Detailed Report
SAINTwriter Assessment Report

Report Generated: March 21, 2013
Scan Completed: March 20, 2013 10:38 AM
Scan Level: heavy
Scanner Version: 7.15.7

1.0 Details

The following sections provide details on the specific vulnerabilities detected on each host.

1.1 win2003unpatch.sainttest.local

IP Address: 10.7.0.11
Scan time: Mar 20 10:38:23 2013
Host type: Windows Server 2003 SP2
Netbios Name: WIN2003UNPATCH

Microsoft IIS ASP Remote Code Execution vulnerability

Severity: Critical Problem
CVE: CVE-2008-0075
Updated 09/14/10

Impact

An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Background

Microsoft IIS web servers accept requests for a number of different types of files. The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information.

Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.

IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.
The Problems

ASP Remote Code Execution vulnerability
02/14/08
CVE 2008-0075

Microsoft Security Bulletin 08-006 announced a vulnerability in IIS that could allow remote code execution. The vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who could exploit the vulnerability could perform actions on the IIS server with the same rights as the Worker Process Identity (WPI).

Resolutions

Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-062, and 10-065. For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on the ASP Remote Code Execution vulnerability in Windows 2003 and XP is available in Microsoft Security Bulletin 08-006, (US) CERT Technical Alert TA08-043C, Hewlett-Packard security bulletin HPSBST02314 / SSRT080016, Secunia advisory 28893, Security Focus Bugtraq ID 27676, and Security Tracker Alert ID 1019385.

Technical Details

Service: netbios
IIS 6.0 running; asp.dll dated 2007-2-17, older than 2007-11-26

Microsoft Remote Desktop Protocol Denial of Service Vulnerability (MS11-065)

Severity: Critical Problem
CVE: CVE-2011-1968
Updated 03/12/13
CVE 1999-0662

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.
There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Remote Desktop Protocol Denial of Service Vulnerability (MS11-065)
Description: If the Remote Desktop Protocol is enabled but not patched, a maliciously-crafted sequence of RDP packets sent by a remote, unauthenticated attacker could cause a denial of service and possibly restart the target system. (CVE 2011-1968)
Fix:
  XP 32-bit SP3: 2570222
  XP 64-bit SP2: 2570222
  2003 32-bit SP2: 2570222
  2003 64-bit SP2: 2570222
  2003 Itanium SP2: 2570222
Bulletin: 11-065

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details

Service: netbios
rdpwd.sys dated 2007-2-17, older than 2011-6-22

Microsoft Windows TCP/IP remote code execution vulnerability (MS09-048)

Severity: Critical Problem
CVE: CVE-2006-2379 CVE-2008-4609 CVE-2009-1926
Updated 03/12/13
CVE 1999-0662

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.

There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows TCP/IP remote code execution vulnerability
Description: Fixes vulnerability in Windows TCP/IP IP Source Routing code which allows for remote code execution. (CVE 2006-2379)
Fix:
  2000: 917953
  XP: 917953
  2003: 917953 or SP2
Bulletin: 06-032

Update Name: Microsoft Windows TCP/IP remote code execution vulnerability
Description: Fixes several vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. (CVE 2008-4609, CVE 2009-1925, CVE 2009-1926)
Fix:
  2003: 967723
  Vista: 967723
  2008: 967723
Bulletin: 09-048

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details

Service: netbios
tcpip.sys dated 2007-2-17, older than 2009-8-14

Multiple buffer overflows in SMB

Severity: Critical Problem
CVE: CVE-2008-4114 CVE-2008-4834 CVE-2008-4835
Updated 03/12/13
CVE 1999-0662

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.

There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Multiple Windows SMB vulnerabilities
Description: Fixes multiple SMB buffer overflow vulnerabilities that could give an attacker administrative rights to the system. (CVE 2008-4114 CVE 2008-4834 CVE 2008-4835)
Fix:
  2000: 958687 (32 bit)
  XP: 958687 (32 bit) or 958687 (64 bit)
  2003: 958687 (32 bit), 958687 (64 bit), or 958687 Itanium
  Vista: 958687 (32 bit) or 958687 (64 bit)
  2008: 958687 (32 bit), 958687 (64 bit), or 958687 Itanium
Bulletin: 09-001

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details

Service: netbios
Target accepts specially crafted SMB call

SSL and TLS Protocols Vulnerable Implementation (MS12-006)

Severity: Critical Problem
CVE: CVE-2011-3389
Updated 03/12/13
CVE 1999-0662

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.

There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: SSL and TLS Protocols Vulnerable Implementation
Description: A vulnerability exists within the SSL 3.0 and TLS 1.0 protocols through which an attacker who has access to an active (encrypted) SSL connection — a “man-in-the-middle” attack — may be able to break the encryption and read the content being transmitted. No actual exploit was known until 2011, when an exploit tool named “BEAST” demonstrated a block-wise chosen-plaintext attack using vulnerable Web browsers and a crafted Web site. SSL 3.0 and TLS 1.0, using CBC mode, are vulnerable. TLS 1.1 and 1.2, and all encryption methods which do not use CBC mode, are unaffected by this vulnerability. (CVE 2011-3389)
Fix:
  XP 32-bit SP3: 2585542
  XP 64-bit SP2: 2585542, 2638806
  2003 32-bit SP2: 2585542, 2638806
  2003 64-bit SP2: 2585542, 2638806
  2003 Itanium SP2: 2585542, 2638806
  Vista 32-bit SP2: 2585542
  Vista 64-bit SP2: 2585542
  2008 32-bit SP2: 2585542
  2008 64-bit SP2: 2585542
  2008 Itanium SP2: 2585542
  W7 32-bit to SP1: 2585542
  W7 64-bit to SP1: 2585542
  2008 R2 64-bit to SP1: 2585542
  2008 R2 Itanium to SP1: 2585542
Bulletin: 12-006

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details

Service: netbios
Schannel.dll dated 2007-2-17, older than 2011-11-14

Windows RPC authentication denial of service

Severity: Critical Problem
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2007-2228

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.
There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows RPC Authentication denial of service for Windows
Description: Fixes vulnerability in Windows RPC that allows for a denial of service to be caused in the RPC authentication. (CVE 2007-2228)
Fix:
  2000: 933729
  XP: 933729
  2003: 933729
  Vista: 933729
Bulletin: 07-058

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details

Service: netbios
rpcrt4.dll dated 2007-2-17, older than 2007-7-7

Windows SMB Server Transaction Vulnerability

Severity: Critical Problem
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2011-0661

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.

There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows SMB Server Transaction Vulnerability
Description: Fixes multiple vulnerabilities in SMB server and SMB client which could allow remote code execution. (CVE 2011-0661)
Fix:
  XP: 2508429 (32-bit), 2508429 (64-bit)
  2003: 2508429 (32-bit), 2508429 (64-bit)
  Vista: 2508429 (32-bit), 2508429 (64-bit)
  2008: 2508429 (32-bit), 2508429 (64-bit)
  Windows 7: 2508429 (32-bit), 2508429 (64-bit)
  Windows 7 SP1: 2508429 (32-bit), 2508429 (64-bit)
  2008 R2: 2508429 (64-bit)
  2008 R2 SP1: 2508429 (64-bit)
Bulletin: 11-020

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details

Service: netbios
srv.sys dated 2007-2-17, older than 2011-2-16

Windows Server Service MS08-067 buffer overflow

Severity: Critical Problem
CVE: CVE-2008-4250
Updated 03/12/13
CVE 1999-0662

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.

There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Server Service MS08-067 buffer overflow
Description: Fixes a buffer overflow in the Windows Server service which could allow remote attackers to take complete control of the computer. (CVE 2008-4250)
Fix:
  2000: 958644
  XP: 958644
  2003: 958644
  Vista: 958644
  2008: 958644
Bulletin: 08-067

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details

Service: 445:TCP
NetprPathCompare returned 0

Windows networking components remote code execution (MS12-054)

Severity: Critical Problem
CVE: CVE-2012-1850
Updated 03/12/13
CVE 1999-0662

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.

There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows networking components remote code execution
Description: Multiple vulnerabilities exist in Windows remote administration protocol that can lead to remote code execution. Attackers that successfully exploit any of these vulnerabilities could take complete control of the system or cause a denial of service. (CVE 2012-1850) (CVE 2012-1852) (CVE 2012-1853)
Fix:
  XP: 2705219
  2003: 2705219
  Vista: 2705219
  2008: 2705219
  7: 2705219
  2008 R2: 2705219
Bulletin: 12-054

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details

Service: netbios
netapi32.dll dated 2007-2-17, older than 2012-6-27

Windows print spooler remote code execution vulnerability (MS12-054)

Severity: Critical Problem
CVE: CVE-2012-1851
Updated 03/12/13
CVE 1999-0662

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.

There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows print spooler remote code execution vulnerability
Description: A vulnerability exists in the Windows print spooler service that can lead to remote code execution. Attackers that successfully exploit this vulnerability could take complete control of the system. (CVE 2012-1851)
Fix:
  XP: 2712808
  2003: 2712808
  Vista: 2712808
  2008: 2712808
  7: 2712808
  2008 R2: 2712808
Bulletin: 12-054

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details

Service: netbios
localspl.dll dated 2007-2-17, older than 2012-5-12

vulnerable version of SMB Server (MS10-012) dated 2007-2-17

Severity: Critical Problem
CVE: CVE-2010-0020 CVE-2010-0021 CVE-2010-0022 CVE-2010-0231
Updated 03/12/13
CVE 1999-0662

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background

Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.

There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack.
Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Multiple vulnerabilities (MS10-012)
Description: Fixes 4 vulnerabilities announced in Microsoft bulletin MS10-012, the most critical of which could allow remote code execution. The vulnerabilities are due to weak entropy used in encryption, bounds checking on path names, and null pointers. (CVE 2010-0020 CVE 2010-0021 CVE 2010-0022 CVE 2010-0231)
Fix:
  2000 (all versions): 971468
  XP: 971468
  2003 (all versions): 971468
  Vista (all versions): 971468
  Windows 7 (all versions): 971468
  2008 (all versions): 971468
Bulletin: 10-012

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details

Service: netbios
srv.sys dated 2007-2-17, older than 2009-12-1

IIS file update notification privilege elevation

Severity: Area of Concern
Updated 01/15/13
CVE: CVE-2008-0074

Impact

Vulnerabilities in IIS allow privilege elevation and code execution.

Background

Internet Information Services (IIS) is a Microsoft software product that comprises various Internet services including World Wide Web Publishing Service, FTP Publishing Service, and Network News Transport Protocol (NNTP).

The Problems

File change notification privilege elevation
02/14/08
CVE 2008-0074

IIS is vulnerable in the way that it handles file change notifications in the FTPRoot, NNTPFile\Root, and WWWRoot folders. A local attacker would have to be able to create or modify a file in one of these directories. A remote attacker would have to be able to upload a script to an affected IIS server, and be able to run the script. This uploaded script would need write access to the FTPRoot, NNTPFile\Root, or WWWRoot folders. An attacker who successfully exploits this vulnerability could execute arbitrary code in the context of local system.

Unpatched versions of IIS are vulnerable on: Windows 2000 with IIS web server, FTP or NNTP services enabled; Windows XP with IIS web server or FTP services enabled; Windows Server 2003 with FTP or NNTP services enabled; and Vista with FTP service enabled.

Resolution

For the File change notification privilege elevation vulnerability, apply the appropriate patch for the operating system and IIS version:

  Windows 2000 IIS 5.0: KB942831
  Windows XP IIS 5.1: KB942831
  Windows Server 2003 IIS 6.0: KB93281
  Windows Vista IIS 7.0: KB93281

Where can I read more about this?

The file change notification privilege elevation vulnerability was reported in Microsoft Security Bulletin MS08-005.
Technical Details
Service: netbios
IIS services (W3SVC, NntpSvc, or MSFTPSVC) enabled without IIS patch KB942831

Internet Explorer 6 vulnerable version, mshtml.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2007-0218 CVE-2007-0942 CVE-2007-0944 CVE-2007-0945 CVE-2007-1091 CVE-2007-1750 CVE-2007-1751 CVE-2007-2216 CVE-2007-2221 CVE-2007-2222 CVE-2007-3027 CVE-2007-3041 CVE-2007-3091 CVE-2007-3826 CVE-2007-3892 CVE-2007-3893 CVE-2007-3902 CVE-2007-3903 CVE-2007-4790 CVE-2007-5158 CVE-2007-5344 CVE-2007-5347 CVE-2008-0076 CVE-2008-0077 CVE-2008-0078 CVE-2008-1085 CVE-2008-1442 CVE-2008-1544 CVE-2008-2254 CVE-2008-2255 CVE-2008-2256 CVE-2008-2257 CVE-2008-2258 CVE-2008-2259 CVE-2008-2947 CVE-2008-3472 CVE-2008-3473 CVE-2008-3474 CVE-2008-3475 CVE-2008-3476 CVE-2008-4261 CVE-2008-4844 CVE-2009-0550 CVE-2009-0551 CVE-2009-0552 CVE-2009-0553 CVE-2009-0554 CVE-2009-1140 CVE-2009-1141 CVE-2009-1528 CVE-2009-1547 CVE-2009-1917 CVE-2009-1918 CVE-2009-1919 CVE-2009-2493 CVE-2009-2529 CVE-2009-2530 CVE-2009-2531 CVE-2009-3672 CVE-2010-0244 CVE-2010-0247 CVE-2010-0248 CVE-2010-0249 CVE-2010-0255 CVE-2010-0267 CVE-2010-0488 CVE-2010-0489 CVE-2010-0490 CVE-2010-0491 CVE-2010-0494 CVE-2010-0805 CVE-2010-0806 CVE-2010-0808 CVE-2010-1258 CVE-2010-1259 CVE-2010-1262 CVE-2010-2556 CVE-2010-2557 CVE-2010-2558 CVE-2010-2560 CVE-2010-3325 CVE-2010-3326 CVE-2010-3327 CVE-2010-3328 CVE-2010-3330 CVE-2010-3331 CVE-2010-3340 CVE-2010-3342 CVE-2010-3343 CVE-2010-3346 CVE-2010-3348 CVE-2010-3962 CVE-2010-3971 CVE-2011-0035 CVE-2011-0036 CVE-2011-0094 CVE-2011-0346 CVE-2011-1244 CVE-2011-1245 CVE-2011-1250 CVE-2011-1254 CVE-2011-1255 CVE-2011-1256 CVE-2011-1257 CVE-2011-1258 CVE-2011-1261 CVE-2011-1345 CVE-2011-1960 CVE-2011-1961 CVE-2011-1962 CVE-2011-1964 CVE-2011-1993 CVE-2011-1995 CVE-2011-1996 CVE-2011-1997 CVE-2011-2000 CVE-2011-2001 CVE-2011-2383 CVE-2011-3404 CVE-2012-0010 CVE-2012-0168 CVE-2012-0170 CVE-2012-0171 CVE-2012-0172 CVE-2012-1523 CVE-2012-1526 CVE-2012-1872
CVE-2012-1876 CVE-2012-1877 CVE-2012-1878 CVE-2012-1879 CVE-2012-1880 CVE-2012-1882 CVE-2012-2521 CVE-2012-2522 CVE-2012-4781 CVE-2012-4792 CVE-2012-4969 CVE-2013-0087 CVE-2013-0088 CVE-2013-0089 CVE-2013-0090 CVE-2013-0092 CVE-2013-0093 CVE-2013-0094
Updated 03/12/13 CVE 1999-0662

Impact
A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Background
Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems.

The Problems
Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability. Specifically:

03/12/13
CVE 2013-0087 CVE 2013-0088 CVE 2013-0089 CVE 2013-0090 CVE 2013-0091 CVE 2013-0092 CVE 2013-0093 CVE 2013-0094 CVE 2013-1288
The March Cumulative Security Update (MS13-021) for Internet Explorer resolves nine privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted web page. These vulnerabilities are known as OnResize, saveHistory, CMarkupBehaviorContext, CCaret, CElement, GetMarkupPtr, onBeforeCopy, removeChild, CTreeNode use after free vulnerabilities and affect Internet Explorer versions 6 through 10. An attacker who successfully exploits any of these vulnerabilities could gain the same user rights as the current user.

01/14/13
CVE 2012-4792
The out-of-cycle January 2013 security update (MS13-008) for Internet Explorer fixed a use after free vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory which has not been correctly initialized or has been deleted.
The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

12/11/12
CVE 2012-4781 CVE 2012-4782 CVE 2012-4787
The December 2012 cumulative security update (MS12-077) for Internet Explorer resolves three privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted web page. These vulnerabilities are known as InjectHTMLStream, CMarkup, and Improper Ref Counting use-after-free vulnerabilities and affect Internet Explorer versions 6 through 10. An attacker who successfully exploits any of these vulnerabilities could gain the same user rights as the current user.

09/21/12
CVE 2012-1529 CVE 2012-2546 CVE 2012-2548 CVE 2012-2557 CVE 2012-4969
The out-of-cycle September 2012 cumulative security update for Internet Explorer fixed five vulnerabilities which could allow command execution with the permissions of the current user if the user opens a specially crafted web page. Public exploits are available for one of the five vulnerabilities, CVE-2012-4969.

08/14/12
CVE 2012-1526 CVE 2012-2521 CVE 2012-2522 CVE 2012-2523
The August 2012 cumulative security update for Internet Explorer resolves four privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

06/12/12
CVE 2012-1523 CVE 2012-1858 CVE 2012-1872 CVE 2012-1873 CVE 2012-1874 CVE 2012-1875 CVE 2012-1876 CVE 2012-1877 CVE 2012-1878 CVE 2012-1879 CVE 2012-1880 CVE 2012-1881 CVE 2012-1882
The June 2012 cumulative security update for Internet Explorer fixes thirteen privately reported vulnerabilities.
Successful exploitation of these vulnerabilities could result in information disclosure and remote code execution on the target host.

04/10/12
CVE 2012-0168 CVE 2012-0169 CVE 2012-0170 CVE 2012-0171 CVE 2012-0172
This security update resolves five privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

02/14/12
CVE 2012-0010 CVE 2012-0011 CVE 2012-0012 CVE 2012-0155
This security update resolves four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

12/13/11
CVE 2011-3404
A Content-Disposition Information Disclosure Vulnerability exists in MS IE 6, 7, 8, and 9, affecting MS Windows XP, Vista, and Windows 7, and MS Windows Server 2003, 2008, and 2008 R2. An attacker who crafts a malicious Web page and who can convince an unsuspecting user to visit that Web page may be able to exploit this vulnerability to disclose (to the attacker) information, possibly sensitive information, which is available to the user but normally unavailable to the attacker.
10/11/11
CVE 2011-1993 CVE 2011-1995 CVE 2011-1996 CVE 2011-1997 CVE 2011-1998 CVE 2011-1999 CVE 2011-2000 CVE 2011-2001
The October 2011 Cumulative Security Update (MS11-081) resolves eight privately reported vulnerabilities in Internet Explorer that could allow remote code execution. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.

08/10/11
CVE 2011-1257 CVE 2011-1960 CVE 2011-1961 CVE 2011-1962 CVE 2011-1963 CVE 2011-1964 CVE 2011-2383
The August 2011 Cumulative Security Update (MS11-057) fixed seven vulnerabilities that could allow remote code execution. Remote attackers can exploit these vulnerabilities by persuading target users to visit a maliciously crafted web page.

06/14/11
CVE 2011-1246 CVE 2011-1250 CVE 2011-1251 CVE 2011-1252 CVE 2011-1254 CVE 2011-1255 CVE 2011-1256 CVE 2011-1258 CVE 2011-1260 CVE 2011-1261 CVE 2011-1262
MS11-050 fixed a memory reallocation vulnerability that could allow remote code execution and Information Disclosure. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. The vulnerable IE versions could allow script to gain access to information in another domain or Internet Explorer zone.

04/12/11
CVE 2011-0094 CVE 2011-0346 CVE 2011-1244 CVE 2011-1245 CVE 2011-1345
The April 2011 Cumulative Security Update (MS11-018) fixed five vulnerabilities that could allow remote code execution. Remote attackers can exploit these vulnerabilities by persuading target users to visit a maliciously crafted web page.

02/08/11
CVE 2011-0035 CVE 2011-0036 CVE 2011-0038
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. It can be triggered when a user with a legal account views a web page constructed by an attacker.
12/23/10
CVE 2010-3971
Internet Explorer 6, 7, and 8 are affected by a vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser. The vulnerability could allow command execution when a user loads a web page which has multiple @import calls.

12/14/10
CVE 2010-3340 CVE 2010-3342 CVE 2010-3343 CVE 2010-3345 CVE 2010-3346 CVE 2010-3348 CVE 2010-3962
The December 2010 Cumulative Security Update (MS10-090) fixed seven vulnerabilities that could allow remote code execution. Remote attackers can exploit these vulnerabilities by persuading target users to visit a maliciously crafted web page.

10/12/10
CVE 2010-0808 CVE 2010-3243 CVE 2010-3324 CVE 2010-3325 CVE 2010-3326 CVE 2010-3327 CVE 2010-3328 CVE 2010-3329 CVE 2010-3330 CVE 2010-3331
The October 2010 Cumulative Security Bulletin (MS10-071) fixed 10 vulnerabilities in Internet Explorer. The security update addressed these vulnerabilities by correcting the way Internet Explorer handles objects in memory, CSS special characters, HTML sanitization, the AutoComplete feature, the Anchor element, and script during certain processes.

08/10/10
CVE 2010-1258 CVE 2010-2556 CVE 2010-2557 CVE 2010-2558 CVE 2010-2559 CVE 2010-2560
The August 2010 Cumulative Security Update (MS10-053) fixed six vulnerabilities in Internet Explorer, including five memory corruption vulnerabilities and one cross-domain vulnerability.

06/08/10
CVE 2010-0255 CVE 2010-1257 CVE 2010-1259 CVE 2010-1260 CVE 2010-1261 CVE 2010-1262
The June 2010 Cumulative Security Update (MS10-035) fixed six vulnerabilities in Internet Explorer, including four memory corruption vulnerabilities and two information disclosure vulnerabilities.
03/30/10
CVE 2010-0267 CVE 2010-0488 CVE 2010-0489 CVE 2010-0490 CVE 2010-0491 CVE 2010-0492 CVE 2010-0494 CVE 2010-0805 CVE 2010-0806 CVE 2010-0807
The March 2010 Cumulative Security Update fixed ten vulnerabilities in Internet Explorer, including an information disclosure vulnerability, and memory corruption vulnerabilities.

02/04/10
CVE 2010-0255
A security bypass vulnerability exists in Microsoft Internet Explorer. The vulnerability is due to a design error when performing redirection of the file:// URIs in a web page. Remote attackers can exploit this vulnerability by persuading target users to visit a maliciously crafted web page. Successful exploitation would result in arbitrary files on the affected client system being disclosed and rendered as HTML content, thereby executing any script content they might contain.

01/21/10
CVE 2009-4074 CVE 2010-0027 CVE 2010-0244 CVE 2010-0245 CVE 2010-0246 CVE 2010-0247 CVE 2010-0248 CVE 2010-0249
The January 2010 Cumulative Security Update fixed eight vulnerabilities in Internet Explorer, including a XSS filter script handling vulnerability, a URL validation vulnerability, uninitialized memory corruption vulnerabilities and HTML object memory corruption vulnerabilities.

01/18/10
CVE 2010-0249
A code execution vulnerability exists in Microsoft Internet Explorer. The flaw is due to a use-after-free error within the HTML engine. A remote attacker can exploit this vulnerability by enticing a target user to open a maliciously crafted HTML document.

12/09/09
CVE 2009-2493 CVE 2009-3671 CVE 2009-3672 CVE 2009-3673 CVE 2009-3674
The December 2009 cumulative security update (MS09-072) for Internet Explorer fixed 5 vulnerabilities. The security update addressed these vulnerabilities by correcting the control and by modifying the way Internet Explorer handles objects in memory.
10/13/09
CVE 2009-1547 CVE 2009-2529 CVE 2009-2530 CVE 2009-2531
Multiple vulnerabilities (MS09-054) in Internet Explorer 5, 6, 7, and 8 have been discovered that allow an attacker to execute remote code via memory/header corruption and invalid handling of HTML Components.

07/28/09
CVE 2009-1917 CVE 2009-1918 CVE 2009-1919
The out of band security update (MS09-034) for Internet Explorer fixed three vulnerabilities. The security update addressed these vulnerabilities by modifying the way Internet Explorer handles objects in memory and table operations.

06/10/09
CVE 2007-3091 CVE 2009-1140 CVE 2009-1141 CVE 2009-1528 CVE 2009-1529 CVE 2009-1530 CVE 2009-1531 CVE 2009-1532
The June 2009 cumulative security update (MS09-019) for Internet Explorer fixed eight vulnerabilities. The security update addressed these vulnerabilities by modifying the way Internet Explorer handles scripts, caches data and initializes memory.

04/15/09
(CVE 2008-2540 CVE 2009-0550 CVE 2009-0551 CVE 2009-0552 CVE 2009-0553 CVE 2009-0554)
The April 2009 cumulative security update (MS09-014) for Internet Explorer fixed six vulnerabilities. The security update addressed these vulnerabilities by modifying the way Internet Explorer searches the system for files to load, performs authentication reply validation, handles transition errors when navigating between Web pages, and handles memory objects.

12/18/08
(CVE 2008-4844)
The December 2008 cumulative security update (MS08-078) for Internet Explorer 5, 6, 7, and 8 fixed a vulnerability which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
12/09/08
(CVE 2008-4258 CVE 2008-4259 CVE 2008-4260 CVE 2008-4261)
The December 2008 cumulative security update (MS08-073) for Internet Explorer 5, 6 and 7 fixed four vulnerabilities which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Windows Server 2003 and 2008 run Internet Explorer in Enhanced Security Configuration Mode by default, which helps mitigate the issue.

10/14/08
(CVE 2008-2947 CVE 2008-3472 CVE 2008-3473 CVE 2008-3474 CVE 2008-3475 CVE 2008-3476)
The October 2008 cumulative security update (MS08-058) for Internet Explorer 5, 6 and 7 fixed six vulnerabilities which could allow information disclosure or remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

08/13/08
(CVE 2008-2254 CVE 2008-2255 CVE 2008-2256 CVE 2008-2257 CVE 2008-2258 CVE 2008-2259)
The August 2008 cumulative security update (MS08-045) for Internet Explorer 5, 6 and 7 fixed six vulnerabilities which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

06/10/08
(CVE 2008-1442 CVE 2008-1544)
The June 2008 cumulative security update (MS08-031) for Internet Explorer 5, 6 and 7 fixed two vulnerabilities which could allow remote code execution and information disclosure if a user viewed a specially crafted Web page using Internet Explorer.

04/14/08
Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections.

04/08/08
(CVE 2008-1086)
The April 2008 "Security Update of ActiveX kill bits" adds kill bits to stop specific instantiations of the Microsoft Help Visuals (Visual components such as TOC and Index) library for MS Help engine (hxvz.dll).
These specific ActiveX objects, when instantiated in Internet Explorer, could cause memory corruption, leading to command execution.

(CVE 2008-1085)
The April 2008 cumulative security update (MS08-024) for Internet Explorer 5, 6, 7 and Vista fixed a vulnerability in the way it processes data streams which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

04/01/08
(CVE 2008-1544 CVE 2008-1545)
Internet Explorer 7 has vulnerabilities related to the ability to modify certain headers using the setRequestHeader() JavaScript function. The results include exposing the browser to HTTP Request Splitting and Smuggling attacks.

02/13/08
(CVE 2007-4790 CVE 2008-0076 CVE 2008-0077 CVE 2008-0078)
The February 2008 cumulative security update (MS08-010) for Internet Explorer 5, 6, 7 and Vista fixed four memory corruption vulnerabilities, including the stack-based buffer overflow in a certain ActiveX control in FPOLE.OCX in Microsoft Visual FoxPro 6.0, which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

12/12/07
(CVE 2007-3902 CVE 2007-3903 CVE 2007-5344 CVE 2007-5347)
The December 2007 cumulative security update (MS07-069) for Internet Explorer 5, 6, and 7 fixed four vulnerabilities that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

10/09/07
(CVE 2007-1091 CVE 2007-3826 CVE 2007-3892 CVE 2007-3893)
The October 2007 cumulative security update (MS07-057) for Internet Explorer 5, 6, and 7 fixed four vulnerabilities including a memory corruption which can lead to code execution and three address bar spoofing vulnerabilities.

10/03/07
(CVE 2007-5158)
Internet Explorer 6 has a file focus stealing vulnerability. This allows for web pages to disclose sensitive information and upload files.
08/14/07
(CVE 2007-0943 CVE 2007-2216 CVE 2007-3041)
The August 2007 cumulative security update for Internet Explorer 5, 6, and 7 fixed three vulnerabilities, including a command execution vulnerability when parsing certain CSS strings, incorrect implementation of IObjectsafety by the tblinf32.dll ActiveX control, and memory corruption by the pdwizard.ocx ActiveX control.

07/24/07
CVE 2007-3826
Internet Explorer 7 is affected by a vulnerability which allows remote attackers to prevent users from leaving a site, spoof the address bar, and conduct phishing and other attacks via repeated document.open function calls after a user requests a new page, but before the onBeforeUnload function is called.

06/12/07
(CVE 2007-0218 CVE 2007-1750 CVE 2007-1751 CVE 2007-1752 CVE 2007-2222 CVE 2007-3027)
The June 2007 Cumulative Security Update (MS07-033) fixed multiple vulnerabilities in Internet Explorer 5, 6, and 7, including vulnerabilities in COM object instantiation, CSS tags, language pack instantiation, uninitialized memory, navigation cancel pages, and speech control.

06/11/07
(CVE 2007-3091)
Microsoft Internet Explorer 6 and 7 are affected by a race condition vulnerability. The vulnerability is due to the way Internet Explorer builds DOM objects during page updating. A remote attacker may leverage this vulnerability by interrupting page loading in a way that would allow spoofing of the URL address bar, and page properties including SSL certificates. This would enable remote attackers to conduct phishing attacks on the vulnerable clients.
05/08/07
(CVE 2007-0942 CVE 2007-0944 CVE 2007-0945 CVE 2007-0946 CVE 2007-0947 CVE 2007-2221)
Microsoft Internet Explorer 5, 6, and 7 are affected by multiple vulnerabilities including a COM object instantiation memory corruption, memory corruption when accessing an object which is not initialized, memory corruption when handling a property method, HTML objects memory corruption, and an arbitrary file rewrite vulnerability in the mdsauth.dll control.

03/05/07
(CVE 2007-1091 CVE 2007-1094)
Microsoft Internet Explorer 6 and 7 are vulnerable in the use of the onUnload JavaScript handler. These vulnerabilities allow crafted web pages that a user visits to either cause a denial of service by crashing the browser or keep the user from leaving the page.

