XP (64-bit Gold) Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows XP
Product: Operating System
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
History: Christine Walzer; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: Windows XP,SP2 IE6.0 Drag-and-Drop Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; Harvey Rubinovitz; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE5.01,SP3 Drag-and-Drop Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: GDI+ JPEG Parsing Engine Buffer Overflow (Project 2002,SP1)
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Project Professional 2002
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
History: Ingrid Skoog; DRAFT; Ingrid Skoog; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE6 for Server 2003 Security Zone Restriction Bypass Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; Harvey Rubinovitz; Harvey Rubinovitz; Harvey Rubinovitz; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: GDI+ JPEG Parsing Engine Buffer Overflow (Visio Pro 2002)
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Visio Professional 2002
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
History: Ingrid Skoog; DRAFT; Ingrid Skoog; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE6 DHTML Method Heap Memory Corruption Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; Harvey Rubinovitz; Harvey Rubinovitz; Harvey Rubinovitz; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE6.0,SP2 Security Zone Restriction Bypass Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; Harvey Rubinovitz; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: MS Word 6.0 Font Conversion Vulnerability (NT 4.0)
Platforms: Microsoft Windows NT
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
History: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE6,SP1 Channel Definition Format Cross Domain Vulnerability
Platforms: Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."
History: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: GDI+ JPEG Parsing Engine Buffer Overflow (Visio Pro 2003)
Platforms: Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Visio Professional 2003
Description: Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.
History: Ingrid Skoog; DRAFT; Ingrid Skoog; INTERIM; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; Robert L. Hollis; ACCEPTED. Status: ACCEPTED.

Title: IE v5.5 Domain Restriction Bypass Cross-Frame Scripting
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions.
History: Harvey Rubinovitz; ACCEPTED. Status: ACCEPTED.

Title: MS Word 2000 Macro Names Buffer Overflow
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Word 2000
Description: Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.
History: Christine Walzer; ACCEPTED; Ingrid Skoog; INTERIM; ACCEPTED; John Hoyland; INTERIM; ACCEPTED. Status: ACCEPTED.

Title: Windows 2000 Shell CLSID File Type Spoof Vulnerability
Platforms: Microsoft Windows 2000
Product: Operating System
Description: The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.
History: Christine 
WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDMS Word 6.0 Table Conversion Vulnerability (Windows 2000)Microsoft Windows 2000Microsoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDNetBT Name Service Information Access VulnerabilityMicrosoft Windows XPNetBT Name ServiceThe NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information.Ingrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDWindows XP Shell CLSID File Type Spoof VulnerabilityMicrosoft Windows XPOperating SystemThe Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.Christine WalzerINTERIMACCEPTEDRobert L. HollisACCEPTEDINTERIMACCEPTEDACCEPTEDIE6.0,SP1 Security Zone Restriction Bypass VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDWindows NT Shell CLSID File Type Spoof VulnerabilityMicrosoft Windows NTMicrosoft Internet ExplorerThe Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDHelp and Support Center PCHealth System Buffer Overflow (64-bit XP)Microsoft Windows XPHelp and Support Center (HSC)Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL.Christine WalzerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDHTML Help ActiveX Control Buffer OverflowMicrosoft Windows 2000HTML Help ActiveX ControlBuffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function.Christine WalzerAndrew ButtnerACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDMS Word 6.0 Table Conversion Vulnerability (Server 2003)Microsoft Windows Server 2003Microsoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDDHTML Object Memory Corruption Vulnerability (IE6,SP1)Microsoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".Harvey RubinovitzDRAFTINTERIMACCEPTEDJason SpashettINTERIMACCEPTEDACCEPTEDGDI+ JPEG Parsing Engine Buffer Overflow (Project 2003)Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Project Professional 2003Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTIngrid SkoogINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) SSL Cached Content VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDGDI+ JPEG Parsing Engine Buffer Overflow (Office XP,SP2)Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Office XP SP2Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDMS Word 6.0 Font Conversion Vulnerability (32-bit XP)Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDIE5.01,SP4 JPEG Image Rendering Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerUnknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDIE5.01,SP4 DHTML Method Heap Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDIE6,SP1 Content Advisor Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerBuffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDJason SpashettINTERIMACCEPTEDACCEPTEDGDI+ JPEG Parsing Engine Buffer Overflow (Windows XP)Microsoft Windows XPGDI+Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDIE6,SP2 Channel Definition Format Cross Domain VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDGDI+ JPEG Parsing Engine Buffer Overflow (IE6)Microsoft Windows 2000Microsoft Internet ExplorerBuffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Ingrid SkoogDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDWord 2003 Malicious .doc Buffer Overflow IIMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003SambaBuffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.Matthew BurtonDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDISA Server Reverse DNS Lookup Results SpoofingMicrosoft Windows 2000ISA Server 2000Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results.Christine WalzerDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMS Outlook (Word 2002) RTF/HTML Script Execution VulnerabilityMicrosoft Windows 2000Microsoft Word 2002Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.Ingrid SkoogDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMS Word 6.0 Table Conversion Vulnerability (NT 4.0)Microsoft Windows NTMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter does not 
properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDWindows XP Object Management VulnerabilityMicrosoft Windows XPWindows kernelBuffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDMS Word 6.0 Font Conversion Vulnerability (NT Terminal Server)Microsoft Windows NTMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDServer 2003/64-bit XP Drag-and-Drop VulnerabilityMicrosoft Windows Server 2003Windows MessengerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDServer 2003 Blind Connection Reset Attack VulnerabilityMicrosoft Windows Server 2003Microsoft Word 2003Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." 
NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDIE5.01,SP4 Drag-and-Drop VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDMSN Messenger GIF Size Buffer OverflowMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003MSN MessengerGIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMRobert L. HollisACCEPTEDACCEPTEDIE5.01,SP4 Channel Definition Format Cross Domain VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDIE v6.0,SP1 Improper URL Canonicalization VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.01, SP4 SSL Cached Content VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.Harvey RubinovitzDRAFTINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMS Word 6.0 Font Conversion Vulnerability (64-bit XP)Microsoft Windows XPMicrosoft Word for Windows 6.0 ConverterMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. 
HollisACCEPTEDACCEPTEDIE v5.5, SP2 SSL Cached Content VulnerabilityMicrosoft Windows MEMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 SSL Cached Content VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDCOM+ Memory Structures Process Permits Remote Code Execution (Server 2003,SP1)Microsoft Windows Server 2003Operating SystemCOM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDBuffer Overflow in CDOSYS Message Processing (Server 2003,SP1)Microsoft Windows Server 2003Operating SystemBuffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDWindows Messenger 6 libpng Buffer OverflowMicrosoft Windows 2000Microsoft Windows XPMSN MessengerMultiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.Christine WalzerDRAFTINTERIMACCEPTEDRobert L. HollisINTERIMRobert L. HollisACCEPTEDACCEPTEDExchange Server 5.5 TNEF Decoding VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft OutlookUnspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMS Word 2002 Macro Names Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 2002Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.Andrew ButtnerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDJohn HoylandINTERIMACCEPTEDACCEPTEDMozilla JavaScript Garbage-Collection Hazards in jsinterp.cMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDEMF Rendering Denial of Service Vulnerability (64-bit Windows XP and Server 2003,Unpatched)Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemThe GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDMS Excel 97 Malicious Macro Security Bypass VulnerabilityMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Excel 97Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model.Andrew ButtnerINTERIMACCEPTEDIngrid SkoogINTERIMMatthew WojcikINTERIMMozilla XML Parser Read Beyond Buffer BugMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003mozillaThe XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDTCP/IP IGMP v3 Denial of Service (Server 2003,SP1)Microsoft Windows Server 2003Operating SystemMicrosoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability."Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebClient Service Unchecked Buffer Remote Code Execution (XP,SP1)Microsoft Windows XPOperating SystemBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTEDTIP Request Validation Process Permits Denial of Service (Server 2003,SP1)Microsoft Windows Server 2003TIPDistributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6,SP1 Web Folder Behaviors Cross-Domain VulnerabilityMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerUnknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".Harvey RubinovitzDRAFTINTERIMACCEPTEDRobert L. HollisACCEPTEDACCEPTEDWinXP,SP2 Embedded Web Font VulnerabilityMicrosoft Windows XPOperating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWMF Rendering Code Execution Vulnerability (64-bit Windows XP and Server 2003,SP1)Microsoft Windows XPMicrosoft Windows Server 2003Operating SystemMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.Robert L. 
HollisDRAFTINTERIMACCEPTEDACCEPTED.lnk File-Open Remote Code Execution Vulnerability (64-bit XP,SP1)Microsoft Windows XPOperating SystemWindows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDIE6 DHTML Method Heap Memory Corruption VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMHarvey RubinovitzACCEPTEDRobert L. HollisACCEPTEDACCEPTEDWin2k Embedded Web Font VulnerabilityMicrosoft Windows 2000Operating SystemHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.Robert L. HollisDRAFTINTERIMACCEPTEDACCEPTEDWebClient Service Unchecked Buffer Remote Code Execution (64-bit XP,SP1)Microsoft Windows XPOperating SystemBuffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.Robert L. 
Win2K/XP,SP1 IE Mismatched Document Object Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
Contributors: Robert L. Hollis. Status: ACCEPTED.

Korean IME Privilege Elevation Vulnerability in Office 2003 and Accessories
Platforms: Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Operating System.
The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.
Contributors: Robert L. Hollis. Status: ACCEPTED.

IE v5.01,SP3 SSL Cached Content Vulnerability
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.
Contributors: Harvey Rubinovitz, John Hoyland. Status: ACCEPTED.

IE6 HTML Parsing Vulnerability (WinXP)
Platforms: Microsoft Windows XP. Product: Microsoft Internet Explorer.
Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption.
Contributors: Robert L. Hollis. Status: ACCEPTED.

URL Parsing Memory Corruption Vulnerability (IE6,SP1)
Platforms: Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz, Jason Spashett. Status: ACCEPTED.

IE6:Server 2003 Web Folder Behaviors Cross-Domain Vulnerability
Platforms: Microsoft Windows Server 2003. Product: Microsoft Internet Explorer.
Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".
Contributors: Harvey Rubinovitz, Robert L. Hollis. Status: ACCEPTED.

IE6 COM Object Instantiation Memory Corruption (WinXP)
Platforms: Microsoft Windows XP. Product: Microsoft Internet Explorer.
Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption.
Contributors: Robert L. Hollis. Status: ACCEPTED.

IE6 Double Byte Character Parsing Memory Corruption (Win2K/WinXP)
Platforms: Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability."
Contributors: Robert L. Hollis. Status: ACCEPTED.

IE6:XP,SP2 Java Proxy COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows XP. Product: Microsoft Internet Explorer.
Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.
Contributors: Robert L. Hollis. Status: ACCEPTED.

Windows Script Engine Heap Overflow (Test 3)
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000. Product: Windows Script Engine for JScript v5.5.
Integer overflow in the JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating systems allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.
Contributors: Tiffany Bergeron, David Proulx, Christine Walzer, Matthew Wojcik. Status: ACCEPTED.

Outlook Express 6 (S03-Gold) WAB Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000. Product: Outlook Express.
Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.
Contributors: Robert L. Hollis. Status: ACCEPTED.

Buffer Overflow in CDOSYS Message Processing (64-bit WinXP,SP1)
Platforms: Microsoft Windows XP. Product: Operating System.
Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.
Contributors: Robert L. Hollis. Status: ACCEPTED.

IE5.01,SP4 Web Folder Behaviors Cross-Domain Vulnerability
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".
Contributors: Harvey Rubinovitz, Robert L. Hollis. Status: ACCEPTED.

Server 2003 RPCSS DCOM Buffer Overflow
Platforms: Microsoft Windows Server 2003. Product: Remote Procedure Call (RPC).
A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
Contributors: Christine Walzer. Status: DRAFT.

Windows Server 2003 Help Center Command Insertion Vulnerability
Platforms: Microsoft Windows Server 2003. Product: Help and Support Center (HSC).
Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.
Contributors: Harvey Rubinovitz, John Hoyland. Status: ACCEPTED.

CSNW Remote Buffer Overflow via Network Messages (Server 2003,SP1)
Platforms: Microsoft Windows Server 2003. Product: NetWare.
The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.
Contributors: Robert L. Hollis. Status: ACCEPTED.

Zone Spoofing through Malformed Web Page Vulnerability
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability.
Contributors: Tiffany Bergeron, Harvey Rubinovitz, Christine Walzer. Status: ACCEPTED.

Windows 2000 WMF/EMF Buffer Overflow
Platforms: Microsoft Windows 2000. Products: Enhanced Metafile (EMF), Windows Metafile (WMF).
Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image.
Contributors: Andrew Buttner. Status: ACCEPTED.

IE6 Script Execution Vulnerability (Win2K/XP,SP1)
Platforms: Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code.
Contributors: Robert L. Hollis. Status: ACCEPTED.

IE6 DHTML Method Call Memory Corruption (WinXP)
Platforms: Microsoft Windows XP. Product: Microsoft Internet Explorer.
Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.
Contributors: Robert L. Hollis. Status: ACCEPTED.

IE v6.0 Content Disposition/Type Arbitrary Code Execution
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.
Contributors: Andrew Buttner, Christine Walzer, Matthew Wojcik. Status: ACCEPTED.

Excel 2002 File Handler Code Execution Vulnerability
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Microsoft Excel 2002.
Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated.
Contributors: Matthew Burton, John Hoyland. Status: DRAFT.

MS Exchange / OWA NTLM Authentication Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows Server 2003. Product: Microsoft Exchange Server.
Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed.
Contributors: Andrew Buttner, John Hoyland. Status: INTERIM.

Microsoft Windows NT is installed
Platforms: Microsoft Windows NT.
The operating system installed on the system is Microsoft Windows NT.
Contributors: Andrew Buttner. Status: ACCEPTED.

IE v6.0,SP1 Drag-and-Drop Code Execution Vulnerability
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".
Contributors: Harvey Rubinovitz, Christine Walzer. Status: ACCEPTED.

Windows XP ASN.1 Library Double-free Memory Corruption Vulnerability
Platforms: Microsoft Windows XP. Product: Microsoft ASN.1 Library.
Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Contributors: David Proulx, Christine Walzer. Status: ACCEPTED.

Windows XP IIS5 WebDAV Denial of Service
Platforms: Microsoft Windows XP. Product: Microsoft Internet Information Server (IIS).
IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned.
Contributors: Christine Walzer. Status: ACCEPTED.

Outlook Express v6.0,SP1 MHTML URL Processing Vulnerability
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Outlook Express.
The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."
Contributors: Andrew Buttner. Status: ACCEPTED.

Windows 2000 IIS5 WebDAV Denial of Service
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Information Server (IIS).
IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned.
Contributors: Christine Walzer. Status: ACCEPTED.

IE File Download Dialog Deception Vulnerability
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Internet Explorer 5.5 and 6.0 allows remote attackers to cause the File Download dialogue box to misrepresent the name of the file in the dialogue in a way that could fool users into thinking that the file type is safe to download.
Contributors: Tiffany Bergeron, Harvey Rubinovitz, Christine Walzer. Status: ACCEPTED.

Win2k Domain Controller LSASS Denial of Service
Platforms: Microsoft Windows 2000. Product: Lightweight Directory Access Protocol (LDAP).
Unknown vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Windows NT IIS Directory Traversal Command Execution (Test 2)
Platforms: Microsoft Windows NT. Product: Microsoft Internet Information Server (IIS).
Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
Contributors: Christine Walzer. Status: ACCEPTED.

NT4.0 Remote Registry Access Authentication Vulnerability
Platforms: Microsoft Windows NT. Product: Microsoft Windows NT.
The Remote Registry server in Windows NT 4.0 allows local authenticated users to cause a denial of service via a malformed request, which causes the winlogon process to fail, aka the "Remote Registry Access Authentication" vulnerability.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

MS Exchange Server Broad Permissions in WinReg Registry Key
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Microsoft Exchange Server.
Microsoft Exchange Server 2000 System Attendant gives "Everyone" group privileges to the WinReg key, which could allow remote attackers to read or modify registry keys.
Contributors: Tiffany Bergeron, Christine Walzer. Status: ACCEPTED.