10/25/04
The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message.

Resolution
To use Internet Explorer securely, take the following steps:
(The vulnerabilities in IE 8, Beta 1 have not yet been patched)
(The response splitting and smuggling related to setRequestHeader() has not yet been patched)
(The file focus stealing vulnerability has not yet been patched)
(The stack overflow vulnerability has not yet been patched.)
(The document.open spoofing vulnerability has not yet been patched.)
(The CSS parser vulnerability has not yet been patched.)
Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021.
Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088)
Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864
Disable the Javaprxy.dll object
Disable the ADODB.Stream object
Disable the Shell.Explorer object

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669.

To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)

To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

Where can I read more about this?
For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

The Security Zone Bypass vulnerability (CVE-2010-0255) was reported in Microsoft Security Advisory (980088).

The CSS parser vulnerability (CVE-2010-3971) was reported in Microsoft Security Advisory (2488013).

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.
The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.

The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.

More information on the race condition building DOM objects vulnerability was reported in Secunia Advisory SA25564.

More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID 22680.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

Technical Details
Service: netbios
mshtml.dll dated 2007-2-17, older than 2013-2-4

Internet Explorer 6 vulnerable version, mshtmled.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2013-0015 CVE-2013-0018 CVE-2013-0021 CVE-2013-0027 CVE-2013-0028 CVE-2013-0029
Updated 03/12/13 CVE 1999-0662

Impact
A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Background
Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems.

The Problems
Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability.
Specifically:

02/13/13
CVE 2013-0015 CVE 2013-0018 CVE 2013-0019 CVE 2013-0020 CVE 2013-0021 CVE 2013-0022 CVE 2013-0023 CVE 2013-0024 CVE 2013-0025 CVE 2013-0026 CVE 2013-0027 CVE 2013-0028 CVE 2013-0029
The Cumulative Security Update for Internet Explorer of February 2013 (MS13-009) resolves thirteen confirmed vulnerabilities, the most severe of which could permit remote code execution if a user visits a maliciously-crafted Web page. Twelve of the thirteen are caused by “use after free” memory management errors; the thirteenth vulnerability is caused by an error in text processing using the “Shift JIS” encoding, an encoding of the Japanese language older than (and incompatible with) Unicode. Internet Explorer versions 6 through 10, inclusive, are vulnerable.

04/14/08
Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections.

10/25/04
The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message.

Resolution
To use Internet Explorer securely, take the following steps:
(The vulnerabilities in IE 8, Beta 1 have not yet been patched)
(The response splitting and smuggling related to setRequestHeader() has not yet been patched)
(The file focus stealing vulnerability has not yet been patched)
(The stack overflow vulnerability has not yet been patched.)
(The document.open spoofing vulnerability has not yet been patched.)
Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021.
Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088)
Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864
Disable the Javaprxy.dll object
Disable the ADODB.Stream object
Disable the Shell.Explorer object

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669.

To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)

To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

Where can I read more about this?
For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021.
Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

Technical Details
Service: netbios
mshtmled.dll dated 2007-2-17, older than 2013-1-7

Internet Explorer VBScript and JScript decoding vulnerability
Severity: Area of Concern
CVE: CVE-2008-0083
Updated 03/12/13 CVE 1999-0662

Impact
A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Background
Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems.

The Problems
Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability. Specifically:

04/14/08
Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections.

04/08/08
(CVE 2008-0083)
Versions 5.1 and 5.6 of the VBScript and JScript engines are affected by a vulnerability which could allow command execution when Internet Explorer decodes scripts. Version 5.7 of the VBScript and JScript engine, which is included in Internet Explorer 7, is not affected by this vulnerability.
10/25/04
The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message.

Resolution
To use Internet Explorer securely, take the following steps:
(The vulnerabilities in IE 8, Beta 1 have not yet been patched)
(The response splitting and smuggling related to setRequestHeader() has not yet been patched)
(The file focus stealing vulnerability has not yet been patched)
(The stack overflow vulnerability has not yet been patched.)
(The document.open spoofing vulnerability has not yet been patched.)
Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021.
Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088)
Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864
Disable the Javaprxy.dll object
Disable the ADODB.Stream object
Disable the Shell.Explorer object

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669.

To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)

To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

Where can I read more about this?
For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.
For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021. Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604. The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581. Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure. Technical Details Service: netbios jscript.dll dated 2007-2-17, older than 2007-12-12 Internet Explorer VBScript and JScript memory reallocation vulnerability (MS11-031) Severity: Area of Concern CVE: CVE-2011-0663 Updated 03/12/13 CVE 1999-0662 Impact A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker. Background Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems. The Problems Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. 
In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability. Specifically: 04/12/11 CVE 2011-0663 MS11-031 fixed a memory reallocation vulnerability that could allow remote code execution. VBScript and JScript 5.6 (IE 6), 5.7 (IE 7) and 5.8 (IE 8 only) are vulnerable. Remote attackers could exploit this vulnerability by persuading target users to visit a specially crafted malicious web site. 04/14/08 Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections. 10/25/04 The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message. Resolution To use Internet Explorer securely, take the following steps: (The vulnerabilities in IE 8, Beta 1 have not yet been patched) (The response splitting and smuggling related to setRequestHeader() has not yet been patched) (The file focus stealing vulnerability has not yet been patched) (The stack overflow vulnerability has not yet been patched.) (The document.open spoofing vulnerability has not yet been patched.) Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021. 
Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088) Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864 Disable the Javaprxy.dll object Disable the ADODB.Stream object Disable the Shell.Explorer object Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2} Compatibility Flags = 400 (type dword, radix hex) To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037. Where can I read more about this? For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page. For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021. Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604. The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581. 
Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure. Technical Details Service: netbios jscript.dll dated 2007-2-17, older than 2011-2-14 Internet Explorer vulnerable VML version dated 2007-2-17 Severity: Area of Concern CVE: CVE-2007-1749 CVE-2011-1266 Updated 03/12/13 CVE 1999-0662 Impact A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker. Background Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems. The Problems Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability. Specifically: 06/14/11 CVE 2011-1266 A memory corruption vulnerability when processing Vector Markup Language (VML) allows command execution when an object that has not been initialized or has been deleted is accessed by Internet Explorer. 04/14/08 Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections. 08/14/07 CVE 2007-1749 A buffer overrun vulnerability in the Vector Markup Language (VML) implementation in Microsoft Windows could allow command execution by a specially crafted page loaded into Internet Explorer. 10/25/04 The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. 
In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message. Resolution To use Internet Explorer securely, take the following steps: (The vulnerabilities in IE 8, Beta 1 have not yet been patched) (The response splitting and smuggling related to setRequestHeader() has not yet been patched) (The file focus stealing vulnerability has not yet been patched) (The stack overflow vulnerability has not yet been patched.) (The document.open spoofing vulnerability has not yet been patched.) Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021. Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088) Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864 Disable the Javaprxy.dll object Disable the ADODB.Stream object Disable the Shell.Explorer object Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2} Compatibility Flags = 400 (type dword, radix hex) To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037. Where can I read more about this? For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page. 
For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021. Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604. The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581. Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure. Technical Details Service: netbios vgx.dll dated 2007-2-17, older than 2011-4-27 Jscript.dll buffer overflow vulnerability Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2009-1920 Impact A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker. Background Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems. The Problems Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability. 
Specifically: 09/09/09 CVE 2009-1920 A vulnerability (MS09-045) in JScript.dll 5.6, 5.7 and 5.8 has been identified that affects all versions of Internet Explorer up to and including Internet Explorer 8. Vulnerable systems include Windows 2000, Windows XP, Windows Server 2003, 2008 and Windows Vista. Windows 7 is not affected. 04/14/08 Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections. 02/14/07 (CVE 2006-4697 CVE 2007-0219) Microsoft Internet Explorer 5.01, 6, and 7 are vulnerable in the way IE instantiates, as ActiveX controls, COM objects that were never intended to be instantiated in IE. These COM objects come from Imjpcksid.dll, Msb1fren.dll, Htmlmm.ocx, and [...] A specially crafted web page could execute arbitrary code on the user's machine. These vulnerabilities and their patches were described in the February 2007 Microsoft Security Bulletin (MS07-016). 10/25/04 The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message. 
Resolution To use Internet Explorer securely, take the following steps: (The vulnerabilities in IE 8, Beta 1 have not yet been patched) (The response splitting and smuggling related to setRequestHeader() has not yet been patched) (The file focus stealing vulnerability has not yet been patched) (The stack overflow vulnerability has not yet been patched.) (The document.open spoofing vulnerability has not yet been patched.) Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021. Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088) Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864 Disable the Javaprxy.dll object Disable the ADODB.Stream object Disable the Shell.Explorer object Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2} Compatibility Flags = 400 (type dword, radix hex) To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037. Where can I read more about this? For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page. 
For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021. Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604. The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581. Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure. Technical Details Service: netbios jscript.dll dated 2007-2-17, older than 2009-6-1 Microsoft Vector Markup Language Remote Code Execution Vulnerability (MS13-010) Severity: Area of Concern CVE: CVE-2013-0030 Updated 03/12/13 CVE 1999-0662 Impact A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker. Background Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems. The Problems Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. 
In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability. Specifically: 02/12/13 CVE 2013-0030 MS13-010 fixed a vulnerability in the Microsoft implementation of Vector Markup Language (VML). The vulnerability could allow remote code execution if a user viewed a specially crafted webpage using Internet Explorer. 04/14/08 Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections. 10/25/04 The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message. Resolution To use Internet Explorer securely, take the following steps: (The vulnerabilities in IE 8, Beta 1 have not yet been patched) (The response splitting and smuggling related to setRequestHeader() has not yet been patched) (The file focus stealing vulnerability has not yet been patched) (The stack overflow vulnerability has not yet been patched.) (The document.open spoofing vulnerability has not yet been patched.) Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021. 
Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088) Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864 Disable the Javaprxy.dll object Disable the ADODB.Stream object Disable the Shell.Explorer object Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2} Compatibility Flags = 400 (type dword, radix hex) To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037. Where can I read more about this? For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page. For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021. Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604. The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581. 
Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure. Technical Details Service: netbios vgx.dll dated 2007-2-17, older than 2012-12-25 sapi.dll ActiveX vulnerability Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2007-0675 Impact A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker. Background Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems. The Problems Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability. Specifically: 06/11/08 (CVE 2007-0675) The June 2008 "Security Update of ActiveX kill bits" adds kill bits to stop specific instantiations of the vulnerable control (sapi.dll). The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. 04/14/08 Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections. 10/25/04 The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message. 
Resolution To use Internet Explorer securely, take the following steps: (The vulnerabilities in IE 8, Beta 1 have not yet been patched) (The response splitting and smuggling related to setRequestHeader() has not yet been patched) (The file focus stealing vulnerability has not yet been patched) (The stack overflow vulnerability has not yet been patched.) (The document.open spoofing vulnerability has not yet been patched.) Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021. Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088) Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864 Disable the Javaprxy.dll object Disable the ADODB.Stream object Disable the Shell.Explorer object Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2} Compatibility Flags = 400 (type dword, radix hex) To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037. Where can I read more about this? For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page. 
For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021. Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604. The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581. Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure. Technical Details Service: netbios HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{47206204-5eca-11d2-960f-00c04f8ee628}\Compatibility Flags is not 0x400 or HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3bee4890-4fe9-4a37-8c1e-5e7e12791c1f}\Compatibility Flags is not 0x400 Macrovision SafeDisc driver local privilege elevation Severity: Area of Concern CVE: CVE-2007-5587 Created 12/12/07 Impact A vulnerability in Macrovision SafeDisc allows arbitrary code to be executed by local users. Background Macrovision SafeDisc is used to validate the authenticity of games and prohibits copies being played on Windows. The Problems secdrv.sys local privilege elevation 12/12/07 CVE 2007-5587 Windows XP and 2003 have a local privilege elevation caused by incorrect handling of configuration parameters by secdrv.sys. 
Exploitation of this vulnerability allows for local users to receive administrator privileges. Resolution The secdrv.sys file should be updated through either Macrovision or Microsoft (XP/2003). Where can I read more about this? The secdrv.sys local privilege elevation was reported in MS07-067. Technical Details Service: netbios secdrv.sys dated 2006-3-22, older than 2007-11-10 Information disclosure vulnerability in .NET Framework Severity: Area of Concern CVE: CVE-2011-1978 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Information Disclosure Vulnerability fixed in MS11-069 08/09/11 CVE 2011-1978 MS11-069 resolved a socket restriction bypass vulnerability. The vulnerability arises because the .NET Framework fails to properly validate the trust level within the System.Net.Sockets namespace. Exploitation of this vulnerability could result in information disclosure or redirection of network traffic from the vulnerable system. Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. 
Technical Details Service: netbios system.dll dated 2005-9-23, older than 2011-4-26 MS11-028 Vulnerability in .NET Framework Could Allow Remote Code Execution Severity: Area of Concern CVE: CVE-2010-3958 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Remote Code Execution Vulnerability fixed in MS11-028 04/12/11 CVE 2010-3958 MS11-028 resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? 
For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios mscorlib.dll dated 2005-9-23, older than 2010-10-28 MS11-039 Vulnerability in .NET Framework Could Allow Remote Code Execution Severity: Area of Concern CVE: CVE-2011-0664 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Remote Code Execution Vulnerability fixed in MS11-039 06/14/11 CVE 2011-0664 The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. 
Technical Details Service: netbios system.dll dated 2005-9-23, older than 2011-1-16 MS11-044 Vulnerability in .NET Framework Could Allow Remote Code Execution Severity: Area of Concern CVE: CVE-2011-1271 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Remote Code Execution Vulnerability fixed in MS11-044 06/15/11 CVE 2011-1271 MS11-044 resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? 
For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios mscorlib.dll dated 2005-9-23, older than 2011-3-23 MS11-078 Vulnerability in .NET Framework Could Allow Remote Code Execution Severity: Area of Concern CVE: CVE-2011-1253 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Remote Code Execution Vulnerability fixed in MS11-078 10/11/11 CVE 2011-1253 MS11-078 resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios mscorlib.dll dated 2007-2-17, older than 2011-7-7 Microsoft .NET CLR virtual method delegate vulnerability Severity: Area of Concern CVE: CVE-2010-1898 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem CLR virtual method delegate vulnerability 08/10/10 CVE 2010-1898 MS10-060 resolves a vulnerability in the Microsoft .NET Framework 2.0 and 3.5 in the handling of CLR virtual method delegates. The vulnerability could allow command execution when a user loads a specially crafted web page.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios mscorlib.dll dated 2005-9-23, older than 2010-5-9 Microsoft .NET Common Language Runtime Could Allow Remote Code Execution Severity: Area of Concern CVE: CVE-2009-0090 CVE-2009-0091 CVE-2009-2497 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Common Language Runtime Remote Code Execution Vulnerability 10/14/09 CVE 2009-0090 CVE 2009-0091 CVE 2009-2497 MS09-061 resolves three vulnerabilities in Microsoft .NET Framework. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios mscorlib.dll dated 2007-2-17, older than 2008-5-27 Microsoft .NET Framework 1.1 privilege elevation vulnerabilities (MS13-004) Severity: Area of Concern CVE: CVE-2013-0001 CVE-2013-0002 CVE-2013-0004 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Privilege elevation vulnerabilities fixed in MS13-004 01/08/13 CVE 2013-0001 CVE 2013-0002 CVE 2013-0003 CVE 2013-0004 Microsoft Security Bulletin MS13-004 fixed four vulnerabilities in Microsoft .NET Framework 1.0, 1.1, 2.0, 3.5, 3.5.1, 4, and 4.5, including a System Drawing information disclosure vulnerability, a Windows Forms buffer overflow vulnerability, an S.DS.P buffer overflow vulnerability, and a double construction vulnerability.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios Mscorsvr.dll dated 2007-2-17, older than 2012-10-7 Microsoft .NET Framework 1.1 remote code execution vulnerability (MS12-074) Severity: Area of Concern CVE: CVE-2012-1895 CVE-2012-2519 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications.
The Problem Remote code execution vulnerabilities fixed in MS12-074 11/14/12 CVE 2012-1895 CVE 2012-1896 CVE 2012-2519 CVE 2012-4776 CVE 2012-4777 Microsoft Security Bulletin MS12-074 fixed five vulnerabilities in Microsoft .NET Framework 1.0, 1.1, 2.0, 3.5, 3.5.1, 4, and 4.5: the way that .NET Framework validates the permissions of certain objects performing reflection; the improper sanitization of output when a function is called from partially trusted code; the way that the .NET Framework handles the loading of DLL files; the way that the .NET Framework retrieves the default web proxy settings; and the way that the .NET Framework validates permissions for objects involved with reflection. Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios Mscorsvr.dll dated 2007-2-17, older than 2012-8-25 Microsoft .NET Framework 1.1 serialization vulnerabilities (MS12-035) Severity: Area of Concern CVE: CVE-2012-0160 CVE-2012-0161 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications.
The Problem Serialization Vulnerabilities fixed in MS12-035 05/08/12 CVE 2012-0160 CVE 2012-0161 Microsoft Security Bulletin MS12-035 fixed two vulnerabilities in Microsoft .NET Framework versions 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5 SP1, 3.5.1, and 4 due to improper serialization of untrusted input. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios Mscorsvr.dll dated 2007-2-17, older than 2011-12-22 Microsoft .NET Framework 2.0 remote code execution vulnerability (MS12-074) Severity: Area of Concern CVE: CVE-2012-1895 CVE-2012-1896 CVE-2012-2519 CVE-2012-4776 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications.
The Problem Remote code execution vulnerabilities fixed in MS12-074 11/14/12 CVE 2012-1895 CVE 2012-1896 CVE 2012-2519 CVE 2012-4776 CVE 2012-4777 Microsoft Security Bulletin MS12-074 fixed five vulnerabilities in Microsoft .NET Framework 1.0, 1.1, 2.0, 3.5, 3.5.1, 4, and 4.5: the way that .NET Framework validates the permissions of certain objects performing reflection; the improper sanitization of output when a function is called from partially trusted code; the way that the .NET Framework handles the loading of DLL files; the way that the .NET Framework retrieves the default web proxy settings; and the way that the .NET Framework validates permissions for objects involved with reflection. Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios System.dll dated 2005-9-23, older than 2012-8-28 Microsoft .NET Framework 2.0 serialization vulnerabilities (MS12-035) Severity: Area of Concern CVE: CVE-2012-0160 CVE-2012-0161 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications.
The Problem Serialization Vulnerabilities fixed in MS12-035 05/08/12 CVE 2012-0160 CVE 2012-0161 Microsoft Security Bulletin MS12-035 fixed two vulnerabilities in Microsoft .NET Framework versions 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5 SP1, 3.5.1, and 4 due to improper serialization of untrusted input. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios System.dll dated 2005-9-23, older than 2011-12-23 Microsoft .NET Framework Could Allow Tampering Severity: Area of Concern CVE: CVE-2009-0217 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Data Tampering Vulnerability 06/08/10 CVE 2009-0217 MS10-041 resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow data tampering of signed XML content without being detected.
In custom applications, the security impact depends on how the signed content is used in the specific application. Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios System.Security.dll dated 2007-2-17, older than 2010-3-3 Microsoft .NET Framework Parameter Validation Vulnerability (MS12-025) Severity: Area of Concern CVE: CVE-2012-0163 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Parameter Validation Vulnerability fixed in MS12-025 04/10/12 CVE 2012-0163 Microsoft Security Bulletin 12-025 fixes a remote code execution vulnerability in Microsoft .NET Framework. The vulnerability exists in the way that Microsoft .NET Framework validates parameters when passing data to a function. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios System.Drawing.dll dated 2007-2-17, older than 2012-1-18 Microsoft .NET Framework WinForms Callback Elevation vulnerability (MS13-015) Severity: Area of Concern CVE: CVE-2013-0073 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem WinForms Callback Elevation vulnerability fixed in MS13-015 02/12/13 CVE 2013-0073 Microsoft Security Bulletin MS13-015 fixed a vulnerability in Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.0 and 4.5. The vulnerability exists because the .NET Framework improperly elevates the permissions of a callback function when a particular Windows Forms object is created. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios system.design.dll dated 2005-9-23, older than 2012-12-5 Microsoft .NET Framework privilege elevation vulnerabilities (MS13-004) Severity: Area of Concern CVE: CVE-2013-0001 CVE-2013-0002 CVE-2013-0003 CVE-2013-0004 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Privilege elevation vulnerabilities fixed in MS13-004 01/08/13 CVE 2013-0001 CVE 2013-0002 CVE 2013-0003 CVE 2013-0004 Microsoft Security Bulletin MS13-004 fixed four vulnerabilities in Microsoft .NET Framework 1.0, 1.1, 2.0, 3.5, 3.5.1, 4, and 4.5, including a System Drawing information disclosure vulnerability, a Windows Forms buffer overflow vulnerability, an S.DS.P buffer overflow vulnerability, and a double construction vulnerability.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios System.dll dated 2005-9-23, older than 2012-10-1 Microsoft .NET Framework remote code execution vulnerability (MS12-038) Severity: Area of Concern CVE: CVE-2012-1855 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Remote code execution vulnerability fixed in MS12-038 06/12/12 CVE 2012-1855 Microsoft Security Bulletin MS12-038 fixed a vulnerability in Microsoft .NET Framework 2.0, 3.5.1 and 4.0. The vulnerability could allow command execution with the privileges of the logged-in user when a user loads a malicious web site or runs a malicious application.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios system.design.dll dated 2005-9-23, older than 2012-3-18 Microsoft .NET Framework unmanaged objects vulnerability (MS12-016) Severity: Area of Concern CVE: CVE-2012-0014 CVE-2012-0015 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Unmanaged Objects and Heap Corruption vulnerabilities 02/14/12 CVE 2012-0014 CVE 2012-0015 Microsoft Security Bulletin 12-016 fixed two vulnerabilities in Microsoft .NET Framework. The first is caused by improper use of unmanaged objects. The second is due to improper calculation of a buffer length. Both vulnerabilities could lead to remote code execution.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios system.dll dated 2005-9-23, older than 2011-10-24 vulnerabilities in .NET Framework (MS11-100) Severity: Area of Concern CVE: CVE-2011-3414 CVE-2011-3415 CVE-2011-3416 CVE-2011-3417 Updated 02/12/13 Impact On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain unauthorized access to configuration files. Background The .NET Framework is a programming model for building Windows applications. The Problem Multiple Vulnerabilities fixed in MS11-100 12/29/11 CVE 2011-3414 CVE 2011-3415 CVE 2011-3416 CVE 2011-3417 Microsoft Security Bulletin 11-100 fixed multiple vulnerabilities in the .NET Framework, including a denial of service vulnerability caused by hash table collisions, an insecure redirect in .NET form authentication, an authentication bypass vulnerability in ASP.NET forms, and an authentication ticket caching vulnerability in ASP.NET forms.
Resolution Install the patch referenced in Microsoft Security Bulletins: 10-041 (.NET Framework 1.0, 1.1, 3.5) 11-039 (Silverlight 4) 11-069 (.NET Framework 3.5) 11-044 (.NET Framework 2.0, 3.5, 4.0) 11-066 (.NET Framework 3.5, 4.0) 12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0) 12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0) 13-004 13-007 (.NET Framework 3.5, 3.5.1, 4.0) 13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5) Where can I read more about this? For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028, 11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004, 13-007, and 13-015. Technical Details Service: netbios system.web.dll dated 2007-2-17, older than 2011-12-23 Microsoft outlook ATL vulnerability (MS09-037) Severity: Area of Concern CVE: CVE-2008-0015 CVE-2008-0020 CVE-2009-0901 CVE-2009-2493 CVE-2009-2494 Updated 05/11/10 Impact A vulnerability could allow remote attackers to bypass security restrictions and execute remote code. Background Microsoft Outlook is a personal information manager which is part of the Microsoft Office suite. It is mainly used as an e-mail application. Microsoft Outlook Express is an e-mail application that is included as part of Microsoft Internet Explorer and Microsoft Windows. It is related to, but less capable than, Microsoft Outlook. The Problems Multiple ATL vulnerabilities 08/12/09 CVE 2008-0015 CVE 2008-0020 CVE 2009-0901 CVE 2009-2493 CVE 2009-2494 Microsoft security update MS09-037 fixes vulnerabilities in Microsoft Outlook Express that could allow an attacker to execute remote code. These vulnerabilities exist due to errors in the Microsoft Active Template Library (ATL). Resolution Apply the appropriate patch as indicated in Microsoft Security Bulletin MS10-030. Where can I read more about this? The multiple ATL vulnerabilities were reported in Microsoft Security Bulletin MS09-037.
Technical Details Service: netbios msoe.dll dated 2007-2-17, older than 2009-7-8 Outlook Express Could Allow Remote Code Execution (MS10-030) Severity: Area of Concern CVE: CVE-2010-0816 Updated 05/11/10 Impact A vulnerability could allow remote attackers to bypass security restrictions and execute remote code. Background Microsoft Outlook is a personal information manager which is part of the Microsoft Office suite. It is mainly used as an e-mail application. Microsoft Outlook Express is an e-mail application that is included as part of Microsoft Internet Explorer and Microsoft Windows. It is related to, but less capable than, Microsoft Outlook. The Problems Integer Overflow via POP3 or IMAP vulnerability 05/11/10 CVE 2010-0816 Microsoft Security Update MS10-030 fixes an integer overflow vulnerability in Microsoft Outlook Express. A remote attacker attempting to exploit this vulnerability would need to send specially crafted POP3/IMAP responses to trigger the vulnerability in the client mail program. The attacker could do this by (a) setting up a malicious e-mail server and manipulating the client to connect to this machine, possibly by DNS poisoning or social engineering; or (b) intercepting POP3/IMAP messages (man-in-the-middle attack). A remote attacker who is able to successfully exploit this vulnerability could gain the same user rights on the affected system as the logged-on user. Resolution Apply the appropriate patch as indicated in Microsoft Security Bulletin MS10-030. Where can I read more about this? The Integer Overflow via POP3 or IMAP vulnerability was reported in Microsoft Security Bulletin MS10-030. Technical Details Service: netbios msoe.dll dated 2007-2-17, older than 2010-1-31 Windows MHTML protocol handler vulnerability Severity: Area of Concern CVE: CVE-2008-1448 Updated 05/11/10 Impact A vulnerability could allow remote attackers to bypass security restrictions and execute remote code.
Background Microsoft Outlook is a personal information manager which is part of the Microsoft Office suite. It is mainly used as an e-mail application. Microsoft Outlook Express is an e-mail application that is included as part of Microsoft Internet Explorer and Microsoft Windows. It is related to, but less capable than, Microsoft Outlook. The Problems MHTML protocol handler component 08/13/08 CVE 2008-1448 Microsoft Security Update MS08-048 fixes a vulnerability in Microsoft Outlook Express. This vulnerability allows remote attackers to bypass security restrictions via crafted HTTP headers. Resolution Apply the appropriate patch as indicated in Microsoft Security Bulletin MS10-030. Where can I read more about this? The MHTML protocol handler component vulnerability was reported in Microsoft Security Bulletin MS08-048. Technical Details Service: registry SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB951066 not found fraudulent Comodo certificates not in disallowed store Severity: Area of Concern Updated 06/04/12 Impact A vulnerability on all supported releases of Microsoft Windows may be used to conduct spoofing attacks, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users, including users of Internet Explorer. Background On a computer running the Windows operating system, certificates are stored locally in a storage location called the certificate store. A certificate store holds numerous certificates issued by different certification authorities (CAs). The root certificate for the CA is installed in the Trusted Root Certification Authorities certificate store. The Problems Fraudulent Comodo certificates 05/27/11 There are nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store in all supported releases of Microsoft Windows.
These nine certificates had been signed on behalf of a third party without sufficiently validating its identity and therefore can be used to conduct spoofing attacks, perform phishing attacks, or allow man-in-the-middle attacks. Resolution For Fraudulent Comodo certificates, Microsoft has issued an update to address this issue. Where can I read more about this? The Fraudulent Comodo certificates vulnerability was reported in Microsoft Security Advisory 2524375. Technical Details Service: registry SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CEA586B2CE593EC7D939898337C57814708AB2BE not found fraudulent DigiNotar certificates not in disallowed store Severity: Area of Concern Updated 06/04/12 Impact A vulnerability on all supported releases of Microsoft Windows may be used to conduct spoofing attacks, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users, including users of Internet Explorer. Background On a computer running the Windows operating system, certificates are stored locally in a storage location called the certificate store. A certificate store holds numerous certificates issued by different certification authorities (CAs). The root certificate for the CA is installed in the Trusted Root Certification Authorities certificate store. The Problems Fraudulent DigiNotar certificates 10/07/11 All Microsoft operating systems from Windows XP to Windows 7 are affected by fraudulent certificates issued by multiple certificate authorities operated by DigiNotar.
Microsoft is aware of this issue and has provided an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

DigiNotar Root CA
DigiNotar Root CA G2
DigiNotar PKIoverheid CA Overheid
DigiNotar PKIoverheid CA Organisatie - G2
DigiNotar PKIoverheid CA Overheid en Bedrijven
DigiNotar Root CA Issued by Entrust (2 certificates)
DigiNotar Services 1024 CA Issued by Entrust
DigiNotar Cyber CA Issued by GTE CyberTrust (3 certificates)

Resolution
For Fraudulent DigiNotar certificates, Microsoft has issued an update to address this issue.

Where can I read more about this?
The Fraudulent DigiNotar certificates vulnerability was reported in Microsoft Security Advisory 2607712.

Technical Details
Service: registry
SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB and SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\40AA38731BD189F9CDB5B9DC35E2136F38777AF4 not found

fraudulent Enforced Licensing certificates not in disallowed store
Severity: Area of Concern
Updated 06/04/12

Impact
This vulnerability, present on all supported releases of Microsoft Windows, may be used to conduct spoofing attacks, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users, including users of Internet Explorer.

Background
On a computer running the Windows operating system, certificates are stored locally in a storage location called the certificate store. A certificate store holds numerous certificates issued by different certification authorities (CAs). The root certificate for the CA is installed in the Trusted Root Certification Authorities certificate store.
The Problems
Fraudulent Enforced Licensing Intermediate PCA and SHA1 certificates 06/04/12
Microsoft issued an update for all supported releases of Microsoft Windows to revoke the trust of the following intermediate CA certificates:

Microsoft Enforced Licensing Intermediate PCA (2 certificates)
Microsoft Enforced Licensing Registration Authority CA (SHA1)

The unauthorized digital certificates derived from a Microsoft Certificate Authority could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Resolution
For Fraudulent Enforced Licensing Intermediate PCA and SHA1 certificates, Microsoft has issued an update to address this issue.

Where can I read more about this?
The Fraudulent Enforced Licensing Intermediate PCA and SHA1 certificates were reported in Microsoft Security Advisory 2718704.