The Remote Access Service is Running
Platforms: Microsoft Windows 2000. Product: NetBIOS.
A component service related to NETBIOS is running.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Incorrect Permission on SQL Server Service Account Registry Key
Platforms: Microsoft Windows NT. Product: SQL Server 2000.
The registry key containing the SQL Server service account information in Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, has insecure permissions, which allows local users to gain privileges, aka "Incorrect Permission on SQL Server Service Account Registry Key."
Contributors: Tiffany Bergeron, Jonathan Baker, Ingrid Skoog. Status: ACCEPTED.

IE5.01,SP3 File Disclosure via Redirects Vulnerability
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Windows 2000 DirectPlay Denial of Service
Platforms: Microsoft Windows 2000. Product: Microsoft DirectPlay.
The IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a through 9.0b, as used in Windows Server 2003 and earlier, allows remote attackers to cause a denial of service (application crash) via a malformed packet.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Outlook Express v6.0 for Server 2003 MHTML URL Processing Vulnerability
Platforms: Microsoft Windows Server 2003. Product: Microsoft Outlook Express.
The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."
Contributors: Andrew Buttner, Christine Walzer. Status: ACCEPTED.

Windows RPC Locator Service Buffer Overflow
Platforms: Microsoft Windows NT. Product: Locator service.
Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Windows Server 2003 COM Internet Services/RPC over HTTP Proxy Component Buffer Overflow
Platforms: Microsoft Windows Server 2003. Product: COM Internet Services.
Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
Contributors: Christine Walzer. Status: ACCEPTED.

Veritas Backup Exec RestrictAnonymous Forced Misconfiguration Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Veritas Backup Exec 8.5.
Veritas Backup Exec 8.5 and earlier requires that the "RestrictAnonymous" registry key for Microsoft Exchange 2000 must be set to 0, which enables anonymous listing of the SAM database and shares.
Contributors: Tiffany Bergeron, Ingrid Skoog. Status: INTERIM.

MDAC SQL-DMO Buffer Overflow (Test 3)
Platforms: Microsoft Windows XP. Product: Microsoft Data Access Components 2.7.
Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.
Contributors: Christine Walzer. Status: ACCEPTED.

DCOM RPC Object Identity Windows NT Vulnerability
Platforms: Microsoft Windows NT. Product: Remote Procedure Call (RPC).
The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

Windows 2000 Print Spooler Service Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Print Spooler Service.
Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.
Contributors: Matthew Burton. Status: ACCEPTED.

Windows Utility Manager Shatter Message Vulnerability
Platforms: Microsoft Windows 2000. Product: Utility Manager.
The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213.
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Windows 2000 IIS Directory Traversal Command Execution (Test 2)
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Information Server (IIS).
Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
Contributors: Christine Walzer. Status: ACCEPTED.

Multiple Vulnerabilities in Rockliffe MailSite Express
Platforms: Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Rockliffe MailSite Express.
Cross-site scripting (XSS) vulnerability in Rockliffe MailSite Express before 6.1.22 allows remote attackers to inject arbitrary web script or HTML via a message body.
Contributors: Rahul Mohandas. Status: ACCEPTED.

Windows XP (32-Bit) DUNZIP Integer Overflow
Platforms: Microsoft Windows XP. Product: Compressed Folders.
Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.
Contributors: David Proulx, Jonathan Baker, Matthew Wojcik. Status: ACCEPTED.

Windows XP winlogon Remote Buffer Overflow
Platforms: Microsoft Windows XP. Product: Windows logon process (winlogon).
Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.
Contributors: Andrew Buttner, Christine Walzer. Status: ACCEPTED.

Microsoft Certificate Validation Flaw Identity Spoofing Vulnerability
Platforms: Microsoft Windows XP. Product: Microsoft CryptoAPI.
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows XP HTML Help Remote Code Execution Vulnerability
Platforms: Microsoft Windows XP. Product: HTML Help Facility.
Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
Contributors: Andrew Buttner. Status: ACCEPTED.

Microsoft Certificate Validation Flaw Identity Spoofing Vulnerability (Variant)
Platforms: Microsoft Windows NT. Product: Certificate Validation.
Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).
Contributors: Christine Walzer. Status: ACCEPTED.

DCOM RPC Object Identity Windows 2000 Vulnerability
Platforms: Microsoft Windows 2000. Product: Remote Procedure Call (RPC).
The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

Windows XP WMF/EMF Buffer Overflow
Platforms: Microsoft Windows XP. Products: Enhanced Metafile (EMF), Windows Metafile (WMF).
Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image.
Contributors: Andrew Buttner, Christine Walzer. Status: ACCEPTED.

DCOM RPC Object Identity Windows 2003 Vulnerability
Platforms: Microsoft Windows Server 2003. Product: Remote Procedure Call (RPC).
The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

Windows 2000 Internet Printing ISAPI Extension Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Information Server (IIS).
Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.
Contributors: Christine Walzer, Ingrid Skoog. Status: ACCEPTED.

DCOM RPC Object Identity Windows XP Vulnerability
Platforms: Microsoft Windows XP. Product: Remote Procedure Call (RPC).
The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

Windows XP TAPI Buffer Overflow
Platforms: Microsoft Windows XP. Product: Telephony Service.
Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to elevate privileges or execute arbitrary code via a crafted message.
Contributors: Andrew Buttner. Status: ACCEPTED.

Windows NT/2000 ASN.1 Library Double-free Memory Corruption Vulnerability
Platforms: Microsoft Windows NT, Microsoft Windows 2000. Product: Microsoft ASN.1 Library.
Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Contributors: David Proulx. Status: ACCEPTED.

MS SQL Server 2000 Resolution Service Buffer Overflow
Platforms: Microsoft Windows NT. Product: SQL Server 2000.
Multiple buffer overflows in SQL Server 2000 Resolution Service allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption.
Contributors: Tiffany Bergeron, Jonathan Baker, Ingrid Skoog. Status: ACCEPTED.

MS CIFS Spoofed Browse Frame Request Vulnerability
Platforms: Microsoft Windows 2000. Product: NetBIOS.
Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.
Contributors: Tiffany Bergeron, Jonathan Baker. Status: ACCEPTED.

Outlook Express 5.5,SP2 News Reading Vulnerability
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000. Product: Microsoft Outlook Express.
Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.
Contributors: Ingrid Skoog. Status: ACCEPTED.

Windows ntdll.dll Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Windows 2000.
Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Windows Server 2003 SSL PCT Handshake Vulnerability
Platforms: Microsoft Windows Server 2003. Product: Private Communications Transport (PCT).
Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.
Contributors: Andrew Buttner. Status: ACCEPTED.

IE plugin.ocx Heap Overflow
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003. Product: Microsoft Internet Explorer.
Heap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via the Load() method, a different vulnerability than CVE-2003-0115.
Contributors: Tiffany Bergeron, Harvey Rubinovitz. Status: ACCEPTED.

IE Web Page Spoofing Vulnerability
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 5.5 and earlier allows remote attackers to display a URL in the address bar that is different than the URL that is actually being displayed, which could be used in web site spoofing attacks, aka the "Web page spoofing vulnerability."
Contributors: Tiffany Bergeron. Status: ACCEPTED.

IE AbusiveParent Vulnerability (32-bit Server 2003)
Platforms: Microsoft Windows Server 2003. Product: Microsoft Internet Explorer.
The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.
Contributors: Jonathan Baker, Christine Walzer. Status: ACCEPTED.

MS Windows RPC DCOM DoS-based Privilege Escalation Vulnerability (Test 2)
Platforms: Microsoft Windows 2000. Product: Remote Procedure Call (RPC).
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
Contributors: Christine Walzer, Andrew Buttner. Status: ACCEPTED.

Server 2003 Color Management Module Buffer Overflow
Platforms: Microsoft Windows Server 2003. Product: Microsoft Color Management Module.
Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows XP Telnet Environment Disclosure Vulnerability
Platforms: Microsoft Windows XP. Product: Services for UNIX.
The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
Contributors: Jonathan Baker. Status: ACCEPTED.

Scob and Toofer Internet Explorer v6.0,SP1 Vulnerabilities
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.
Contributors: Tiffany Bergeron, Christine Walzer. Status: ACCEPTED.

IE6,SP1 JPEG Image Rendering Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Windows XP Unknown Vector SMB Vulnerability
Platforms: Microsoft Windows XP. Product: SMB (Server Message Block).
Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."
Contributors: Jonathan Baker. Status: ACCEPTED.

ISA Server Poison Cache Vulnerability
Platforms: Microsoft Windows 2000. Product: ISA Server 2000.
Microsoft ISA Server 2000 allows remote attackers to poison the ISA cache or bypass content restriction policies via a malformed HTTP request packet containing multiple Content-Length headers.
Contributors: Christine Walzer, Jonathan Baker. Status: ACCEPTED.

IE6 Installed XP,SP2 File Disclosure via Redirects Vulnerability
Platforms: Microsoft Windows XP. Product: Microsoft Internet Explorer.
The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Crystal Reports Business Objects Directory Traversal
Platforms: Microsoft Windows 2000. Products: Crystal Enterprise, Crystal Reports.
Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx.
Contributors: Andrew Buttner, Jonathan Baker. Status: DRAFT.

Windows 2000 COM Structured Storage Vulnerability
Platforms: Microsoft Windows 2000. Product: COM Internet Services.
Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."
Contributors: Christine Walzer, Andrew Buttner. Status: ACCEPTED.

Suppressed: Duplicate of OVAL3743
Platforms: Microsoft Windows Server 2003. Product: Microsoft Word for Windows 6.0 Converter.
Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.
Contributors: Christine Walzer, Ingrid Skoog. Status: ACCEPTED.

Microsoft ISA Server Cross-Site Scripting
Platforms: Microsoft Windows 2000. Product: ISA Server 2000.
Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found."
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Windows 2000 SMB Buffer Overflow
Platforms: Microsoft Windows 2000. Product: SMB (Server Message Block).
Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

OLE Component Input Validation Vulnerability (32-bit XP,SP2)
Platforms: Microsoft Windows XP. Product: Windows Media Player 9.
The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

IE .chm Directory Traversal Windows XP Vulnerability
Platforms: Microsoft Windows XP. Product: HTML Help Facility.
Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475.
Contributors: Andrew Buttner, Christine Walzer. Status: ACCEPTED.

Microsoft Agent Security Prompt Spoofing Vulnerability (Windows XP)
Platforms: Microsoft Windows XP. Product: Microsoft Agent.
Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page.
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

URL Parsing Memory Corruption Vulnerability (IE5.01,SP3)
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

IE v5.5,SP2 Forced Script Execution
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.
Contributors: David Proulx. Status: ACCEPTED.

Windows Server 2003 (64-bit) RPCSS DCOM Buffer Overflow (Blaster)
Platforms: Microsoft Windows Server 2003. Product: Distributed Component Object Model (DCOM).
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Contributors: Christine Walzer. Status: ACCEPTED.

IE6,SP1 File Disclosure via Redirects Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Microsoft SQL Server Extended Stored Procedure Buffer Overflow
Platforms: Microsoft Windows 2000. Product: SQL Server 2000.
Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments.
Contributors: Yi-Fang Koh, Ingrid Skoog. Status: ACCEPTED.

Windows 2000 TAPI Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Telephony Service.
Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to elevate privileges or execute arbitrary code via a crafted message.
Contributors: Andrew Buttner. Status: ACCEPTED.

IE Improper Object Tag Handling
Platforms: Microsoft Windows 2000. Product: Windows 2000.
Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page.
Contributors: Tiffany Bergeron, Christine Walzer. Status: ACCEPTED.

IE6,SP1 COM Object Instantiation Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Internet Explorer.
Internet Explorer 5.0, 5.5, and 6.0 allows remote
attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDWindows XP Web Client Service Buffer OverflowMicrosoft Windows XPWeb Client ServiceBuffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0 Improper Cross Domain Security Validation with Dialog BoxMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."Andrew ButtnerChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP Kernel Debugger-based Buffer Overflow (Test 1)Microsoft Windows XPWindows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDRPCSS DCOM Buffer Overflow (Windows 2000)Microsoft Windows 2000Remote Procedure Call (RPC)Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC 
request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.Tiffany BergeronACCEPTEDACCEPTEDServer 2003 Object Management VulnerabilityMicrosoft Windows Server 2003Windows kernelBuffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDWindows 98 Program Group Converter Buffer OverflowMicrosoft Windows 98Program Group ConverterBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Color Management Module Buffer OverflowMicrosoft Windows 2000Microsoft Color Management ModuleBuffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWin2k Land VulnerabilityMicrosoft Windows 2000Windows 2000Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 TAPI Buffer OverflowMicrosoft Windows Server 2003Telephony ServiceBuffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.Andrew 
ButtnerDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 HTR ISAPI Buffer OverflowMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names.Tiffany BergeronACCEPTEDACCEPTEDAnimated Cursor Denial of Service (XP)Microsoft Windows XPWindows Animated CursorThe Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows NT IIS ASP Server-Side Include Function Buffer OverflowMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names.Tiffany BergeronACCEPTEDACCEPTEDWindows Kernel LPC Privilege Escalation Vulnerability (NT 4.0)Microsoft Windows NTWindows kernelThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 IIS WebDAV Message Handler Denial of Service VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application 
crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Certificate Validation Identity Spoofing Vulnerability (Test 1)Microsoft Windows 2000Certificate ValidationThe (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.Christine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows NT Task Scheduler Stack OverflowMicrosoft Windows NTMicrosoft Internet ExplorerStack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.Tiffany BergeronINTERIMACCEPTEDAndrew ButtnerChristine WalzerINTERIMACCEPTEDACCEPTEDServer 2003 IE HTML Help ActiveX control Cross Domain VulnerabilityMicrosoft Windows Server 2003HTML Help ActiveX ControlInternet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain 
Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Java Virtual Machine Security BypassMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Virtual Machine (VM)The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise."Tiffany BergeronINTERIMACCEPTEDACCEPTEDWindows NT IIS HTTP Header Field Buffer OverflowMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values.Tiffany BergeronACCEPTEDACCEPTEDDefault Registry Permissions on SNMP ParametersMicrosoft Windows NTSimple Network Management Protocol (SNMP)The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities.Matt BusbyINTERIMACCEPTEDACCEPTEDDefault Registry Permissions on the MTS Package Admin KeyMicrosoft Windows NTMicrosoft Transaction Server (MTS)The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities.Matt BusbyINTERIMACCEPTEDACCEPTEDServer 2003 Print Spooler Service Buffer OverflowMicrosoft Windows Server 2003Print Spooler ServiceBuffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows 
Server 2003 allows remote attackers to execute arbitrary code via a malicious message.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft Internet Explorer MIME HackMicrosoft Windows 2000Microsoft Internet ExplorerHTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.Tiffany BergeronAndrew ButtnerACCEPTEDACCEPTEDSuppressed OVAL142, covered by OVAL2022Microsoft Windows NTWindows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP IIS WebDAV Message Handler Denial of Service VulnerabilityMicrosoft Windows XPMicrosoft Internet Information Server (IIS)The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft IE Encoded Characters Information DisclosureMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure."Harvey RubinovitzChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 SNMPv1 Trap Handling DoS and Privilege Escalation (Test 1)Microsoft Windows 2000Simple Network Management Protocol (SNMP)Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the 
PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.Harvey RubinovitzACCEPTEDWindows NT MUP UNC Request Buffer OverflowMicrosoft Windows NTMultiple UNC Provider (MUP)Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request.Tiffany BergeronACCEPTEDWindows NT Certificate Validation Identity Spoofing Vulnerability (Test 1)Microsoft Windows NTCertificate ValidationMicrosoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).Christine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows NT SMB Buffer OverflowMicrosoft Windows NTSMB (Server Message Block)Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 Shell Buffer OverflowMicrosoft Windows 2000Windows ShellBuffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled.Christine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 HtmlHelp Heap OverflowMicrosoft Windows 2000HTML Help FacilityHeap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and 
Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.Andrew ButtnerINTERIMACCEPTEDACCEPTEDWindows Virtual DOS Machine Local Privilege Escalation Vulnerability (Test 1)Microsoft Windows NTVDMThe component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.Ingrid SkoogIngrid SkoogACCEPTEDACCEPTEDWindows XP HtmlHelp Heap OverflowMicrosoft Windows XPHTML Help FacilityHeap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWINS Association Context Vulnerability (64-bit Server 2003, Test 1)Microsoft Windows Server 2003Windows Internet Naming Service (WINS)The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWindows Kernel LPC Privilege Escalation Vulnerability (Windows 2000)Microsoft Windows 2000Windows kernelThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows NT Process Handle Duplication 
Privilege EscalationMicrosoft Windows NTWindows NT 4.0smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.Tiffany BergeronACCEPTEDSuppressed Test OVAL1581 (Identical to OVAL4458)Microsoft Windows XPWindows kernelThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Trusted Domain LoopholeMicrosoft Windows NTWindows NT 4.0In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain.Tiffany BergeronACCEPTEDWindows NT IIS Chunked Encoding Buffer OverflowMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.Tiffany BergeronACCEPTEDACCEPTEDWindows ME Long Share Names VulnerabilityMicrosoft Windows MEWindows ShellBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.Andrew 
ButtnerDRAFTINTERIMACCEPTEDACCEPTEDHyperTerminal Session File Vulnerability (Windows XP,SP1)Microsoft Windows XPHyperTerminalHyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.Harvey RubinovitzDRAFTHarvey RubinovitzHarvey RubinovitzINTERIMChristine WalzerDavid ProulxACCEPTEDACCEPTEDSMB Code Execution Vulnerability (32-bit XP)Microsoft Windows XPSMB (Server Message Block)The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows NT SNMPv1 Trap Handling DoS and Privilege EscalationMicrosoft Windows NTSimple Network Management Protocol (SNMP)Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. 
This and other SNMP-related candidates will be updated when more accurate information is available.Harvey RubinovitzACCEPTEDWindows XP,SP2 Access Requests Privilege Escalation VulnerabilityMicrosoft Windows XPWindows kernelThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDOutlook Express 6,2003 News Reading VulnerabilityMicrosoft Windows Server 2003Microsoft Outlook ExpressStack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDWinXP Land VulnerabilityMicrosoft Windows XPWindows XPWindows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDDHTML Object Memory Corruption Vulnerability (IE6 for XP,SP2)Microsoft Windows XPMicrosoft Internet ExplorerRace condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDIE GetObject Security BypassMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.David ProulxChristine WalzerINTERIMACCEPTEDACCEPTEDIE AbusiveParent Vulnerability (64-bit XP)Microsoft Windows XPMicrosoft Internet 
ExplorerThe DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows Virtual DOS Machine Local Privilege Escalation Vulnerability (Test 2)Microsoft Windows NTVDMThe component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.Ingrid SkoogACCEPTEDACCEPTEDWinXP IP Validation VulnerabilityMicrosoft Windows XPWindows XPMicrosoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Long Share Names VulnerabilityMicrosoft Windows NTWindows ShellBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.Andrew ButtnerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP/Server 2003 (64-Bit) VDM Privilege Escalation VulnerabilityMicrosoft Windows XPMicrosoft Windows Server 2003VDMThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly 
validated by privileged operating system functions.Ingrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 Access Requests Privilege Escalation VulnerabilityMicrosoft Windows Server 2003Windows kernelThe kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDIE v5.5 Improper Cross Domain Security Validation with Dialog BoxMicrosoft Windows 2000Microsoft Internet ExplorerMicrosoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."Andrew ButtnerACCEPTEDWindows XP (64-Bit) Task Scheduler Stack OverflowMicrosoft Windows XPTask SchedulerStack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.Tiffany BergeronINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0 Malformed GIF Image Double-free VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDWindows NT Shell Buffer OverflowMicrosoft Windows NTWindows ShellBuffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled.Matthew BurtonMatthew BurtonDRAFTINTERIMMatthew 
BurtonACCEPTEDACCEPTEDWindows 2000 Negotiate Security Software Provider Denial of Service VulnerabilityMicrosoft Windows 2000Negotiate SSP interfaceThe Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.Ingrid SkoogINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDWindows XP (32-bit, SP1) RPCSS DCOM Buffer Overflow (Blaster)Microsoft Windows XPDistributed Component Object Model (DCOM)Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows NT IIS Heap Overrun in HTR Chunked EncodingMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise."Tiffany BergeronACCEPTEDACCEPTEDServer 2003 CSRSS Privilege Escalation VulnerabilityMicrosoft Windows Server 2003Client Server Runtime System (CSRSS)Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDWindows XP (64-Bit) Program Group Converter Buffer Overflow in grpconv.exeMicrosoft Windows XPProgram Group 
ConverterBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDWindows XP (32-Bit) Program Group Converter Buffer OverflowMicrosoft Windows XPProgram Group ConverterBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDSMB Code Execution Vulnerability (Server 2003 / 64-bit XP)Microsoft Windows Server 2003SMB (Server Message Block)The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDAutomatic ActiveX Approval on WinXP Low MemoryMicrosoft Windows XPAuthenticodeThe Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval.Tiffany BergeronAndrew ButtnerAndrew ButtnerACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWindows NT Terminal Server Unchecked Buffer in NetDDEMicrosoft Windows NTNetDDENetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain 
privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDWindows XP Enhanced Metafile Image Format Rendering Buffer OverflowMicrosoft Windows XPEnhanced Metafile (EMF)Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDWindows Kernel LPC Privilege Escalation Vulnerability (32-bit XP,SP1)Microsoft Windows XPWindows kernelThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDACCEPTEDLSASS Privilege Escalation Vulnerability (64-bit Server 2003)Microsoft Windows Server 2003Local Security Authority Subsystem Service (LSASS)LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDSMB Code Execution Vulnerability (XP,SP1)Microsoft Windows XPSMB (Server Message Block)The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.Christine 
WalzerDRAFTINTERIMACCEPTEDACCEPTEDNetwork Share Provider Buffer OverflowMicrosoft Windows 2000SMB (Server Message Block)Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service".Christine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDActiveX Certificate Enrollment Unauthorized Remote Certificate DeletionMicrosoft Windows 2000Certificate Enrollment ControlUnknown vulnerability in the Certificate Enrollment ActiveX Control in Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000, and Windows XP allow remote attackers to delete digital certificates on a user's system via HTML.Christine WalzerACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIIS Web Server File Request ParsingMicrosoft Windows 2000Microsoft Internet Information Server (IIS)IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability.Tiffany BergeronACCEPTEDWinXP Blind Connection Reset Attack VulnerabilityMicrosoft Windows XPWindows XPMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790,CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. 
While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWindows NT RPCSS DCOM Buffer Overflow (Blaster, Test 2)Microsoft Windows NTRemote Procedure Call (RPC)Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE .chm Directory Traversal Windows 2000 VulnerabilityMicrosoft Windows 2000HTML Help FacilityInternet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. 
NOTE: this bug may overlap CVE-2004-0475.Andrew ButtnerINTERIMACCEPTEDACCEPTEDOutlook Express v6,SP1 Malformed Email Header Denial of ServiceMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressMicrosoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDWindows Server 2003 Negotiate Security Software Provider Denial of Service VulnerabilityMicrosoft Windows Server 2003Negotiate Security Software ProviderThe Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.Ingrid SkoogINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP IE HTML Help ActiveX control Cross Domain VulnerabilityMicrosoft Windows XPWindows XPInternet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDIIS ISAPI Extension Indexing Service Buffer Overflow (Code Red)Microsoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.Tiffany 
BergeronTiffany BergeronACCEPTEDACCEPTEDAutomatic ActiveX Approval on Windows 2000 Low MemoryMicrosoft Windows 2000Windows 2000The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers to execute arbitrary code without user approval.Tiffany BergeronTiffany BergeronACCEPTEDACCEPTEDWeak Encryption in RDP ProtocolMicrosoft Windows 2000Remote Data Protocol (RDP)Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol."Tiffany BergeronChristine WalzerINTERIMACCEPTEDACCEPTEDSuppressed OVAL20Microsoft Windows 2000Distributed Component Object Model (DCOM)Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows Kernel LPC Privilege Escalation Vulnerability (64-bit XP)Microsoft Windows XPWindows kernelThe Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDACCEPTEDWindows XP ComboBox/ListBox GUI Widget User32.dll Buffer OverflowMicrosoft Windows XPWindows XPBuffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary 
code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application.Tiffany BergeronAndrew ButtnerACCEPTEDChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMINTERIMACCEPTEDACCEPTEDMS Exchange Server Cross-site Scripting VulnerabilityMicrosoft Windows NTOutlook Web AccessCross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows NT Kernel Debugger-based Buffer OverflowMicrosoft Windows NTWindows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0 Frames Cross-site Scripting VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerCross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource.Harvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE ActiveX Popup Zone Restriction BypassMicrosoft Windows 2000Windows 2000Internet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CVE-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe).Tiffany BergeronAndrew ButtnerACCEPTEDChristine 
WalzerINTERIMACCEPTEDACCEPTEDWindows XP,SP2 Object Management VulnerabilityMicrosoft Windows XPWindows kernelBuffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDIE v5.01,SP2 Malformed GIF Image Double-free VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDLSASS Privilege Escalation Vulnerability (64-bit XP, SP1)Microsoft Windows XPLocal Security Authority Subsystem Service (LSASS)LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDScob and Toofer Internet Explorer v6.0,SP1 for Server 2003 VulnerabilitiesMicrosoft Windows Server 2003Microsoft Internet ExplorerThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.Tiffany BergeronDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.01,SP3 Drag-and-Drop Code 
Execution VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDIE5.01,SP3 Content Advisor Memory Corruption VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerBuffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDSNMP Agent Service Buffer OverflowMicrosoft Windows 2000Simple Network Management Protocol (SNMP)Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. 
This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available.Tiffany BergeronACCEPTEDWindows 2000 IIS HTTP Redirect Error Message Cross-site ScriptingMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect ("302 Object Moved") message.Harvey RubinovitzACCEPTEDIE v5.5,SP2 Malformed GIF Image Double-free VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Certificate Validation Identity Spoofing Vulnerability (Test 2)Microsoft Windows NTCertificate ValidationMicrosoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).Christine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 Enhanced Metafile Image Format Rendering Buffer OverflowMicrosoft Windows 2000Enhanced Metafile (EMF)Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDIE v5.01,SP3 Malformed GIF Image Double-free VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerDouble-free vulnerability in mshtml.dll for 
certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDWindows 2003/64-bit XP Indexing Service Code Execution VulnerabilityMicrosoft Windows Server 2003Indexing ServiceThe Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Messenger Service Buffer OverflowMicrosoft Windows 2000Messenger ServiceThe Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.Christine WalzerACCEPTEDAndrew ButtnerACCEPTEDACCEPTEDWindows Server 2003 HtmlHelp Heap OverflowMicrosoft Windows Server 2003HTML Help FacilityHeap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.Andrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.01,SP4 Bitmap Integer Overflow VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.Ingrid SkoogDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDInteger Overflows in Windows NT DirectX MIDI Library (QUARTZ.DLL)Microsoft Windows NTDirectXMultiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow.Christine 
WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMSHTA Code Execution Vulnerability (64-bit XP,SP1)Microsoft Windows XPWindows ShellThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDWin2k Path MTU Discovery Attack VulnerabilityMicrosoft Windows 2000Windows 2000Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. 
While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Variant of Chunked Encoding Buffer OverrunMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun."Andrew ButtnerACCEPTEDACCEPTEDIIS4.0 Redirect Function Buffer OverflowMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function.David ProulxINTERIMACCEPTEDACCEPTEDIE v5.5 Frames Cross-site Scripting VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerCross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource.Harvey RubinovitzACCEPTEDACCEPTEDURL Parsing Memory Corruption Vulnerability (IE5.01,SP4)Microsoft Windows 2000Microsoft Internet ExplorerBuffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Terminal Server Kernel Debugger-based Buffer OverflowMicrosoft Windows NTWindows kernelBuffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be 
passed to a debugger.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDDHCP Server Logging Vulnerability (NT 4.0)Microsoft Windows NTDHCPThe DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability."Ingrid SkoogDRAFTIngrid SkoogIngrid SkoogINTERIMACCEPTEDACCEPTEDWindows XP Named Pipe Vulnerability (32-bit architecture)Microsoft Windows XPThe Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."Jonathan BakerDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDACCEPTEDIE v5.5 Forced Script ExecutionMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.David ProulxACCEPTEDExchange Server 2003 (INTERIM) Routing Engine Buffer OverflowMicrosoft Windows Server 2003SMTPThe SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.Christine WalzerDRAFTChristine WalzerINTERIMACCEPTEDACCEPTEDSQL Server Extended Stored Procedure Parameter ParsingMicrosoft Windows 2000Microsoft SQL ServerThe xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer 
before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.Tiffany BergeronIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMIngrid SkoogACCEPTEDChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP RPCSS DCOM Buffer Overflow (Blaster, Test 2)Microsoft Windows XPDistributed Component Object Model (DCOM)Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDThis bulletin has been superseded by MS03-039. Definition reflects updated information.SQL Server Named Pipe HijackingMicrosoft Windows 2000SQL Server 2000Microsoft SQL Server 7, 2000, and MSDE allows local users to gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability.Yi-Fang KohJonathan BakerINTERIMACCEPTEDINTERIMIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogIngrid SkoogINTERIMACCEPTEDChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP,SP2 COM Structured Storage VulnerabilityMicrosoft Windows XPCOM Internet ServicesWindows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 Malformed GIF Image Double-free VulnerabilityMicrosoft Windows MEMicrosoft 
Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDTroubleshooter ActiveX Control Buffer OverflowMicrosoft Windows 2000Windows 2000Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML document with a long argument to the RunQuery2 method.Tiffany BergeronAndrew ButtnerACCEPTEDACCEPTEDWindows NT Unchecked Buffer in NetDDEMicrosoft Windows NTNetDDENetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDWindows NT IIS FTP Connection Status Request Denial of ServiceMicrosoft Windows NTFTPThe FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters.Tiffany BergeronACCEPTEDScob and Toofer Internet Explorer v5.5,SP2 VulnerabilitiesMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header 
containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.Tiffany BergeronDRAFTINTERIMACCEPTEDACCEPTEDWindows XP (64-Bit) DirectPlay Denial of ServiceMicrosoft Windows XPDirectXIDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.Tiffany BergeronTiffany BergeronTiffany BergeronINTERIMACCEPTEDChristine WalzerChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP/Server 2003 (64-Bit) Enhanced Metafile Image Format Rendering Buffer OverflowMicrosoft Windows XPMicrosoft Windows Server 2003Enhanced Metafile (EMF)Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."Ingrid SkoogIngrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDWindows XP Indexing Service Code Execution VulnerabilityMicrosoft Windows XPIndexing ServiceThe Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDAddress Bar Spoofing on Double Byte Character Set Systems Vulnerability (Server 2003)Microsoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey 
RubinovitzINTERIMACCEPTEDACCEPTEDNetwork News Transfer Protocol Buffer OverflowMicrosoft Windows Server 2003Network News Transport Protocol (NNTP)The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0 Plug-in Navigation Address Bar Spoofing VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows Utility Manager Shatter Message Vulnerability IIMicrosoft Windows 2000Utility ManagerUtility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908.Jonathan BakerINTERIMACCEPTEDACCEPTEDWindows 2000 IIS Chunked Encoding Buffer OverflowMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.Tiffany BergeronACCEPTEDACCEPTEDRPC Runtime Library Denial of Service and Information 
Disclosure Vulnerability
Platforms: Microsoft Windows NT. Product: Remote Procedure Call (RPC).
The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values.
Contributors: Matthew Burton. Status: ACCEPTED.

Windows Server 2003 (32-Bit) DirectPlay Denial of Service
Platforms: Microsoft Windows Server 2003. Product: DirectX.
IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a through 9.0b, as used in Windows Server 2003 and earlier, allows remote attackers to cause a denial of service (application crash) via a malformed packet.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

SQL Server Format String Vulnerability
Platforms: Microsoft Windows 2000. Product: Windows 2000.
Format string vulnerability in the C runtime functions in SQL Server 7.0 and 2000 allows attackers to cause a denial of service.
Contributors: Yi-Fang Koh. Status: ACCEPTED.

IE v5.01,SP4 Plug-in Navigation Address Bar Spoofing Vulnerability
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

WINS Association Context Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000. Product: Windows 2000.
The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Contributors: Matthew Burton. Status: ACCEPTED.