Technical Details
Service: registry
SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FA6660A94AB45F6A88C0D7874D89A863D74DEE97 not found

Telnet Authentication Reflection
Severity: Area of Concern
Updated 08/11/09
CVE: CVE-2009-1930

Impact
A remote user could execute arbitrary commands on the server, cause the telnet server to stop responding, or gain information that could be used in an attempt to find Guest accounts.

Background
Microsoft Windows 2000, XP, 2003, 2008, and Vista come with a telnet service. Similar to the telnet service on a Unix system, the Microsoft telnet service prompts a user to provide a login name and password. Following successful authentication, the server displays a shell prompt, allowing the user to run commands on the server. When a telnet session is initiated, the server creates a named pipe, which allows bi-directional communication between two processes. When the named pipe is created, any code associated with the pipe is executed.
The Problems
Microsoft Windows Telnet Credential Reflection 08/11/09 CVE 2009-1930
An attacker can craft a special request to the telnet server that will prompt any logged in administrator with an authentication box. If the logged in administrator enters their credentials they are reflected back to the attacker. An attacker can use this vulnerability to gain unauthorized access by generating a reverse shell.

Resolution
Apply the patches referenced in Microsoft Security Bulletins 09-042, 01-031 and 02-004.

Where can I read more about this?
For more information, see Microsoft Security Bulletins 09-042, 01-031 and 02-004.

Technical Details
Service: netbios
telnet.exe dated 2007-2-17, older than 2009-6-8

Insecure Library Loading in Outlook Express WAB.EXE Could Allow Remote Code Execution
Severity: Area of Concern
CVE: CVE-2010-3147
Updated 12/15/10
CVE 1999-0662

Impact
There are several vulnerabilities in e-mail clients, the most severe of which could allow a remote attacker to execute arbitrary commands by sending a specially crafted e-mail message.

Background
Microsoft Outlook is an e-mail client which also provides calendar, scheduling, contact management, and information sharing capabilities. Outlook Express is a free e-mail client based on Outlook.

The Problems
Insecure Library Loading in Outlook Express WAB.EXE Could Allow Remote Code Execution 12/15/10 CVE 2010-3147
Microsoft Security Update MS10-096 resolves an insecure library loading vulnerability in Windows Address Book that can lead to remote code execution. Successful exploitation requires an attacker to convince their victim to load the WAB.EXE file on a remote WebDAV or network drive.

Resolution
Install the patches referenced in Microsoft Security Bulletin 01-038 and 08-015 for Outlook. Also, for Outlook 2002, install the patches referenced in 02-067, 03-003, and 04-009, or Office XP service pack 3. For Outlook Express: Install the patches referenced in Microsoft Security Bulletin 07-034 and 07-056.
Windows XP users should also install patch 900930 for Outlook Express. The Windows Address Book patches are available in 10-096.

Where can I read more about this?
For more information, see Microsoft Security Bulletins 01-038, 02-058, 02-067, 03-003, 04-009, 04-013, 05-030, 06-003, 06-016, 06-043, 06-076, 07-003, 07-034, 07-056, 08-015, and 10-096, US-CERT Alert TA04-070A, and Microsoft Knowledge Base Article 900930.

Technical Details
Service: netbios
wab.exe dated 2007-2-17, older than 2010-10-10

Outlook Express vulnerable version, inetcomm.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2006-2111 CVE-2007-2225 CVE-2007-2227 CVE-2007-3897
Updated 12/15/10
CVE 1999-0662

Impact
There are several vulnerabilities in e-mail clients, the most severe of which could allow a remote attacker to execute arbitrary commands by sending a specially crafted e-mail message.

Background
Microsoft Outlook is an e-mail client which also provides calendar, scheduling, contact management, and information sharing capabilities. Outlook Express is a free e-mail client based on Outlook.

The Problems
Network News Transfer Protocol (NNTP) Memory Corruption 10/09/07 CVE 2007-3897
Microsoft Security Update MS07-056 fixed a memory corruption vulnerability in Outlook Express. This vulnerability in the processing of a malformed NNTP response on a web page can lead to remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Outlook Express vulnerabilities fixed by MS07-034 06/12/07 CVE 2006-2111 CVE 2007-2225 CVE 2007-2227
Microsoft Security Update MS07-034 fixed three information disclosure vulnerabilities in Outlook Express. These vulnerabilities in the MHTML protocol handler can be exploited by having the user go to a crafted web page from Outlook Express. Outlook Express 6 for XP and 2003 are vulnerable.

Resolution
Install the patches referenced in Microsoft Security Bulletin 01-038 and 08-015 for Outlook.
Also, for Outlook 2002, install the patches referenced in 02-067, 03-003, and 04-009, or Office XP service pack 3. For Outlook Express: Install the patches referenced in Microsoft Security Bulletin 07-034 and 07-056. Windows XP users should also install patch 900930 for Outlook Express. The Windows Address Book patches are available in 10-096.

Where can I read more about this?
For more information, see Microsoft Security Bulletins 01-038, 02-058, 02-067, 03-003, 04-009, 04-013, 05-030, 06-003, 06-016, 06-043, 06-076, 07-003, 07-034, 07-056, 08-015, and 10-096, US-CERT Alert TA04-070A, and Microsoft Knowledge Base Article 900930.

Technical Details
Service: netbios
Inetcomm.dll dated 2007-2-17, older than 2007-8-14

Elevation of Privilege Vulnerabilities in Windows Kerberos (MS11-013)
Severity: Area of Concern
CVE: CVE-2011-0043
Updated 10/09/12

Impact
A remote attacker with valid logon credentials could cause a denial of service and elevation of privilege.

Background
Kerberos is used to provide strong authentication and encryption between a client and a server. Kerberos is the default authentication protocol used by Windows operating systems beginning with Windows 2000.

The Problems
Kerberos Elevation of Privilege Vulnerabilities 02/08/11 CVE 2011-0043 CVE 2011-0091
Fixes vulnerabilities by preventing the use of weak hashing algorithms in both Windows Kerberos and Windows KDC and by preventing the client from downgrading the encryption standard to DES for Kerberos communication between client and server.

Resolution
Apply the fixes referenced in Microsoft Security Bulletins 05-042, 10-014, and 12-069.

Where can I read more about this?
These vulnerabilities were reported in Microsoft Security Bulletins 05-042, 10-014, 11-013, and 12-069.
Technical Details
Service: netbios
kerberos.dll dated 2007-2-17, older than 2010-12-15

Ancillary Function Driver Vulnerability (MS11-046)
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2011-1249

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Ancillary Function Driver
Description: Fixes a vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). A local user with valid login credentials could exploit this vulnerability to elevate privileges by executing a specially crafted application. (CVE 2011-1249)
Fix:
XP: 2503665, 2503665 (64-bit)
2003: 2503665, 2503665 (64-bit)
Vista: 2503665, 2503665 (64-bit)
2008: 2503665, 2503665 (64-bit)
Windows 7: 2503665, 2503665 (64-bit)
2008 R2: 2503665 (64-bit)
Bulletin: 11-046

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
afd.sys dated 2007-2-17, older than 2011-2-9

Ancillary Function Driver Vulnerability (MS11-080)
Severity: Area of Concern
Updated 03/12/13
CVE: CVE-2011-2005
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system.
The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Ancillary Function Driver
Description: Fixes a vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). A local user with valid login credentials could exploit this vulnerability to elevate privileges by executing a specially crafted application. (CVE 2011-2005)
Fix:
XP: 2592799, 2592799 (64-bit)
2003: 2592799, 2592799 (64-bit)
Bulletin: 11-080

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
afd.sys dated 2007-2-17, older than 2011-8-15

Blended threat privilege elevation vulnerability
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2008-2540

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Blended threat privilege elevation vulnerability
Description: Fixes a privilege elevation vulnerability in Windows 2000, XP, 2003, Vista, and 2008. The vulnerability exists due to a faulty SearchPath function used for locating and opening files on Windows. An attacker could exploit the vulnerability by enticing a user to download a crafted file to a specific location and then have them open an application that uses the file. (CVE 2008-2540)
Fix:
2000: 959426
XP: 959426 (32 bit), or 959426 (64 bit)
2003: 959426 (32 bit), 959426 (64 bit), or 959426 Itanium
Vista: 959426 (32 bit), or 959426 (64 bit)
2008: 959426 (32 bit), 959426 (64 bit), or 959426 Itanium
Bulletin: 09-015

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB959426 not found

DirectX MJPEG decompression remote code execution vulnerability
Severity: Area of Concern
CVE: CVE-2009-0084
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: DirectX MJPEG decompression remote code execution
Description: Corrects the way the DirectShow component of DirectX decompresses media files. (CVE 2009-0084)
Fix:
2000 (8.1): 961373
2000 (9.0->9.0c): 961373
XP: 32-bit: 961373, 64-bit: 96173
2003: 32-bit: 961373, 64-bit: 961373, Itanium: 961373
Bulletin: 09-011

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB961373 not found

DirectX SAMI-MJPEG parsing remote code execution for DirectX 9.0c
Severity: Area of Concern
CVE: CVE-2008-0011
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.
There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: DirectX SAMI-MJPEG Parsing Remote Code Execution
Description: Fixed vulnerabilities that could allow remote code execution parsing MJPEG and SAMI files. (CVE 2008-0011 CVE 2008-1444)
Fix:
2000: 951698
XP: 951698
2003: 951698
Vista: 951698
2008: 951698
Bulletin: 08-033

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB951698 not found

DirectX parsing remote code execution for DirectX 9.0c
Severity: Area of Concern
CVE: CVE-2007-3895
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: DirectX Parsing Remote Code Execution
Description: Fixed vulnerabilities that could allow remote code execution parsing SAMI, WAV or AVI files. (CVE 2007-3895 CVE 2007-3901)
Fix:
2000 (7.0): 941568
2000 (8.0): 941568
2000 (9.0c): 941568
XP: 941568
2003: 941568
Vista: 941568
Bulletin: 07-064

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB941568 not found

Elevation of Privilege Vulnerabilities in Windows (MS09-012)
Severity: Area of Concern
CVE: CVE-2008-1436 CVE-2009-0078 CVE-2009-0079
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Elevation of Privilege Vulnerabilities in Windows
Description: Fixes multiple privilege elevation vulnerabilities. (CVE 2008-4036 CVE 2008-1436 CVE 2009-0078 CVE 2009-0079 CVE 2009-0080)
Fix:
2000: 952004
XP: 952004
2003: 952004
Vista: 952004
2008: 952004
Bulletin: 08-064, 09-012

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
msdtcprx.dll dated 2007-2-17, older than 2008-7-23

Elevation of Privilege Vulnerabilities in Windows (MS10-015)
Severity: Area of Concern
CVE: CVE-2010-0232 CVE-2010-0233
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows kernel vulnerable version
Description: Fixes multiple vulnerabilities which allow authenticated users to elevate privileges on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. (CVE 2009-2515 CVE 2009-2516 CVE 2009-2517 CVE 2010-0232 CVE 2010-0233)
Fix:
2000: 977165
XP: 977165
2003: 977165
Vista: 977165
2008: 977165
Windows 7: 977165
Bulletin: 09-058, 10-015

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
ntoskrnl.exe dated 2007-2-17, older than 2009-12-14

Elevation of Privilege Vulnerabilities in Windows (MS11-062)
Severity: Area of Concern
CVE: CVE-2011-1974
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Elevation of Privilege Vulnerabilities in Windows (MS11-062)
Description: Fixes a vulnerability in Remote Access Service NDISTAPI driver. (CVE 2011-1974)
Fix: XP 2566454, 2566454 (64-bit); 2003 2566454, 2566454 (64-bit)
Bulletin: 11-062
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios ndistapi.sys dated 2007-2-17, older than 2011-7-6 Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution Severity: Area of Concern CVE: CVE-2010-3144 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution
Description: Fixes a vulnerability that could allow remote code execution if a user opens an .ins or .isp file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. (CVE 2010-3144)
Fix: XP: KB2443105; 2003: KB2443105
Bulletin: 10-097
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details Service: netbios isign32.dll dated 2007-2-17, older than 2010-11-18 Kernel-Mode Drivers vulnerabilities Severity: Area of Concern CVE: CVE-2011-0086 CVE-2011-0087 CVE-2011-0088 CVE-2011-0089 CVE-2011-0090 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Description: Fixes vulnerabilities which could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. (CVE 2011-0662 CVE 2011-0665 CVE 2011-0666 CVE 2011-0667 CVE 2011-0670 CVE 2011-0671 CVE 2011-0672 CVE 2011-0673 CVE 2011-0674 CVE 2011-0675 CVE 2011-0676 CVE 2011-0677 CVE 2011-1225 CVE 2011-1226 CVE 2011-1227 CVE 2011-1228 CVE 2011-1229 CVE 2011-1230 CVE 2011-1231 CVE 2011-1232 CVE 2011-1233 CVE 2011-1234 CVE 2011-1235 CVE 2011-1236 CVE 2011-1237 CVE 2011-1238 CVE 2011-1239 CVE 2011-1240 CVE 2011-1241 CVE 2011-1242) Also fixes five vulnerabilities which could allow elevation of privileges if an attacker logged on locally and was able to execute a specially crafted program. (CVE 2011-0086 CVE 2011-0087 CVE 2011-0088 CVE 2011-0089 CVE 2011-0090)
Fix: XP: KB2506223; 2003: KB2506223; Vista: KB2506223; 2008: KB2506223; Windows 7: KB2506223
Bulletin: 11-034, 11-012
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2010-12-30 MDAC ADO cachesize heap overflow (MS12-045) Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2012-1891 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: MDAC ADO cachesize heap overflow
Description: Microsoft Data Access Components (MDAC) ActiveX Data Objects (ADO) could allow command execution when parsing specially crafted XML code due to an attempt to access an uninitialized object. (CVE 2012-1891)
Fix: XP: 2698365; 2003: 2698365; Vista: 2698365; 2008: 2698365; 7: 2698365; 2008 R2: 2698365
Bulletin: 12-045
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios msado15.dll dated 2007-2-17, older than 2012-5-26 MHTML Mime-formatted information disclosure Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2011-1894 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs.
After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: MHTML Mime-formatted information disclosure (MS11-037)
Description: Fixes an information disclosure vulnerability in the way that MHTML protocol handler interprets MIME-formatted requests. (CVE 2011-1894)
Fix: XP 2544893, 2544893 (64-bit); 2003 2544893, 2544893 (64-bit); Vista 2544893, 2544893 (64-bit); 2008 2544893, 2544893 (64-bit); Windows 7 2544893, 2544893 (64-bit); 2008 R2 2544893 (64-bit)
Bulletin: 11-037
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios Inetcomm.dll dated 2007-2-17, older than 2011-10-8 MPEG 4 codec remote code execution vulnerability (MS10-062) Severity: Area of Concern CVE: CVE-2010-0818 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack.
Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: MPEG 4 remote code execution vulnerability
Description: Fixes a remote code execution vulnerability that exists due to the way the MPEG-4 codec handles supported format files. (CVE 2010-0818)
Fix: XP 975558; XP x64 975558; 2003 975558; 2003 x64 975558; Vista 975558; Vista x64 975558; 2008 975558; 2008 x64 975558
Bulletin: 10-062
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details Service: netbios mpg4ds32.ax dated 2006-3-22, older than 2010-3-28 MS Windows DirectPlay Heap Overflow Vulnerabilities (MS12-082) Severity: Area of Concern CVE: CVE-2012-1537 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. 
Update Name: Vulnerability in DirectPlay Could Allow Remote Code Execution
Description: Fixes a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to view a specially crafted Office document with embedded content. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. (CVE 2012-1537)
Fix: XP: KB2770660; 2003: KB2770660; Vista: KB2770660; 2008: KB2770660; 7: KB2770660; 2008 R2 (64 bit): KB2770660; Windows 8: KB2770660; 2012: KB2770660
Bulletin: 12-082
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios Dpnet.dll dated 2007-2-17, older than 2012-11-2 MS Windows Kernel-Mode Drivers Elevation of Privilege vulnerabilities (MS12-041) Severity: Area of Concern CVE: CVE-2012-1864 CVE-2012-1865 CVE-2012-1866 CVE-2012-1867 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack.
Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: MS Windows Kernel-Mode Drivers Elevation of Privilege vulnerabilities
Description: One publicly disclosed and one privately reported vulnerability exist in Microsoft Windows kernel-mode drivers which could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. (CVE 2012-1890 CVE 2012-1893) The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. (CVE 2012-1864 CVE 2012-1865 CVE 2012-1866 CVE 2012-1867 CVE 2012-1868) A vulnerability exists in kernel-mode drivers which, if exploited, could give an attacker the ability to execute arbitrary program code on the vulnerable computer. (CVE 2012-0157)
Fix: XP 32-bit: KB2718523; XP 64-bit: KB2718523; 2003 32-bit: KB2718523; 2003 64-bit: KB2718523; Vista 32-bit: KB2718523; Vista 64-bit: KB2718523; 2008 32-bit: KB2718523; 2008 64-bit: KB2718523; W7 32-bit: KB2718523; W7 64-bit: KB2718523; 2008 R2: KB2718523
Bulletin: 12-018, 12-041, 12-047
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2012-5-14 MS Windows Kernel-Mode Drivers Elevation of Privilege vulnerabilities (MS12-047) Severity: Area of Concern CVE: CVE-2012-1890 CVE-2012-1893 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: MS Windows Kernel-Mode Drivers Elevation of Privilege vulnerabilities
Description: One publicly disclosed and one privately reported vulnerability exist in Microsoft Windows kernel-mode drivers which could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. (CVE 2012-1890 CVE 2012-1893) The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. (CVE 2012-1864 CVE 2012-1865 CVE 2012-1866 CVE 2012-1867 CVE 2012-1868) A vulnerability exists in kernel-mode drivers which, if exploited, could give an attacker the ability to execute arbitrary program code on the vulnerable computer. (CVE 2012-0157)
Fix: XP 32-bit: KB2718523; XP 64-bit: KB2718523; 2003 32-bit: KB2718523; 2003 64-bit: KB2718523; Vista 32-bit: KB2718523; Vista 64-bit: KB2718523; 2008 32-bit: KB2718523; 2008 64-bit: KB2718523; W7 32-bit: KB2718523; W7 64-bit: KB2718523; 2008 R2: KB2718523
Bulletin: 12-018, 12-041, 12-047
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2012-6-11 MS Windows Kernel-Mode Drivers Elevation of Privilege vulnerabilities (MS13-016) Severity: Area of Concern CVE: CVE-2013-1248 CVE-2013-1249 CVE-2013-1250 CVE-2013-1251 CVE-2013-1252 CVE-2013-1253 CVE-2013-1254 CVE-2013-1255 CVE-2013-1256 CVE-2013-1257 CVE-2013-1258 CVE-2013-1259 CVE-2013-1260 CVE-2013-1261 CVE-2013-1262 CVE-2013-1263 CVE-2013-1264 CVE-2013-1265 CVE-2013-1266 CVE-2013-1267 CVE-2013-1268 CVE-2013-1269 CVE-2013-1270 CVE-2013-1271 CVE-2013-1272 CVE-2013-1273 CVE-2013-1274 CVE-2013-1275 CVE-2013-1276 CVE-2013-1277 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Kernel-Mode Driver Privilege Escalation Vulnerabilities
Description: This security update resolves 30 privately reported vulnerabilities in Microsoft Windows. These vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. (CVE 2013-1248 CVE 2013-1249 CVE 2013-1250 CVE 2013-1251 CVE 2013-1252 CVE 2013-1253 CVE 2013-1254 CVE 2013-1255 CVE 2013-1256 CVE 2013-1257 CVE 2013-1258 CVE 2013-1259 CVE 2013-1260 CVE 2013-1261 CVE 2013-1262 CVE 2013-1263 CVE 2013-1264 CVE 2013-1265 CVE 2013-1266 CVE 2013-1267 CVE 2013-1268 CVE 2013-1269 CVE 2013-1270 CVE 2013-1271 CVE 2013-1272 CVE 2013-1273 CVE 2013-1274 CVE 2013-1275 CVE 2013-1276 CVE 2013-1277)
Fix: XP: 2778344 (32 bit), 2778344 (64 bit); Server 2003: 2778344 (32 bit), 2778344 (64 bit); Vista: 2778344 (32 bit), 2778344 (64 bit); Server 2008: 2778344 (32 bit), 2778344 (64 bit); Windows 7: 2778344 (32 bit), 2778344 (64 bit); Server 2008 R2: 2778344 (64 bit)
Bulletin: 13-016
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2013-1-2 MS Windows Kernel-Mode Drivers Elevation of Privilege vulnerability (MS12-055) Severity: Area of Concern CVE: CVE-2012-2527 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. 
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Description: Fixes three vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. (CVE 2012-2530 CVE 2012-2553 CVE 2012-2897) Also fixes a “use after free” coding error. The error could allow an authenticated local user to raise his privileges to administrator (or potentially even kernel) levels. (CVE 2012-2527)
Fix: XP (32-bit): KB2761226; XP (64-bit): KB2761226; 2003 (32-bit): KB2761226; 2003 (64-bit): KB2761226; Vista (32-bit): KB2761226; Vista (64-bit): KB2761226; 2008 (32-bit): KB2761226; 2008 (64-bit): KB2761226; Win 7 (32-bit): KB2761226; Win 7 (64-bit): KB2761226; 2008 R2: KB2761226; Win 8 (32-bit): KB2761226; Win 8 (64-bit): KB2761226; 2012: KB2761226
Bulletin: 12-055, 12-075
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2012-7-1 MS Windows Kernel-Mode Drivers Font Parsing Vulnerabilities (MS12-078) Severity: Area of Concern CVE: CVE-2012-2556 CVE-2012-4786 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Microsoft Windows Kernel-Mode Drivers Font Parsing Vulnerabilities
Description: There are vulnerabilities in the handling of both “OpenType” and “TrueType” fonts, such that attempting to render characters from a specially-crafted malicious font file, even from a remote Web page, may give an attacker complete control of the victim's computer. (CVE 2012-2556, CVE 2012-4786)
Fix: KB2753842 (OT), KB2779030 (TT); XP: x86 (OT TT), x64 (OT TT); 2003: x86 (OT TT), x64 (OT TT), IA64 (OT TT); Vista: x86 (OT TT), x64 (OT TT); 2008: x86 (OT TT), x64 (OT TT), IA64 (OT TT); W7: x86 (OT TT), x64 (OT TT); 2008 R2: x64 (OT TT), IA64 (OT TT); W8: x86 (OT TT), x64 (OT TT); 2012: x64 (OT TT)
Bulletin: 12-078
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2012-11-11

MS Windows Kernel-Mode Drivers Remote Code Execution Vulnerability (MS12-008)
Severity: Area of Concern
CVE: CVE-2011-5046 CVE-2012-0154
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: MS Windows Kernel-Mode Drivers Remote Code Execution Vulnerability
Description: Two vulnerabilities exist in kernel-mode drivers which, if exploited, could give an attacker the ability to execute arbitrary program code on the vulnerable computer. (CVE 2011-5046, CVE 2012-0154)
Fix: KB2660465; XP: 32-bit, 64-bit; 2003: 32-bit, 64-bit, Itanium; Vista: 32-bit, 64-bit; 2008: 32-bit, 64-bit, Itanium; Win 7: 32-bit, 64-bit; 2008 R2: 64-bit, Itanium
Bulletin: 12-008
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2012-1-11

MS Windows Kernel-Mode Drivers Remote Code Execution Vulnerability (MS12-018)
Severity: Area of Concern
CVE: CVE-2012-0157
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: MS Windows Kernel-Mode Drivers Elevation of Privilege vulnerabilities
Description: One publicly disclosed and one privately reported vulnerability exist in Microsoft Windows kernel-mode drivers which could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. (CVE 2012-1890 CVE 2012-1893) The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. (CVE 2012-1864 CVE 2012-1865 CVE 2012-1866 CVE 2012-1867 CVE 2012-1868) A vulnerability exists in kernel-mode drivers which, if exploited, could give an attacker the ability to execute arbitrary program code on the vulnerable computer. (CVE 2012-0157)
Fix: XP 32-bit: KB2718523; XP 64-bit: KB2718523; 2003 32-bit: KB2718523; 2003 64-bit: KB2718523; Vista 32-bit: KB2718523; Vista 64-bit: KB2718523; 2008 32-bit: KB2718523; 2008 64-bit: KB2718523; W7 32-bit: KB2718523; W7 64-bit: KB2718523; 2008 R2: KB2718523
Bulletin: 12-018, 12-041, 12-047
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2012-1-31

MS Windows Kernel-Mode Drivers Remote Code Execution vulnerabilities (MS12-075)
Severity: Area of Concern
CVE: CVE-2012-2530 CVE-2012-2553 CVE-2012-2897
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack.
Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Description: Fixes three vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. (CVE 2012-2530 CVE 2012-2553 CVE 2012-2897) Also fixes a “use after free” coding error. The error could allow an authenticated local user to raise his privileges to administrator (or potentially even kernel) levels. (CVE 2012-2527)
Fix: XP (32-bit): KB2761226; XP (64-bit): KB2761226; 2003 (32-bit): KB2761226; 2003 (64-bit): KB2761226; Vista (32-bit): KB2761226; Vista (64-bit): KB2761226; 2008 (32-bit): KB2761226; 2008 (64-bit): KB2761226; Win 7 (32-bit): KB2761226; Win 7 (64-bit): KB2761226; 2008 R2: KB2761226; Win 8 (32-bit): KB2761226; Win 8 (64-bit): KB2761226; 2012: KB2761226
Bulletin: 12-055, 12-075
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2012-10-17

MS11-034 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Severity: Area of Concern
CVE: CVE-2011-0662 CVE-2011-0665 CVE-2011-0666 CVE-2011-0667 CVE-2011-0670 CVE-2011-0671 CVE-2011-0672 CVE-2011-0674 CVE-2011-0675 CVE-2011-0676 CVE-2011-0677 CVE-2011-1225 CVE-2011-1226 CVE-2011-1227 CVE-2011-1228 CVE-2011-1229 CVE-2011-1230 CVE-2011-1231 CVE-2011-1232 CVE-2011-1233 CVE-2011-1234 CVE-2011-1235 CVE-2011-1236 CVE-2011-1237 CVE-2011-1238 CVE-2011-1239 CVE-2011-1240 CVE-2011-1241 CVE-2011-1242
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack.
Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Description: Fixes vulnerabilities which could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. (CVE 2011-0662 CVE 2011-0665 CVE 2011-0666 CVE 2011-0667 CVE 2011-0670 CVE 2011-0671 CVE 2011-0672 CVE 2011-0673 CVE 2011-0674 CVE 2011-0675 CVE 2011-0676 CVE 2011-0677 CVE 2011-1225 CVE 2011-1226 CVE 2011-1227 CVE 2011-1228 CVE 2011-1229 CVE 2011-1230 CVE 2011-1231 CVE 2011-1232 CVE 2011-1233 CVE 2011-1234 CVE 2011-1235 CVE 2011-1236 CVE 2011-1237 CVE 2011-1238 CVE 2011-1239 CVE 2011-1240 CVE 2011-1241 CVE 2011-1242) Also fixes five vulnerabilities which could allow elevation of privileges if an attacker logged on locally and was able to execute a specially crafted program. (CVE 2011-0086 CVE 2011-0087 CVE 2011-0088 CVE 2011-0089 CVE 2011-0090)
Fix: XP: KB2506223; 2003: KB2506223; Vista: KB2506223; 2008: KB2506223; Windows 7: KB2506223
Bulletin: 11-034, 11-012
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2011-3-2

MS11-077 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Severity: Area of Concern
CVE: CVE-2011-1985 CVE-2011-2003 CVE-2011-2011
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows kernel multiple privilege elevation vulnerabilities fixed by MS11-077
Description: Fixes multiple vulnerabilities which could allow privilege elevation and this vulnerability could allow an attacker to run arbitrary code in kernel mode, then install programs; view, change, or delete data; or create new accounts with full administrative rights. (CVE 2011-1874, CVE 2011-1875, CVE 2011-1876, CVE 2011-1877, CVE 2011-1878, CVE 2011-1879, CVE 2011-1880, CVE 2011-1881, CVE 2011-1882, CVE 2011-1883, CVE 2011-1884, CVE 2011-1885, CVE 2011-1886, CVE 2011-1887, CVE 2011-1888, CVE 2011-1985, CVE 2011-2002, CVE 2011-2003, CVE 2011-2011.)
Fix: XP: KB2567053; 2003: KB2567053; Vista: KB2567053; 2008: KB2567053; Win 7: KB2567053
Bulletin: 11-054, 11-077
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2011-9-5

MS11-087 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Severity: Area of Concern
CVE: CVE-2011-3402
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows TrueType font parsing vulnerability
Description: Fixes a vulnerability in Windows Kernel-Mode Drivers that could allow privilege elevation and this vulnerability could allow an attacker to run arbitrary code in kernel mode, then install programs; view, change, or delete data; or create new accounts with full administrative rights. (CVE 2011-3402)
Fix: KB2639417; XP: 32-bit, 64-bit; 2003: 32-bit, 64-bit; Vista: 32-bit, 64-bit; 2008: 32-bit, 64-bit; Win 7: 32-bit, 64-bit; 2008 R2: 64-bit
Bulletin: 11-087
Update Name: Multiple vulnerabilities fixed by MS12-034
Description: MS12-034 fixed multiple vulnerabilities in Windows, Office, GDI+, .NET, and Silverlight. (CVE 2011-3402 CVE 2012-0159 CVE 2012-0165 CVE 2012-0167 CVE 2012-0180 CVE 2012-0181 CVE 2012-1848)
Fix: MS12-034
Bulletin: 12-034
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2011-11-20

MS12-001 Vulnerability in Windows Kernel Could Allow Security Feature Bypass
Severity: Area of Concern
CVE: CVE-2012-0001
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.
There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Kernel Security Feature Bypass Vulnerability
Description: Fixes a vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. (CVE 2012-0001)
Fix: 2003: KB2644615; Vista: KB2644615; 2008: KB2644615; Win 7: KB2644615
Bulletin: 12-001
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
ntdll.dll dated 2007-2-17, older than 2011-11-21

MS12-009 Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Severity: Area of Concern
CVE: CVE-2012-0148 CVE-2012-0149
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Ancillary Function Driver
Description: Fixes two vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities. (CVE 2012-0148 CVE 2012-0149)
Fix: XP x64 Edition: KB2645640; 2003: KB2645640; 2003 x64 Edition: KB2645640; Vista x64 Edition: KB2645640; 2008: KB2645640; Windows 7: KB2645640; 2008 R2: KB2645640
Bulletin: 12-009
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
afd.sys dated 2007-2-17, older than 2011-12-26