HyperTerminal Session File Vulnerability (Windows XP,SP2)
Platforms: Microsoft Windows XP. Product: HyperTerminal.
HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
Contributors: Harvey Rubinovitz, Christine Walzer, David Proulx. Status: ACCEPTED.

URL Parsing Memory Corruption Vulnerability (IE6 for Server 2003)
Platforms: Microsoft Windows Server 2003. Product: Microsoft Internet Explorer.
Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz, Christine Walzer. Status: ACCEPTED.

Windows 2000 Font Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Windows kernel.
Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.
Contributors: Ingrid Skoog, Christine Walzer, Andrew Buttner. Status: ACCEPTED.

License Logging Service Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000. Product: MDAC 2.8.
The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability."
Contributors: Ingrid Skoog. Status: ACCEPTED.

Windows XP Hyperlink Object Library Unchecked Buffer Vulnerability
Platforms: Microsoft Windows XP. Product: Hyperlink Object Library.
The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow.
Contributors: Andrew Buttner. Status: ACCEPTED.

Animated Cursor Denial of Service (Server 2003)
Platforms: Microsoft Windows Server 2003. Product: Windows Animated Cursor.
The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows 2000 Network Connection Manager Privilege Escalation
Platforms: Microsoft Windows 2000. Product: Network Connection Manager (NCM).
A handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code.
Contributors: Christine Walzer. Status: ACCEPTED.

IE v6.0 HijackClick 3 / Script in Image Tag File Download Vulnerability
Platforms: Microsoft Windows XP. Product: Microsoft Internet Explorer.
Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."
Contributors: Harvey Rubinovitz, Christine Walzer. Status: ACCEPTED.

Windows 2000 Kernel Debugger-based Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Windows kernel.
Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows 98 Long Share Names Vulnerability
Platforms: Microsoft Windows 98. Product: Windows Shell.
Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, Windows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.
Contributors: Andrew Buttner. Status: ACCEPTED.

Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 1)
Platforms: Microsoft Windows 2000. Product: Windows 2000.
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Outlook Express v6.0 for Server 2003 Malformed Email Header Denial of Service
Platforms: Microsoft Windows Server 2003. Product: Microsoft Outlook Express.
Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.
Contributors: Jonathan Baker, Christine Walzer. Status: ACCEPTED.

Windows XP (SP2) CSRSS Privilege Escalation Vulnerability
Platforms: Microsoft Windows XP. Product: Client Server Runtime System (CSRSS).
Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
Contributors: Ingrid Skoog, Christine Walzer. Status: ACCEPTED.

Windows 2000 Certificate Validation Identity Spoofing Vulnerability (Test 2)
Platforms: Microsoft Windows 2000. Product: Certificate Validation.
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows XP Messenger Service Buffer Overflow
Platforms: Microsoft Windows XP. Product: Windows XP.
The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
Contributors: Tiffany Bergeron, Andrew Buttner, Christine Walzer. Status: ACCEPTED.

Server 2003 Large Window Size TCP RST Denial of Service
Platforms: Microsoft Windows Server 2003. Product: Microsoft Word 2003.
TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
Contributors: Matthew Burton. Status: ACCEPTED.

Windows XP/Server 2003 DirectPlay Denial of Service (Test 2)
Platforms: Microsoft Windows XP, Microsoft Windows Server 2003. Product: DirectX.
IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a through 9.0b, as used in Windows Server 2003 and earlier, allows remote attackers to cause a denial of service (application crash) via a malformed packet.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

SQL Server OpenDataSource/OpenRowset Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Microsoft SQL Server 2000.
Buffer overflow in SQL Server 7.0 and 2000 allows remote attackers to execute arbitrary code via a long OLE DB provider name to (1) OpenDataSource or (2) OpenRowset in an ad hoc connection.
Contributors: Yi-Fang Koh, Ingrid Skoog, Christine Walzer. Status: ACCEPTED.

IE v6.0 Domain Restriction Bypass Cross-Frame Scripting
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions.
Contributors: Harvey Rubinovitz, Christine Walzer. Status: ACCEPTED.

Suppressed OVAL2730
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000. Product: MDAC 2.5.
Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.
Contributors: Ingrid Skoog, Andrew Buttner. Status: ACCEPTED.

Server 2003 Font Buffer Overflow
Platforms: Microsoft Windows Server 2003. Product: Windows kernel.
Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.
Contributors: Ingrid Skoog, Christine Walzer. Status: ACCEPTED.

WINS Association Context Vulnerability (Terminal Server Test 1)
Platforms: Microsoft Windows NT. Product: Windows Internet Naming Service (WINS).
The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Contributors: Matthew Burton, Christine Walzer. Status: ACCEPTED.

Visio Professional URL Buffer Overflow
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP. Product: Microsoft Visio Professional 2002.
Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00" (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames.
Contributors: Ingrid Skoog. Status: ACCEPTED.

Windows 2000 Program Group Converter Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Program Group Converter.
Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
Contributors: Andrew Buttner. Status: ACCEPTED.

SMB Session Digital Signature Sidestep
Platforms: Microsoft Windows 2000. Product: SMB Signing (Server Message Block).
The SMB signing capability in the Server Message Block (SMB) protocol in Microsoft Windows 2000 and Windows XP allows attackers to disable the digital signing settings in an SMB session to force the data to be sent unsigned, then inject data into the session without detection, e.g. by modifying group policy information sent from a domain controller.
Contributors: Christine Walzer. Status: ACCEPTED.

IE5.01,SP4 Content Advisor Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Cache Path Disclosure via Windows Media Player
Platforms: Microsoft Windows XP. Product: Windows Media Player for Windows XP.
Microsoft Windows Media Player versions 6.4 and 7.1 and Media Player for Windows XP allow remote attackers to bypass Internet Explorer's (IE) security mechanisms and run code via an executable .wma media file with a license installation requirement stored in the IE cache, aka the "Cache Path Disclosure via Windows Media Player".
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Windows 2000 IE HTML Help ActiveX control Cross Domain Vulnerability
Platforms: Microsoft Windows 2000. Product: Windows 2000.
Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."
Contributors: Matthew Burton. Status: ACCEPTED.

Windows Media Player Buffer Overflow via ASF
Platforms: Microsoft Windows XP. Product: Windows Media Player for Windows XP.
Buffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via a malformed Advanced Streaming Format (ASF) file.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

RPCSS DCOM Buffer Overflow (XP, SP1)
Platforms: Microsoft Windows XP. Product: Distributed Component Object Model (DCOM).
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows XP,SP1 COM Structured Storage Vulnerability
Platforms: Microsoft Windows XP. Product: COM Internet Services.
Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

Windows 2000 IIS Heap Overrun in HTR Chunked Encoding
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Information Server (IIS).
Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise."
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Windows 2000, IE v5.01 CSS Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Unchecked Buffer in Password Encryption Procedure
Platforms: Microsoft Windows 2000. Product: SQL Server 2000.
Buffer overflow in the password encryption function of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows remote attackers to gain control of the database and execute arbitrary code via SQL Server Authentication, aka "Unchecked Buffer in Password Encryption Procedure."
Contributors: Yi-Fang Koh, Ingrid Skoog. Status: ACCEPTED.

OLE Component Input Validation Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000. Product: Windows Media Player 9.
The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."
Contributors: Christine Walzer, Andrew Buttner. Status: ACCEPTED.

Adobe Acrobat Reader .ETD Document Code Execution Vulnerability
Platforms: Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP. Product: Adobe Acrobat Reader.
Format string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an .ETD document containing format string specifiers in (1) title or (2) baseurl fields.
Contributors: Matthew Wojcik. Status: ACCEPTED.
Note: iDEFENSE reports that deleting eBook.api from the plug_ins directory is a workaround. See http://www.idefense.com/application/poi/display?id=163&type=vulnerabilities

MS MDAC RDS Buffer Overflow (Test 1)
Platforms: Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000. Product: MDAC 2.6.
Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.
Contributors: Ingrid Skoog, Andrew Buttner. Status: ACCEPTED.

LoadImage Cursor and Icon Format Handling Vulnerability (XP)
Platforms: Microsoft Windows XP. Product: Cursor and Icon Formatting.
Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 2)
Platforms: Microsoft Windows 2000. Product: Remote Procedure Call (RPC).
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

RPCSS DCOM Buffer Overflow (XP)
Platforms: Microsoft Windows XP. Product: Distributed Component Object Model (DCOM).
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows 2000 SNMPv1 Trap Handling DoS and Privilege Escalation (Test 2)
Platforms: Microsoft Windows 2000. Product: Simple Network Management Protocol (SNMP).
Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

SQL Server Named Pipe Denial of Service
Platforms: Microsoft Windows 2000. Product: SQL Server 2000.
Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe.
Contributors: Yi-Fang Koh, Jonathan Baker, Ingrid Skoog, Christine Walzer. Status: ACCEPTED.

Microsoft SMTP Malformed BDAT Request Denial of Service
Platforms: Microsoft Windows 2000. Product: SMTP.
SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 allows attackers to cause a denial of service via a command with a malformed data transfer (BDAT) request.
Contributors: Tiffany Bergeron, Andrew Buttner. Status: ACCEPTED.

SQL Server LPC Port Buffer Overflow
Platforms: Microsoft Windows 2000. Product: SQL Server 2000.
Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow.
Contributors: Yi-Fang Koh, Jonathan Baker, Ingrid Skoog, Christine Walzer. Status: ACCEPTED.

Windows XP Named Pipe Vulnerability (64-bit architecture)
Platforms: Microsoft Windows XP.
The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."
Contributors: Jonathan Baker. Status: ACCEPTED.

IE v5.01,SP3 Bitmap Integer Overflow Vulnerability
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.
Contributors: Ingrid Skoog. Status: ACCEPTED.

Windows NT Program Group Converter Buffer Overflow
Platforms: Microsoft Windows NT. Product: Program Group Converter.
Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
Contributors: Andrew Buttner. Status: ACCEPTED.

MS FrontPage Server Extensions SmartHTML Denial of Service (Test 1)
Platforms: Microsoft Windows 2000. Product: Microsoft FrontPage Server Extensions 2000.
Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.
Contributors: Tiffany Bergeron, Christine Walzer. Status: ACCEPTED.

WinXP Explorer Buffer Overflow
Platforms: Microsoft Windows XP. Product: Explorer.exe.
Buffer overflow in EXPLORER.EXE on Windows XP allows attackers to execute arbitrary code as the XP user via a desktop.ini file with a long .ShellClassInfo parameter.
Contributors: Ingrid Skoog. Status: ACCEPTED.

LoadImage Cursor and Icon Format Handling Vulnerability (Terminal Server)
Platforms: Microsoft Windows NT. Product: Cursor and Icon Formatting.
Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

DHTML Object Memory Corruption Vulnerability (IE6 for Server 2003)
Platforms: Microsoft Windows Server 2003. Product: Microsoft Internet Explorer.
Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".
Contributors: Harvey Rubinovitz, Christine Walzer. Status: ACCEPTED.

Windows 2000 Unchecked Buffer in NetDDE (Test 1)
Platforms: Microsoft Windows 2000. Product: NetDDE.
Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
Contributors: Jonathan Baker. Status: ACCEPTED.

HyperTerminal Session File Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003. Product: HyperTerminal.
HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Windows 2000 Kernel Debugger-based Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Windows kernel.
Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.
Contributors: Christine Walzer. Status: ACCEPTED.

IE6 (for XP,SP2) Content Advisor Memory Corruption Vulnerability
Platforms: Microsoft Windows XP. Product: Microsoft Internet Explorer.
Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

MS SQL Server Bulk Insert Procedure Buffer Overflow
Platforms: Microsoft Windows 2000. Product: SQL Server 2000.
Buffer overflow in bulk insert procedure of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows attackers with database administration privileges to execute arbitrary code via a long filename in the BULK INSERT query.
Contributors: Yi-Fang Koh, Ingrid Skoog. Status: ACCEPTED.

Windows XP VDM Privilege Escalation Vulnerability
Platforms: Microsoft Windows XP. Product: VDM.
The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modifies some system structures in a way that is not properly validated by privileged operating system functions.
Contributors: Ingrid Skoog. Status: ACCEPTED.

Windows NT HtmlHelp Heap Overflow
Platforms: Microsoft Windows NT. Product: HTML Help Facility.
Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.
Contributors: Andrew Buttner, Harvey Rubinovitz. Status: ACCEPTED.

Windows NT getCanonicalPath Heap Corruption Denial of Service
Platforms: Microsoft Windows NT. Product: Windows NT 4.0.
The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

IE v6.0 Forced Script Execution
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made.
Contributors: David Proulx, Christine Walzer. Status: ACCEPTED.

Server 2003 Hyperlink Object Library Unchecked Buffer Vulnerability
Platforms: Microsoft Windows Server 2003. Product: Hyperlink Object Library.
The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows Media Player Directory Traversal
Platforms: Microsoft Windows XP. Product: Windows Media Player for Windows XP.
Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

Animated Cursor Denial of Service (Windows 2000)
Platforms: Microsoft Windows 2000. Product: Windows Animated Cursor.
The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
Contributors: Christine Walzer, Andrew Buttner. Status: ACCEPTED.

IE v5.5,SP2 Bitmap Integer Overflow Vulnerability
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.
Contributors: Ingrid Skoog. Status: ACCEPTED.

LoadImage Cursor and Icon Format Handling Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003. Product: Cursor and Icon Formatting.
Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

Windows XP (64-Bit) Unchecked Buffer in NetDDE
Platforms: Microsoft Windows XP. Product: NetDDE.
Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
Contributors: Jonathan Baker. Status: ACCEPTED.

Windows XP,SP2 Color Management Module Buffer Overflow
Platforms: Microsoft Windows XP. Product: Microsoft Color Management Module.
Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
Contributors: Christine Walzer. Status: ACCEPTED.

Windows XP Workstation Service Logging Function Buffer Overflow
Platforms: Microsoft Windows XP. Product: Microsoft Windows Workstation Service.
Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.
Contributors: Andrew Buttner, Christine Walzer. Status: ACCEPTED.

Office 2003 WordPerfect Converter Buffer Overflow
Platforms: Microsoft Windows XP. Product: Microsoft Office 2003.
Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.
Contributors: Christine Walzer, Ingrid Skoog. Status: ACCEPTED.

LSASS Privilege Escalation Vulnerability (Server 2003/64-bit XP)
Platforms: Microsoft Windows XP. Product: Local Security Authority Subsystem Service (LSASS).
LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
Contributors: Ingrid Skoog. Status: ACCEPTED.

LSASS Privilege Escalation Vulnerability (32-bit XP, SP1)
Platforms: Microsoft Windows XP. Product: Local Security Authority Subsystem Service (LSASS).
LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
Contributors: Christine Walzer. Status: ACCEPTED.

Office XP, SP3 WordPerfect Converter Buffer Overflow
Platforms: Microsoft Windows XP. Product: Microsoft Office XP SP3.
Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.
Contributors: Christine Walzer, Ingrid Skoog. Status: ACCEPTED.

Windows NNTP Memory Leak
Platforms: Microsoft Windows 2000. Product: Network News Transport Protocol (NNTP).
Memory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed posts.
Contributors: Christine Walzer. Status: ACCEPTED.

IE v5.01,SP2 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
Contributors: Andrew Buttner. Status: ACCEPTED.

LoadImage Cursor and Icon Format Handling Vulnerability (NT 4.0)
Platforms: Microsoft Windows NT. Product: Cursor and Icon Formatting.
Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
Contributors: Christine Walzer. Status: ACCEPTED.

Windows Server 2003, IE v6,SP1 CSS Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003. Product: Microsoft Internet Explorer.
Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz. Status: ACCEPTED.

Outlook Express v6.0 (WinXP) Malformed Email Header Denial of Service
Platforms: Microsoft Windows XP. Product: Microsoft Outlook Express.
Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.
Contributors: Jonathan Baker, Christine Walzer. Status: ACCEPTED.

Windows XP SMB Buffer Overflow
Platforms: Microsoft Windows XP. Product: SMB (Server Message Block).
Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.
Contributors: Ingrid Skoog. Status: ACCEPTED.

Windows 2000 ComboBox/ListBox GUI Widget User32.dll Buffer Overflow
Platforms: Microsoft Windows 2000. Product: Windows 2000.
Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application.
Contributors: Tiffany Bergeron, Christine Walzer. Status: ACCEPTED.