Microsoft AFD Kernel Overwrite vulnerability
Severity: Area of Concern
CVE: CVE-2008-3464
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack.
Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: AFD Kernel Overwrite vulnerability
Description: Fixes a privilege elevation vulnerability in the Ancillary Function Driver which occurs when passing data from user to kernel mode. (CVE 2008-3464)
Fix: XP: 956803; 2003: 956803
Bulletin: 08-066
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB956803 not found

Microsoft Active Accessibility Insecure Library Loading Vulnerability (MS11-075)
Severity: Area of Concern
CVE: CVE-2011-1247
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Microsoft Active Accessibility Insecure Library Loading Vulnerability
Description: A remote code execution vulnerability exists in the way that the Microsoft Active Accessibility component handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE 2011-1247)
Fix: XP: 2564958 (32-bit), 2564958 (64-bit); 2003: 2564958 (32-bit), 2564958 (64-bit); Vista: 2564958 (32-bit), 2564958 (64-bit); 2008: 2564958 (32-bit), 2564958 (64-bit); Win 7: 2564958 (32-bit), 2564958 (64-bit); 2008 R2: 2564958 (64-bit)
Bulletin: 11-075
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
Oleacc.dll dated 2007-2-17, older than 2011-9-24

Microsoft Agent URL parsing vulnerability
Severity: Area of Concern
CVE: CVE-2007-1205
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Agent URL parsing vulnerability
Description: Fixes a vulnerability in Microsoft Agent that allows remote code execution when reading a crafted URL (CVE 2007-1205)
Fix: 2000: 932168; XP: 932168; 2003: 932168
Bulletin: 07-020

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
agentdpv.dll dated 2007-2-17, older than 2007-3-10

Microsoft Data Access Component remote code execution (MS11-002)
Severity: Area of Concern
CVE: CVE-2011-0026 CVE-2011-0027
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft.
Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Data Access Component remote code execution (MS11-002)
Description: Fixes two vulnerabilities which could allow remote execution in the way it validates third-party API usage and memory allocation. (CVE 2011-0026 CVE 2011-0027)
Fix: XP: 2419632 (32-bit), 2419632 (64-bit); 2003: 2419635 (32-bit), 2419635 (64-bit); Vista: 2419640 (32-bit), 2419640 (64-bit); 2008: 2419640 (32-bit), 2419640 (64-bit); Windows 7: 2419640 (32-bit), 2419640 (64-bit); 2008 R2: 2419640 (64-bit)
Bulletin: 11-002

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
msadco.dll dated 2007-2-17, older than 2010-11-2

Microsoft DirectShow Quartz AVI buffer overflow
Severity: Area of Concern
CVE: CVE-2010-0250
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: DirectShow AVI buffer overflow
Description: Fixes vulnerabilities in DirectShow which could allow code execution when a user opens a crafted AVI file. (CVE 2010-0250)
Fix: 977914 and 975560
Bulletin: 10-013

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB975560 not found

Microsoft DirectShow QuickTime Movie Parsing Code Execution
Severity: Area of Concern
CVE: CVE-2009-1537 CVE-2009-1538 CVE-2009-1539
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft DirectShow QuickTime Movie Parsing Code Execution
Description: Fixes three vulnerabilities which could allow code execution when DirectShow parses Quicktime media files, validates pointer values and size fields. (CVE 2009-1537 CVE 2009-1538 CVE 2009-1539)
Fix: 2000: 971633; XP: 971633; 2003: 971633
Bulletin: 09-028

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB971633 not found

Microsoft Graphics Rendering Engine Thumbnail Image Stack Buffer Overflow
Severity: Area of Concern
CVE: CVE-2010-3970
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Graphics Rendering Engine Thumbnail Image Stack Buffer Overflow
Description: Fixes a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. (CVE 2010-3970)
Fix: XP: 2483185 (32-bit), 2483185 (64-bit); 2003: 2483185 (32-bit), 2483185 (64-bit), 2483185 (Itanium); Vista: 2483185 (32-bit), 2483185 (64-bit); 2008: 2483185 (32-bit), 2483185 (64-bit), 2483185 (Itanium)
Bulletin: 11-006

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
shimgvw.dll dated 2007-2-17, older than 2011-1-19

Microsoft Image Color Management System vulnerable version, mscms.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2008-2245
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Image Color Management System vulnerable version
Description: Fixes a vulnerability which could allow remote command execution on Windows 2000, Windows XP and Windows Server 2003. (CVE 2008-2245)
Fix: 2000: 952954; XP: 952954; 2003: 952954
Bulletin: 08-046

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
mscms.dll dated 2007-2-17, older than 2008-6-23

Microsoft Office ClickOnce Vulnerability (MS12-005)
Severity: Area of Concern
CVE: CVE-2012-0013
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft.
Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Office ClickOnce Vulnerability
Description: A remote code execution vulnerability exists in the Microsoft Office ClickOnce embedded application feature due to the way Windows validates package contents. (CVE 2012-0013)
Fix: XP: 2584146 (32-bit), 2584146 (64-bit); 2003: 2584146 (32-bit), 2584146 (64-bit); Vista: 2584146 (32-bit), 2584146 (64-bit); 2008: 2584146 (32-bit), 2584146 (64-bit); Windows 7: 2584146 (32-bit), 2584146 (64-bit); 2008 R2: 2584146 (64-bit)
Bulletin: 12-005

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
Packager.exe dated 2007-2-17, older than 2011-11-17

Microsoft Paint Integer Overflow vulnerability
Severity: Area of Concern
CVE: CVE-2010-0028
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Paint Integer Overflow vulnerability
Description: Fixes a remote code execution vulnerability if a user viewed a specially crafted JPEG image file using Microsoft Paint in Windows 2000, XP and Server 2003. An attacker who successfully exploited this vulnerability could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts. (CVE 2010-0028)
Fix: 2000: 978706; XP: 978706 (32-bit), 978706 (64-bit); 2003: 978706 (32-bit), 978706 (64-bit), 978706 (Itanium)
Bulletin: 10-005

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
mspaint.exe dated 2007-2-17, older than 2009-12-14

Microsoft Video ActiveX Control Stack Buffer Overflow
Severity: Area of Concern
CVE: CVE-2008-0015
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Video ActiveX Control Stack Buffer Overflow
Description: A buffer overflow vulnerability exists in Microsoft DirectShow. The flaw is due to the way Microsoft Video ActiveX Control parses image files. An attacker can persuade the target user to open a malicious web page to exploit this vulnerability. (CVE 2008-0015)
Fix: Video ActiveX Control: 972890
Bulletin: 09-032

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
msvidctl.dll dated 2007-2-17, older than 2007-2-19

Microsoft Windows DHTML remote code execution vulnerability (MS09-046)
Severity: Area of Concern
CVE: CVE-2009-2519
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: DHTML Editing Component ActiveX Control Vulnerability
Description: Fixes a remote code execution vulnerability in the DHTML Editing Component ActiveX Control brought on by users visiting a specially crafted web page. (CVE 2009-2519)
Fix: 2000: 956844; XP: 956844 (32-bit), 956844 (64-bit); 2003: 956844 (32-bit), 956844 (64-bit), 956844 (Itanium)
Bulletin: 09-046

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB956844 not found

Microsoft Windows OpenType CFF vulnerability (MS11-032)
Severity: Area of Concern
CVE: CVE-2011-0034
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows OpenType CFF vulnerability
Description: Fixes a vulnerability which could allow remote code execution in the way that the OpenType Font (OTF) driver improperly parses specially crafted OpenType fonts. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE 2011-0034)
Fix: XP: 2507618, 2507618 (64-bit); 2003: 2507618, 2507618 (64-bit); Vista: 2507618, 2507618 (64-bit); 2008: 2507618, 2507618 (64-bit); Windows 7: 2507618, 2507618 (64-bit); 2008 R2: 2507618 (64-bit)
Bulletin: 11-032

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
atmfd.dll dated 2007-2-17, older than 2011-2-12

Microsoft Windows OpenType Compact Font Format driver Remote Code Execution Vulnerability
Severity: Area of Concern
CVE: CVE-2011-0033
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: OpenType Font format driver remote code execution
Description: Fixes three vulnerabilities which could allow remote command execution on Windows Vista, 2008, and 7, and privilege elevation on earlier operating systems. (CVE 2010-3956 CVE 2010-3957 CVE 2010-3959) Also fixes a vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. (CVE 2011-0033)
Fix: XP: KB2485376; 2003: KB2485376; Vista: KB2485376; 2008: KB2485376; Windows 7: KB2485376
Bulletin: 10-091, 11-007

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
atmfd.dll dated 2007-2-17, older than 2011-1-7

Microsoft Windows Shell remote code execution vulnerability, shell32.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2010-2568 CVE-2012-0175
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft Windows Shell Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Windows Shell, a component of Microsoft Windows. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability is most likely to be exploited through removable drives. (CVE 2010-2568)
Fix: XP: 2286198; 2003: 2286198; Vista: 2286198; 2008: 2286198; 7: 2286198; 2008 R2: 2286198
Bulletin: 10-046

Update Name: Microsoft Windows Shell Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Windows Shell, a component of Microsoft Windows. The vulnerability exists because Windows incorrectly handles files and directories with specially crafted names. Attackers can use this vulnerability to gain complete control of the system if a user is logged on with administrative user rights. (CVE 2012-0175)
Fix: XP: 2691442; 2003: 2691442; Vista: 2691442; 2008: 2691442; 7: 2691442; 2008 R2: 2691442
Bulletin: 12-048

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
shell32.dll dated 2007-2-17, older than 2012-6-6

Microsoft Windows vulnerable version, msconv97.dll dated 2006-3-22
Severity: Area of Concern
CVE: CVE-2009-2506
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: WordPad and Text converters remote code execution
Description: Fixes Microsoft WordPad and Microsoft Office text converters memory corruption. (CVE 2008-4841 CVE 2009-0087 CVE 2009-0235 CVE 2009-2506)
Fix: 2000: 973904; XP: 973904; 2003: 973904
Bulletin: 09-010, 09-073

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
msconv97.dll dated 2006-3-22, older than 2009-7-28

Microsoft XML Core Services vulnerable version dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2007-0099 CVE-2007-2223 CVE-2008-4029 CVE-2008-4033 CVE-2010-2561 CVE-2012-1889 CVE-2013-0006 CVE-2013-0007
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.
There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Microsoft XML Core Services remote code execution
Description:
Fixes a vulnerability in the XML Core services which allowed for remote code execution on processing of a crafted file. (CVE 2007-2223)
Fixes a vulnerability in Microsoft XML Core Services 3.0 which allows command execution when a user loads a specially crafted HTML page. (CVE 2010-2561)
Fixes multiple vulnerabilities which could allow code execution when XML content is parsed. (CVE 2007-0099 CVE 2008-4029 CVE 2008-4033)
Fixes a vulnerability in the XML Core services which allowed for remote code execution if a user views a specially crafted webpage using Internet Explorer. (CVE 2012-1889 CVE 2013-0006 CVE 2013-0007)
Bulletin: 07-042, 08-069, 10-051, 12-043, 13-002
Fix:
Windows XP Service Pack 3, Microsoft XML Core Services 4.0:KB2758694
Windows XP Service Pack 3, Microsoft XML Core Services 6.0:KB2757638
Windows XP Professional x64 Edition Service Pack 2, Microsoft XML Core Services 3.0:KB2757638
Windows XP Professional x64 Edition Service Pack 2, Microsoft XML Core Services 4.0:KB2758694
Windows XP Professional x64 Edition Service Pack 2, Microsoft XML Core Services 6.0:KB2758696
Windows Server 2003 Service Pack 2, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2003 Service Pack 2, Microsoft XML Core Services 6.0:KB2758696
Windows Server 2003 x64 Edition Service Pack 2, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2003 x64 Edition Service Pack 2, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2003 x64 Edition Service Pack 2, Microsoft XML Core Services 6.0:KB2758696
Windows Server 2003 with SP2 for Itanium-based Systems, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2003 with SP2 for Itanium-based Systems, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2003 with SP2 for Itanium-based Systems, Microsoft XML Core Services 6.0:KB2758696
Windows Vista Service Pack 2, Microsoft XML Core Services 4.0:KB2758694
Windows Vista Service Pack 2, Microsoft XML Core Services 6.0:KB2757638
Windows Vista x64 Edition Service Pack 2, Microsoft XML Core Services 3.0:KB2757638
Windows Vista x64 Edition Service Pack 2, Microsoft XML Core Services 4.0:KB2758694
Windows Vista x64 Edition Service Pack 2, Microsoft XML Core Services 6.0:KB2757638
Windows Server 2008 for 32-bit Systems Service Pack 2, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2008 for 32-bit Systems Service Pack 2, Microsoft XML Core Services 6.0:KB2757638
Windows Server 2008 for x64-based Systems Service Pack 2, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2008 for x64-based Systems Service Pack 2, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2008 for x64-based Systems Service Pack 2, Microsoft XML Core Services 6.0:KB2757638
Windows Server 2008 for Itanium-based Systems Service Pack 2, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2008 for Itanium-based Systems Service Pack 2, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2008 for Itanium-based Systems Service Pack 2, Microsoft XML Core Services 6.0:KB2757638
Windows 7 for 32-bit Systems, Microsoft XML Core Services 4.0:KB2758694
Windows 7 for 32-bit Systems, Microsoft XML Core Services 6.0:KB2757638
Windows 7 for 32-bit Systems Service Pack 1, Microsoft XML Core Services 4.0:KB2758694
Windows 7 for 32-bit Systems Service Pack 1, Microsoft XML Core Services 6.0:KB2757638
Windows 7 for x64-based Systems, Microsoft XML Core Services 3.0:KB2757638
Windows 7 for x64-based Systems, Microsoft XML Core Services 4.0:KB2758694
Windows 7 for x64-based Systems, Microsoft XML Core Services 6.0:KB2757638
Windows 7 for x64-based Systems Service Pack 1, Microsoft XML Core Services 3.0:KB2757638
Windows 7 for x64-based Systems Service Pack 1, Microsoft XML Core Services 4.0:KB2758694
Windows 7 for x64-based Systems Service Pack 1, Microsoft XML Core Services 6.0:KB2757638
Windows Server 2008 R2 for x64-based Systems, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2008 R2 for x64-based Systems, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2008 R2 for x64-based Systems, Microsoft XML Core Services 6.0:KB2757638
Windows Server 2008 R2 for x64-based Systems Service Pack 1, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2008 R2 for x64-based Systems Service Pack 1, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2008 R2 for x64-based Systems Service Pack 1, Microsoft XML Core Services 6.0:KB2757638
Windows Server 2008 R2 for Itanium-based Systems, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2008 R2 for Itanium-based Systems, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2008 R2 for Itanium-based Systems, Microsoft XML Core Services 6.0:KB2757638
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Microsoft XML Core Services 6.0:KB2757638
Windows 8 for 32-bit Systems, Microsoft XML Core Services 4.0:KB2758694
Windows 8 for 32-bit Systems, Microsoft XML Core Services 6.0:KB2757638
Windows 8 for 64-bit Systems, Microsoft XML Core Services 3.0:KB2757638
Windows 8 for 64-bit Systems, Microsoft XML Core Services 4.0:KB2758694
Windows 8 for 64-bit Systems, Microsoft XML Core Services 6.0:KB2757638
Windows Server 2012, Microsoft XML Core Services 3.0:KB2757638
Windows Server 2012, Microsoft XML Core Services 4.0:KB2758694
Windows Server 2012, Microsoft XML Core Services 6.0:KB2757638

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
msxml3.dll dated 2007-2-17, older than 2012-6-4

Multiple GDI vulnerabilities fixed by MS07-017
Severity: Area of Concern
CVE: CVE-2006-5586 CVE-2006-5758 CVE-2007-0038 CVE-2007-1211 CVE-2007-1212 CVE-2007-1213 CVE-2007-1215
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Multiple GDI vulnerabilities fixed by MS07-017
Description: Multiple vulnerabilities in parts of the Graphic Design Interface including remote code execution. (CVE 2006-5586 CVE 2006-5758 CVE 2007-0038 CVE 2007-1211 CVE 2007-1212 CVE 2007-1213 CVE 2007-1215)
Fix: 2000: 925902; XP: 925902; 2003: 925902; Vista: 925902
Bulletin: 07-017

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB925902 not found

Object Linking and Embedding Vulnerability (MS11-093)
Severity: Area of Concern
CVE: CVE-2011-3400
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them.
It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Object Linking and Embedding (OLE) Vulnerability
Description: Fixes an error in the handling of OLE objects in compound documents. An attacker could leverage this bug to corrupt memory and gain control of execution over the target system. (CVE 2011-3400)
Fix: XP 2624667; 2003 2624667
Bulletin: 11-093

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
ole32.dll dated 2007-2-17, older than 2011-10-30

OpenType Font format driver remote code execution
Severity: Area of Concern
CVE: CVE-2010-3956 CVE-2010-3957 CVE-2010-3959
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack.
Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: OpenType Font format driver remote code execution
Description: Fixes three vulnerabilities which could allow remote command execution on Windows Vista, 2008, and 7, and privilege elevation on earlier operating systems. (CVE 2010-3956 CVE 2010-3957 CVE 2010-3959) Also fixes a vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. (CVE 2011-0033)
Fix: XP: KB2485376; 2003: KB2485376; Vista: KB2485376; 2008: KB2485376; Windows 7: KB2485376
Bulletin: 10-091, 11-007

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
atmfd.dll dated 2007-2-17, older than 2010-10-26

Over-the-network SMB packet vulnerabilities in Windows system (MS10-054)
Severity: Area of Concern
CVE: CVE-2010-2550 CVE-2010-2551 CVE-2010-2552
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Over-the-network SMB packet vulnerabilities in Windows
Description: Fixes 3 vulnerabilities announced in Microsoft bulletin MS10-054, the most critical of which could allow remote code execution. (CVE 2010-2550 CVE 2010-2551 CVE 2010-2552)
Fix: XP: 982214; 2003: 982214; Vista: 982214; 2008: 982214; 7: 982214; 2008 R2: 982214
Bulletin: 10-054

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
srv.sys dated 2007-2-17, older than 2010-6-16

Shell32.dll Windows URI handling Remote Code Execution
Severity: Area of Concern
CVE: CVE-2007-3896
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Shell32.dll Windows URI handling Remote Code Execution
Description: Fixes vulnerability in Windows URI handling that can lead to remote code execution. (CVE 2007-3896)
Fix: XP: 943460; 2003: 943460
Bulletin: 07-061

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB943460 not found

Uniscribe Font Parsing Engine Memory Corruption (MS10-063)
Severity: Area of Concern
CVE: CVE-2010-2738
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Uniscribe Font Parsing Engine Memory Corruption
Description: Fixes a memory corruption vulnerability that exists because Windows and Office incorrectly parse specific font types. The vulnerability could allow remote code execution if a user viewed a specially crafted document or Web page with an application that supports embedded OpenType fonts.
(CVE 2010-2738)
Fix: XP: 981322 (32-bit), 981322 (64-bit); 2003: 981322 (32-bit), 981322 (64-bit), 981322 (Itanium); Vista: 981322 (32-bit), 981322 (64-bit); 2008: 981322 (32-bit), 981322 (64-bit), 981322 (Itanium); Office XP: 2288608; Office 2003: 2288613; 2007 Office Suite: 2288621
Bulletin: 10-063

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
usp10.dll dated 2007-2-17, older than 2010-4-18

Vulnerabilities in SChannel could allow Remote Code Execution
Severity: Area of Concern
CVE: CVE-2009-3555 CVE-2010-2566
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Vulnerabilities in SChannel could allow Remote Code Execution
Description: Fixes two vulnerabilities in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. (CVE 2009-3555 CVE 2010-2566)
Fix: XP: 980436; 2003: 980436; Vista: 980436; 2008: 980436; Windows 7: 980436; 2008 R2: 980436
Bulletin: 10-049

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
Schannel.dll dated 2007-2-17, older than 2010-6-10

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (MS11-054)
Severity: Area of Concern
CVE: CVE-2011-1874 CVE-2011-1875 CVE-2011-1876 CVE-2011-1877 CVE-2011-1878 CVE-2011-1879 CVE-2011-1880 CVE-2011-1881 CVE-2011-1882 CVE-2011-1883 CVE-2011-1884 CVE-2011-1885 CVE-2011-1886 CVE-2011-1887 CVE-2011-1888
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows kernel multiple privilege elevation vulnerabilities fixed by MS11-077
Description: Fixes multiple vulnerabilities which could allow privilege elevation and this vulnerability could allow an attacker to run arbitrary code in kernel mode, then install programs; view, change, or delete data; or create new accounts with full administrative rights. (CVE 2011-1874, CVE 2011-1875, CVE 2011-1876, CVE 2011-1877, CVE 2011-1878, CVE 2011-1879, CVE 2011-1880, CVE 2011-1881, CVE 2011-1882, CVE 2011-1883, CVE 2011-1884, CVE 2011-1885, CVE 2011-1886, CVE 2011-1887, CVE 2011-1888, CVE 2011-1985, CVE 2011-2002, CVE 2011-2003, CVE 2011-2011.)
Fix: XP: KB2567053, 2003: KB2567053, Vista: KB2567053, 2008: KB2567053, Win 7: KB2567053
Bulletin: 11-054, 11-077
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2011-5-31

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (MS13-027)
Severity: Area of Concern
CVE: CVE-2013-1285 CVE-2013-1286 CVE-2013-1287
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Kernel-Mode Drivers Elevation of Privilege vulnerabilities
Description: Three privately reported vulnerabilities in Microsoft Windows kernel-mode drivers could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
(CVE 2013-1285 CVE 2013-1286 CVE 2013-1287)
Fix: XP 32-bit: KB2807986, XP 64-bit: KB2807986, 2003 32-bit: KB2807986, 2003 64-bit: KB2807986, Vista 32-bit: KB2807986, Vista 64-bit: KB2807986, 2008 32-bit: KB2807986, 2008 64-bit: KB2807986, W7 32-bit: KB2807986, W7 64-bit: KB2807986, 2008 R2: KB2807986, W8 32-bit: KB2807986, W8 64-bit: KB2807986, 2012: KB2807986
Bulletin: 13-027
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
usb8023.sys dated 2007-2-17, older than 2013-2-10

Vulnerability in TLS Could Disclose Information (MS12-049)
Severity: Area of Concern
CVE: CVE-2012-1870
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Vulnerability in TLS Could Disclose Information
Description: Fixes a vulnerability which could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. (CVE 2012-1870)
Fix: XP: 2655992 (32-bit), 2655992 (64-bit); 2003: 2655992 (32-bit), 2655992 (64-bit); Vista: 2655992 (32-bit), 2655992 (64-bit); 2008: 2655992 (32-bit), 2655992 (64-bit); Win 7: 2655992 (32-bit), 2655992 (64-bit); 2008 R2: 2655992 (64-bit)
Bulletin: 12-049
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
Schannel.dll dated 2007-2-17, older than 2012-6-2

Vulnerability in the OpenType Compact Font Format Driver Could Allow Elevation of Privilege
Severity: Area of Concern
CVE: CVE-2010-0819 CVE-2010-2740 CVE-2010-2741
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Vulnerability in the OpenType Compact Font Format Driver Could Allow Elevation of Privilege
Description: Fixes a vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow elevation of privilege if a user views content rendered in a specially crafted CFF font.
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. (CVE 2010-0819 CVE 2010-2740 CVE 2010-2741)
Fix: 2000: 980218 (Note: Windows 2000 is past its maintenance window); XP: 2279986 (32-bit), 2279986 (64-bit); 2003: 2279986 (32-bit), 2279986 (64-bit), 2279986 (Itanium); Vista: 980218; 2008: 980218; Windows 7: 980218
Bulletin: 10-037, 10-078 (supersedes 10-037 on XP and 2003)
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
atmfd.dll dated 2007-2-17, older than 2010-8-26

Vulnerable ActiveX Control enabled (MS11-090)
Severity: Area of Concern
Updated 03/12/13 CVE 1999-0662
CVE: CVE-2011-3397
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system.
The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Multiple ActiveX Control vulnerabilities
Description: Fixes multiple vulnerabilities in Windows Data Analyzer ActiveX Control and Internet Explorer 8 Development Tools ActiveX Control that could allow an attacker to execute arbitrary code. (CVE 2010-0252 CVE 2010-0811)
Fix: ActiveX: 980195
Bulletin: 10-034
Update Name: Multiple ActiveX Control vulnerabilities
Description: Fixes multiple vulnerabilities in the Microsoft Time ActiveX Control that could allow an attacker to gain the same privileges as the logged on user. (CVE 2011-3397)
Fix: KB2618451 XP: 32-bit, 64-bit; 2003: 32-bit, 64-bit, Itanium; Vista: 32-bit, 64-bit; 2008: 32-bit, 64-bit, Itanium; Win 7: 32-bit, 64-bit; 2008 R2: 64-bit, Itanium
Bulletin: 11-090
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: registry
Kill bit not set for Class ID 33FDA1EA-80DF-11d2-B263-00A0C90D6111

Win32 API parameter validation vulnerability
Severity: Area of Concern
Updated 03/12/13 CVE 1999-0662
CVE: CVE-2007-2219
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Win32 API parameter validation vulnerability
Description: Fixes a vulnerability which could allow command execution by a specially crafted web site. (CVE 2007-2219)
Fix: 2000: 935839, XP: 935839, 2003: 935839
Bulletin: 07-035
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB935839 not found

Windows 2003 GDI vulnerable version, gdi32.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2008-1083 CVE-2008-1087 CVE-2008-2249 CVE-2008-3465
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows GDI remote code execution
Description: Fixes several vulnerabilities: (1) stack overflow vulnerability in the way Graphics Device Interface (GDI) handles filename parameters in EMF image files; (CVE 2008-1087) (2) heap overflow vulnerability in the way GDI handles integer calculations; (CVE 2008-1083) (3) remote code execution vulnerability in the way that GDI handles integer calculations; (CVE 2008-2249) (4) remote code execution vulnerability in the way that GDI handles file size parameters in WMF files. (CVE 2008-3465)
Fix: 2000: 956802, XP: 956802, 2003: 956802, Vista: 956802, 2008: 956802
Bulletin: 08-071, 08-021
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
gdi32.dll dated 2007-2-17, older than 2008-10-22

Windows ASN1 spoofing vulnerability
Severity: Area of Concern
Updated 03/12/13 CVE 1999-0662
CVE: CVE-2009-2510 CVE-2009-2511
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows ASN1 spoofing vulnerability
Description: Fixes vulnerabilities in Windows CryptoAPI component when parsing ASN.1. (CVE 2009-2510 CVE 2009-2511)
Fix: 2000: 974571, XP: 974571, XP (64-bit): 974571, 2003: 974571, 2003 (64-bit): 974571, Vista: 974571
Bulletin: 09-056
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB974571 not found

Windows Authenticode Signature Verification (MS10-019) version, wintrust.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2010-0486
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs.
After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Authenticode Verification
Description: Fixes vulnerabilities which could allow remote code execution when a user modifies an existing signed executable file. (CVE 2010-0486 CVE 2010-0487)
Fix: For Authenticode Signature Verification: 2000 978601, XP 978601, XP x64 978601, 2003 978601, 2003 x64 978601, Vista 978601, Vista x64 978601, 2008 978601, 2008 x64 978601, Windows 7 978601, Windows 7 x64 978601, 2008 R2 x64 978601. For Cabinet File Viewer: 2000 979309, XP 979309, XP x64 979309, 2003 979309, 2003 x64 979309, Vista 979309, Vista x64 979309, 2008 979309, 2008 x64 979309, Windows 7 979309, Windows 7 x64 979309, 2008 R2 x64 979309
Bulletin: 10-019
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
wintrust.dll dated 2007-2-17, older than 2009-12-21

Windows Authenticode Signature Verification (MS12-024)
Severity: Area of Concern
CVE: CVE-2012-0151
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications.
There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Authenticode Signature Verification function bypass
Description: The WinVerifyTrust function improperly validates the signature of an executable file, allowing for the potential execution of untrusted code. (CVE 2012-0151)
Fix: XP: KB2653956, 2003: KB2653956, Vista: KB2653956, Win 7: KB2653956, 2008: KB2653956, 2008 R2: KB2653956
Bulletin: 12-024
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
wintrust.dll dated 2007-2-17, older than 2012-2-27

Windows Briefcase remote code execution vulnerabilities (MS12-072), synceng.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2012-1527 CVE-2012-1528
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Microsoft Windows Briefcase remote code execution vulnerabilities
Description: Fixes two privately reported vulnerabilities by modifying the way that Microsoft Windows handles a specially crafted briefcase. (CVE 2012-1527 CVE 2012-1528)
Fix: XP: 2727528 (32 bit), 2727528 (64 bit); 2003: 2727528 (32 bit), 2727528 (64 bit); Vista: 2727528 (32 bit), 2727528 (64 bit); 2008: 2727528 (32 bit), 2727528 (64 bit); 7: 2727528 (32 bit), 2727528 (64 bit); 2008 R2: 2727528 (64 bit); 8: 2727528 (32 bit), 2727528 (64 bit); 2012: 2727528 (32 bit)
Bulletin: 12-072
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
synceng.dll dated 2007-2-17, older than 2012-9-24

Windows CSRSS (MS11-010) vulnerable version, csrsrv.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2011-0030
Updated 03/12/13 CVE 1999-0662
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack.
Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Elevation of Privilege Description Vulnerability in Windows CSRSS could Allow Elevation of Privilege. (CVE 2011-0030) Fix XP:2476687 XP:2476687 (64-bit) 2003:2476687 2003:2476687 (64-bit) Bulletin 11-010 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios csrsrv.dll dated 2007-2-17, older than 2010-12-7 Windows CSRSS (MS11-056) vulnerable version, winsrv.dll dated 2007-2-17 Severity: Area of Concern CVE: CVE-2011-1281 CVE-2011-1282 CVE-2011-1283 CVE-2011-1284 CVE-2011-1870 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. 
Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Elevation of Privilege Description Vulnerability in Windows CSRSS could Allow Elevation of Privilege.
(CVE 2011-1281 CVE 2011-1282 CVE 2011-1283 CVE 2011-1284 CVE 2011-1870) Fix XP:2507938 XP:2507938 (64-bit) 2003:2507938 2003:2507938 (64-bit) Vista:2507938 Vista:2507938 (64-bit) 2008:2507938 2008:2507938 (64-bit) Windows 7:2507938 Windows 7:2507938 (64-bit) 2008 R2:2507938 (64-bit) Bulletin 11-056 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios winsrv.dll dated 2007-2-17, older than 2011-4-26 Windows CSRSS (MS11-063) vulnerable version, winsrv.dll dated 2007-2-17 Severity: Area of Concern CVE: CVE-2011-1967 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows CSRSS Privilege Escalation Vulnerability Description Fixes a local privilege escalation vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS). Authenticated users may be able to execute code under the context of other users. (CVE 2011-1967) Fix XP 2567680, 2567680 (64-bit) 2003 2567680, 2567680 (64-bit) Vista 2567680, 2567680 (64-bit) 2008 2567680, 2567680 (64-bit) Windows 7 2567680, 2567680 (64-bit) 2008 R2 2567680 (64-bit) Bulletin 11-063 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios winsrv.dll dated 2007-2-17, older than 2011-6-14 Windows CSRSS (MS11-097) vulnerable version, csrsrv.dll dated 2007-2-17 Severity: Area of Concern CVE: CVE-2011-3408 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Elevation of Privilege Description Vulnerability in Windows CSRSS could Allow Elevation of Privilege. (CVE 2011-3408) Fix XP:2620712 XP:2620712 (64-bit) 2003:2620712 2003:2620712 (64-bit) Vista:2620712 Vista:2620712 (64-bit) 2008:2620712 2008:2620712 (64-bit) Windows 7:2620712 Windows 7:2620712 (64-bit) 2008 R2:2620712 (64-bit) Bulletin 11-097 Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios csrsrv.dll dated 2007-2-17, older than 2011-10-24 Windows CSRSS (MS12-003) vulnerable version Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2012-0005 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. 
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows CSRSS Privilege Escalation Vulnerability Description Fixes a local privilege escalation vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS). Authenticated users may be able to execute code under the context of other users. (CVE 2012-0005) Fix XP 2646524 2003 2646524 Vista 2646524 2008 2646524 Bulletin 12-003 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios winsrv.dll dated 2007-2-17, older than 2011-11-27 Windows CSRSS Local (MS10-011) vulnerable version, csrsrv.dll dated 2007-2-17 Severity: Area of Concern CVE: CVE-2010-0023 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack.
Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name CSRSS Local Privilege Elevation Description Fixes a vulnerability in Client/Server Run-time Subsystem (CSRSS). (CVE 2010-0023) Fix 2000: 978037 XP: 978037, 978037 (64-bit) 2003: 978037, 978037 (64-bit) Bulletin 10-011 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios csrsrv.dll dated 2007-2-17, older than 2009-12-13 Windows CSRSS remote code execution Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2006-6696 CVE-2006-6797 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows CSRSS remote code execution Description Fixes vulnerabilities in the Windows Client/Server Run-time Subsystem (CSRSS) that include remote code execution. (CVE 2006-6696 CVE 2006-6797 CVE 2007-1209) Fix 2000: 930178 XP: 930178 2003: 930178 Vista: 930178 Bulletin 07-021 Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios winsrv.dll dated 2007-2-17, older than 2007-3-19 Windows Cabinet File Viewer (MS10-019) version, cabview.dll dated 2007-2-17 Severity: Area of Concern CVE: CVE-2010-0487 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. 
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Authenticode Verification Description Fixes vulnerabilities which could allow remote code execution when a user modifies an existing signed executable file. (CVE 2010-0486 CVE 2010-0487) Fix For Authenticode Signature Verification: 2000 978601 XP 978601 XP x64 978601 2003 978601 2003 x64 978601 Vista 978601 Vista x64 978601 2008 978601 2008 x64 978601 Windows 7 978601 Windows 7 x64 978601 2008 R2 x64 978601 For Cabinet File Viewer: 2000 979309 XP 979309 XP x64 979309 2003 979309 2003 x64 979309 Vista 979309 Vista x64 979309 2008 979309 2008 x64 979309 Windows 7 979309 Windows 7 x64 979309 2008 R2 x64 979309 Bulletin 10-019 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios cabview.dll dated 2007-2-17, older than 2010-1-11 Windows Client Server Runtime Subsystem Could Allow Elevation of Privilege Severity: Area of Concern CVE: CVE-2010-1891 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege Description Fixes a vulnerability which could allow elevation of privilege if an attacker logged on to an affected system that is configured with a Chinese, Japanese, or Korean system locale. An attacker who successfully exploited this vulnerability could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE 2010-1891) Fix XP: KB2121546 2003: KB2121546 Bulletin 10-069 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details Service: netbios winsrv.dll dated 2007-2-17, older than 2010-6-20 Windows DNS Client Spoofing vulnerability (MS08-037) Severity: Area of Concern CVE: CVE-2008-1447 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. 
Update Name Windows DNS Client Spoofing vulnerability Description Fixes a vulnerability in the Windows DNS client. This vulnerability could allow a remote unauthenticated attacker to quickly and reliably spoof responses and insert records into the client cache, thereby redirecting Internet traffic. (CVE 2008-1447) Fix 2000: 951748 XP: 951748 2003: 951748 Bulletin 08-037 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios dnsapi.dll dated 2007-2-17, older than 2008-6-19 Windows DNS Resolution Vulnerability Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2011-0657 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows DNS Resolution Vulnerability Description Fixes a vulnerability in the DNS client which could allow remote code execution if an attacker is able to deliver specially crafted LLMNR broadcast packets to the target system. (CVE 2011-0657) Fix XP: 2509553 (32-bit), 2509553 (64-bit) 2003: 2509553 (32-bit), 2509553 (64-bit), Vista: 2509553 (32-bit), 2509553 (64-bit), 2008: 2509553 (32-bit), 2509553 (64-bit), Windows 7: 2509553 (32-bit), 2509553 (64-bit), 2008 R2 SP1: 2509553 (64-bit) Bulletin 11-030 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios dnsapi.dll dated 2007-2-17, older than 2011-3-1 Windows DNS Spoofing vulnerability Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2008-0087 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows DNS Spoofing Attack vulnerability Description Fixes a vulnerability in the Windows DNS client that leads to a lack of entropy in the randomness of the choice of transaction IDs which could allow an attacker to send malicious responses to DNS requests. (CVE 2008-0087) Fix 2000: 945553 XP: 945553 2003: 945553 Vista: 945553 Bulletin 08-020 Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios dnsapi.dll dated 2007-2-17, older than 2008-2-14 Windows DirectShow AVI Filter buffer overflow Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2010-0250 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: DirectShow AVI buffer overflow
Description: Fixes vulnerabilities in DirectShow which could allow code execution when a user opens a crafted AVI file. (CVE 2010-0250)
Fix: 977914 and 975560
Bulletin: 10-013
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios avifil32.dll dated 2007-2-17, older than 2009-11-24 Windows DirectShow Media Decompression vulnerability (MS13-011) Severity: Area of Concern CVE: CVE-2013-0077 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system.
The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows DirectShow Media Decompression vulnerability fixed by MS13-011
Description: Fixes a vulnerability which could allow remote code execution if a user opens a specially crafted media file (such as an .mpg file), opens a Microsoft Office document (such as a .ppt file) that contains a specially crafted embedded media file, or receives specially crafted streaming content. (CVE 2013-0077)
Fix: XP: 2780091 (32-bit), 2780091 (64-bit); 2003: 2780091 (32-bit), 2780091 (64-bit); Vista: 2780091 (32-bit), 2780091 (64-bit); 2008: 2780091 (32-bit), 2780091 (64-bit)
Bulletin: 13-011
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios quartz.dll dated 2007-2-17, older than 2012-12-31 Windows DirectShow media file parsing vulnerability (MS12-004) Severity: Area of Concern CVE: CVE-2012-0004 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Multimedia Library MIDI Vulnerability
Description: Fixes a vulnerability in the way that Windows Multimedia Library parses MIDI files. Windows Multimedia Library is used by applications such as Windows Media Player to work with audio and video. An attacker who convinces a user to open a specially crafted MIDI file could run arbitrary code in the context of the current user. (CVE 2012-0003)
Fix: XP: 2628259 (Windows XP Media Center Edition 2005), 2598479 (32-bit), 2598479 (64-bit); 2003: 2598479 (32-bit), 2598479 (64-bit); Vista: 2598479 (32-bit), 2598479 (64-bit); 2008: 2598479 (32-bit), 2598479 (64-bit)
Bulletin: 12-004
Update Name: Windows DirectShow media file parsing vulnerability
Description: Fixes a vulnerability in the way that Windows DirectShow (a component of Windows DirectX) handles media files. An attacker who convinces a user to open a specially crafted media file could run arbitrary code in the context of the current user. (CVE 2012-0004)
Fix: XP: 2631813 (32-bit), 2631813 (64-bit); 2003: 2631813 (32-bit), 2631813 (64-bit); Vista: 2631813 (32-bit), 2631813 (64-bit), 2628642 (32-bit), 2628642 (64-bit); 2008: 263183 (32-bit), 2603381 (64-bit); 7: 263183 (32-bit), 263183 (64-bit); 2008R2: 263183
Bulletin: 12-004
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios qdvd.dll dated 2007-2-17, older than 2011-11-1 Windows Embedded OpenType Font Engine vulnerabilities Severity: Area of Concern CVE: CVE-2009-0231 CVE-2009-0232 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Embedded OpenType Font Engine vulnerabilities
Description: Fixes a vulnerability allowing command execution when a user opens a file or web page containing Embedded OpenType fonts. (CVE 2009-0231 CVE 2009-0232)
Fix: 2000: 961371; XP: 961371; 2003: 961371; Vista: 961371; 2008: 961371
Bulletin: 09-029
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details Service: netbios fontsub.dll dated 2007-2-17, older than 2009-6-13 Windows Fax Cover Page Remote Code Execution Vulnerability (MS11-024) Severity: Area of Concern CVE: CVE-2010-3974 CVE-2010-4701 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. 
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Fax Cover Page Remote Code Execution Vulnerability (MS11-024)
Description: Fixes a vulnerability in Windows Fax Cover Page Editor which improperly parses malformed cover pages. Successful exploitation could give the attacker the same privileges as the logged on user. (CVE 2010-3974 CVE 2010-4701)
Fix: XP 32-bit: 2491683 and 2506212; XP 64-bit: 2491683 and 2506212; 2003 32-bit: 2491683 and 2506212; 2003 64-bit: 2491683 and 2506212; Vista 32-bit: 2491683 and 2506212; Vista 64-bit: 2491683 and 2506212; 2008 32-bit: 2491683 and 2506212; 2008 64-bit: 2491683 and 2506212; Windows 7 32-bit: 2491683 and 2506212; Windows 7 64-bit: 2491683 and 2506212; 2008 R2: 2491683 and 2506212
Bulletin: 11-024
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios mfc42.dll dated 2007-2-17, older than 2011-3-9 Windows Help and Support Center trusted document whitelist bypass (MS10-042) Severity: Area of Concern CVE: CVE-2010-1885 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Help and Support Center trusted document whitelist bypass
Description: The MPC:HexToNum function in helpctr.exe in Windows Help and Support Center on Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, thereby allowing a remote attacker to bypass the trusted documents whitelist and execute arbitrary commands if a user is enticed to open a specially crafted hcp:// URL. (CVE 2010-1885)
Fix: XP: KB2229593; XP Pro x64: KB2229593; 2003: KB2229593; 2003 x64: KB2229593; 2003 Itanium: KB2229593
Bulletin: 10-042
Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2229593 not found Windows IME vulnerable to library injection (MS11-071) Severity: Area of Concern CVE: CVE-2011-1991 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows IME Library Injection Vulnerability
Description: An insecure library loading vulnerability exists in several Windows components. An attacker may exploit this vulnerability by placing a malicious library file (DLL) in the same folder as documents with the following extensions: .txt, .rft, .doc. (CVE 2011-1991)
Fix: XP: 2570947 (32-bit), 2570947 (64-bit); 2003: 2570947 (32-bit), 2570947 (64-bit); Vista: 2570947 (32-bit), 2570947 (64-bit); 2008: 2570947 (32-bit), 2570947 (64-bit); Windows 7: 2570947 (32-bit), 2570947 (64-bit); 2008 R2: 2570947 (64-bit)
Bulletin: 11-071
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: registry SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2570947 not found Windows ISATAP Component spoofing vulnerability (MS10-029) Severity: Area of Concern CVE: CVE-2010-0812 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows ISATAP Component spoofing vulnerability
Description: Fixes a spoofing vulnerability which exists in the Microsoft Windows IPv6 stack due to the way that Windows checks the inner packet's IPv6 source address in a tunneled ISATAP packet. (CVE 2010-0812)
Fix: XP: 978338, 978338 (64-bit); 2003: 978338, 978338 (64-bit), 978338 (Itanium); Vista: 978338, 978338 (64-bit); 2008: 978338, 978338 (64-bit), 978338 (Itanium)
Bulletin: 10-029
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details Service: netbios tcpip6.sys dated 2007-2-17, older than 2010-2-8 Windows Internet Authentication Service vulnerabilities Severity: Area of Concern CVE: CVE-2009-3677 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. 
Update Name: Windows Internet Authentication Service vulnerabilities
Description: Fixes vulnerabilities in the Windows PEAP and MS-CHAPv2 protocol implementations, which could lead to remote code execution in Windows 2008, privilege elevation in other server operating systems, and potential vulnerabilities in workstations. (CVE 2009-2505 CVE 2009-3677)
Fix: 2000: 974318; XP: 974318; 2003: 974318; Vista: 974318; 2008: 974318
Bulletin: 09-071
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios rastls.dll dated 2007-2-17, older than 2009-10-6 Windows Kernel privilege elevation (ms07-022) vulnerability Severity: Area of Concern CVE: CVE-2007-1206 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows Kernel privilege elevation vulnerability
Description: Fixes a vulnerability that allows an attacker who has successfully logged into the system to take control of a host. Note: Different than MS05-055 and MS06-049. (CVE 2007-1206)
Fix: 2000: 931784; XP: 931784; 2003: 931784
Bulletin: 07-022
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios Ntoskrnl.exe dated 2007-2-17, older than 2007-3-3 Windows Kernel-Mode Drivers vulnerability (MS12-034) Severity: Area of Concern CVE: CVE-2012-0180 CVE-2012-1848 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft.
Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Multiple vulnerabilities fixed by MS12-034
Description: MS12-034 fixed multiple vulnerabilities in Windows, Office, GDI+, .NET, and Silverlight. (CVE 2011-3402 CVE 2012-0159 CVE 2012-0165 CVE 2012-0167 CVE 2012-0180 CVE 2012-0181 CVE 2012-1848)
Fix: MS12-034
Bulletin: 12-034
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2012-4-9 Windows LPC Elevation of Privilege vulnerability (MS10-084) Severity: Area of Concern CVE: CVE-2010-3222 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows LPC Elevation of Privilege vulnerability
Description: Fixes a vulnerability that could allow elevation of privilege if an attacker logs on to an affected system and runs specially crafted code that sends an LPC message to the local LRPC Server. (CVE 2010-3222)
Fix: XP: 2360937, 2360937 (64-bit); 2003: 2360937, 2360937 (64-bit), 2360937 (Itanium)
Bulletin: 10-084
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios rpcrt4.dll dated 2007-2-17, older than 2010-8-14 Windows LSASS IPSEC Denial-of-Service Vulnerability Severity: Area of Concern CVE: CVE-2009-3675 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows LSASS IPSEC Denial-of-Service Vulnerability Description Fixes a vulnerability in the Local Security Authority Subsystem Service (LSASS) which could allow a denial of service. (CVE 2009-3675) Fix 2000: 974392 2003: 974392 (32-bit), 974392 (64-bit), 974392 (Itanium) XP: 974392 (32-bit), 974392 (64-bit) Bulletin 09-069 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios oakley.dll dated 2007-2-17, older than 2009-10-6 Windows LSASS length validation vulnerability Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2011-0039 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. 
Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows LSASS length validation vulnerability Description Fixes a privilege elevation vulnerability which could allow an authenticated user to take complete control of the system. (CVE 2011-0039) Fix XP: 2478960 2003: 2478960 Bulletin 11-014 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. 
Technical Details Service: netbios lsasrv.dll dated 2007-2-17, older than 2010-12-18 Windows LSASS vulnerability Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2007-5352 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. 
Update Name Windows LSASS vulnerability Description Fixes a vulnerability that could allow an attacker to gain elevated privileges. (CVE 2007-5352) Fix 2000: 943485 XP: 943485 2003: 943485 Bulletin 08-002 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios lsasrv.dll dated 2007-2-17, older than 2007-11-6 Windows MHTML script injection vulnerability (MS11-026) Severity: Area of Concern CVE: CVE-2011-0096 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. 
It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows MHTML Script Injection Vulnerability Description Fixes a vulnerability which could allow an attacker to run MIME-formatted MHTML requests in the wrong security context. This may result in an information disclosure, similar to a cross-site scripting attack. (CVE 2011-0096) Fix XP: 2503658 (32-bit), 2503658 (64-bit) 2003: 2503658 (32-bit), 2503658 (64-bit) Vista: 2503658 (32-bit), 2503658 (64-bit) 2008: 2503658 (32-bit), 2503658 (64-bit) Win 7: 2503658 (32-bit), 2503658 (64-bit) 2008 R2: 2503658 (64-bit) Bulletin 11-026 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios Inetcomm.dll dated 2007-2-17, older than 2011-3-5 Windows MPEG Layer-3 Audio Decoder vulnerable version, l3codecx.ax dated 2006-3-22 Severity: Area of Concern CVE: CVE-2010-1882 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. 
There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Description Fix Bulletin Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. 
Technical Details Service: netbios l3codecx.ax dated 2006-3-22, older than 2010-6-13 Windows MPEG layer 3 codec vulnerable version, l3codecx.ax dated 2006-3-22 Severity: Area of Concern CVE: CVE-2010-0480 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. 
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows MPEG layer 3 codec vulnerable Description Fixes remote code execution vulnerability in MPEG Layer-3 codecs. (CVE 2010-0480) Fix 2000: 977816, XP: 977816 (32-bit), 977816 (64-bit), 2003: 977816 (32-bit), 977816 (64-bit), Vista: 977816 (32-bit), 977816 (64-bit), 2008: 977816 (32-bit), 977816 (64-bit) Bulletin 10-026 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios l3codecx.ax dated 2006-3-22, older than 2010-1-31 Windows Media Format ASF file parsing vulnerability Severity: Area of Concern CVE: CVE-2007-0064 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. 
The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Media Format ASF file parsing vulnerability Description Fixes a vulnerability allowing command execution when Windows Media Player or Media Services processes malformed content. (CVE 2007-0064) Fix Windows Media Format: 941569 Windows Media Services: 944275 Bulletin 07-068 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: registry KB941569 not installed Windows Media Player ASX Playlist Parsing Buffer Overflow Severity: Area of Concern CVE: CVE-2006-4702 CVE-2006-6134 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. 
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Media Format ASX Parsing Buffer Overflow Description Fixes vulnerabilities in Windows Media Format which could allow command execution when parsing ASF and ASX files. (CVE 2006-4702 CVE 2006-6134) Fix 2000: 923689 or 925398 (WMP 6.4) XP: 923689 or 925398 (WMP 6.4) 2003: 923689 or 925398 (WMP 6.4) Bulletin 06-078 Where can I read more about this? 
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios SOFTWARE\Microsoft\Updates\Windows Media Player 6.4\SP0\KB925398_WMP64 not found Windows Media Player Memory Corruption Vulnerability (MS10-082) Severity: Area of Concern CVE: CVE-2010-2745 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. 
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Memory Corruption Vulnerability in Windows Media Player 9.x, 10.x, 11.x Description Fixes a memory corruption vulnerability in Windows Media Player (WMP). The vulnerability can be triggered if an attacker is able to entice their victim into opening specially crafted media content from a malicious web site. A successful attack would result in the attacker executing code in the context of the logged in user. (CVE 2010-2745) Fix XP: 2378111 (WMP 9, 10 or 11) XP 64-bit: 2378111 (WMP 10) or 2378111 (WMP 11) 2003 SP2: 2346411 (WMP 10) 2003 SP2 64-bit: 2346411 (WMP 10) Vista SP1 and SP2: 2346411 (WMP 11) Vista SP1 and SP2 64-bit: 2346411 (WMP 11) 2008 and SP2: 2346411 (WMP 11) 2008 and SP2 64-bit: 2346411 (WMP 11) 7: 2346411 (WMP 12) 7 64-bit: 2346411 (WMP 12) 2008 R2 64-bit: 2346411 (WMP 12) Bulletin 10-082 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios wmp.dll dated 2007-2-17, older than 2010-8-28 Windows Media Player Skin parsing and decompression remote code execution Severity: Area of Concern CVE: CVE-2007-3035 CVE-2007-3037 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. 
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Media Player Skin parsing and decompression remote code execution Description Fixes a vulnerability in Windows Media Player which could allow command execution when a user opens a media file with a malformed skin. (CVE 2007-3035 CVE 2007-3037) Fix 936782 Bulletin 07-047 Where can I read more about this? 
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB936782 not found Windows Media decompression vulnerabilities Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2010-1879 CVE-2010-1880 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. 
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Media decompression vulnerabilities Description Fixes multiple vulnerabilities in DirectX, Windows Media Format and Encoder, and Asycfilt.dll allowing command execution when invalid compression data in media files is processed. (CVE 2010-1879 CVE 2010-1880) Fix 10-033 (KB975562 superseded by MS13-011 on Windows XP and Windows Server 2003) Bulletin 10-033 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios asycfilt.dll dated 2007-2-17, older than 2010-3-3 Windows Multimedia Library MIDI vulnerability (MS12-004) Severity: Area of Concern CVE: CVE-2012-0003 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. 
Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Multimedia Library MIDI Vulnerability Description Fixes a vulnerability in the way that Windows Multimedia Library parses MIDI files. Windows Multimedia Library is used by applications such as Windows Media Player to work with audio and video. An attacker who convinces a user to open a specially crafted MIDI file could run arbitrary code in the context of the current user. (CVE 2012-0003) Fix XP: 2628259 (Windows XP Media Center Edition 2005), 2598479 (32-bit), 2598479 (64-bit) 2003: 2598479 (32-bit), 2598479 (64-bit) Vista: 2598479 (32-bit), 2598479 (64-bit) 2008: 2598479 (32-bit), 2598479 (64-bit) Bulletin 12-004 Update Name Windows DirectShow media file parsing vulnerability Description Fixes a vulnerability in the way that Windows DirectShow (a component of Windows DirectX) handles media files. An attacker who convinces a user to open a specially crafted media file could run arbitrary code in the context of the current user. (CVE 2012-0004) Fix XP: 2631813 (32-bit), 2631813 (64-bit) 2003: 2631813 (32-bit), 2631813 (64-bit) Vista: 2631813 (32-bit), 2631813 (64-bit), 2628642 (32-bit), 2628642 (64-bit) 2008: 263183 (32-bit), 2603381 (64-bit) 7: 263183 (32-bit), 263183 (64-bit) 2008R2: 263183 Bulletin 12-004 
Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios winmm.dll dated 2007-2-17, older than 2011-10-12 Windows OLE Automation Underflow vulnerability (MS11-038) Severity: Area of Concern CVE: CVE-2011-0658 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. 
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows OLE Automation Heap Overrun
Description: Fixes a heap-based buffer overflow in Object Linking and Embedding (OLE) automation that could allow remote attackers to execute arbitrary code via a crafted request. (CVE 2007-0065)
Fix:
  2000: 943055
  XP: 943055
  2003: 943055
  Vista: 943055
Bulletin: 08-008

Update Name: Windows OLE Automation Underflow vulnerability (MS11-038)
Description: Fixes a remote code execution vulnerability in OLE Automation. (CVE 2011-0658)
Fix:
  XP: 2476490, 2476490 (64-bit)
  2003: 2476490, 2476490 (64-bit)
  Vista: 2476490, 2476490 (64-bit)
  2008: 2476490, 2476490 (64-bit)
  Windows 7: 2476490, 2476490 (64-bit)
  2008 R2: 2476490 (64-bit)
Bulletin: 11-038

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
oleaut32.dll dated 2007-2-17, older than 2010-12-16

Windows OLE Automation remote code execution vulnerability, oleaut32.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2007-0065 CVE-2007-2224 CVE-2013-1313
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows OLE Automation remote code execution
Description: Fixes a vulnerability in the OLE automation which allowed for remote code execution on processing of a crafted file. (CVE 2007-2224)
Fix:
  2000: 921503
  XP: 921503
  2003: 921503
Bulletin: 07-043

Update Name: Windows OLE Automation Heap Overrun
Description: Fixes a heap-based buffer overflow in Object Linking and Embedding (OLE) automation that could allow remote attackers to execute arbitrary code via a crafted request. (CVE 2007-0065)
Fix:
  2000: 943055
  XP: 943055
  2003: 943055
  Vista: 943055
Bulletin: 08-008

Update Name: Windows OLE Automation Remote Code Execution Vulnerability
Description: This update corrects a memory corruption vulnerability in the Object Linking and Embedding (OLE) Automation library. (CVE 2013-1313)
Fix:
  Windows XP: 2802968
Bulletin: 13-020

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
oleaut32.dll dated 2007-2-17, older than 2007-12-11

Windows Object Packager Insecure Executable Launching Vulnerability (MS12-002)
Severity: Area of Concern
CVE: CVE-2012-0009
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft.
Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Object Packager Insecure Executable Launching Vulnerability
Description: Fixes a vulnerability in the way that Windows registers and uses the Windows Object Packager that could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE 2012-0009)
Fix:
  XP: KB2598479 (32-bit), 2603381 (64-bit)
  2003: 2603381 (32-bit), 2603381 (64-bit)
Bulletin: 12-002

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: registry
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2603381 not found

Windows RDP Remote Code Execution Vulnerability (MS12-036)
Severity: Area of Concern
CVE: CVE-2012-0173
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows RDP Remote Code Execution Vulnerability (MS12-036)
Description: MS12-036 fixed a vulnerability in the Remote Desktop Protocol which allowed for potential remote code execution. (CVE 2012-0173)
Fix:
  XP SP3 (32-bit): KB2685939
  XP SP2 (64-bit): KB2685939
  Vista SP2 (32-bit): KB2685939
  Vista SP2 (64-bit): KB2685939
  7 (32-bit): KB2685939
  7 SP1 (32-bit): KB2685939
  7 (64-bit): KB2685939
  7 SP1 (64-bit): KB2685939
  2003 SP2 (32-bit): KB2685939
  2003 SP2 (64-bit): KB2685939
  2003 SP2 (Itanium): KB2685939
  2008 SP2 (32-bit): KB2685939
  2008 SP2 (64-bit): KB2685939
  2008 SP2 (Itanium): KB2685939
  2008 R2 (64-bit): KB2685939
  2008 R2 SP1 (64-bit): KB2685939
  2008 R2 (Itanium): KB2685939
Bulletin: 12-036

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
rdpwd.sys dated 2007-2-17, older than 2012-4-30

Windows RPC Marshalling Engine vulnerability
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2009-0568

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows RPC Marshalling Engine vulnerability
Description: Fixes an elevation of privilege vulnerability by correcting the way RPC Marshalling Engine updates its internal state. (CVE 2009-0568)
Fix:
  2000: 970238
  XP: 970238
  2003: 970238
  Vista: 970238
  2008: 970238
Bulletin: 09-026

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
rpcrt4.dll dated 2007-2-17, older than 2009-4-25

Windows RPC Memory Corruption vulnerability
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2010-2567

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows RPC Memory Corruption vulnerability
Description: An unauthenticated remote code execution vulnerability exists in the way that the Remote Procedure Call (RPC) client implementation allocates memory when parsing specially crafted RPC responses. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. (CVE 2010-2567)
Fix:
  XP: 982802 (32-bit), 982802 (64-bit)
  2003: 982802 (32-bit), 982802 (64-bit), 982802 (Itanium)
Bulletin: 10-066

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
rpcrt4.dll dated 2007-2-17, older than 2010-7-24

Windows Remote Desktop Connection vulnerabilities
Severity: Area of Concern
CVE: CVE-2009-1133 CVE-2009-1929
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Remote Desktop Connection vulnerabilities
Description: Fixes two heap overflow vulnerabilities which could allow command execution when the client receives a specially crafted response from a RDP server or web site. (CVE 2009-1133 CVE 2009-1929)
Fix: 970927
Bulletin: 09-044

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
Mstscax.dll dated 2007-2-17, older than 2009-6-4

Windows SMB Client vulnerabilities (MS10-006)
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2010-0016

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows SMB Client vulnerabilities
Description: Fixes vulnerabilities which could allow remote code execution when a user initiates an SMB connection with a malicious server. (CVE 2010-0016 CVE 2010-0017)
Fix:
  2000: 978251
  XP: 978251, 978251 (64-bit)
  2003: 978251, 978251 (64-bit)
  Vista: 978251, 978251 (64-bit)
  Windows 7: 978251, 978251 (64-bit)
  2008: 978251, 978251 (64-bit)
Bulletin: 10-006

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB978251 not found

Windows SMB Client vulnerabilities (MS10-020)
Severity: Area of Concern
CVE: CVE-2009-3676 CVE-2010-0269 CVE-2010-0270 CVE-2010-0476 CVE-2010-0477
Updated 03/12/13
CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs.
After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows SMB Client vulnerabilities
Description: Fixes vulnerabilities which could allow remote code execution when a user initiates an SMB connection with a malicious server. (CVE 2009-3676 CVE 2010-0269 CVE 2010-0270 CVE 2010-0476 CVE 2010-0477)
Fix:
  2000: 980232
  XP: 980232, 980232 (64-bit)
  2003: 980232, 980232 (64-bit), 980232 (Itanium)
  Vista: 980232, 980232 (64-bit)
  2008: 980232, 980232 (64-bit), 980232 (Itanium)
  Windows 7: 980232, 980232 (64-bit)
  2008 R2: 980232 (64-bit), 980232 (Itanium)
Bulletin: 10-020

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
mrxsmb.sys dated 2007-2-17, older than 2010-2-22

Windows SMB Client vulnerabilities (MS11-019)
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2011-0654 CVE-2011-0660

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows SMB Client vulnerabilities
Description: Fixes vulnerabilities which could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server. (CVE 2011-0654 CVE 2011-0660)
Fix:
  XP: 2511455, 2511455 (64-bit)
  2003: 2511455, 2511455 (64-bit)
  Vista: 2511455, 2511455 (64-bit)
  2008: 2511455, 2511455 (64-bit)
  Windows 7: 2511455, 2511455 (64-bit)
  2008 R2: 2511455 (64-bit)
Bulletin: 11-019

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
mrxsmb.sys dated 2007-2-17, older than 2011-2-16

Windows SMB Client vulnerabilities (MS11-043)
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2011-1268

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them.
It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows SMB Client vulnerabilities
Description: Fixes vulnerabilities which could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server. (CVE 2011-1268)
Fix:
  XP: 2536276, 2536276 (64-bit)
  2003: 2536276, 2536276 (64-bit), 2536276 (Itanium)
  Vista: 2536276, 2536276 (64-bit)
  2008: 2536276, 2536276 (64-bit), 2536276 (Itanium)
  Windows 7: 2536276, 2536276 (64-bit)
  2008 R2: 2536276 (64-bit)
  2008 R2: 2536276 (Itanium)
Bulletin: 11-043