IE v5.01,SP3 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
Contributors: Andrew Buttner. Status: ACCEPTED.

IE v5.01,SP4 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
Contributors: Andrew Buttner. Status: ACCEPTED.

Windows 2000 Task Scheduler Stack Overflow
Platforms: Microsoft Windows 2000. Product: Task Scheduler.
Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.
Contributors: Tiffany Bergeron. Status: ACCEPTED.

IE v5.5,SP2 ExecCommand Cross Domain Zone Restriction Bypass
Platforms: Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000. Product: Microsoft Internet Explorer.
Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by
setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 ExecCommand Cross Domain Zone Restriction BypassMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDMSHTA Code Execution Vulnerability (32-bit XP,SP1)Microsoft Windows XPWindows ShellThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDWin2k Blind Connection Reset Attack VulnerabilityMicrosoft Windows 2000Windows 2000Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. 
While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDExchange Server 2003 (Windows Server 2003, 64-Bit Edition) Routing Engine Buffer OverflowMicrosoft Windows Server 2003SMTPThe SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDIE AbusiveParent Vulnerability (32-bit XP)Microsoft Windows XPMicrosoft Internet ExplorerThe DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) ExecCommand Cross Domain Zone Restriction BypassMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDACCEPTEDWindows NT IE HTML Help ActiveX control Cross Domain VulnerabilityMicrosoft Windows NTHTML Help ActiveX ControlInternet Explorer 6.0 on Windows XP 
SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 IIS FTP Connection Status Request Denial of ServiceMicrosoft Windows 2000FTPThe FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters.Tiffany BergeronACCEPTEDWinXP Large Window Size TCP RST Denial of ServiceMicrosoft Windows XPWindows XPTCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDIE v5.01,SP2 Function Pointer Override Cross Domain VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE .chm Directory Traversal Windows Server 2003 VulnerabilityMicrosoft Windows Server 2003HTML Help FacilityInternet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary 
programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475.Andrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.01,SP3 Function Pointer Override Cross Domain VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.01,SP4 Function Pointer Override Cross Domain VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows XP CSRSS Privilege Escalation VulnerabilityMicrosoft Windows XPClient Server Runtime System (CSRSS)Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTED.NET Framework v1.1 Security 
BypassMicrosoft Windows XPMicrosoft Windows Server 2003MDAC 2.7The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 Function Pointer Override Cross Domain VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDOLE Component Input Validation Vulnerability (Server / XP 2003)Microsoft Windows Server 2003OLEThe OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."Christine WalzerChristine WalzerDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 Function Pointer Override Cross Domain VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function 
Pointer Override Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDSuppressed OVAL3573Microsoft Windows 95Microsoft Windows 98Microsoft Windows NTMDAC 2.1Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.Ingrid SkoogDRAFTINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows NT DHCP Request Code Execution VulnerabilityMicrosoft Windows NTDHCPThe DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDLicense Logging Service Vulnerability (Server 2003)Microsoft Windows Server 2003MDAC 2.8The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability."Ingrid SkoogDRAFTINTERIMACCEPTEDIngrid SkoogINTERIMACCEPTEDACCEPTEDWeb View Remote Code Execution VulnerabilityMicrosoft Windows 2000Windows ExplorerThe Web View DLL (webvw.dll), as used in Windows Explorer on Windows 2000 systems, does not properly filter an apostrophe ("'") in the author name in a document, which allows attackers to execute arbitrary script via extra attributes when Web View constructs a mailto: link for the preview pane when the user selects the file.Ingrid SkoogDRAFTAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) Function Pointer Override Cross Domain VulnerabilityMicrosoft Windows Server 2003Microsoft Internet 
ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDACCEPTEDIE v5.01,SP2 Script URLs Cross Domain Zone Restrictions BypassMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.01,SP3 Script URLs Cross Domain Zone Restrictions BypassMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated 
using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.01,SP4 Script URLs Cross Domain Zone Restrictions BypassMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 1)Microsoft Windows XPMicrosoft FrontPage Server Extensions 2000Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 2)Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft FrontPage Server Extensions 
2002Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 3)Microsoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft SharePoint Team ServicesBuffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWINS Association Context Vulnerability (64-bit Server 2003, Test 2)Microsoft Windows Server 2003Windows Internet Naming Service (WINS)The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDIE v5.01,SP2 HijackClick VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.01,SP3 HijackClick VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.Andrew 
ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows NT IIS Directory Traversal Command Execution (Test 1)Microsoft Windows NTMicrosoft Internet Information Server (IIS)Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.Tiffany BergeronACCEPTEDIE v5.01,SP4 HijackClick VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 HijackClick VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 HijackClick VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIIS AddHeader Large Header Denial of ServiceMicrosoft Windows 2000Microsoft Internet Information Server (IIS)The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of 
service (memory consumption) with an ASP page.Tiffany BergeronChristine WalzerINTERIMACCEPTEDACCEPTEDWindows ME Program Group Converter Buffer OverflowMicrosoft Windows MEProgram Group ConverterBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 Drag-and-Drop Code Execution VulnerabilityMicrosoft Windows MEMicrosoft Internet ExplorerInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 Group Policy BypassMicrosoft Windows 2000Windows 2000Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access.Tiffany BergeronChristine WalzerINTERIMACCEPTEDACCEPTEDServer 2003 HTML Help Remote Code Execution VulnerabilityMicrosoft Windows Server 2003HTML Help FacilityInteger overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDURL Parsing Memory Corruption Vulnerability (IE6 for XP,SP2)Microsoft Windows XPMicrosoft Internet ExplorerBuffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and 
possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDWindows XP (64-Bit) Program Group Converter Buffer Overflow in shell32.dllMicrosoft Windows XPWindows ShellBuffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Andrew ButtnerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWin2k IP Validation VulnerabilityMicrosoft Windows 2000Windows 2000Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDWinXP Path MTU Discovery Attack VulnerabilityMicrosoft Windows XPWindows XPMultiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. 
While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.Matthew BurtonDRAFTINTERIMACCEPTEDACCEPTEDIE AbusiveParent Vulnerability (Windows 2000)Microsoft Windows 2000Microsoft Internet ExplorerThe DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.Jonathan BakerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMAndrew ButtnerACCEPTEDACCEPTEDIE v6.0 Cross Domain Verification via Cached Methods VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods."Harvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDHelp and Support Center PCHealth System Buffer Overflow (32-bit XP)Microsoft Windows XPWindows Help and Support CenterStack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL.Christine WalzerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 IIS HTTP Header Field Buffer OverflowMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field 
values.Tiffany BergeronACCEPTEDACCEPTEDWindows Server 2003 (32-Bit) DUNZIP Integer OverflowMicrosoft Windows Server 2003Compressed FoldersInteger overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.David ProulxDRAFTINTERIMACCEPTEDJonathan BakerINTERIMACCEPTEDMatthew WojcikINTERIMACCEPTEDACCEPTEDIE v6.0 (XP) ExecCommand Cross Domain Zone Restriction BypassMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0 Malformed PNG Image File Failure VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."Harvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP Font Buffer Overflow (SP2)Microsoft Windows XPWindows kernelBuffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.Ingrid SkoogDRAFTINTERIMChristine WalzerACCEPTEDACCEPTEDIE v5.01, SP3 Plug-in Navigation Address Bar Spoofing VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.5 and 6 does not properly 
(continued from the preceding record) ...handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows NT VDM Privilege Escalation Vulnerability
Platforms: Microsoft Windows NT
Product: VDM
Description: The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modifies some system structures in a way that is not properly validated by privileged operating system functions.
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Animated Cursor Denial of Service (NT 4.0 Terminal Server)
Platforms: Microsoft Windows NT
Product: Windows Animated Cursor
Description: The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

RPCSS DCOM Buffer Overflow (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Distributed Component Object Model (DCOM)
Description: Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

HyperTerminal Session File Vulnerability (NT 4.0)
Platforms: Microsoft Windows NT
Product: HyperTerminal
Description: HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows XP Access Requests Privilege Escalation Vulnerability
Platforms: Microsoft Windows XP
Product: Windows kernel
Description: The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.
Contributors: Ingrid Skoog, Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v5.5,SP2 GetObject File Retrieval
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.
Contributors: David Proulx
Status: ACCEPTED

Office XP, SP2 WordPerfect Converter Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Office XP SP2
Description: Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

SNMP Request Handling Buffer Overflow
Platforms: Microsoft Windows NT
Product: Simple Network Management Protocol (SNMP)
Description: Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available.
Contributors: Matt Busby, Matthew Burton
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows Kernel LPC Privilege Escalation Vulnerability (NT Terminal Server)
Platforms: Microsoft Windows NT
Product: Windows kernel
Description: The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Code Execution via Compiled HTML Help File
Platforms: Microsoft Windows 2000
Product: HTML Help Facility
Description: The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File."
Contributors: Christine Walzer
Status: ACCEPTED (history: ACCEPTED, INTERIM, ACCEPTED)

Exchange Server SMTP Buffer Overflow
Platforms: Microsoft Windows 2000; Microsoft Windows Server 2003
Product: Microsoft Exchange Server
Description: Heap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

SMB Code Execution Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: SMB (Server Message Block)
Description: The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
Contributors: Christine Walzer, Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

Microsoft Winsock Proxy Service Denial of Service
Platforms: Microsoft Windows 2000
Product: ISA Server 2000
Description: The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745.
Contributors: Tiffany Bergeron
Status: ACCEPTED

MSHTA Code Execution Vulnerability (32-bit Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Windows Shell
Description: The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Suppressed: Duplicate of OVAL1655
Platforms: Microsoft Windows Server 2003
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
Contributors: Christine Walzer, Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

IE v5.5 Cross Domain Verification via Cached Methods Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods."
Contributors: Harvey Rubinovitz
Status: ACCEPTED

IE v5.5,SP2 Script URLs Cross Domain Zone Restrictions Bypass
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability.
Contributors: Andrew Buttner
Status: ACCEPTED (history: INTERIM, ACCEPTED)

IE v5.01,SP4 Drag-and-Drop Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v6.0,SP1 Script URLs Cross Domain Zone Restrictions Bypass
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: same CVE description as "IE v5.5,SP2 Script URLs Cross Domain Zone Restrictions Bypass" above.
Contributors: Andrew Buttner
Status: ACCEPTED (history: INTERIM, ACCEPTED)

Windows XP, IE v6.0 CSS Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz, Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

Windows XP (32-bit) RPCSS DCOM Buffer Overflow (Blaster)
Platforms: Microsoft Windows XP
Product: Distributed Component Object Model (DCOM)
Description: Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows Telnet Server Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Telnet protocol
Description: Buffer overflow in telnet server in Windows 2000 and Interix 2.2 allows remote attackers to execute arbitrary code via malformed protocol options.
Contributors: Christine Walzer
Status: ACCEPTED (history: INTERIM, ACCEPTED)

Windows 2003 (32-Bit) Program Group Converter Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Program Group Converter
Description: Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.
Contributors: Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows Server 2003 (64-Bit) DUNZIP Integer Overflow
Platforms: Microsoft Windows Server 2003
Product: Compressed Folders
Description: Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.
Contributors: David Proulx, Jonathan Baker, Matthew Wojcik
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

DHCP Server Logging Vulnerability (Terminal Server)
Platforms: Microsoft Windows NT
Product: DHCP
Description: The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability."
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows 2000 VDM Privilege Escalation Vulnerability
Platforms: Microsoft Windows 2000
Product: VDM
Description: same CVE description as "Windows NT VDM Privilege Escalation Vulnerability" above.
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows 2000 Long Share Names Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows Shell
Description: Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, Windows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.
Contributors: Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v5.01, SP3 HijackClick 3 / Script in Image Tag File Download Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

LSASS Privilege Escalation Vulnerability (32-bit XP, SP2)
Platforms: Microsoft Windows XP
Product: Local Security Authority Subsystem Service (LSASS)
Description: LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

WINS Association Context Vulnerability (Terminal Server Test 2)
Platforms: Microsoft Windows NT
Product: Windows Internet Naming Service (WINS)
Description: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Contributors: Matthew Burton, Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

Windows XP Message Queuing Buffer Overflow
Platforms: Microsoft Windows XP
Product: Message Queuing
Description: Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows Server 2003 NNTP Component Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Network News Transport Protocol (NNTP)
Description: The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IIS Web Server Folder Traversal
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.
Contributors: Tiffany Bergeron
Status: ACCEPTED

Windows XP,SP1 Color Management Module Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Color Management Module
Description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v6.0 Temporary Internet Files folders Name Reading Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading."
Contributors: Harvey Rubinovitz, Christine Walzer
Status: ACCEPTED (history: ACCEPTED, INTERIM, ACCEPTED)

Windows Kernel LPC Privilege Escalation Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Windows kernel
Description: same CVE description as "Windows Kernel LPC Privilege Escalation Vulnerability (NT Terminal Server)" above.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Adobe Acrobat Reader libpng Buffer Overflow
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Adobe Acrobat Reader
Description: Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
Contributors: Matthew Wojcik
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows 2003 (64-Bit) Program Group Converter Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Program Group Converter
Description: same CVE description as "Windows 2003 (32-Bit) Program Group Converter Buffer Overflow" above.
Contributors: Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

OLE Component Input Validation Vulnerability (Windows XP)
Platforms: Microsoft Windows XP
Product: unknown
Description: The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows NT HTR ISAPI Buffer Overflow
Platforms: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names.
Contributors: Tiffany Bergeron
Status: ACCEPTED

Windows Kernel LPC Privilege Escalation Vulnerability (32-bit XP,SP2)
Platforms: Microsoft Windows XP
Product: Windows kernel
Description: same CVE description as "Windows Kernel LPC Privilege Escalation Vulnerability (NT Terminal Server)" above.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

HyperTerminal Session File Vulnerability (Terminal Server)
Platforms: Microsoft Windows NT
Product: HyperTerminal
Description: same CVE description as "HyperTerminal Session File Vulnerability (NT 4.0)" above.
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows ListView Shatter Message Vulnerability
Platforms: Microsoft Windows 2000
Product: Utilities Manager/Windows Messaging
Description: The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function.
Contributors: Christine Walzer
Status: ACCEPTED (history: ACCEPTED, INTERIM, ACCEPTED)

Server 2003 IP Validation Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Word 2003
Description: Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."
Contributors: Matthew Burton
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v6.0,SP1 (Server 2003) Script URLs Cross Domain Zone Restrictions Bypass
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: same CVE description as "IE v5.5,SP2 Script URLs Cross Domain Zone Restrictions Bypass" above.
Contributors: Andrew Buttner, Harvey Rubinovitz
Status: ACCEPTED (history: INTERIM, ACCEPTED, INTERIM, ACCEPTED)

Windows Server 2003 (32-Bit) Unchecked Buffer in NetDDE
Platforms: Microsoft Windows Server 2003
Product: NetDDE
Description: Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
Contributors: Jonathan Baker
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows 2000 Access Requests Privilege Escalation Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows kernel
Description: same CVE description as "Windows XP Access Requests Privilege Escalation Vulnerability" above.
Contributors: Ingrid Skoog, Christine Walzer, Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IIS Help File Search Cross-site Scripting
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session.
Contributors: Tiffany Bergeron
Status: ACCEPTED

Windows 2000 HTML Help Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: HTML Help Facility
Description: Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
Contributors: Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows 2000 Unknown Vector SMB Vulnerability
Platforms: Microsoft Windows 2000
Product: Small Business Server 2000
Description: Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."
Contributors: Jonathan Baker
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

LoadImage Cursor and Icon Format Handling Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Cursor and Icon Formatting
Description: Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
Contributors: Christine Walzer, Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

IE6 (for Server 2003) Content Advisor Memory Corruption Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."
Contributors: Harvey Rubinovitz, Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

ISA Server NetBIOS Packet Filter Bypass Vulnerability
Platforms: Microsoft Windows 2000
Product: ISA Server 2000
Description: Microsoft ISA Server 2000 allows remote attackers to connect to services utilizing the NetBIOS protocol via a NetBIOS connection with an ISA Server that uses the NetBIOS (all) predefined packet filter.
Contributors: Christine Walzer, Jonathan Baker
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

IE v5.01,SP4 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Help and Support Center PCHealth System Buffer Overflow (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Help and Support Center (HSC)
Description: Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v5.01 Encoded Characters Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure."
Contributors: Harvey Rubinovitz
Status: ACCEPTED

MSHTA Code Execution Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Windows Shell
Description: same CVE description as "MSHTA Code Execution Vulnerability (32-bit Server 2003)" above.
Contributors: Harvey Rubinovitz, Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v6.0 (XP) Function Pointer Override Cross Domain Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability.
Contributors: Tiffany Bergeron, Andrew Buttner, Christine Walzer
Status: ACCEPTED (history: INTERIM, ACCEPTED, INTERIM, ACCEPTED)

HyperTerminal Session File Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: HyperTerminal
Description: same CVE description as "HyperTerminal Session File Vulnerability (NT 4.0)" above.
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Suppressed: Duplicate of OVAL3882
Platforms: Microsoft Windows XP
Product: Microsoft Word for Windows 6.0 Converter
Description: same CVE description as "Suppressed: Duplicate of OVAL1655" above.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE AbusiveParent Vulnerability (64-bit Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.
Contributors: Jonathan Baker, Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

Windows NT Terminal Server VDM Privilege Escalation Vulnerability
Platforms: Microsoft Windows NT
Product: VDM
Description: same CVE description as "Windows NT VDM Privilege Escalation Vulnerability" above.
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows Server 2003 IIS WebDAV Message Handler Denial of Service Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Information Server (IIS)
Description: The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes.
Contributors: Jonathan Baker
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

MS Internet Security and Acceleration Server H.323 Buffer Overflow
Platforms: Microsoft Windows 2000; Microsoft Windows Server 2003
Product: Microsoft Internet Security and Acceleration Server 2000
Description: Buffer overflow in the H.323 filter of Microsoft Internet Security and Acceleration Server 2000 allows remote attackers to execute arbitrary code in the Microsoft Firewall Service via certain H.323 traffic, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.
Contributors: David Proulx
Status: ACCEPTED (history: INTERIM, ACCEPTED)

License Logging Service Vulnerability (Windows NT)
Platforms: Microsoft Windows NT
Product: MDAC 2.8
Description: The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability."
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v6.0 (XP) Script URLs Cross Domain Zone Restrictions Bypass
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: same CVE description as "IE v5.5,SP2 Script URLs Cross Domain Zone Restrictions Bypass" above.
Contributors: Tiffany Bergeron, Andrew Buttner, Christine Walzer
Status: ACCEPTED (history: INTERIM, ACCEPTED, INTERIM, ACCEPTED)

Win2k Large Window Size TCP RST Denial of Service
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
Contributors: Matthew Burton
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows XP Font Buffer Overflow (SP1)
Platforms: Microsoft Windows XP
Product: Windows kernel
Description: Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.
Contributors: Ingrid Skoog, Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IIS Server Side Include Web Pages Buffer Overrun
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun."
Contributors: Tiffany Bergeron, Christine Walzer
Status: ACCEPTED (history: ACCEPTED, INTERIM, ACCEPTED)

WINS Association Context Vulnerability (NT 4.0)
Platforms: Microsoft Windows NT
Product: Windows NT 4.0
Description: same CVE description as "WINS Association Context Vulnerability (Terminal Server Test 2)" above.
Contributors: Matthew Burton
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows 2000 Object Management Vulnerability
Platforms: Microsoft Windows 2000
Product: Windows kernel
Description: Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".
Contributors: Ingrid Skoog, Christine Walzer, Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Unchecked Buffer in SQLXML ISAPI Extension (MDAC 2.6)
Platforms: Microsoft Windows 2000
Product: Microsoft SQL Server 2000
Description: Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension."
Contributors: Matthew Burton, Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

Windows NT DHCP Request Code Execution Vulnerability (Terminal Server)
Platforms: Microsoft Windows NT
Product: DHCP
Description: The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Proxy Server Reverse DNS Lookup Results Spoofing
Platforms: Microsoft Windows NT
Product: Proxy Server 2.0 SP1
Description: Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results.
Contributors: Christine Walzer, Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

DHTML Object Memory Corruption Vulnerability (IE5.01,SP3)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Unchecked Buffer in SQLXML ISAPI Extension (MDAC 2.7)
Platforms: Microsoft Windows 2000
Product: Microsoft SQL Server 2000
Description: same CVE description as "Unchecked Buffer in SQLXML ISAPI Extension (MDAC 2.6)" above.
Contributors: Matthew Burton, Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED, INTERIM, ACCEPTED)

Microsoft Windows Kernel Local Denial of Service
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: Windows kernel
Description: The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program.
Contributors: Ingrid Skoog
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v5.01 Improper Cross Domain Security Validation with Dialog Box
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box."
Contributors: David Proulx
Status: ACCEPTED

IE v5.01,SP2 Improper URL Canonicalization Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."
Contributors: Andrew Buttner, Christine Walzer
Status: ACCEPTED (history: INTERIM, ACCEPTED, INTERIM, ACCEPTED)

IE v5.01,SP3 Improper URL Canonicalization Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: same CVE description as "IE v5.01,SP2 Improper URL Canonicalization Vulnerability" above.
Contributors: Andrew Buttner, Christine Walzer
Status: ACCEPTED (history: INTERIM, ACCEPTED, INTERIM, ACCEPTED)

MS Windows RPC DCOM DoS-based Privilege Escalation Vulnerability
Platforms: Microsoft Windows 2000
Product: Remote Procedure Call (RPC)
Description: The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
Contributors: Tiffany Bergeron
Status: ACCEPTED

IE v5.5 Encoded Characters Information Disclosure Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: same CVE description as "IE v5.01 Encoded Characters Information Disclosure Vulnerability" above.
Contributors: Harvey Rubinovitz
Status: ACCEPTED

Server 2003 Object Management Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Word 2003
Description: Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).
Contributors: Matthew Burton
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

DHTML Object Memory Corruption Vulnerability (IE5.01,SP4)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: same CVE description as "DHTML Object Memory Corruption Vulnerability (IE5.01,SP3)" above.
Contributors: Harvey Rubinovitz
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

.NET Framework v1.0 Security Bypass
Platforms: Microsoft Windows XP; Microsoft Windows Server 2003
Product: MDAC 2.7
Description: The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."
Contributors: Matthew Burton
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

Windows 2000 Message Queuing Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Message Queuing
Description: same CVE description as "Windows XP Message Queuing Buffer Overflow" above.
Contributors: Ingrid Skoog, Christine Walzer, Andrew Buttner
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v5.01 GetObject File Retrieval
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: same CVE description as "IE v5.5,SP2 GetObject File Retrieval" above.
Contributors: David Proulx
Status: ACCEPTED

Default Permissions on RAS Administration Key
Platforms: Microsoft Windows NT
Product: Remote Access Service (RAS)
Description: The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities.
Contributors: Matt Busby
Status: ACCEPTED (history: INTERIM, ACCEPTED)

Office on Windows Server 2003 WordPerfect Converter Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Network News Transport Protocol (NNTP)
Description: same CVE description as "Office XP, SP2 WordPerfect Converter Buffer Overflow" above.
Contributors: Christine Walzer
Status: ACCEPTED (history: DRAFT, INTERIM, ACCEPTED)

IE v6.0 Bitmap Integer Overflow
VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.Ingrid SkoogDRAFTINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDWindows NT NNTP Component Buffer OverflowMicrosoft Windows NTNetwork News Transport Protocol (NNTP)The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDWindows XP (32-Bit) Unchecked Buffer in NetDDEMicrosoft Windows XPNetDDENetwork Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDIE v5.01,SP2 Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.01,SP4 Malformed GIF Image Double-free VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.01,SP4 Improper URL Canonicalization VulnerabilityMicrosoft Windows 
2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 Improper URL Canonicalization VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDACCEPTEDIE v6.0 Improper URL Canonicalization VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."Andrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDIE v5.01,SP2 Bitmap Integer Overflow VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInteger overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) Malformed GIF Image Double-free VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerDouble-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.Andrew ButtnerDRAFTINTERIMACCEPTEDHarvey 
RubinovitzINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDScob and Toofer Internet Explorer v6.0 VulnerabilitiesMicrosoft Windows XPMicrosoft Internet ExplorerThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.Tiffany BergeronDRAFTINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDIE v5.01,SP3 Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDMicrosoft MDAC 2.5 Broadcast Response Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Data Access Compnents 2.5Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.Christine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) Improper URL Canonicalization VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization 
Vulnerability."Andrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.01,SP2 Function Pointer Drag and Drop VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDSuppressed OVAL5277Microsoft Windows NTRemote Procedure Call (RPC)The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values.Matthew BurtonDRAFTINTERIMACCEPTEDMatthew BurtonINTERIMACCEPTEDACCEPTEDIE v5.01,SP3 Function Pointer Drag and Drop VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.01,SP4 Function Pointer Drag and Drop VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different 
vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP Long Share Names VulnerabilityMicrosoft Windows XPWindows ShellBuffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.Andrew ButtnerDRAFTINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 Function Pointer Drag and Drop VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) Install Engine Buffer OverflowMicrosoft Windows Server 2003Microsoft Internet ExplorerInteger overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDACCEPTEDIE v6.0 Function Pointer Drag and Drop VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise 
inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMChristine WalzerACCEPTEDACCEPTEDIE v6.0,SP1 Install Engine Buffer OverflowMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInteger overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 Function Pointer Drag and Drop VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.5 Malformed PNG Image File Failure VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure."Harvey RubinovitzACCEPTEDACCEPTEDIE v6.0 (XP) Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 
6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Tiffany BergeronAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.01,SP4 Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDIE v5.5,SP2 Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Andrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDExchange Server 2003 Routing Engine Buffer OverflowMicrosoft Windows Server 2003SMTPThe SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDMicrosoft MDAC 2.6 Broadcast Response Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Data Access Compnents 2.6Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.Christine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone 
restrictions and read arbitrary files via an XML object.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows (ME, NT, 2K), IE v5.5,SP2 CSS Heap Memory Corruption VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v6.0 for 2003, SP3 HijackClick 3 / Script in Image Tag File Download VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) Zone Restrictions Bypass via XML VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDACCEPTEDImproper Cross Domain Security Validation with ShowHelp FunctionalityMicrosoft Windows 2000Microsoft Internet ExplorerThe showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain 
security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality."David ProulxChristine WalzerINTERIMACCEPTEDACCEPTEDMSHTA Code Execution Vulnerability (32-bit XP,SP2)Microsoft Windows XPWindows ShellThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDWindows 2000 Workstation Service Logging Function Buffer OverflowMicrosoft Windows 2000Microsoft Windows Workstation ServiceStack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.Tiffany BergeronACCEPTEDACCEPTEDWindows NT IIS HTTP Redirect Error Message Cross-site ScriptingMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message.Tiffany BergeronACCEPTEDMSJava Applet CODEBASE File Access VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Virtual Machine (VM)Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error.Tiffany BergeronINTERIMACCEPTEDACCEPTEDMS Word 97 Macro Names 
Buffer OverflowMicrosoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Word 97Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.Andrew ButtnerINTERIMACCEPTEDIngrid SkoogINTERIMIngrid SkoogINTERIMMSHTA Code Execution Vulnerability (64-bit Server 2003 and XP Version 2003)Microsoft Windows Server 2003Windows ShellThe document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) HijackClick VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.Andrew ButtnerAndrew ButtnerAndrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDACCEPTEDMicrosoft Windows RPC Denial of ServiceMicrosoft Windows 2000Remote Procedure Call (RPC)The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.Tiffany BergeronChristine WalzerINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions SmartHTML Denial of Service (Test 2)Microsoft Windows NTMicrosoft FrontPage Server Extensions 2000Unknown vulnerability in the SmartHTML 
interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 NNTP Component Buffer OverflowMicrosoft Windows 2000Network News Transport Protocol (NNTP)The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.Christine WalzerDRAFTINTERIMACCEPTEDACCEPTEDIE v5.5, SP2 HijackClick 3 / Script in Image Tag File Download VulnerabilityMicrosoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE v5.01, SP4 HijackClick 3 / Script in Image Tag File Download VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDServer 2003 Telnet Environment Disclosure VulnerabilityMicrosoft Windows Server 2003Services for UNIXThe Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment 
variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.Jonathan BakerDRAFTINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions SmartHTML Denial of Service (Test 3)Microsoft Windows XPMicrosoft FrontPage Server Extensions 2000Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE6 for Server 2003 File Disclosure via Redirects VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerThe legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.Harvey RubinovitzDRAFTINTERIMACCEPTEDACCEPTEDWindows NT Remote Access Service Phonebook Buffer OverflowMicrosoft Windows NTRemote Access Service (RAS)Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry.Tiffany BergeronACCEPTEDIE v5.5,SP2 Install Engine Buffer OverflowMicrosoft Windows MEMicrosoft Internet ExplorerInteger overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.Harvey RubinovitzDRAFTINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMS FrontPage Server Extensions SmartHTML Denial of Service (Test 4)Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft FrontPage Server 
Extensions 2002Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMINTERIMIE v6.0,SP1 (Server 2003) Drag-and-Drop Code Execution VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".Harvey RubinovitzDRAFTINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDACCEPTEDIE v6.0,SP1 (Server 2003) Function Pointer Drag and Drop VulnerabilityMicrosoft Windows Server 2003Microsoft Internet ExplorerInternet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability."Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 Remote Access Service Phonebook Buffer OverflowMicrosoft Windows 2000Remote Access Service (RAS)Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry.Tiffany BergeronACCEPTEDIE v5.01,SP2 Travel Log Cross Domain VulnerabilityMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01 
through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0,SP1 for Server 2003 Plug-in Navigation Address Bar Spoofing Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP (64-Bit) DUNZIP Integer Overflow
Platforms: Microsoft Windows XP
Product: Compressed Folders
Description: Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.
Contributors/status: David Proulx; DRAFT; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; ACCEPTED; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Trusted Domain Loophole
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allow remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from the trusted domain.
Contributors/status: Tiffany Bergeron; Tiffany Bergeron; ACCEPTED; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.01,SP3 Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: License Logging Service Vulnerability (Terminal Server)
Platforms: Microsoft Windows NT
Product: MDAC 2.8
Description: The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability."
Contributors/status: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 ASN.1 Library Integer Overflow Vulnerabilities
Platforms: Microsoft Windows 2000
Product: Microsoft ASN.1 Library
Description: Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows (ME, NT, 2K, XP), IE v6,SP1 CSS Heap Memory Corruption Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IIS ASP Function Cross-site Scripting
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message.
Contributors/status: David Proulx; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.01,SP4 Install Engine Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 (64-Bit) Unchecked Buffer in NetDDE
Platforms: Microsoft Windows Server 2003
Product: NetDDE
Description: Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allow attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.
Contributors/status: Jonathan Baker; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation
Platforms: Microsoft Windows NT
Product: NetDDE Agent
Description: NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via a "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation."
Contributors/status: Ingrid Skoog; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Agent Security Prompt Spoofing Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Microsoft Agent
Description: Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page.
Contributors/status: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0,SP1 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Suppressed: Duplicate of OVAL1959
Platforms: Microsoft Windows XP
Product: Microsoft Word for Windows 6.0 Converter
Description: Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.
Contributors/status: Christine Walzer; DRAFT; INTERIM; Jonathan Baker; Ingrid Skoog; ACCEPTED; ACCEPTED

Title: IE v5.01,SP4 Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.5,SP2 Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.5 Temporary Internet Files folders Name Reading Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading."
Contributors/status: Harvey Rubinovitz; ACCEPTED; ACCEPTED

Title: MS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 4)
Platforms: Microsoft Windows NT
Product: Microsoft FrontPage Server Extensions 2000
Description: Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 WINS Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Windows Internet Naming Service (WINS)
Description: The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.01,SP3 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.5,SP2 Plug-in Navigation Address Bar Spoofing Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Privilege Escalation Using Cached Admin Connection
Platforms: Microsoft Windows 2000
Product: Microsoft SQL Server 2000
Description: An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account.
Contributors/status: Yi-Fang Koh; ACCEPTED; Jonathan Baker; Jonathan Baker; INTERIM; ACCEPTED; ACCEPTED