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
mrxsmb.sys dated 2007-2-17, older than 2011-4-27

Windows SMB Remote Code Execution
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2008-4038

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released.
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows SMB Remote Code Execution
Description: Fixes a vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. (CVE 2008-4038) Also fixes two other vulnerabilities. A null pointer dereference in srv.sys allows an attacker to remotely crash the system. A validated attacker can execute code as administrator. (CVE 2006-3942 CVE 2006-4696)
Fix:
  2000: 957095
  XP: 957095
  2003: 957095
  Vista: 957095
  2008: 957095
Bulletin: 08-063 06-063

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
srv.sys dated 2007-2-17, older than 2008-8-26

Windows SMB credential reflection vulnerability
Severity: Area of Concern
Updated 03/12/13
CVE 1999-0662
CVE: CVE-2008-4037

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them.
It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows SMB credential reflection vulnerability
Description: Fixes validation of NTLM authentication replies to ensure that a user's credentials are not reflected back to an attacker. (CVE 2008-4037)
Fix:
  2000: 957097
  XP: 957097
  2003: 957097
  Vista: 957097
  2008: 957097
Bulletin: 08-068

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB957097 not found

Windows Schannel digital signature parsing vulnerability
Severity: Area of Concern
CVE: CVE-2007-2218
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack.
Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Schannel digital signature parsing vulnerability
Description: Fixes a vulnerability affecting applications which use SSL/TLS allowing code execution on Windows XP and denial of service on Windows 2000 and 2003. (CVE 2007-2218)
Fix:
  2000: 935840
  XP: 935840
  2003: 935840
Bulletin: 07-031

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB935840 not found

Windows Schannel spoofing vulnerability
Severity: Area of Concern
CVE: CVE-2009-0085
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Schannel spoofing vulnerability
Description: Fixes a spoofing vulnerability in Windows 2000, 2003, XP, Vista, and 2008. The vulnerability is only harmful if the attacker gains access to the certificate after having obtained the public key component through other means. (CVE 2009-0085)
Fix:
  2000: 960225
  XP: 960225 (32 bit), or 960225 (64 bit)
  2003: 960225 (32 bit), 960225 (64 bit), or 960225 Itanium
  Vista: 960225 (32 bit), or 960225 (64 bit)
  2008: 960225 (32 bit), 960225 (64 bit), or 960225 Itanium
Bulletin: 09-007

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB960225 not found

Windows Shell Handler vulnerability
Severity: Area of Concern
CVE: CVE-2010-0027
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Shell Handler vulnerability
Description: Fixes a remote code execution vulnerability in Windows 2000, XP and Server 2003; if an application such as a Web browser passes specially crafted data to the ShellExecute API function through the Windows Shell Handler. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE 2010-0027)
Fix:
  2000: 975713
  XP: 975713 (32-bit), 975713 (64-bit)
  2003: 975713 (32-bit), 975713 (64-bit), 975713 (Itanium)
Bulletin: 10-007

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
shlwapi.dll dated 2007-2-17, older than 2009-10-13

Windows VB script vulnerable version, vbscript.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2010-0483 CVE-2011-0031
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows VB script vulnerable
Description: Fixes remote code execution vulnerability which exists due to the way VB Script interacts with help files in Internet Explorer. (CVE 2010-0483)
Fix: Apply the appropriate patch
Bulletin: 10-022

Update Name: JScript and VBScript information disclosure vulnerability
Description: Fixes an information disclosure vulnerability due to a memory corruption error. (CVE 2011-0031)
Fix:
  Win 7: 2475792 (32-bit), 2475792 (64-bit)
  2008 R2: 2475792
Bulletin: 11-009

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
vbscript.dll dated 2007-2-17, older than 2010-3-7

Windows Virtual Address Descriptor integer overflow
Severity: Area of Concern
CVE: CVE-2008-4036
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs.
After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Elevation of Privilege Vulnerabilities in Windows
Description: Fixes multiple privilege elevation vulnerabilities. (CVE 2008-4036 CVE 2008-1436 CVE 2009-0078 CVE 2009-0079 CVE 2009-0080)
Fix:
  2000: 952004
  XP: 952004
  2003: 952004
  Vista: 952004
  2008: 952004
Bulletin: 08-064 09-012

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
Ntoskrnl.exe dated 2007-2-17, older than 2008-8-11

Windows WMA Voice codec vulnerability
Severity: Area of Concern
CVE: CVE-2009-0555 CVE-2009-2525
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack.
Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows WMA Voice codec vulnerability
Description: Fixes vulnerabilities in Windows Media Runtime that could allow remote code execution (CVE 2009-0555 CVE 2009-2525)
Fix:
  2000, XP and 2003 (Voice codec): 969878
  2000 WMF 9: 954155
  2000 WMP 9: 975025
  2000, XP and 2003 (Decoder): 969878
  XP SP2 WMF 9, 9.5 and 11: 954155
  XP (Compression Manager): 975025
  2000 WMP 9: 975925
Bulletin: 09-051

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
wmspdmod.dll dated 2007-2-17, older than 2009-3-30

Windows WordPad Converter (MS11-033) vulnerable version, mswrd8.wpc dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2011-0028
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: WordPad Text Converter Vulnerability
Description: Fixes a vulnerability which could allow remote code execution if a user opens a specially crafted Word file that includes a malformed structure. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE 2011-0028)
Fix:
  XP: 2485663, 2485663 (64-bit)
  2003: 2485663, 2485663 (64-bit)
Bulletin: 11-033

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
mswrd8.wpc dated 2007-2-17, older than 2010-12-20

Windows atl.dll vulnerable (MS09-037)
Severity: Area of Concern
CVE: CVE-2008-0015 CVE-2008-0020 CVE-2009-0901 CVE-2009-2493 CVE-2009-2494
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack.
Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Multiple Windows ATL vulnerability
Description: Fixes multiple vulnerabilities in Windows Active Template Library that could allow an attacker to execute arbitrary code. (CVE 2008-0015 CVE 2008-0020 CVE 2009-0901 CVE 2009-2493 CVE 2009-2494)
Fix:
  Outlook: 973354
  Media Player: 973540
  ATL Component: 973507
  DHTML Component: 973869
  ActiveX: 973525
Bulletin: 09-037 09-055

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
atl.dll dated 2006-3-22, older than 2009-7-15

Windows dhtmled.ocx vulnerable (MS09-037)
Severity: Area of Concern
CVE: CVE-2008-0015 CVE-2008-0020 CVE-2009-0901 CVE-2009-2493 CVE-2009-2494
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Multiple Windows ATL vulnerability
Description: Fixes multiple vulnerabilities in Windows Active Template Library that could allow an attacker to execute arbitrary code. (CVE 2008-0015 CVE 2008-0020 CVE 2009-0901 CVE 2009-2493 CVE 2009-2494)
Fix:
  Outlook: 973354
  Media Player: 973540
  ATL Component: 973507
  DHTML Component: 973869
  ActiveX: 973525
Bulletin: 09-037 09-055

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
dhtmled.ocx dated 2007-2-17, older than 2009-7-26

Windows event system subscription request and pointer array vulnerabilities
Severity: Area of Concern
CVE: CVE-2008-1456 CVE-2008-1457
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Event System vulnerabilities
Description: Fixes two vulnerabilities which allow authenticated users to execute arbitrary code on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. (CVE 2008-1456 CVE 2008-1457)
Fix:
  2000: 950974
  XP: 950974
  XP Professional x64: 950974
  2003: 950974
  2003 x64: 950974
  Vista: 950974
  Vista x64: 950974
  2008: 950974
  2008 x64: 950974
Bulletin: 08-049

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB950974 not found

Windows filename parsing vulnerability (MS12-081)
Severity: Area of Concern
CVE: CVE-2012-4774
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Microsoft Windows File Handling Component vulnerability Description Fixes a vulnerability in Windows file handling component which could allow remote code execution if a user browses to a folder that contains a file or subfolder with a specially crafted name. 
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. (CVE 2012-4774) Fix XP: 2758857 (32 bit), 2758857 (64 bit) 2003: 2758857 (32 bit), 2758857 (64 bit) Vista: 2758857 (32 bit), 2758857 (64 bit) 2008: 2758857 (32 bit), 2758857 (64 bit) 7: 2758857 (32 bit), 2758857 (64 bit) 2008 R2: 2758857 (64 bit) Bulletin 12-081 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios kernel32.dll dated 2007-2-17, older than 2012-10-1 Windows kernel GDI validation vulnerabilities Severity: Area of Concern CVE: CVE-2009-0081 CVE-2009-0082 CVE-2009-0083 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel validation Description Fixes vulnerabilities by validating input passed from user mode through the kernel component of GDI, correcting the way that the kernel validates handles, and changing the way that the Windows kernel handles specially crafted invalid pointers. (CVE 2009-0081 CVE 2009-0082 CVE 2009-0083) Fixes vulnerabilities by correcting window property validation passed during the new window creation process, calls from multiple threads are handled, and validation of parameters passed to the Windows Kernel from user mode. (CVE 2008-2250 CVE 2008-2251 CVE 2008-2252) Fix 2000: 958690 XP: 958690 2003: 958690 Vista: 958690 2008: 958690 Bulletin 09-006 08-061 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2009-2-8 Windows kernel NDProxy privilege elevation vulnerability (MS10-099) Severity: Area of Concern CVE: CVE-2010-3963 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. 
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel NDProxy privilege elevation vulnerability Description Fixes a buffer overflow vulnerability which could allow privilege elevation when a local user runs a specially crafted application. (CVE 2010-3963) Fix XP: 2440591 2003: 2440591 Bulletin 10-099 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios ndproxy.sys dated 2007-2-17, older than 2010-11-1 Windows kernel desktop validation vulnerabilities Severity: Area of Concern CVE: CVE-2009-1123 CVE-2009-1124 CVE-2009-1125 CVE-2009-1126 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel desktop validation vulnerabilities Description Fixes four vulnerabilities by correcting the methods used in validating a change in kernel object, the input passed from user mode to the kernel and the argument passed to the system call. (CVE 2009-1123 CVE 2009-1124 CVE 2009-1125 CVE 2009-1126) Fix 2000: 968537 XP: 968537 2003: 968537 Vista: 968537 2008: 968537 Bulletin 09-025 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2009-4-15 Windows kernel embedded font vulnerabilities Severity: Area of Concern CVE: CVE-2009-1127 CVE-2009-2513 CVE-2009-2514 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel embedded font vulnerabilities Description Fixes a remote code execution vulnerability that could allow a remote attacker to execute arbitrary code with the permissions of the user loading a specially crafted Embedded OpenType (EOT) font.
(CVE 2009-1127) (CVE 2009-2513) (CVE 2009-2514) Fix 2000: 969947 XP: 969947 (32-bit), 969947 (64-bit) 2003: 969947 (32-bit), 969947 (64-bit), 969947 (Itanium) Vista: 969947 (32-bit), 969947 (64-bit) 2008: 969947 (32-bit), 969947 (64-bit), 969947 (Itanium) Bulletin 09-065 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2009-8-12 Windows kernel exception handler vulnerability (MS11-098), ntoskrnl.exe dated 2007-2-17 Severity: Area of Concern CVE: CVE-2011-2018 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Kernel Exception Handler Vulnerability Description A privilege elevation vulnerability exists in Windows due to the kernel's failure to initialize some objects in memory. An attacker would have to log on locally to an affected system and run a specially crafted application designed to exploit the vulnerability. The vulnerability could not be exploited remotely or by anonymous users. (CVE 2011-2018) Fix XP: 2633171 (32-bit) 2003: 2633171 (32-bit) Vista: 2633171 (32-bit) 2008: 2633171 (32-bit) Windows 7: 2633171 (32-bit) Bulletin 11-098 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios ntoskrnl.exe dated 2007-2-17, older than 2011-10-23 Windows kernel integer overflow (MS12-068) Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2012-2529 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Kernel integer overflow Description Fixes a vulnerability which could allow a logged-on user to gain administrative privileges. (CVE 2012-2529) Fix XP: 2724197 2003: 2724197 Vista: 2724197 2008: 2724197 7: 2724197 2008 R2: 2724197 Bulletin 12-068 Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios ntoskrnl.exe dated 2007-2-17, older than 2012-8-21 Windows kernel integer overflow (MS13-017) Severity: Area of Concern CVE: CVE-2013-1278 CVE-2013-1279 CVE-2013-1280 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows Kernel integer overflow Description Fixes a vulnerability which could allow a logged-on user to gain administrative privileges. (CVE 2013-1278) (CVE 2013-1279) (CVE 2013-1280) Fix XP: 2799494 2003: 2799494 Vista: 2799494 2008: 2799494 7: 2799494 2008 R2: 2799494 8: 2799494 2012: 2799494 Bulletin 13-017 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios ntoskrnl.exe dated 2007-2-17, older than 2013-1-5 Windows kernel multiple privilege elevation vulnerabilities (MS10-048) Severity: Area of Concern CVE: CVE-2010-1887 CVE-2010-1894 CVE-2010-1895 CVE-2010-1896 CVE-2010-1897 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack.
Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel multiple privilege elevation vulnerabilities Description Fixes multiple vulnerabilities which allow authenticated users to elevate privileges on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7. (CVE 2010-1887 CVE 2010-1894 CVE 2010-1895 CVE 2010-1896 CVE 2010-1897) Fix XP: 2160329 XP x64: 2160329 2003: 2160329 2003 x64: 2160329 2003 Itanium: 2160329 Vista: 2160329 Vista x64: 2160329 2008: 2160329 2008 x64: 2160329 2008 Itanium: 2160329 Windows 7: 2160329 Windows 7 x64: 2160329 2008 R2 x64: 2160329 2008 R2 Itanium: 2160329 Bulletin 10-048 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2010-6-19 Windows kernel multiple privilege elevation vulnerabilities (MS10-073) Severity: Area of Concern CVE: CVE-2010-2743 CVE-2010-2744 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. 
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel multiple privilege elevation vulnerabilities Description Fixes multiple vulnerabilities which allow authenticated users to elevate privileges on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7. (CVE 2010-2549 CVE 2010-2743 CVE 2010-2744) Fix XP: 981957 (32-bit), 981957 (64-bit) 2003: 981957 (32-bit), 981957 (64-bit), 981957 (Itanium) Vista: 981957 (32-bit), 981957 (64-bit) 2008: 981957 (32-bit), 981957 (64-bit), 981957 (Itanium) Win 7: 981957 (32-bit), 981957 (64-bit) 2008 R2: 981957 (64-bit), 981957 (Itanium) Bulletin 10-073 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2010-8-29 Windows kernel multiple privilege elevation vulnerabilities (MS10-098) Severity: Area of Concern CVE: CVE-2010-3939 CVE-2010-3940 CVE-2010-3941 CVE-2010-3942 CVE-2010-3943 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel multiple privilege elevation vulnerabilities fixed by MS10-098 Description Fixes multiple vulnerabilities which could allow privilege elevation when a local user runs a specially crafted application. (CVE 2010-3939, CVE 2010-3940, CVE 2010-3941, CVE 2010-3942, CVE 2010-3943, CVE 2010-3944) Fix XP: 2436673 2003: 2436673 Vista: 2436673 2008: 2436673 7: 2436673 2008 R2: 2436673 Bulletin 10-098 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. 
Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2010-10-16 Windows kernel property validation vulnerabilities Severity: Area of Concern CVE: CVE-2008-2250 CVE-2008-2251 CVE-2008-2252 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel validation Description Fixes vulnerabilities by validating input passed from user mode through the kernel component of GDI, correcting the way that the kernel validates handles, and changing the way that the Windows kernel handles specially crafted invalid pointers. (CVE 2009-0081 CVE 2009-0082 CVE 2009-0083) Fixes vulnerabilities by correcting window property validation passed during the new window creation process, calls from multiple threads are handled, and validation of parameters passed to the Windows Kernel from user mode. (CVE 2008-2250 CVE 2008-2251 CVE 2008-2252) Fix 2000: 958690 XP: 958690 2003: 958690 Vista: 958690 2008: 958690 Bulletin 09-006 08-061 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios win32k.sys dated 2007-2-17, older than 2008-9-13 Windows kernel user mode callback vulnerability Severity: Area of Concern Updated 03/12/13 CVE 1999-0662 CVE: CVE-2008-1084 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name Windows kernel user mode callback vulnerability Description Fixes a privilege elevation vulnerability caused by insufficient validation of input passed from user mode to the kernel. (CVE 2008-1084) Fix 2000: 941693 XP: 941693 2003: 941693 Vista: 941693 2008: 941693 Bulletin 08-025 Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
win32k.sys dated 2007-2-17, older than 2008-3-17

Windows kernel vulnerabilities (MS12-042), ntoskrnl.exe dated 2007-2-17
Severity: Area of Concern
Updated 03/12/13 CVE 1999-0662
CVE: CVE-2012-1515

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Kernel Elevation of Privilege Vulnerability
Description: Fixes a vulnerability that could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. This vulnerability affects all 32-bit editions of Windows XP and Windows Server 2003: (CVE 2012-0217), and it also affects Windows 7 for x64-based Systems, and Windows Server 2008 R2 for x64-based Systems: (CVE 2012-1515)
Fix: XP SP3: 2707511 (32-bit); 2003 SP2: 2707511 (32-bit); Windows 7: 2709715 (64-bit); 2008 R2: 2709715 (64-bit)
Bulletin: 12-042

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
ntoskrnl.exe dated 2007-2-17, older than 2012-5-1

Windows kernel vulnerable (MS10-021) version, ntoskrnl.exe dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2010-0234 CVE-2010-0235 CVE-2010-0236 CVE-2010-0237 CVE-2010-0238 CVE-2010-0481 CVE-2010-0482 CVE-2010-0810
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows kernel vulnerable version
Fix: XP: KB2393802; 2003: KB2393802; Vista: KB2393802; 2008: KB2393802; Windows 7: KB2393802
Bulletin: 10-021 10-047 11-011
Description: Fixes multiple vulnerabilities which allow authenticated users to elevate privileges on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. (CVE 2010-0232 CVE 2010-0233 CVE 2010-0234 CVE 2010-0235 CVE 2010-0236 CVE 2010-0237 CVE 2010-0238 CVE 2010-0481 CVE 2010-0481 CVE 2010-0482 CVE 2010-0810) Fixes three vulnerabilities in the Windows kernel. A data initialization bug may be exploited when creating new threads. A double free error may be exploited during error handling. These two vulnerabilities may allow a local attacker to execute arbitrary code in kernel mode.
A kernel object ACL validation routine lacks sufficient sanity checking, which may allow a local attacker to cause the system to reboot or become unresponsive. (CVE 2010-1888 CVE 2010-1889 CVE 2010-1890) Also fixes vulnerabilities which could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. (CVE 2010-4398 CVE 2011-0045)

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
ntoskrnl.exe dated 2007-2-17, older than 2010-2-14

Windows kernel vulnerable (MS11-011) version, ntoskrnl.exe dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2010-4398
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows kernel vulnerable version
Fix: XP: KB2393802; 2003: KB2393802; Vista: KB2393802; 2008: KB2393802; Windows 7: KB2393802
Description: Fixes multiple vulnerabilities which allow authenticated users to elevate privileges on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. (CVE 2010-0232 CVE 2010-0233 CVE 2010-0234 CVE 2010-0235 CVE 2010-0236 CVE 2010-0237 CVE 2010-0238 CVE 2010-0481 CVE 2010-0481 CVE 2010-0482 CVE 2010-0810) Fixes three vulnerabilities in the Windows kernel. A data initialization bug may be exploited when creating new threads. A double free error may be exploited during error handling. These two vulnerabilities may allow a local attacker to execute arbitrary code in kernel mode. A kernel object ACL validation routine lacks sufficient sanity checking, which may allow a local attacker to cause the system to reboot or become unresponsive. (CVE 2010-1888 CVE 2010-1889 CVE 2010-1890) Also fixes vulnerabilities which could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application.
An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. (CVE 2010-4398 CVE 2011-0045)
Bulletin: 10-021 10-047 11-011

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
ntoskrnl.exe dated 2007-2-17, older than 2010-10-18

Windows kernel vulnerable version, ntoskrnl.exe dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2009-2515 CVE-2009-2516 CVE-2009-2517
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them.
It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows kernel vulnerable version
Description: Fixes multiple vulnerabilities which allow authenticated users to elevate privileges on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. (CVE 2009-2515 CVE 2009-2516 CVE 2009-2517 CVE 2010-0232 CVE 2010-0233)
Fix: 2000: 977165; XP: 977165; 2003: 977165; Vista: 977165; 2008: 977165; Windows 7: 977165
Bulletin: 09-058 10-015

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
ntoskrnl.exe dated 2007-2-17, older than 2009-8-1

Windows media file processing vulnerable (MS09-038)
Severity: Area of Concern
CVE: CVE-2009-1545 CVE-2009-1546
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues.
Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows media file processing vulnerable
Description: Fixes a vulnerability that allows remote code execution due to improper handling of specially crafted AVI format files. (CVE 2009-1545 CVE 2009-1546)
Fix: 2000: 971557; XP: 971557 (32-bit), 971557 (64 bit); 2003: 971557 (32-bit), 971557 (64 bit), 971557 (Itanium); Vista: 971557 (32-bit), 971557 (64-bit); 2008: 971557 (32-bit), 971557 (64-bit), 971557 (Itanium)
Bulletin: 09-038

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
avifil32.dll dated 2007-2-17, older than 2009-6-8

Windows print spooler vulnerabilities
Severity: Area of Concern
Updated 03/12/13 CVE 1999-0662
CVE: CVE-2009-0229 CVE-2009-0230

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.
Update Name: Windows print spooler vulnerabilities
Description: Fixes two privilege elevation vulnerabilities in the Windows print spooler, and one remote command execution vulnerability on Windows 2000. (CVE 2009-0228 CVE 2009-0229 CVE 2009-0230)
Fix: 2000: 961501; XP: 961501; 2003: 961501; Vista: 961501; 2008: 961501
Bulletin: 09-022

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB961501 not found

Word 97 Converter vulnerable version, mswrd8.wpc dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2008-4841 CVE-2009-0235
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: WordPad and Text converters remote code execution
Description: Fixes Microsoft WordPad and Microsoft Office text converters memory corruption. (CVE 2008-4841 CVE 2009-0087 CVE 2009-0235 CVE 2009-2506)
Fix: 2000: 973904; XP: 973904; 2003: 973904
Bulletin: 09-010 09-073

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
mswrd8.wpc dated 2007-2-17, older than 2008-4-27

WordPad Word 97 Text Converter (MS10-067) version, mswrd8.wpc dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2010-2563
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft.
Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: WordPad Word 97 Text Converter Memory Corruption Vulnerability
Description: Fixes a vulnerability in mswrd8.wpc which could allow remote code execution. (CVE 2010-2563)
Fix: XP 2259922; XP x64 2259922; 2003 2259922; 2003 x64 2259922
Bulletin: 10-067

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.
Technical Details
Service: netbios
mswrd8.wpc dated 2007-2-17, older than 2010-6-22

Wordpad COM validation (MS10-083) version, ole32.dll dated 2007-2-17
Severity: Area of Concern
CVE: CVE-2010-1263
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems.
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Wordpad COM validation vulnerability
Description: Fixes a vulnerability in the way WordPad validates COM object instantiation. (CVE 2010-1263)
Fix: XP: 979687 (32-bit), 979687 (64-bit); 2003: 979687 (32-bit), 979687 (64-bit), 979687 (Itanium); Vista: 979687 (32-bit), 979687 (64-bit); 2008: 979687 (32-bit), 979687 (64-bit), 979687 (Itanium); Win 7: 979687 (32-bit), 979687 (64-bit); 2008 R2: 979687 (64-bit), 979687 (Itanium)
Bulletin: 10-083

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
ole32.dll dated 2007-2-17, older than 2010-6-26

Workstation Service Elevation of Privilege
Severity: Area of Concern
Updated 03/12/13 CVE 1999-0662
CVE: CVE-2009-1544

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack.
Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Workstation Service Elevation of Privilege
Description: Fixes an overflow vulnerability which could allow remote command execution when the client receives a specially crafted RPC message. (CVE 2009-1544)
Fix: 971657
Bulletin: 09-041

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
Wkssvc.dll dated 2007-2-17, older than 2009-6-8

comctl32.dll remote code execution vulnerability (MS10-081)
Severity: Area of Concern
CVE: CVE-2010-2746
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows Common Control Library SVG vulnerability
Description: Fixes a vulnerability in Windows which could allow remote code execution if an attacker gets a user to open a document containing a malicious Scalable Vector Graphic image using a variety of third-party image viewers or editors.
(CVE 2010-2746)
Fix: XP: 2296011 (32-bit), 2296011 (64-bit); 2003: 2296011 (32-bit), 2296011 (64-bit); Vista: 2296011 (32-bit), 2296011 (64-bit); 2008: 2296011 (32-bit), 2296011 (64-bit); 7: 2296011 (32-bit), 2296011 (64-bit); 2008 R2: 2296011 (64-bit)
Bulletin: 10-081

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
Comctl32.dll dated 2007-2-17, older than 2010-9-6

mfc40.dll remote code execution vulnerability (MS10-074)
Severity: Area of Concern
CVE: CVE-2010-3227
Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates.
This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Windows MFC Document Title Update vulnerability
Description: Fixes a vulnerability in the Windows MFC libraries which could allow remote code execution if an attacker is able to control the title of an application written using the Microsoft Foundation Class (MFC) Library. (CVE 2010-3227)
Fix:
    XP: 2387149 (32-bit), 2387149 (64-bit)
    2003: 2387149 (32-bit), 2387149 (64-bit)
    Vista: 2387149 (32-bit), 2387149 (64-bit)
    2008: 2387149 (32-bit), 2387149 (64-bit)
    7: 2387149 (32-bit), 2387149 (64-bit)
    2008 R2: 2387149 (64-bit)
Bulletin: 10-074

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
Mfc40.dll dated 2006-3-22, older than 2010-8-30

t2embed.dll remote code execution vulnerability (MS10-076)
Severity: Area of Concern CVE: CVE-2010-1883 Updated 03/12/13 CVE 1999-0662

Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.
Background
Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs.

The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name: Embedded OpenType Font Engine vulnerability
Description: Fixes a vulnerability in Windows which could allow remote code execution if an attacker gets a user to open a document containing a malicious embedded open-type font. (CVE 2010-1883)
Fix:
    XP: 982132 (32-bit), 982132 (64-bit)
    2003: 982132 (32-bit), 982132 (64-bit)
    Vista: 982132 (32-bit), 982132 (64-bit)
    2008: 982132 (32-bit), 982132 (64-bit)
    7: 982132 (32-bit), 982132 (64-bit)
    2008 R2: 982132 (64-bit)
Bulletin: 10-076

Where can I read more about this?
For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Technical Details
Service: netbios
T2embed.dll dated 2007-2-17, older than 2010-8-25

AV Information: AntiVirus software not found (AVG F-Secure Forefront McAfee Symantec TrendMicro)
Severity: Potential Problem Created 04/13/10

Impact
The system may be susceptible to viruses, worms, and other types of malware.

Background
A virus is a self-replicating program designed to spread itself across a network. A computer can become infected with a virus when a user unknowingly installs it, usually by opening an untrustworthy e-mail attachment. Once installed, the virus takes some action to help itself propagate, and may take other actions, which are often harmless but sometimes malicious. A worm is a self-replicating program designed to spread across a network without requiring any outside actions to take place. The main difference between a worm and a virus is that a virus relies on human actions, such as opening e-mail attachments or sharing files, to copy itself from one computer to another, whereas a worm is able to do so independently, allowing it to spread much faster. There are many anti-virus products available which are designed to detect and eliminate viruses, worms, and other types of malware. These products work by checking files against a database of known malware patterns known as signatures. Typically, files are checked as they are accessed, and all files on the system are checked periodically.
Note that SAINT currently only collects information from the following AV software: McAfee 8.5 Symantec AVG TrendMicro Forefront F-Secure

The Problem
If anti-virus software is not installed, enabled, or the database of anti-virus signatures is outdated, the system could be vulnerable to viruses, malware, and worms. A last scan date that is not recent could mean that there are infected files on the system, especially if your anti-virus is disabled. If logging is disabled in the anti-virus software, it could be hard to keep track of what was scanned at what time, as well as determining if anything is wrong with the software.

Resolution
Install and enable anti-virus software. Turn on automatic updates and periodic scans. Enable logging. If an anti-virus server or manager is present, make sure that all clients can communicate with it so that the client is as up to date as possible and can send crucial information to the master installation. If more information is needed about the anti-virus software running on the network and a server or manager is present, it is a good place to look for information about the anti-virus clients. If more than one instance of anti-virus software is installed on a system, remove all but one. Multiple anti-virus programs may interfere with each other and cause the system to run poorly.

Where can I read more about this?
For additional information about viruses and anti-virus products, see Virus Bulletin.

Technical Details
Service: netbios
SAINT currently checks for AVG, F-Secure, Forefront, McAfee, Symantec, and TrendMicro AV software; none were detected

Microsoft IIS ASP repeated parameter request denial of service
Severity: Potential Problem CVE: CVE-2010-1899 Updated 09/14/10

Impact
An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Background
Microsoft IIS web servers accept requests for a number of different types of files.
The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information. Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server. IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.

The Problems
ASP Repeated Parameter Request Denial of Service
09/14/10 CVE 2010-1899
The ASP component of Microsoft IIS 6.0 through 7.5 is affected by a denial-of-service vulnerability. A remote attacker could exploit this vulnerability and cause the server to stop processing requests if ASP is enabled.

Resolutions
Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-062, and 10-065. For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function. IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?
The ASP Repeated Parameter Request Denial of Service and FastCGI Request Header Buffer Overflow were reported in Microsoft Security Bulletin 10-065.

Technical Details
Service: netbios
IIS running and asp.dll dated 2007-2-17, older than 2010-6-26

Microsoft IIS Authentication Method Disclosed
Severity: Potential Problem Created 07/01/08

Impact
An attacker could determine which authentication scheme is required for confidential web pages. This can be used for brute force attacks against known User IDs.

Background
Microsoft IIS web servers support Basic and NTLM authentication. Determination of which authentication is used by a server may help with further intelligent attacks against the server or brute force password attacks.

The Problems
IIS Authorization Method Disclosed
07/01/08
IIS is vulnerable to information gathering as to which form of authentication is being used due to the results of attempted connections with incorrect user ids and passwords. Note: This vulnerability formerly mapped to CVE 2002-0419 until this vulnerability was rejected from the CVE.

Resolutions
Use Fix information in Considerations for IIS authentication.