Title: Animated Cursor Denial of Service (NT 4.0)
Platforms: Microsoft Windows NT
Product: Windows Animated Cursor
Description: The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Hyperlink Object Library Unchecked Buffer Vulnerability
Platforms: Microsoft Windows 2000
Product: Hyperlink Object Library
Description: The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0,SP1 Plug-in Navigation Address Bar Spoofing Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT Variant of Chunked Encoding Buffer Overrun
Platforms: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun."
Contributors/status: Tiffany Bergeron; ACCEPTED; ACCEPTED

Title: Server 2003 Web Client Service Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Web Client Service
Description: Buffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0 (XP) HijackClick Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027.
Contributors/status: Tiffany Bergeron; Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: MS FrontPage Server Extensions Chunked Encoded Request Buffer Overflow (Test 5)
Platforms: Microsoft Windows 2000
Product: Microsoft FrontPage Server Extensions 2000
Description: Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.
Contributors/status: Tiffany Bergeron; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Oracle 9i XDB Buffer Overflow
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; Harvey Rubinovitz; Matthew Wojcik; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0 (XP) Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; Christine Walzer; ACCEPTED; ACCEPTED

Title: IE v6.0,SP2 for Server 2003 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft MDAC 2.7 Broadcast Response Buffer Overflow
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Data Access Components 2.7
Description: Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.
Contributors/status: Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Process Handle Duplication Privilege Escalation
Platforms: Microsoft Windows 2000
Product: Windows 2000
Description: smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.
Contributors/status: Tiffany Bergeron; ACCEPTED

Title: MS FrontPage Server Extensions SmartHTML Denial of Service (Test 5)
Platforms: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft SharePoint Team Services
Description: Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request.
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; INTERIM

Title: Server 2003,SP1 Color Management Module Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Microsoft Color Management Module
Description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.5 GetObject File Retrieval
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks.
Contributors/status: David Proulx; ACCEPTED

Title: IE v6.0 Install Engine Buffer Overflow
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0 Drag-and-Drop Code Execution Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0,SP1 Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft MDAC 2.8 Broadcast Response Buffer Overflow
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: Microsoft Data Access Components 2.8
Description: Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request.
Contributors/status: Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE5.01,SP4 File Disclosure via Redirects Vulnerability
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 CSRSS Privilege Escalation Vulnerability
Platforms: Microsoft Windows 2000
Product: Client Server Runtime System (CSRSS)
Description: Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
Contributors/status: Ingrid Skoog; DRAFT; INTERIM; Christine Walzer; Andrew Buttner; ACCEPTED; ACCEPTED

Title: LSASS Privilege Escalation Vulnerability (Windows 2000)
Platforms: Microsoft Windows 2000
Product: Local Security Authority Subsystem Service (LSASS)
Description: LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP Kernel Debugger-based Buffer Overflow (Test 2)
Platforms: Microsoft Windows XP
Product: Windows kernel
Description: Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger.
Contributors/status: Christine Walzer; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 IIS Directory Traversal Command Execution (Test 1)
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
Contributors/status: Tiffany Bergeron; Tiffany Bergeron; ACCEPTED; INTERIM; ACCEPTED; ACCEPTED

Title: Server 2003 Path MTU Discovery Attack Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Word 2003
Description: Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Contributors/status: Matthew Burton; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 Telnet Environment Disclosure Vulnerability
Platforms: Microsoft Windows 2000
Product: Services for UNIX
Description: The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
Contributors/status: Jonathan Baker; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IE v5.01,SP3 Install Engine Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Explorer
Description: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0 Similar Method Name Redirection Cross Domain Vulnerability
Platforms: Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT ASN.1 Library Integer Overflow Vulnerabilities
Platforms: Microsoft Windows NT
Product: Microsoft ASN.1 Library
Description: Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP ASN.1 Library Integer Overflow Vulnerabilities
Platforms: Microsoft Windows XP
Product: Microsoft ASN.1 Library
Description: Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 ASN.1 Library Integer Overflow Vulnerabilities
Platforms: Microsoft Windows Server 2003
Product: Microsoft ASN.1 Library
Description: Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT WINS Buffer Overflow
Platforms: Microsoft Windows NT
Product: Windows Internet Naming Service (WINS)
Description: The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT Terminal Server WINS Buffer Overflow
Platforms: Microsoft Windows NT
Product: Windows Internet Naming Service (WINS)
Description: The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 WINS Buffer Overflow
Platforms: Microsoft Windows Server 2003
Product: Windows Internet Naming Service (WINS)
Description: The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0,SP1 (Server 2003) Travel Log Cross Domain Vulnerability
Platforms: Microsoft Windows Server 2003
Product: Microsoft Internet Explorer
Description: Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability."
Contributors/status: Andrew Buttner; Andrew Buttner; INTERIM; ACCEPTED; Harvey Rubinovitz; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IE v6.0, SP1 HijackClick 3 / Script in Image Tag File Download Vulnerability
Platforms: Microsoft Windows ME
Product: Microsoft Internet Explorer
Description: Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT IIS HTTP Error Page Cross-site Scripting
Platforms: Microsoft Windows NT
Product: Microsoft Internet Information Server (IIS)
Description: Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page.
Contributors/status: Tiffany Bergeron; ACCEPTED

Title: Address Bar Spoofing on Double Byte Character Set Systems Vulnerability
Platforms: Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP
Product: Microsoft Internet Explorer
Description: Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability."
Contributors/status: Harvey Rubinovitz; DRAFT; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft RPC Denial of Service
Platforms: Microsoft Windows 2000
Product: Microsoft SQL Server 2000
Description: Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs.
Contributors/status: Tiffany Bergeron; Jonathan Baker; INTERIM; Ingrid Skoog; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft SQL Server 3-Function Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Microsoft SQL Server
Description: Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CVE-2001-0879.
Contributors/status: Yi-Fang Koh; Ingrid Skoog; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: MS Windows Media Service Denial of Service
Platforms: Microsoft Windows 2000
Product: Windows Media Services
Description: Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets.
Contributors/status: Tiffany Bergeron; INTERIM; INTERIM

Title: MS Outlook Argument Injection Local Vulnerability
Platforms: Microsoft Windows 95
Product: Microsoft Outlook
Description: Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Jonathan Baker; INTERIM; ACCEPTED; ACCEPTED

Title: MSN Messenger Remote File Access Vulnerability
Platforms: Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Product: MSN Messenger
Description: Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files.
Contributors/status: Christine Walzer; INTERIM; Andrew Buttner; ACCEPTED; ACCEPTED

Title: SNMPv1 Request Handling DoS and Privilege Escalation
Platforms: Microsoft Windows NT
Product: Simple Network Management Protocol (SNMP)
Description: Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
Contributors/status: Harvey Rubinovitz; ACCEPTED

Title: Outlook Express v5.5,SP2 MHTML URL Processing Vulnerability
Platforms: Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows NT; Microsoft Windows 2000
Product: Microsoft Outlook Express
Description: The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 LSASS Buffer Overflow (Sasser Worm Vulnerability)
Platforms: Microsoft Windows 2000
Product: Local Security Authority Subsystem Service (LSASS)
Description: Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
Contributors/status: Tiffany Bergeron; INTERIM; ACCEPTED; ACCEPTED

Title: Windows Server 2003 SSL Library Denial of Service
Platforms: Microsoft Windows Server 2003
Product: Secure Sockets Layer (SSL)
Description: The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
Contributors/status: David Proulx; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP SSL Library Denial of Service
Platforms: Microsoft Windows XP
Product: Secure Sockets Layer (SSL)
Description: The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
Contributors/status: David Proulx; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP SSL PCT Handshake Vulnerability
Platforms: Microsoft Windows XP
Product: Private Communications Transport (PCT)
Description: Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 MUP UNC Request Buffer Overflow
Platforms: Microsoft Windows 2000
Product: Multiple UNC Provider (MUP)
Description: Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request.
Contributors/status: Tiffany Bergeron; ACCEPTED

Title: Windows 2000 Local Descriptor Table Kernel Access Vulnerability
Platforms: Microsoft Windows 2000
Product: Local Descriptor Table (LDT)
Description: The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor that points to protected memory.
Contributors/status: Jonathan Baker; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 SSL Library Denial of Service
Platforms: Microsoft Windows 2000
Product: Secure Sockets Layer (SSL)
Description: The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
Contributors/status: David Proulx; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 3)
Platforms: Microsoft Windows 2000
Product: Remote Procedure Call (RPC)
Description: A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
Contributors/status: Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT winlogon Remote Buffer Overflow
Platforms: Microsoft Windows NT
Product: Windows logon process (winlogon)
Description: Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT WMF/EMF Buffer Overflow
Platforms: Microsoft Windows NT
Products: Enhanced Metafile (EMF); Windows Metafile (WMF)
Description: Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Windows XP LSASS Buffer Overflow (Sasser Worm Vulnerability)
Platforms: Microsoft Windows XP
Product: Local Security Authority Subsystem Service (LSASS)
Description: Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: IIS Denial of Service via WebDAV
Platforms: Microsoft Windows 2000
Product: Microsoft Internet Information Server (IIS)
Description: IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests.
Contributors/status: Tiffany Bergeron; INTERIM; Ingrid Skoog; ACCEPTED; ACCEPTED

Title: Windows XP RPCSS DCOM Buffer Overflow (Blaster)
Platforms: Microsoft Windows XP
Product: Remote Procedure Call (RPC)
Description: A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
Contributors/status: Christine Walzer; INTERIM; ACCEPTED; ACCEPTED

Title: Server 2003 COM Structured Storage Vulnerability
Platforms: Microsoft Windows Server 2003
Product: COM Internet Services
Description: Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."
Contributors/status: Christine Walzer; Christine Walzer; DRAFT; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT SSL PCT Handshake Vulnerability
Platforms: Microsoft Windows NT
Product: Private Communications Transport (PCT)
Description: Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.
Contributors/status: Andrew Buttner; INTERIM; ACCEPTED; ACCEPTED

Title: Microsoft Agent Security Prompt Spoofing Vulnerability (Server 2003)
Platforms: Microsoft Windows Server 2003
Product: Microsoft Agent
Description: Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page.
Contributors/status: Harvey Rubinovitz; DRAFT; Harvey Rubinovitz; INTERIM; ACCEPTED; ACCEPTED

Title: Windows 2000 H.323 Protocol Remote Code Execution Vulnerability
Platforms: Microsoft Windows 2000
Product: H.323
Description: Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.
Contributors/status: Jonathan Baker; INTERIM; ACCEPTED; ACCEPTED

Title: Windows NT IIS System File Listing
Privilege Elevation VulnerabilityMicrosoft Windows NTMicrosoft Internet Information Server (IIS)IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.Christine WalzerINTERIMACCEPTEDACCEPTEDWindows NT Local Descriptor Table Kernel Access VulnerabilityMicrosoft Windows NTLocal Descriptor Table (LDT)The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory.Jonathan BakerINTERIMACCEPTEDACCEPTEDWindows 2000 IIS System File Listing Privilege Elevation VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIIS ASP Source Code Access VulnerabilityMicrosoft Windows NTMicrosoft Internet Information Server (IIS)In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.Christine WalzerINTERIMACCEPTEDACCEPTEDIIS4.0 Buffer OverflowMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.Christine WalzerINTERIMACCEPTEDACCEPTEDWindows Server 2003 LSASS Buffer Overflow (Sasser Worm VulnerabilityMicrosoft Windows Server 2003Local Security Authority Subsystem Service (LSASS)Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service 
(LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.Andrew ButtnerINTERIMACCEPTEDACCEPTEDWindows 2000 IIS HTTP Error Page Cross-site ScriptingMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page.Harvey RubinovitzACCEPTEDIE Cached Content Command Execution VulnerabilityMicrosoft Windows 98Microsoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs.Tiffany BergeronINTERIMACCEPTEDACCEPTEDIE File Execution User-prompt Bypass VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability."Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE Slash Characters in Type Property VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerBuffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object 
tag in a web page.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDACCEPTEDWindows Server 2003 ASN.1 Library Double-free Memory Corruption VulnerabilityMicrosoft Windows Server 2003Microsoft ASN.1 LibraryDouble-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.David ProulxINTERIMACCEPTEDACCEPTEDMS IE HTML Directive Buffer OverflowMicrosoft Windows 98Microsoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerBuffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE URLMON Buffer OverflowMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerBuffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDACCEPTEDIIS5.0 Specialized Header VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability.Christine WalzerINTERIMACCEPTEDACCEPTEDWindows NT IIS Out of Process Privilege Elevation VulnerabilityMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet 
Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation."Christine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 IIS Out of Process Privilege Elevation VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation."Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIIS5.0 Script Source Access VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability."Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIIS showcode.asp Sample File VulnerabilityMicrosoft Windows NTMicrosoft Internet Information Server (IIS)The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.Christine WalzerINTERIMACCEPTEDACCEPTEDIIS WebDAV Request Denial of ServiceMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 Media Services ISAPI Logging VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)The logging capability for unicast and 
multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request.Christine WalzerINTERIMACCEPTEDACCEPTEDIIS5.0 Windows Media Services Large POST VulnerabilityMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.Christine WalzerINTERIMACCEPTEDACCEPTEDWindows 2000 IIS Cross-site Scripting VulnerabilitiesMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDWindows NT IIS Cross-site Scripting VulnerabilitiesMicrosoft Windows NTMicrosoft Internet Information Server (IIS)Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors.Christine WalzerINTERIMACCEPTEDACCEPTEDWindows Server 2003 H.323 Protocol Remote Code Execution VulnerabilityMicrosoft Windows Server 2003H.323Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers 
to execute arbitrary code.Jonathan BakerINTERIMACCEPTEDACCEPTEDIE File Download Dialog VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Internet ExplorerInternet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability."Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDACCEPTEDWindows 2000 IIS ASP Server-Side Include Function Buffer OverflowMicrosoft Windows 2000Microsoft Internet Information Server (IIS)Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names.Tiffany BergeronACCEPTEDACCEPTEDWindows 2000 SSL PCT Handshake VulnerabilityMicrosoft Windows 2000Private Communications Transport (PCT)Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.Andrew ButtnerINTERIMACCEPTEDACCEPTEDNT4.0 SNMP Denial of ServiceMicrosoft Windows NTSNMPMemory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries.Christine WalzerINTERIMACCEPTEDAndrew ButtnerINTERIMACCEPTEDACCEPTEDWindows 2000 RPCSS Service DCOM Activation Denial of ServiceMicrosoft Windows 2000Remote Procedure Call (RPC)An Activation function in the RPCSS Service involved with DCOM activation 
for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.Christine WalzerINTERIMACCEPTEDACCEPTEDIE .chm Directory Traversal Windows NT VulnerabilityMicrosoft Windows NTHTML Help FacilityInternet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475.Andrew ButtnerINTERIMACCEPTEDHarvey RubinovitzINTERIMACCEPTEDACCEPTEDServer 2003 RPCSS Service DCOM Activation Denial of ServiceMicrosoft Windows Server 2003Remote Procedure Call (RPC)An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.Christine WalzerChristine WalzerDRAFTWindows XP RPCSS Service DCOM Activation Denial of ServiceMicrosoft Windows XPRemote Procedure Call (RPC)An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDIE Cookie-based Script ExecutionMicrosoft Windows 2000Microsoft Internet ExplorerThe zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability.Andrew ButtnerAndrew ButtnerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMDAC SQL-DMO Buffer Overflow (Test 1)Microsoft Windows 95Microsoft Windows 98Microsoft Windows MEMicrosoft 
Windows NTMicrosoft Windows 2000MDAC 2.5Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.Christine WalzerINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDMDAC SQL-DMO Buffer Overflow (Test 2)Microsoft Windows XPMicrosoft Data Access Components 2.6Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434.Christine WalzerINTERIMACCEPTEDACCEPTEDIE File Upload VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Internet ExplorerThe file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDACCEPTEDWindows XP H.323 Protocol Remote Code Execution VulnerabilityMicrosoft Windows XPH.323Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.Jonathan BakerINTERIMACCEPTEDACCEPTEDWindows NT Media Services ISAPI Logging VulnerabilityMicrosoft Windows NTMicrosoft Internet Information Server (IIS)The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request.Christine WalzerINTERIMACCEPTEDACCEPTEDMS Jet Database Buffer OverflowMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows 
NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Jet Database EngineBuffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query.Andrew ButtnerINTERIMACCEPTEDACCEPTEDWindows NT COM Internet Services/RPC over HTTP Proxy Component Buffer OverflowMicrosoft Windows NTCOM Internet ServicesBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.Christine WalzerINTERIMACCEPTEDACCEPTEDIE Frame Domain Verification VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Internet ExplorerInternet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874.Tiffany BergeronINTERIMACCEPTEDINTERIMHarvey RubinovitzACCEPTEDChristine WalzerChristine WalzerINTERIMACCEPTEDACCEPTEDGopher Client Buffer OverflowMicrosoft Windows 2000Microsoft Internet ExplorerBuffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response.David ProulxChristine WalzerINTERIMACCEPTEDACCEPTEDWindows XP IIS Out of Process Privilege Elevation VulnerabilityMicrosoft Windows XPMicrosoft Internet Information Server (IIS)Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by 
executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation."Christine WalzerINTERIMACCEPTEDACCEPTEDOutlook Express 6,SP1 News Reading VulnerabilityMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressStack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.Ingrid SkoogDRAFTINTERIMACCEPTEDACCEPTEDOutlook Express v6.0 MHTML URL Processing VulnerabilityMicrosoft Windows 98Microsoft Windows MEMicrosoft Windows NTMicrosoft Windows 2000Microsoft Windows XPMicrosoft Outlook ExpressThe MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."Andrew ButtnerINTERIMACCEPTEDACCEPTEDWindows 2000 COM Internet Services/RPC over HTTP Proxy Component Buffer OverflowMicrosoft Windows 2000COM Internet ServicesBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.Christine WalzerINTERIMACCEPTEDACCEPTEDMicrosoft Share Level Password VulnerabilityMicrosoft Windows 98File and Print SharingFile and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level 
Password" vulnerability.Tiffany BergeronINTERIMACCEPTEDChristine WalzerINTERIMACCEPTEDACCEPTEDAs stated in the iDefense security advisory, if this key exists and contains a value, then the system has Interactive Training installed, and it will process .cbo files.Service Pack 2 or less for Windows Office XP needs regex involving strings and less thanWe think, but are not sure that the affected version of bkupexec.exe is 3.60.1.298 The file should be found in C:\Program Files\VERITAS\Backup Exec\NT\bkupexec.exeWe think, but are not sure that the affected version of bkupexec.exe is 3.60.1.298 The file should be found in C:Program Files\VERITAS\Backup Exec\NT\bkupexec.exeWmpui.dllWmp.dllMsxml6.dllMsxml5.dllMsxml4.dllMsxml3.dllComctl32.dllSystem.web.dllTcpip6.syswordview.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mspub.exePathmspub.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\11.0\Publisher\InstallRootPathHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\9.0\Publisher\InstallRootHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Publisher\InstallRootHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-3]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-7]\))DisplayNameHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MediaPlayer\7.1\RegistrationUDBVersionmdbmsg.dllwwmp.dllwmpui.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exePathpowerpnt.exejgdw400.dllwjgdw400.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MediaPlayer\10.0\RegistrationUDBVersionrasmans.dllspoolsv.exeRmcast.sysQuery.dllrdpwd.sysHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Session Manager\EnvironmentPROCESSOR_ARCHITECTUREHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\Q815021InstalledCrystalDecisions.Web.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\w3svcStartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Fpc\Hotfixes\SP1\277KbsHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB896727InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB893756InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\TapiSrvStarttapisrv.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{bfb56e60-5895-496c-bd6b-459b97142e4c}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Transaction Server\PackagesStartspoolsv.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB896423Installedshdocvw.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{90A2A715-D986-4EAB-8C73-4D06114EF760}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{754D29C1-0C97-405F-98D0-21B212CA7FF1}IsInstalledHKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1803HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q312895InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q817606InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4395}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q313829InstalledIpnathlp.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q321599Installedxactsrv.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q326830InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\lanmanserverStartxenroll.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q323172InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\Q823980InstalledLM\W3SVC6032Ipnathlp.dllidq.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q300972InstalledLM\W3SVC6014HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB823182InstalledHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1001HKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1001cryptui.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Terminal ServerProductVersionrdpwd.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q324380InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\RDPWDStartNtoskrnl.execdo.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\842436aIsInstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\MSExchangeweb.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Exchange\SetupServicePackBuildHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB871250\Filelistquartz.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q19696InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q841373InstalledLM\\W3SVC\\/d*\\ROOT6011HKEY_LOCAL_MACHINESystem\CurrentControlSet\Services\w3svc\parametersMaxClientRequestBufferDatamsgprox.dllreplrec.dllsqlvdi.dlltshoot.ocxHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB826232Installednddenb32.dllciodm.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP2\KB871250\FilelistHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Exchange\SetupServices VersionSp3res.dllUmandlg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB842526InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB839643-DirectX82InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB839643-DirectX9Installeddplayx.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\HotFix\Q305601InstalledHKEY_CLASSES_ROOTSOFTWARE\Microsoft\Updates\Windows XP\SP3\KB873339\Filelistnetman.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q326886InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q329115Installedcryptdlg.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\MessengerStartmsgsvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\DirectXVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB839643Installeddplayx.dllMSO.DLLHKEY_LOCAL_MACHINESoftware\Microsoft\Windows\CurrentVersion\Uninstall\{90510409-6D54-11D4-BEE3-00C04F990354}DisplayVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90510409-6D54-11D4-BEE3-00C04F990354}WindowsInstallerHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q329170InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\lanmanserver\parametersenablesecuritysignaturewmpcore.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Player\wm320920IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB890175Installeddxmasf.dllmsdxm.ocxHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Player\wm308567IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q321599InstalledHKEY_LOCAL_MACHINESOFTWARE\Adobe\Acrobat Reader\6.0\InstallerPatheBook.apiHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q313450Installedconsole.exesqlmap70.dllsqlrepss.dllssmslpcn.dllssnetlib.dllssnmpn70.dllums.dlleplprov.dlldbmslpcn.dllsgprox.dlleplrec.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Microsoft SQL Server\80SharedCodeqlvdi.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB888302InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557Installednetdde.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB873339\ 
Filelistodsole70.dllxpqueue.dllxprepl.dllxplog70.dllxpweb70.dllxpstar.dllimpprov.dllkernel32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823803InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MediaPlayer\8.0\RegistrationUDBVersionwmplayer.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Player\wm817787IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828035InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90110409-6000-11D3-8CFE-0150048383C9}DisplayVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Patches\9FEC06657760FC84499ED532196D45EE2Security Update for Office 2003: Wordperfect 5.x Converter (KB873378)HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q303984InstalledHKEY_CLASSES_ROOTSOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\kb823353InstalledHKEY_USERS^S-[-0-9]+\\Identities\\\{[-0-9A-Z]+\}\\Software\\Microsoft\\Outlook\ Express\\5\.0\\Mail$ShowHybridViewSRV.SYSHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB817606InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824141InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\UtilManStartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB841873Installedmstask.dllhhctrl.ocxHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q890175Installed^LM\\MSFTPSVC\\.*$1016HKEY_LOCAL_MACHINESOFTWARE\Microsoft\.NETFramework\policy\v1.1HKEY_LOCAL_MACHINEVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\.NETFramework Setup\1.1\M886903InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\.NETFramework Setup\1.1\M886904Installedmsadco.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q329414Installedwebvw.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows 
2000\SP5\KB894320\FilelistHKEY_CURRENT_USERSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedWebViewfp5areg.dllfp30reg.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\ProductOptionsProductTypeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q295534Installedsrvsvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318593InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP3\KB890923 \Filelistshell32.dlldhtmled.ocxHKEY_CLASSES_ROOTHCPzipfldr.dllMSCONV97.DLLhhsetup.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q323255InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9161A261-6ABE-4668-BBFA-AD06B3F642CFMicrosoft ExchangeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Exchange\SetupServicesxlsasink.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Exchange Server 2003\SP1\KB894549.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB885250Installedmrxsmb.sysw3proxy.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft ISA ServerInstallationLocationwspsrv.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Fpc\Hotfixes\SP1\257Kbsmswrd632.wpctlntsvr.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q307298IsInstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\TlntsvrStartvdmdbg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MSMQHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q269862InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q277873InstalledHKEY_LOCAL_MACHINESOFTWARE\Adobe\Acrobat Reader\6.0\InstallerVersionMaxHKEY_LOCAL_MACHINESOFTWARE\Adobe\Acrobat Reader\6.0\InstallerVersionMingrpconv.exeshell32.dllLM\W3SVC6014HKEY_CLASSES_ROOTSOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix \KB873339\Filelistsp3res.dllumandlg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB822679Installedhh.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB896422Installedsrv.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB890923 \FilelistHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft ISA Server SPDisplayNameHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\UninstallMicrosoft ISA Serverw3proxy.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\FPC\Hotfixes\SP1\430kbsitircl.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB825119InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB893086\FilelistHKEY_CLASSES_ROOThtfileHKEY_CLASSES_ROOTtelnet\shell\opencommandhypertrm.dllHKEY_CLASSES_ROOTSOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB873339\ FilelistHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB885836Installedwdhtmled.ocxHKEY_LOCAL_MACHINEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB891781IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824151InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft ISA ServerVersionMajorHKEY_LOCAL_MACHINESOFTWARE\Microsoft\FpcInstallDirectory323fltr.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Fpc\Hotfixes\SP1\291InstalledHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Fpc\\Arrays\\\{[^\\]+\}\\Extensions\\Proxy-Plugins\\\{FE440D49-AB26-11D2-A101-00C04FB6CFB6\}$msFPCEnabledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\FwsrvStartssinc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB870763InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB885249InstalledDhcpssvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Proxy ServerMicrosoft Proxy Serverw3proxy.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB888258InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB890923 -ie501sp3-20050225.100153Installedsqlisapi.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{F9C174E3-3E87-40bc-AA94-B8974F2B9222}InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB824146InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\Tcpip\ParametersSynAttackProtectHKEY_LOCAL_MACHINESSOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB890923 -ie501sp4-20050225.100310InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\.NETFramework\policy\v1.0HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\NET Framework Setup\1.0\M886905InstalledHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{78705f0d-e8db-4b2d-8193-982bdda15ecd}VersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{78705f0d-e8db-4b2d-8193-982bdda15ecd}VersionSystem.web.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\.NETFramework Setup\1.0\M886906InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB892944Installedmqrt.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q299444Installedtcpcfg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q265714InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB883935InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB867801InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{2298d453-bcae-4519-bf33-1cbf3faf1524}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB873350FileHKEY_LOCAL_MACHINESoftware\Microsoft\Windows NT\CurrentVersion\Hotfix\KB841356Installedsmtpsvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB885881InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\SMTPSVCStartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893086\FilelistHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\lanmanworkstationStartwkssvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828749Installedmsjava.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exePathwinword.exeHKEY_LOCAL_MACHINESOFTWARE\Classes\MIME\Database\Content Type\application/htaExtensionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB893086\ Filelistshell32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824245InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q331953InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB823980InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\NntpSvcStartnntpsvc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB883935InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB896428Installedshtml.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Shared Tools\Web Server Extensions\5.0\Setup PackagesMicrosoft FrontPage Server Extensions 2002HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Ras\CurrentVersionPathNameHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\RasManStartrasman.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707Installedzipfldr.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB873376InstalledHKEY_LOCAL_MACHINESOFTWARE\Classes\CompressedFolderFriendlyTypeNamenetlogon.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB885834Installedllssrv.exeHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\LicenseServiceStartasp.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB834707-ie501sp4-20040929.111451InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB841533Installednddenb32.dllnetdde.exenetdde.exenddenb32.dllgdi32.dllwinsrv.dllwin32k.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q328310Installedmswrd6.wpcHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Applets\WordpadEnableLegacyConvertersHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Shared Tools\Web Server Extensions\Setup PackagesFrontPage 2000 Server Extensions SRHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MSSQLServer\MSSQLServerLoginModeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB891711Installeduser32.dllhlink.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB888113Installedwebclnt.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB896426InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB810217InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponentsfp_extensionsfp4areg.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersionCommonFilesDirfp30reg.dllHKEY_LOCAL_MACHINEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707IsInstalledsmss.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q320206InstalledLM\W3SVC6014HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Shared Tools\Web Server Extensions\Setup PackagesSharePointHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB901214IsInstalledmscms.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{E81659DF-28E1-4C60-B4B9-00A4BC5FA76D}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\DataAccess\Q832483IsInstalledsqlsrv32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB832483InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\HotFix\KB883939InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB890859InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB885835InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q811493InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB840987InstalledNtoskrnl.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\SP2SRP1Installedism.dlltcpip.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB893066InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\Tcpip\ParametersEnablePMTUDiscoveryHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Microsoft Services for UNIX\KB896428InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Services for UNIXCurrent_Releasetelnet.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707-ie501sp3-20040929.121357InstalledHKEY_LOCAL_MACHINEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB834707-ie6-20040929.115007IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828028InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB830352InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\winsStartwins.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB832894InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{ 3e7bb08a-a7a3-4692-8eac-ac5e7895755b}IsInstalledssmsrp70.dlldbmsrpcn.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersionCurrentVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exePathsqlservr.exeHKEY_LOCAL_MACHINEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetShowVersionnscm.exenspmon.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media 
Services\KB832359IsInstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\nsstationStartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\Windows Media Services\KB832359StartHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Office\10.0\Outlook\InstallRoot.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEPathutlook.exeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90280409-6000-11D3-8CFE-0050048383C9}DisplayVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirmsgsc.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q314147Installedmup.sysHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q311967Installedmsgina.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\NetlogonStartmf3216.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q293826Installedhttpext.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q291845InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\W3SVC\ParametersDisableWebDAVrpcrt4.dllole32.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB873333InstalledHKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1200HKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1400HKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1400HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB890046Installedagentdpv.dllwintrust.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q301625InstalledMsw3prt.dllw3svc.dlllsasrv.dllHKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{A954CDD5-A95F-414F-B3FE-FBEF9D2AECEA}IsInstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{754D29C1-0C97-405F-98D0-21B212CA7FF1}IsInstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Active 
Setup\Installed Components\{716E024F-7F74-47F3-B93B-9FF7F3CBF94C}IsInstalledHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1803msasn1.dllHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1200code.aspHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q232449InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\Hotfix\Q811114Installedmsw3prt.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733InstalledLM\W3SVC6014w3svc.dll^LM\\W3SVC\\.*$5506HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\ServerEnabledschannel.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Services\SNMPStartsnmp.exeitss.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB840315InstalledHKEY_LOCAL_MACHINESOFTWARE\Classes\ITSProtocol.*HKEY_LOCAL_MACHINESOFTWARE\Microsoft\OleEnableDCOMrpcss.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{2D5974C5-5185-4f5b-80B6-28015ACDD74C}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet SettingsSecurity_HKLM_onlyHKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1A02HKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1A02HKEY_LOCAL_MACHINE^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1A03HKEY_CURRENT_USER^SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$1A03HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Updates\DataAccess\Q823718IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\DataAccessFullInstallVerodbcbcp.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersionCSDVersionHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB835732Installedh323.tspHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB817772InstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB822343Installednsiislog.dllHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Session Manager\EnvironmentPROCESSOR_ARCHITECTUREmsjet40.dllwmsjet40.dllHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB837001InstalledHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\ProductOptionsProductSuiteHKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Product\OptionsProductTypeHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{D7B44F3E-77D3-44C5-8E03-4222D9A18B7B}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{eddbec60-89cb-44ef-8291-0850fd28ff6a}IsInstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{E81659DF-28E1-4C60-B4B9-00A4BC5FA76D}IsInstalledHKEY_LOCAL_MACHINESoftware\Microsoft\Active Setup\Installed Components\{2D5974C5-5185-4f5b-80B6-28015ACDD74C}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{61E6EAE5-7821-4AC1-9BBD-AED032A8E273}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{FF4DD9CD-F25E-425a-8B5C-A2D062781FBB}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{2757B1D6-0367-4663-877C-93ECC5C01BF6}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{C34F4917-ED43-439f-9023-97B0024A2B3B}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{F9C174E3-3E87-40bc-AA94-B8974F2B9222}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{f5de1b93-9d38-416b-b09e-aa85a8e84309}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{377483c2-e4b4-4ee8-b577-9aed264c8735}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active Setup\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}IsInstalledHKEY_LOCAL_MACHINESOFTWARE\Microsoft\Active 