Where can I read more about this?
More information on the IIS Authorization method disclosure is available in Considerations for IIS authentication.

Technical Details
Service: http
Sent:
    GET / HTTP/1.1
    Host: win2003unpatch.sainttest.local
    Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=
Received:
    401 Unauthorized returned indicating NTLM Authentication

ICMP timestamp requests enabled
Severity: Potential Problem Created 04/14/08 CVE: CVE-1999-0524

Impact
A remote attacker could obtain sensitive information about the network.

Background
The Internet Control Message Protocol (ICMP) is a protocol used primarily for sending diagnostic messages and error messages between computers.
The protocol defines a number of different message types, including echo requests and replies (used by the ping utility) and destination unreachable messages.

The Problem
CVE 1999-0524
ICMP defines a number of message types which disclose information about a computer. These message types were designed to help synchronize computers on a network, but in practice are rarely needed and should be disabled to prevent attackers from using them. Such message types include:
Timestamp requests. These messages could be used by an attacker to determine the system's clock state, which could be used to defeat authentication mechanisms which rely on certain pseudo-random number generators.
Netmask requests. These messages could be used by an attacker to gather information about a network's subnet structure.

Resolution
Configure the system or firewall not to allow ICMP timestamp requests (message type 13) or ICMP netmask requests (message type 17). Instructions for doing this on specific platforms are as follows:
Windows: Block these message types using the Windows firewall as described in Microsoft TechNet.
Linux: Use ipchains or iptables to filter ICMP netmask requests using the command:
    ipchains -A input -p icmp --icmp-type address-mask-request -j DROP
Use ipchains or iptables to filter ICMP timestamp requests using the commands:
    ipchains -A input -p icmp --icmp-type timestamp-request -j DROP
    ipchains -A output -p icmp --icmp-type timestamp-reply -j DROP
To ensure that this change persists after the system reboots, put the above command into the system's boot-up script (typically /etc/rc.local).
Cisco: Block ICMP message types 13 and 17 as follows:
    deny icmp any any 13
    deny icmp any any 17

Where can I read more about this?
For more information about ICMP, see RFC792.
Technical Details
Service: icmp
timestamp=43ff1803

ICMP redirects are allowed
Severity: Potential Problem Created 01/28/13

Impact
An attacker could change the routing of packets from the target such that transmitted data could potentially be monitored or modified.

Background
ICMP redirects are messages which tell a host to use a different gateway router to reach a certain destination. These messages are typically sent by the host's default gateway router if the router knows of a more efficient route.

The Problem
The target accepts ICMP redirects. This is normally unnecessary in a correctly configured network, and is generally considered to be a security risk. An attacker could use these messages to intentionally misdirect a target to route packets through the attacker's own host, where they can be read or modified.

Resolution
Disable ICMP redirects. On Windows, this is done by setting the following registry value:
    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Name: EnableICMPRedirect
    Type: REG_DWORD
    Data: 0
To disable ICMP redirects on Linux, use the following commands:
    sysctl -w net.ipv4.conf.all.accept_redirects=0
    sysctl -w net.ipv4.conf.all.secure_redirects=0
To make the above settings permanent, also set the following lines in the /etc/sysctl.conf file:
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0

Where can I read more about this?
For more information about ICMP redirects, see Ask Ubuntu and Windows Reference. For more information on securing the Linux kernel, see Linux Kernel /etc/sysctl.conf Security Hardening.

Technical Details
Service: registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect =1

Internet Explorer Shell.Explorer object enabled
Severity: Potential Problem Updated 03/12/13 CVE 1999-0662

Impact
A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.
Background
Microsoft Internet Explorer is an HTML web browser which comes by default with Microsoft Windows operating systems.

The Problems
Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. In some cases patches are not used, with the user being required to upgrade the version of Internet Explorer to avoid the vulnerability. Specifically:
04/14/08
Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184), a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest Object (the user must reboot the operating system to get rid of the problem) and multiple issues in the res:// protocol including script injections.
10/25/04
The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message.

Resolution
To use Internet Explorer securely, take the following steps:
(The vulnerabilities in IE 8, Beta 1 have not yet been patched)
(The response splitting and smuggling related to setRequestHeader() has not yet been patched)
(The file focus stealing vulnerability has not yet been patched)
(The stack overflow vulnerability has not yet been patched.)
(The document.open spoofing vulnerability has not yet been patched.)
Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071, 12-077, 13-008, 13-010, and 13-021.
Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security Advisory (980088)
Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864
Disable the Javaprxy.dll object
Disable the ADODB.Stream object
Disable the Shell.Explorer object

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669. To disable the Shell.Explorer object, set the following registry value:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
    Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.

Where can I read more about this?
For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page. For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021. Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604. The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.
Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}\Compatibility Flags is not 0x400

last user name shown in login box
Severity: Potential Problem Created 05/06/05 CVE 1999-0592 CVE: CVE-1999-0592

Impact
An attacker with physical access to the computer could determine a valid user name on the system, thus facilitating password guessing attacks.

Background
At the login prompt, Windows systems can be configured to automatically fill the login field with the name of the user who most recently logged in. This eliminates the need for a user who is the primary user of a computer to re-enter his or her user name at every login prompt.

The Problem
Showing the last user name at the login prompt could disclose that user name to unauthorized users. Once an attacker has knowledge of a valid user name on a system, the chance of a successful password guessing attack is increased.

Resolution
Run regedt32, and in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, set DontDisplayLastUserName equal to 1.

Where can I read more about this?
More information is available in The Registry Guide for Windows.

Technical Details
Service: netbios
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName = 0

SMB digital signing is disabled
Severity: Potential Problem Created 03/26/12

Impact
If the SMB signing is disabled, malicious attackers could sniff the network traffic and could perform a man in the middle attack to gain sensitive information.

Background
The SMB protocol is the basis for Microsoft file and print sharing and other networking operations, such as remote Windows administration. Server Message Block (SMB) signing is a signature in the SMB protocol designed to help improve the security of the SMB protocol.
See an SMB Protocol Package Exchange Scenario for better understanding.

The Problems
SMB Signing is disabled
03/26/12
Microsoft has put the SMB signing in SMB protocol as basis for the security setting. When this setting is disabled, the file and print sharing and other network operations are exposed to man in the middle attacks.

Resolution
Refer to Microsoft Technet Library in Local Policies, Microsoft network server: Digitally sign communications (if client agrees).

Where can I read more about this?
For more information about SMB signing configuration, see SMB Protocol Package Exchange Scenario.

Technical Details
Service: netbios
NEGOTIATE_SECURITY_SIGNATURES_ENABLED=0

password complexity policy disabled
Severity: Potential Problem Created 04/06/05 CVE 1999-0535 CVE 1999-0582 CVE: CVE-1999-0535

Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.

Background
Microsoft operating systems have account policies which specify certain guidelines which are enforced for all users in a computer or domain. These policies can be used to improve security. The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limit re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts.

The Problem
One or more of the Windows account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks.

Resolution
Edit the account policy, which is found in the Local Security Policy under Administrative Tools on most systems.
Change the account policy settings to the recommended values. In a typical organization, these are:
    Minimum password length: 8 characters
    Enforce password history: 24 passwords remembered
    Maximum password age: 42 days
    Minimum password age: 2 days
    Password complexity requirements: Enabled
    Account lockout threshold: 3 invalid logon attempts
Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller.

Where can I read more about this?
See Microsoft's Step-by-Step Guide to Enforcing Strong Password Policies and Account Passwords and Policies.

Technical Details
Service: netbios-ssn

weak account lockout policy (0)
Severity: Potential Problem Created 04/06/05 CVE 1999-0535 CVE 1999-0582 CVE: CVE-1999-0582

Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.

Background
Microsoft operating systems have account policies which specify certain guidelines which are enforced for all users in a computer or domain. These policies can be used to improve security. The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limit re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts.

The Problem
One or more of the Windows account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks.

Resolution
Edit the account policy, which is found in the Local Security Policy under Administrative Tools on most systems.
Change the account policy settings to the recommended values. In a typical organization, these are:
    Minimum password length: 8 characters
    Enforce password history: 24 passwords remembered
    Maximum password age: 42 days
    Minimum password age: 2 days
    Password complexity requirements: Enabled
    Account lockout threshold: 3 invalid logon attempts
Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller.

Where can I read more about this?
See Microsoft's Step-by-Step Guide to Enforcing Strong Password Policies and Account Passwords and Policies.

Technical Details
Service: netbios-ssn
0 > 3 or 0 = 0

weak minimum password age policy (0 days)
Severity: Potential Problem Created 04/06/05 CVE 1999-0535 CVE 1999-0582 CVE: CVE-1999-0535

Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.

Background
Microsoft operating systems have account policies which specify certain guidelines which are enforced for all users in a computer or domain. These policies can be used to improve security. The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limit re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts.

The Problem
One or more of the Windows account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks.
Resolution
Edit the account policy, which is found in the Local Security Policy under Administrative Tools on most systems. Change the account policy settings to the recommended values. In a typical organization, these are:
    Minimum password length: 8 characters
    Enforce password history: 24 passwords remembered
    Maximum password age: 42 days
    Minimum password age: 2 days
    Password complexity requirements: Enabled
    Account lockout threshold: 3 invalid logon attempts
Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller.

Where can I read more about this?
See Microsoft's Step-by-Step Guide to Enforcing Strong Password Policies and Account Passwords and Policies.

Technical Details
Service: netbios-ssn
0<2

weak minimum password length policy (0)
Severity: Potential Problem Created 04/06/05 CVE 1999-0535 CVE 1999-0582 CVE: CVE-1999-0535

Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.

Background
Microsoft operating systems have account policies which specify certain guidelines which are enforced for all users in a computer or domain. These policies can be used to improve security. The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limit re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts.

The Problem
One or more of the Windows account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks.
Resolution
Edit the account policy, which is found in the Local Security Policy under Administrative Tools on most systems. Change the account policy settings to the recommended values. In a typical organization, these are:
    Minimum password length: 8 characters
    Enforce password history: 24 passwords remembered
    Maximum password age: 42 days
    Minimum password age: 2 days
    Password complexity requirements: Enabled
    Account lockout threshold: 3 invalid logon attempts
Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller.

Where can I read more about this?
See Microsoft's Step-by-Step Guide to Enforcing Strong Password Policies and Account Passwords and Policies.

Technical Details
Service: netbios-ssn
0<8

weak password history policy (0)
Severity: Potential Problem Created 04/06/05 CVE 1999-0535 CVE: CVE-1999-0535 CVE 1999-0582

Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.

Background
Microsoft operating systems have account policies which specify certain guidelines which are enforced for all users in a computer or domain. These policies can be used to improve security. The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limit re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts.

The Problem
One or more of the Windows account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks.
Resolution
Edit the account policy, which is found in the Local Security Policy under Administrative Tools on most systems. Change the account policy settings to the recommended values. In a typical organization, these are:
    Minimum password length: 8 characters
    Enforce password history: 24 passwords remembered
    Maximum password age: 42 days
    Minimum password age: 2 days
    Password complexity requirements: Enabled
    Account lockout threshold: 3 invalid logon attempts
Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller.

Where can I read more about this?
See Microsoft's Step-by-Step Guide to Enforcing Strong Password Policies and Account Passwords and Policies.

Technical Details
Service: netbios-ssn
0 < 24

non-administrative users can bypass traverse checking
Severity: Potential Problem CVE: CVE-1999-0534 Created 04/07/05 CVE 1999-0534

Impact
Normal users could take actions which should be limited to administrators. These privileges could be used to facilitate attacks or to make system resources unavailable to other users.

Background
Windows operating systems assign a set of rights to each account group. These rights determine whether a user is allowed to perform certain actions on the computer, such as creating tokens, increasing scheduling priority, or acting as part of the operating system.

The Problem
Certain privileges which should only be needed by administrators have been granted to non-administrative users.

Resolution
Edit the user rights assignment, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller.

Where can I read more about this?
See Microsoft's documentation on User Rights Assignment.
Technical Details Service: netbios-ssn SeChangeNotifyPrivilege non-administrative users can replace a process level token Severity: Potential Problem CVE: CVE-1999-0534 Created 04/07/05 CVE 1999-0534 Impact Normal users could take actions which should be limited to administrators. These privileges could be used to facilitate attacks or to make system resources unavailable to other users. Background Windows operating systems assign a set of rights to each account group. These rights determine whether a user is allowed to perform certain actions on the computer, such as creating tokens, increasing scheduling priority, or acting as part of the operating system. The Problem Certain privileges which should only be needed by administrators have been granted to non-administrative users. Resolution Edit the user rights assignment, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's documentation on User Rights Assignment. Technical Details Service: netbios-ssn SeAssignPrimaryTokenPrivilege account management auditing disabled Severity: Potential Problem Created 04/07/05 CVE 1999-0575 CVE: CVE-1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. 
Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. Technical Details Service: netbios-ssn account management failure auditing disabled Severity: Potential Problem CVE: CVE-1999-0575 Created 04/07/05 CVE 1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. Technical Details Service: netbios-ssn logon failure auditing disabled Severity: Potential Problem Created 04/07/05 CVE 1999-0575 CVE: CVE-1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. 
The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. Technical Details Service: netbios-ssn object access auditing disabled Severity: Potential Problem Created 04/07/05 CVE 1999-0575 CVE: CVE-1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. Technical Details Service: netbios-ssn object access failure auditing disabled Severity: Potential Problem Created 04/07/05 CVE 1999-0575 CVE: CVE-1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. 
Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. Technical Details Service: netbios-ssn policy change auditing disabled Severity: Potential Problem Created 04/07/05 CVE 1999-0575 CVE: CVE-1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. 
Technical Details Service: netbios-ssn policy change failure auditing disabled Severity: Potential Problem Created 04/07/05 CVE 1999-0575 CVE: CVE-1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. Technical Details Service: netbios-ssn system event auditing disabled Severity: Potential Problem Created 04/07/05 CVE 1999-0575 CVE: CVE-1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. 
Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. Technical Details Service: netbios-ssn system event failure auditing disabled Severity: Potential Problem Created 04/07/05 CVE 1999-0575 CVE: CVE-1999-0575 Impact Intrusion attempts or other unauthorized activities could go unnoticed. Background Windows operating systems allow the administrator to define an auditing policy. This policy instructs the operating system to create a log entry every time certain events occur, such as successful or failed logon attempts or object access. The Problem One or more types of important security events are not audited. This leaves the administrator with no way to know whether intrusion attempts or other unauthorized activities are occurring on the system. Resolution Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most systems. Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting can only be changed on the domain controller. Where can I read more about this? See Microsoft's guide to setting up auditing and developing an auditing policy. Technical Details Service: netbios-ssn Windows administrator account not renamed Severity: Potential Problem Created 09/02/08 CVE 1999-0585 CVE: CVE-1999-0585 Impact The default administrator and guest account names give attackers a starting point for conducting brute-force password guessing attacks. Background Every Windows operating system comes with two default accounts. The first, named administrator, has full privileges on the operating system. The second, named guest, has limited privileges. The Problem The administrator or guest account has not been renamed. 
Leaving the default administrator and guest account names unchanged allows an attacker to attempt brute-force password guessing attacks against these accounts. Resolution Change the name of the administrator and guest accounts. To do this on Active Directory servers, open Active Directory Users and Computers. Click Users, then right-click on Administrator or Guest, and select Rename. To do this on workstations, open the Local Security Policy from the Administrative Tools menu. Choose Local Policies, then Security Options, then Accounts: Rename administrator or guest account. Where can I read more about this? For more information on securing the administrator account, see The Administrator Accounts Security Planning Guide - Chapter 3. Technical Details Service: netbios-ssn UID 500 = Administrator Windows guest account not renamed Severity: Potential Problem Created 09/02/08 CVE 1999-0585 Impact The default administrator and guest account names give attackers a starting point for conducting brute-force password guessing attacks. Background Every Windows operating system comes with two default accounts. The first, named administrator, has full privileges on the operating system. The second, named guest, has limited privileges. The Problem The administrator or guest account has not been renamed. Leaving the default administrator and guest account names unchanged allows an attacker to attempt brute-force password guessing attacks against these accounts. Resolution Change the name of the administrator and guest accounts. To do this on Active Directory servers, open Active Directory Users and Computers. Click Users, then right-click on Administrator or Guest, and select Rename. To do this on workstations, open the Local Security Policy from the Administrative Tools menu. Choose Local Policies, then Security Options, then Accounts: Rename administrator or guest account. Where can I read more about this? 
For more information on securing the administrator account, see The Administrator Accounts Security Planning Guide - Chapter 3. Technical Details Service: netbios-ssn UID 501 = Guest Password never expires for user localuser Severity: Potential Problem Created 03/23/05 Impact If a password becomes compromised, it can be used to gain unauthorized access for an unlimited period of time. Background Passwords are used to authenticate users to Windows systems. The system administrator has the option to enforce password expiration, which requires users to change their passwords at regular intervals. The Problem Password expiration is disabled, allowing the user to keep the same password for an unlimited time period. It is generally considered to be a better security policy to enable password expiration, to ensure that a potential intruder who is able to crack or sniff a user's password will be unable to log into the user's account after a period of time. Resolution Enable password expiration for all users. This is done by removing the check mark beside password never expires in the user's properties. Where can I read more about this? More information on best practices related to password security is available from Microsoft. Technical Details Service: netbios-ssn Password never expires for user localuser Windows TCP/IP Stack not hardened Severity: Potential Problem Created 03/11/05 Impact A remote attacker could cause a temporary denial of service. Background TCP/IP is the underlying protocol used for transmission of data across networks. Each segment of data, called a packet or datagram, includes a source and destination IP address, and a source and destination port number. Normally, the source and destination are different. If an attacker spoofs a packet such that the source and destination IP address and port are the same, it results in a malformed packet known as Land. 
The Problem A Land attack can be used to create a 15 to 30 second denial of service against targets running Windows Server 2003 or Windows XP Service Pack 2. Resolution Apply the TCP/IP stack hardening guidelines discussed in Microsoft Knowledge Base Article 324270 for Windows Server 2003 or 315669 for Windows XP. (Although the latter article was written for Windows 2000, it is presumably also effective for Windows XP.) The patch referenced in Microsoft Security Bulletin 05-019 also fixes this vulnerability, but not for IPv6 interfaces. Where can I read more about this? Land was originally reported in CERT Advisory 1997-28. The Land attack relating to Windows XP Service Pack 2 and Windows Server 2003 was posted to Bugtraq. The Land attack relating to IPv6 was posted to NTBugtraq. Technical Details Service: netbios KB324270/315669 recommendations not applied for XP SP2 or 2003 Microsoft Windows Insecure Library Loading vulnerability Severity: Potential Problem Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. 
The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name: Microsoft Windows Insecure Library Loading vulnerability. Description: A remote attacker could execute DLL preloading attacks through an SMB share or WebDAV. Fix: Disable loading of libraries from WebDAV and remote network shares as described in Microsoft KB 2264107. Bulletin: 2269637. Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch does not exist Microsoft Windows Service Isolation Bypass Local Privilege Escalation Severity: Potential Problem CVE: CVE-2010-1886 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. 
Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name: Microsoft Windows Service Isolation Bypass Local Privilege Escalation. Description: Fixed a vulnerability which leverages the Windows Service Isolation feature to gain elevation of privilege. (CVE 2010-1886) Fix: TAPI 982316. Bulletin: 2264072. Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. 
Technical Details Service: netbios Tapisrv.dll dated 2007-2-17, older than 2010-4-22 Multiple Windows TCP/IP vulnerabilities (MS08-001) Severity: Potential Problem CVE: CVE-2007-0066 CVE-2007-0069 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. 
If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name: Windows TCP/IP Vulnerabilities. Description: Fixes vulnerabilities which could allow a remote attacker to cause a denial of service, or possibly execute commands. (CVE 2004-0230 CVE 2004-0790 CVE 2004-1060 CVE 2005-0048 CVE 2005-0688) Fix: 2000: 893066 or SP4 Update Rollup 1; XP: 893066; 2003: 893066 or SP1. Bulletin: 05-019. Update Name: Multiple Windows TCP/IP vulnerabilities. Description: Fixes two vulnerabilities: (1) an IGMPv3 and MLDv2 vulnerability that could allow remote code execution; and (2) an ICMP vulnerability that could result in denial of service. (CVE 2007-0069, CVE 2007-0066) Fix: 2000: 941644; XP: 941644; 2003: 941644; Vista: 941644. Bulletin: 08-001. Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Technical Details Service: netbios tcpip.sys dated 2007-2-17, older than 2007-10-29 Windows Embedded OpenType Font Engine Vulnerability Severity: Potential Problem CVE: CVE-2010-0018 Updated 03/12/13 CVE 1999-0662 Impact The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites. Background Microsoft releases updates for each of its Windows operating systems to fix a variety of problems which are discovered after the operating system is released. Some of these updates are released to address security issues which, if left unfixed, could have serious security implications. There are three levels of updates released by Microsoft. Hotfixes are updates that fix a single issue or a few closely related issues. Service Packs (SP) are major updates of the operating system, which include all the hotfixes released since the last service pack. 
Rollup Packages are a collection of security hotfixes released since the last service pack. Rollup packages are used to ease the process of bringing a computer up to date in between the release of service packs. The Problems and Resolutions One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates. Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information. Update Name: Windows Embedded OpenType Font Engine Vulnerability. Description: Fixes a remote code execution vulnerability in Windows 2000, 2003, XP, Vista, 7, and Server 2008. The vulnerability exists due to the way Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts. (CVE 2010-0018) Fix: 2000: 972270; 2003: 972270 (32-bit), 972270 (64-bit); XP: 972270 (32-bit), 972270 (64-bit); Vista: 972270 (32-bit), 972270 (64-bit); Windows 7: 972270; 2008: 972270 (32-bit), 972270 (64-bit). Bulletin: 10-001. Where can I read more about this? For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. 
Technical Details Service: netbios fontsub.dll dated 2007-2-17, older than 2009-10-14 1026/UDP Severity: Service Technical Details DNS Severity: Service Technical Details SMB Severity: Service Technical Details \131\000\000\001\143 WWW Severity: Service Technical Details HTTP/1.1 200 OK Content-Length: 99 Content-Type: text/html Content-Location: http://10.7.0.11/index.html Last-Modified: Tue, 28 Feb 2012 16:13:03 GMT Accept-Ranges: XDM (X login) Severity: Service Technical Details epmap (135/TCP) Severity: Service Technical Details isakmp (500/UDP) Severity: Service Technical Details microsoft-ds (445/TCP) Severity: Service Technical Details microsoft-ds (445/UDP) Severity: Service Technical Details netbios-dgm (138/UDP) Severity: Service Technical Details netbios-ns (137/UDP) Severity: Service Technical Details ntp (123/UDP) Severity: Service Technical Details tftp (69/UDP) Severity: Service Technical Details 1.2 mandrake32 IP Address: 10.7.0.153 Scan time: Mar 20 10:38:23 2013 Host type: Linux 2.4.22-10mdksmp - Mandriva 9.2 default device password (root:attack) Severity: Critical Problem Updated 10/02/12 CVE 1999-0507 CVE 1999-0508 CVE: CVE-1999-0507 CVE-1999-0508 Impact A remote attacker could gain access to the device, allowing him or her to cause a denial of service, change the configuration, install malicious firmware, or gain unauthorized access to the internal network. Background Routers and other networking devices often contain administrative interfaces to allow the network administrator to make configuration changes or diagnose problems remotely. The Telnet, FTP, and HTTP protocols are commonly used to provide such interfaces. It is usually necessary to provide a password in order to access the device. In some cases, neither user name nor password are required. The Problem 10/02/12 Some devices are shipped with known default passwords. 
If these devices are installed in an operational environment with the default passwords still in place, they provide a remote attacker with an easy way to gain access to the device. Once access has been gained, the attacker could create a denial of service, make unauthorized configuration changes, install malicious firmware, or route packets to machines on the internal network which would otherwise be blocked by the router. Related CVE entries: CVE 2001-1543 Axis network camera CVE 2002-1229 Avaya Cajun switches CVE 2002-1440 Gateway GS-400 CVE 2002-2020 NetGear Cable/DSL router CVE 2004-1320 Asante FM2008 CVE 2004-1321 Asante FM2008 CVE 2004-1791 Edimax WAP CVE 2004-1920 X-Micro WLAN Routers CVE 2004-2556 NetGear WG602 CVE 2004-2557 NetGear WG602 additional CVE 2005-0865 Samsung ADSL modem CVE 2005-2026 Vertical Horizon switch CVE 2005-3717 UTStarcom VoIP WIFI Phone CVE 2009-0620 Cisco ACE CVE 2009-0621 Cisco ACE CVE 2011-0885 Comcast DOCSIS CVE 2012-3579 Symantec Messaging Gateway Modicon Quantum (Related: ) GE D20 Micrologix Resolution Change the password to something other than the default. A recommended password would be one which is at least eight characters long, contains both letters and numbers, and is not based on any associated information such as account names, user's names, or DNS names. If the password cannot be changed, contact your vendor for a firmware fix, or block access to all affected services at the network perimeter. 08/26/02 NOTE: In some cases, notably the Gateway GS-400 server vulnerability, changing the password may void the manufacturer's warranty. Where can I read more about this? Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords. Although it focuses on UNIX, the password guidelines presented in this paper are applicable to all devices. 
Specific information is available for Symantec Messaging Gateway, ZyXEL Prestige routers, Gateway GS-400, Avaya switches, X-Micro WLAN routers, NetGear WG602 Accesspoint, NetGear WG602 Accesspoint change, Edimax WAP, NetGear DG834G, Axis, Dynalink RTA 230, Asante FM2008 switch, Vertical Horizon switch, UTStarcom VoIP WIFI Phone, Cisco ACE, 3Com OfficeConnect, Alien Technology ALR-9900, Comcast DOCSIS, Modicon Quantum, GE D20, and Micrologix. Technical Details Service: ssh Account root has no password Severity: Critical Problem Updated 09/17/07 CVE 1999-0501 CVE 1999-0502 CVE 1999-0503 CVE 1999-0504 CVE 1999-0505 CVE 1999-0506 CVE: CVE-1999-0502 Impact An attacker who is able to guess the password to a user account could gain shell access to the system with the privileges of the user. From there it is often trivial to gain complete control of the system. Background Passwords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. The Problem 09/17/07 Administrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. Related CVE entries: CVE 2002-1629 Multi-Tech ProxyServer CVE 2005-3595 Windows XP Home Edition CVE 2007-3232 IBM Totalstorage DS400 Cisco 2700 Series Wireless Location Appliance Default Password 10/27/06 CVE 2006-5288 The Cisco 2700 Series Wireless Location appliance is an internet connectivity device. It is exposed to a default administrative password issue. Versions prior to 2.1.34 are affected. Resolution Protect all accounts with a password that cannot be guessed. 
Require users to choose passwords which are eight characters long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. Enforce this policy using a utility such as npasswd in place of the default UNIX passwd program. Check the strength of all account passwords periodically using a password cracking utility such as Crack for Unix. For Cisco 2700 Series Wireless Location Appliance, change the password or mitigate as described in cisco-air-20061013-wla. Where can I read more about this? Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords. The Cisco 2700 Series WLA default password was described in cisco-sa-2006-1012-wla and Bugtraq ID 20490. The IBM Totalstorage DS400 default password was posted to Full Disclosure. Technical Details Service: ssh uid=0(root) gid=0(root) groups=0(root) Guessed password to account (root:password) Severity: Critical Problem Updated 09/17/07 CVE 1999-0501 CVE 1999-0502 CVE 1999-0503 CVE 1999-0504 CVE 1999-0505 CVE 1999-0506 CVE: CVE-1999-0501 CVE-2006-5288 Impact An attacker who is able to guess the password to a user account could gain shell access to the system with the privileges of the user. From there it is often trivial to gain complete control of the system. Background Passwords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. The Problem 09/17/07 Administrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. 
Related CVE entries: CVE 2002-1629 Multi-Tech ProxyServer CVE 2005-3595 Windows XP Home Edition CVE 2007-3232 IBM Totalstorage DS400 Cisco 2700 Series Wireless Location Appliance Default Password 10/27/06 CVE 2006-5288 The Cisco 2700 Series Wireless Location appliance is an internet connectivity device. It is exposed to a default administrative password issue. Versions prior to 2.1.34 are affected. Resolution Protect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight characters long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. Enforce this policy using a utility such as npasswd in place of the default UNIX passwd program. Check the strength of all account passwords periodically using a password cracking utility such as Crack for Unix. For Cisco 2700 Series Wireless Location Appliance, change the password or mitigate as described in cisco-air-20061013-wla. Where can I read more about this? Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords. The Cisco 2700 Series WLA default password was described in cisco-sa-2006-1012-wla and Bugtraq ID 20490. The IBM Totalstorage DS400 default password was posted to Full Disclosure. Technical Details Service: ssh uid=0(root) gid=0(root) groups=0(root) Guessed password to account (root:root) Severity: Critical Problem Updated 09/17/07 CVE 1999-0501 CVE: CVE-1999-0501 CVE 1999-0502 CVE 1999-0503 CVE 1999-0504 CVE 1999-0505 CVE 1999-0506 Impact An attacker who is able to guess the password to a user account could gain shell access to the system with the privileges of the user. From there it is often trivial to gain complete control of the system. Background Passwords are the most commonly used method of authenticating users to a server. 
The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. The Problem 09/17/07 Administrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. Related CVE entries: CVE 2002-1629 Multi-Tech ProxyServer CVE 2005-3595 Windows XP Home Edition CVE 2007-3232 IBM Totalstorage DS400 Cisco 2700 Series Wireless Location Appliance Default Password 10/27/06 CVE 2006-5288 The Cisco 2700 Series Wireless Location appliance is an internet connectivity device. It is exposed to a default administrative password issue. Versions prior to 2.1.34 are affected. Resolution Protect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight characters long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. Enforce this policy using a utility such as npasswd in place of the default UNIX passwd program. Check the strength of all account passwords periodically using a password cracking utility such as Crack for Unix. For Cisco 2700 Series Wireless Location Appliance, change the password or mitigate as described in cisco-air-20061013-wla. Where can I read more about this? Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords. The Cisco 2700 Series WLA default password was described in cisco-sa-2006-1012-wla and Bugtraq ID 20490. The IBM Totalstorage DS400 default password was posted to Full Disclosure. 
Technical Details Service: ssh uid=0(root) gid=0(root) groups=0(root) Vulnerable Linux Kernel version: 2.4.22 Severity: Critical Problem CVE: CVE-2008-1673 CVE-2008-2136 CVE-2008-2137 CVE-2008-2812 CVE-2008-3077 CVE-2008-5025 CVE-2008-5079 CVE-2008-5700 CVE-2008-5713 CVE-2009-0031 CVE-2009-0065 CVE-2009-0269 CVE-2009-0322 CVE-2009-0605 CVE-2009-0778 CVE-2009-0859 CVE-2009-0935 CVE-2009-1072 CVE-2009-1360 CVE-2009-1633 CVE-2009-2692 CVE-2009-2903 CVE-2009-2909 CVE-2009-3547 CVE-2009-3621 CVE-2010-4083 Updated 03/13/13 Impact A remote attacker could execute arbitrary code, cause information disclosure, bypass certain security restrictions, or cause a denial of service. Background The Linux kernel is released under the GNU General Public License version 2 (GPLv2) and developed by contributors worldwide. The Linux kernel is used by a family of Unix-like operating systems. The Problems 'ipc/sem.c' Information Disclosure Vulnerability 10/21/10 CVE 2010-4083 The Linux kernel 2.6.36-rc6 and 2.4.37.9 and prior are prone to an information-disclosure vulnerability. Successful exploits may allow attackers to obtain potentially sensitive information from the stack that may aid in other attacks. TSB I-TLB Load Local Privilege Escalation Vulnerability 03/31/10 The Linux kernel 2.6.32 and prior are prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. selinux_bprm_committing_creds() Security Bypass Vulnerability 03/19/10 The Linux kernel before 2.6.32.8 is prone to a security-bypass vulnerability. Local attackers can exploit this issue to bypass certain security restrictions. KVM 'pit_ioport_read()' Local Denial of Service Vulnerability 03/10/10 The Linux kernel 2.6.32 and prior are prone to a local denial-of-service vulnerability that affects the Kernel-based Virtual Machine (KVM). 
Attackers with local access to a guest operating system can exploit this issue to crash the host operating system. Successful exploits will deny service to legitimate users. Linux Kernel drivers/char/n_tty.c NULL Pointer Dereference Denial of Service Vulnerability 12/22/09 The Linux kernel 2.6.32-rc7 and prior are prone to a local denial-of-service vulnerability. Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. Linux Kernel pipe.c Local Privilege Escalation Vulnerability 12/02/09 CVE 2009-3547 Linux kernel before 2.4.37.7 and 2.6.32-rc6 is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference. Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Linux Kernel unix_stream_connect() Local Denial of Service Vulnerability 11/16/09 CVE 2009-3621 The Linux kernel 2.6.31.4 and prior are prone to a local denial-of-service vulnerability. Attackers can exploit this issue to cause the affected kernel to stop responding, denying service to legitimate users. Linux Kernel net/ax25/af_ax25.c Local Denial of Service Vulnerability 11/11/09 CVE 2009-2909 The Linux kernel before 2.6.31.2 is prone to a local denial-of-service vulnerability because it fails to properly verify signedness of a user-supplied value. Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Linux Kernel AppleTalk Driver IP Over DDP Remote Denial of Service Vulnerability 10/21/09 CVE 2009-2903 The Linux Kernel before 2.6.31.4 is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause a memory leak, denying service to legitimate users. Linux Kernel 2.4 and 2.6 Multiple Local Information Disclosure Vulnerabilities 10/09/09 The Linux kernel is prone to multiple local information-disclosure vulnerabilities. 
Local attackers can exploit these issues to obtain sensitive information that may lead to further attacks. Linux Kernel Multiple Protocols Local Information Disclosure Vulnerabilities 09/18/09 The Linux kernel before 2.6.31-rc7 is prone to multiple local information-disclosure vulnerabilities. Local attackers can exploit these issues to obtain sensitive information that may lead to further attacks. Linux Kernel sock_sendpage() NULL Pointer Dereference Vulnerability 09/01/09 CVE 2009-2692 The Linux kernel is prone to a local NULL-pointer dereference vulnerability. A local attacker can exploit this issue to execute arbitrary code with superuser privileges or crash an affected kernel, denying service to legitimate users. Versions prior to the Linux kernel 2.4.37.5 and 2.6.31-rc6 are vulnerable. Linux Kernel CIFS String Conversion Multiple Vulnerabilities 06/03/09 The Linux Kernel before 2.6.30-rc5 is prone to multiple vulnerabilities affecting the CIFS (Common Internet File System) implementation. Successfully exploiting these issues may allow remote attackers to execute arbitrary code with kernel-level privileges, resulting in the complete compromise of affected computers. Linux Kernel CAP_FS_SET Incomplete Capabilities List Access Validation Vulnerability 05/20/09 The Linux Kernel is prone to an unauthorized-access vulnerability because of an error in the definition of the CAP_FS_SET capabilities mask. This issue has been demonstrated to impact the NFS and VFS filesystems; other applications or kernel components may provide additional attack vectors. Linux Kernel inet6_hashtables.c NULL Pointer Dereference Denial of Service Vulnerability 05/14/09 CVE 2009-1360 The Linux kernel before 2.6.29 is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. 
Linux Kernel CIFS decode_unicode_ssetup Remote Buffer Overflow Vulnerability 05/06/09 CVE 2009-1633 The Linux kernel 2.6.29.1 and prior are prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Linux Kernel /proc/net/rt_cache Remote Denial of Service 04/01/09 CVE 2009-0778 The Linux kernel before 2.6.25 is prone to a remote denial-of-service vulnerability because it fails to properly flush the '/proc/net/rt_cache' file under some conditions. Attackers can exploit this issue to cause the kernel to fail to respond to network traffic, denying service to legitimate users. Linux Kernel nfsd CAP_MKNOD Security Bypass 03/24/09 CVE 2009-1072 A security bypass vulnerability exists in the Linux kernel. The vulnerability is due to an insecure design in the Linux kernel when handling the NFS request, MKNOD. By sending a crafted NFS MKNOD request to a target system, a remote attacker can leverage this vulnerability to create a device on a target system. Linux Kernel /ipc/shm.c Local Denial of Service Vulnerability 03/24/09 CVE 2009-0859 The Linux kernel before 2.6.28.5 is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to cause the Linux kernel to lock up, resulting in a denial-of-service condition. Linux Kernel Kprobe Memory Corruption Vulnerability 03/03/09 CVE 2009-0605 The Linux kernel before 2.6.28.5 is prone to a memory-corruption vulnerability because of a design flaw in the Kprobe system. Local attackers could exploit this issue to cause denial-of-service conditions. Linux Kernel inotify_read() Local Denial of Service Vulnerability 02/27/09 CVE 2009-0935 The Linux kernel before 2.6.28.3 is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to cause an oops condition in the Linux kernel, which may cause a denial of service. 
Linux Kernel make_indexed_dir() Local Denial of Service Vulnerability 02/27/09 The Linux kernel before 2.6.27.14 is prone to a local denial-of-service vulnerability because it fails to properly handle malformed filesystem images. Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Note that to exploit this issue, attackers must be able to mount appropriate filesystem types, which may require membership in a privileged group or root access. Linux Kernel dell_rbu Local Denial of Service Vulnerabilities 02/16/09 CVE 2009-0322 The Linux kernel before 2.6.28.2 is prone to two denial-of-service vulnerabilities. A local unprivileged attacker can exploit these issues to cause a vulnerable system to crash, resulting in denial-of-service conditions. Linux Kernel readlink Local Privilege Escalation Vulnerability 02/16/09 CVE 2009-0269 The Linux kernel before 2.6.28.1 is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with superuser privileges or crash the affected kernel, denying service to legitimate users. Linux Kernel keyctl_join_session_keyring() Denial of Service Vulnerability 02/06/09 CVE 2009-0031 The Linux kernel before 2.6.29-rc2-git1 is prone to a denial-of-service vulnerability because it fails to manage memory in a proper manner. Attackers can exploit this issue to cause a crash by exhausting memory resources. Linux Kernel FWD-TSN Chunk Remote Buffer Overflow Vulnerability 01/12/09 CVE 2009-0065 The Linux kernel 2.6.28 and prior are prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. 
__qdisc_run Denial of Service 12/26/08 CVE 2008-5713 A vulnerability exists in the __qdisc_run function on kernels prior to 2.6.25 that allows a local user to send large amounts of data in UDP stream mode which causes a denial of service. Minimum Time SG_IO Denial of Service 12/26/08 CVE 2008-5700 Linux kernels prior to 2.6.27.9 do not set minimum times for SG_IO requests. This allows local users to cause a denial of service by running multiple instances of an unspecified test program. Linux Kernel ac_ioctl() Local Buffer Overflow 12/26/08 Linux Kernels prior to 2.6.28-rc1 are vulnerable to a denial of service caused by inadequate boundary checking on user supplied data. Local users may be able to exploit this to crash the system or run arbitrary code. ATM vcc Table Corruption Denial of Service 12/26/08 CVE 2008-5079 Systems running kernels 2.6.27.8 or lower are vulnerable to a denial of service when a local user makes two svc_listen calls for the same socket followed by reading a /proc/net/atm/*vc file. Despite the second call's failure to return a socket, an unassigned socket is created that causes the kernel to infinitely loop during the file read. Linux Kernel drivers/media/video/tvaudio.c Memory Corruption 12/04/08 Linux kernels before 2.6.28-rc5 are prone to a memory-corruption vulnerability because of insufficient boundary checks. A successful attack may cause the affected kernel to crash, effectively denying service to legitimate users. Linux Kernel hfs_cat_find_brec() Buffer Overflow 11/27/08 CVE 2008-5025 Linux kernels before 2.6.27.6 are prone to a DoS vulnerability. The vulnerability is caused due to a boundary error in the hfs_cat_find_brec() function and can be exploited to cause a buffer overflow via an overly large catalog name length. Linux Kernel Multiple Vulnerabilities fixed in 2.6.25.10 07/17/08 CVE 2008-2812 CVE 2008-3077 The vulnerabilities fixed in 2.6.25.10 allow local users to cause a denial of service or possibly gain privileges. 
Linux Kernel ASN.1 BER Decoding Vulnerability 06/26/08 CVE 2008-1673 Vulnerabilities exist in the ASN.1 BER decoder of the cifs and ip_nat_snmp_basic modules when calculating the buffer size. This can lead to remote code execution and denial of service. This vulnerability exists in versions prior to 2.4.36.6 of the 2.4 branch and prior to version 2.6.25.5 of the 2.6 branch. Linux Kernel Virtual Address Range Checking Denial of Service 05/28/08 CVE 2008-2137 The vulnerability is due to an error in the virtual address range checking of mmaped regions on the sparc architecture. Local attackers could exploit this vulnerability to corrupt the memory. Successful exploitation would result in a denial of service condition. Linux IPv6 Over IPv4 vulnerability 05/21/08 CVE 2008-2136 In Linux kernel 2.6, IPv6 over IPv4 tunneling is implemented in network driver sit.ko. In this driver, a function named ipip6_rcv() processes all received IPv4 packets with protocol value 0x29. The function extracts IPv6 data from encapsulating packets and delivers them to the proper tunnel endpoint. There exists a memory leak vulnerability in the Linux IPv6 over IPv4 tunneling driver. The vulnerable code resides in function ipip6_rcv(). The minimum size of an IPv6 header is 40 bytes. If an IPv6 over IPv4 tunneling packet has less than 40 bytes of IPv4 payload, the encapsulated IPv6 packet does not have a complete header. In this case, the vulnerable code fails to release the memory block that stores the malicious packet. Since memory allocated by a Linux kernel driver cannot be swapped out, repeating the attack will eventually exhaust all available memory resources and render the target host inaccessible. Resolution Install an updated kernel package from your Linux vendor, or upgrade Linux kernel to a version higher than 2.6.39.4 for 2.6.x, 3.0.69 or higher for 3.0.x, 3.2.41 or higher for 3.2.x, 3.4.36 or higher for 3.4.x, or 3.8.3 or higher for 3.8.x when available. Where can I read more about this? 
The 'ipc/sem.c' Information Disclosure vulnerability was reported in Bugtraq ID 43809. The TSB I-TLB Load Local Privilege Escalation vulnerability was reported in Bugtraq ID 38393. The selinux_bprm_committing_creds() Security Bypass vulnerability was reported in Bugtraq ID 38175. The KVM 'pit_ioport_read()' Local Denial of Service vulnerability was reported in Bugtraq ID 38038. The Linux Kernel drivers/char/n_tty.c NULL Pointer Dereference Denial of Service vulnerability was reported in Bugtraq ID 37147. The Linux Kernel pipe.c Local Privilege Escalation vulnerability was reported in Bugtraq ID 36901. The Linux Kernel unix_stream_connect() Local Denial of Service vulnerability was reported in Bugtraq ID 36723. The Linux Kernel net/ax25/af_ax25.c Local Denial of Service vulnerability was reported in Bugtraq ID 36635. The Linux Kernel AppleTalk Driver IP Over DDP Remote Denial of Service vulnerability was reported in Bugtraq ID 36379. The Linux Kernel 2.4 and 2.6 Multiple Local Information Disclosure vulnerabilities were reported in Bugtraq ID 36304. The Linux Kernel Multiple Protocols Local Information Disclosure vulnerabilities were reported in Bugtraq ID 36176. The Linux Kernel sock_sendpage() NULL Pointer Dereference vulnerability was reported in Bugtraq ID 36038. The Linux Kernel CIFS String Conversion multiple vulnerabilities were reported in Bugtraq ID 34989. The Linux Kernel CAP_FS_SET Incomplete Capabilities List Access Validation vulnerability was reported in Bugtraq ID 34695. The Linux Kernel inet6_hashtables.c NULL Pointer Dereference Denial of Service vulnerability was reported in Bugtraq ID 34602. The Linux Kernel CIFS decode_unicode_ssetup Remote Buffer Overflow vulnerability was reported in Bugtraq ID 34612. The Linux Kernel /proc/net/rt_cache Remote Denial of Service vulnerability was reported in Bugtraq ID 34084. The Linux Kernel nfsd CAP_MKNOD Security Bypass vulnerability was reported in Bugtraq ID 34205. 
The Linux Kernel /ipc/shm.c Local Denial of Service vulnerability was reported in Bugtraq ID 34020. The Linux Kernel Kprobe Memory Corruption vulnerability was reported in Bugtraq ID 33758. The Linux Kernel inotify_read() Local Denial of Service vulnerability was reported in Bugtraq ID 33624. The Linux Kernel make_indexed_dir() Local Denial of Service vulnerability was reported in Bugtraq ID 33618. The Linux Kernel dell_rbu Local Denial of Service vulnerabilities were reported in Bugtraq ID 33428. The Linux Kernel readlink Local Privilege Escalation vulnerability was reported in Bugtraq ID 33412. The Linux Kernel keyctl_join_session_keyring() Denial of Service vulnerability was reported in Bugtraq ID 33339. The Linux Kernel FWD-TSN Chunk Remote Buffer Overflow vulnerability was reported in Bugtraq ID 33113. The __qdisc_run Minimum Time Delay Denial of Service vulnerability was reported in Bugtraq ID 32985. The Linux Kernel ac_ioctl() Local Buffer Overflow was reported in Bugtraq ID 32759. The ATM vcc Table Corruption Denial of Service and sendmsg() Local Denial of Service vulnerabilities were reported in Secunia Advisory SA32913. The Linux Kernel drivers/media/video/tvaudio.c Memory Corruption vulnerability was reported in Bugtraq ID 32327. The Linux Kernel hfs_cat_find_brec() Buffer Overflow was reported in Secunia Advisory SA32719. The Linux Kernel multiple vulnerabilities fixed in 2.6.25.10 were reported in FrSIRT/ADV-2008-2063. The Linux Kernel ASN.1 BER Decoding Vulnerability was reported in Secunia Advisory SA30580. The Linux IPv6 Over IPv4 vulnerability was posted to Bugtraq, and Secunia. The Linux Kernel Virtual Address Range Checking Denial of Service vulnerability was posted to Bugtraq, and Secunia. 
Technical Details Service: ssh Linux Kernel version prior to 2.4.36.6 or 2.6 prior to 2.6.25.5 and patch not applied OpenSSH 3.6.1p2 is vulnerable Severity: Critical Problem CVE: CVE-2003-0190 CVE-2003-0386 CVE-2003-0682 CVE-2003-0693 CVE-2003-0695 CVE-2003-1562 CVE-2004-2069 CVE-2005-2797 CVE-2005-2798 CVE-2006-0225 CVE-2006-4924 CVE-2006-4925 CVE-2006-5051 CVE-2006-5052 CVE-2007-4752 CVE-2008-1483 CVE-2008-1657 CVE-2008-3259 CVE-2008-5161 Updated 02/18/11 Impact This document describes some vulnerabilities in the OpenSSH cryptographic login program. Outdated versions of OpenSSH may allow a malicious user to log in as another user, to insert arbitrary commands into a session, or to gain remote root access to the OpenSSH server. Background Secure Shell, or ssh, is a program used to log into another computer over a network, execute commands on a remote machine and move files from one machine to another. It provides strong authentication and secure communications over unsecure communication channels. ssh is intended as a replacement for rlogin, rsh and rcp. Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections. Traditional BSD "r" commands, such as rsh, rlogin and rcp, are vulnerable to a variety of different hacker attacks. A user with "root" access to certain machines on the network, or physical access to the network itself, may be able to gain unauthorized access to systems by exploiting various vulnerabilities found in the BSD "r" commands. Also, it may be possible for a malicious user to log all traffic to and from a target system, including keystrokes and passwords. The X Window System also has a number of vulnerabilities which may be exploited by hackers. The use of ssh helps to correct these vulnerabilities. 
Specifically, ssh protects against these attacks: IP spoofing (where the spoofer is on either a remote or local host), IP source routing, DNS spoofing, interception of cleartext passwords/data and attacks based on listening to X authentication data and spoofed connections to an X11 server. OpenSSH is an open-source implementation of the ssh protocol. It was originally developed for OpenBSD but a portable version is available for other operating systems. The Problems CBC Mode Information Disclosure Vulnerability 02/01/11 CVE 2008-5161 Versions of OpenSSH before v5.2 are vulnerable to an information disclosure exploit through which a man-in-the-middle attacker might compromise the encryption and expose unencrypted plaintext. The overall risk posed by this vulnerability is limited because: 1. the attack is unsubtle, and is likely to be noticed by an interactive user (their OpenSSH session is disconnected by the attempt), 2. the probability of the attack being successful is low (a maximum of one chance in 2^14 = 16384), and 3. the quantity of plaintext that might be exposed is small (a maximum of 32 bits = 4 bytes). Most vulnerable would be a non-interactive, computer-to-computer connection which is set up to tolerate an unlimited number of disconnections and to reconnect endlessly and very quickly; the OpenSSH developers estimate that, in such a situation, an attacker might expose an average of 44 bits (= 5-6 bytes) of plaintext per hour. Newer versions of OpenSSH (v5.2 and later) avoid this vulnerability. Older versions of OpenSSH can be configured to eliminate this vulnerability. X11UseLocalhost X11 Forwarding Session Hijacking Vulnerability 08/06/08 CVE 2008-3259 OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address. 
ForceCommand Security Bypass 04/07/08 CVE 2008-1657 Versions of OpenSSH prior to 4.9 have a vulnerability which might allow local attackers to bypass intended security restrictions and execute commands other than those specified by ForceCommand if they are able to write to their home directory. Forward X connections hijack 03/31/08 CVE 2008-1483 Versions of OpenSSH prior to 4.9 allow local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port. X11 Security Bypass 10/26/07 CVE 2007-4752 ssh in OpenSSH before 4.7 has a problem handling the situation when an untrusted cookie cannot be created and then in turn uses a trusted X11 cookie instead. This allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted. Vulnerabilities fixed in 4.4 09/28/06 CVE 2006-4924 CVE 2006-4925 CVE 2006-5051 CVE 2006-5052 OpenSSH versions prior to 4.4 have a number of vulnerabilities including a pre-authentication denial of service which applies only where SSHv1 is being used, a pre-authentication denial of service and information gathering, and a pre-authentication Buffer Overflow that could result in command Execution. Local SCP Shell Command Execution 02/05/06 CVE 2006-0225 OpenSSH 4.2 and earlier have a local SCP shell command execution issue due to a failure of the application to properly sanitize user-supplied input prior to utilizing it in a "system()" function call. Potential GatewayPorts and GSSAPI vulnerabilities 9/13/05 CVE 2005-2797 CVE 2005-2798 OpenSSH 4.2 fixed two potential vulnerabilities. Firstly, GatewayPorts could be incorrectly activated for dynamic port forwardings when no listen address was explicitly specified. Secondly, GSSAPI credentials could be delegated to users who log in with methods other than GSSAPI authentication. 
These vulnerabilities could allow unauthorized proxy access or disclosure of credentials in certain configurations. LoginGraceTime denial of service CVE 2004-2069 When OpenSSH uses privilege separation, it does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, thus leaving the connection open. This allows remote attackers to cause a denial of service by using up all available connections. OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions are affected by this vulnerability. PAM keyboard-interactive authentication weakness CVE 2003-1562 OpenSSH is affected by an authentication weakness when PermitRootLogin is disabled and PAM keyboard-interactive authentication is enabled. OpenSSH does not insert a delay after a root login attempt with the correct password, enabling remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful. This could allow the attacker to guess the root password. OpenSSH 3.9 and earlier are affected by this vulnerability. Multiple OpenSSH buffer management vulnerabilities 9/18/03 CVE 2003-0682 CVE 2003-0693 CVE 2003-0695 There are multiple buffer management vulnerabilities in OpenSSH that are caused by an incorrect amount of memory being cleared. These vulnerabilities could allow remote attackers to cause a denial of service or execute arbitrary code. OpenSSH versions 3.7.1 and earlier are vulnerable, although some of the vulnerabilities have been fixed in version 3.7.1. To completely resolve this vulnerability, upgrade to version 3.7.2 when available, or install a fix from your vendor. Fixes are available from Red Hat, FreeBSD, SuSE, Debian, and Cisco. Portable OpenSSH PAM vulnerabilities 9/29/03 CVE 2003-0786 CVE 2003-0787 Portable OpenSSH server versions 3.7p1 and 3.7.1p1 contain two vulnerabilities in the new PAM (Pluggable Authentication Module) code. 
The most serious problem could allow a remote attacker to authenticate as any user by providing a null (blank) password. This is due to PAM challenge response authentication ignoring the result of the authentication with Privilege Separation off. The second vulnerability occurs when the PAM conversation function interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges. In order to be vulnerable, the server must satisfy all the following conditions: have been compiled with PAM support; have PAM enabled; have privilege separation disabled; allow challenge-response authentication using the SSH v1 protocol. The OpenBSD version of OpenSSH is not vulnerable. Portable OpenSSH version 3.7p1 and 3.7.1p1 are vulnerable. Older versions are not vulnerable. Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config). 12/8/04 CVE 2003-0190 Another vulnerability affects portable OpenSSH 3.6.1p1 and earlier with PAM enabled on certain operating systems, including Linux and Mac OS. The response time when attempting to authenticate an existing user is longer than the response time when the user does not exist, allowing an attacker to verify the existence of account names. This could facilitate a brute-force password guessing attack. Reverse DNS Lookup Access Control Bypass CVE 2003-0386 OpenSSH 3.6.1 and earlier are affected by an access control bypass vulnerability. An attacker could log in from an unauthorized host if that host's reverse DNS hostname contains the numeric IP address of an allowed host. This vulnerability only exists if the OpenSSH service restricts host access by numeric IP addresses and has VerifyReverseMapping disabled. An attacker would need to control the reverse DNS server for his own IP address in order to exploit this vulnerability. Resolution Upgrade to OpenSSH version 5.8 or higher, or install a fix from your operating system vendor. 
Where can I read more about this? The CBC Mode Information Disclosure Vulnerability was announced by CPNI as Disclosure 3716 / CPNI-957037, with details documented in this advisory. Bugtraq ID 32319 includes an archived discussion and a page of references with links to vendors of various affected implementations of SSH. CERT posted Vulnerability Note VU#958563, which also has links to vendors' sites. The developers of OpenSSH summarize this issue on their security page with details and analysis in this advisory. Background information on the Cipher Block Chaining (“CBC”) mode is available from NIST and Wikipedia. The X11UseLocalhost X11 Forwarding Session Hijacking vulnerability was reported in Bugtraq ID 30339. The ForceCommand Security Bypass was reported in Secunia Advisory SA29602. The Forward X connections hijack was reported in Secunia Advisory SA29522. The X11 Security Bypass was reported in Bugtraq ID 25628. The vulnerabilities fixed by 4.4 were reported in OpenSSH 4.4 release. The local SCP shell command execution vulnerability was reported in OpenSSH 4.3 release and Red Hat Bugzilla ID 168167. The GatewayPorts and GSSAPI vulnerabilities were reported in the OpenSSH mailing list. The LoginGraceTime denial of service was posted to openssh-unix-dev. The PAM keyboard-interactive authentication weakness was reported in Bugtraq ID 7482. The OpenSSH buffer management vulnerabilities are described in CERT Advisory 2003-24, Red Hat Security Advisory 2003:280, and a Bugtraq posting. The Portable OpenSSH PAM vulnerabilities are described in the Portable OpenSSH Security Advisory, the OpenPKG Security Advisory, and Bugtraq. The reverse DNS lookup access control bypass was reported in Bugtraq. 
Technical Details Service: ssh possible vulnerability in ProFTP 1.2.8 Severity: Critical Problem CVE: CVE-2003-0831 CVE-2004-0346 CVE-2004-1602 CVE-2005-2390 CVE-2005-4816 CVE-2006-5815 CVE-2006-6170 CVE-2006-6171 CVE-2006-6563 CVE-2007-2165 CVE-2008-4242 CVE-2010-3867 CVE-2010-4652 CVE-2011-4130 CVE-2012-6095 Updated 01/09/13 Summary Several versions of the ProFTPD server have a variety of vulnerabilities. Impact Attackers exploiting these vulnerabilities may be able to execute arbitrary commands, perhaps with root privileges, gain unauthorized access, or disrupt service on a target system. Background The File Transfer Protocol (FTP) is a method of transferring files between computer systems using client and server processes, defined by Internet standard RFC 959. ProFTPD is a free-and-open-source implementation of an FTP server. The Problems Race Condition Privilege Escalation Vulnerability 01/09/13 CVE 2012-6095 ProFTPD 1.3.3 and prior are prone to a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a race condition when handling the MKD and XMKD FTP commands, which can be exploited to gain escalated privileges by e.g. overwriting arbitrary files via symlink attacks. Response Pool Use-After-Free Vulnerability 11/17/11 CVE 2011-4130 ProFTPD before 1.3.3g is prone to a vulnerability, which can be exploited by malicious users to compromise a vulnerable system. The vulnerability is caused due to a use-after-free error when handling response pool allocation lists and can be exploited to corrupt memory. Successful exploitation may allow execution of arbitrary code. 'mod_sql' Remote Heap Based Buffer Overflow Vulnerability 12/03/10 CVE 2010-4652 ProFTPD 1.3.3c and prior are prone to a remote heap-based buffer-overflow vulnerability. Attackers can exploit this vulnerability to execute arbitrary code with SYSTEM-level privileges. 
Failed exploit attempts will result in a denial-of-service condition. Multiple Remote Vulnerabilities in 1.3.3 11/09/10 CVE 2010-3867 ProFTPD 1.3.3 and prior are prone to a remote stack-based buffer-overflow vulnerability and a directory-traversal vulnerability because the application fails to perform adequate boundary checks on user-supplied data. A remote attacker can exploit the buffer-overflow vulnerability to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will result in a denial-of-service condition. A remote attacker can exploit the directory-traversal vulnerability to download and upload arbitrary files outside of the FTP server root directory. Authentication Delay Username Enumeration Vulnerability 07/09/10 CVE 2004-1602 A timing attack vulnerability exists in ProFTPD that could allow an attacker to enumerate the login names of users with accounts on the system. Long Command Handling Security 10/03/08 CVE 2008-4242 ProFTPD 1.3.1 and prior are prone to a security vulnerability, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability is caused due to the application truncating an overly long FTP command, and improperly interpreting the remainder string as a new FTP command. Auth API Multiple Authentication Modules Security Bypass 07/02/07 CVE 2007-2165 The Auth API in ProFTPD 1.3.1rc2 and 1.3.0a and prior, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication. Additional vulnerability in ProFTPD 1.3.0a 12/22/06 CVE 2006-6563 ProFTP version 1.3.0a and prior have a vulnerability in the mod_ctrls module. This vulnerability allows for a local stack based buffer overflow. ProFTP must be compiled with the mod_ctrls support and the module must be enabled. 
Vulnerabilities in ProFTPD 1.3.0a 12/01/06 CVE 2006-6170 CVE 2006-6171 ProFTP version 1.3.0a and prior have two vulnerabilities, one when the mod_tls module is used and the other when the CommandBufferSize option is used. The first causes a buffer overflow and remote code execution, the second causes a buffer underflow which has unknown effects. .message file overflows 11/30/06 CVE 2006-5815 ProFTP is subject to a vulnerability caused by an overflow in the .message files that can be set to display whenever a user enters a directory. To be vulnerable to this vulnerability, an attacker must have authenticated access (including anonymous) and the system must be set to display .message files on entering directories. Versions prior to 1.3.0a are vulnerable. mod_radius Buffer Overflow 02/14/06 CVE 2005-4816 ProFTPD's mod_radius is vulnerable to a buffer overflow issue due to insufficient boundary checking. This only applies if mod_radius has been enabled. ProFTPD versions 1.3.0rc2 and earlier are vulnerable. Shutdown Format String Vulnerability 08/04/05 CVE 2005-2390 ProFTPD is affected by a format string vulnerability when displaying a shutdown message containing the name of the current directory. An FTP user could execute arbitrary commands by creating a specially crafted directory name containing format string characters, and being in that directory when the shutdown message is sent. ProFTPD 1.3.0rc1 and earlier are affected by this vulnerability if the shutdown message contains %C, %R, or %U. A second format string vulnerability affects the same versions of ProFTPD if the SQLShowInfo directive is set and an FTP user can control the contents of the database. ASCII mode buffer overflow 09/23/03 CVE 2003-0831 During ASCII mode file transfers, ProFTPD examines file data in 1024-byte chunks for newline characters. 
A buffer overflow condition in this procedure could allow a remote attacker to execute arbitrary commands by uploading a specially crafted file to the server, and then downloading the same file. This vulnerability can only be exploited remotely if the attacker has access to a valid FTP account on the server, with the ability to upload files from that account. The anonymous account can be used for this purpose if it is enabled and configured to allow file uploads. Although ProFTPD normally downgrades itself to an unprivileged account, it is possible to bypass this safeguard, thus allowing code execution with root privileges. 03/05/04 CVE 2004-0346 A version of ProFTPD containing a fix for the above vulnerability was released on September 23, 2003. However, the patch introduced a new off-by-one buffer overflow, which, together with an existing off-by-one buffer overflow, leads to a two-byte buffer overflow condition which could allow an authenticated user to gain root access. ProFTPD versions prior to 1.2.9 rc3 are affected. Resolution Upgrade ProFTPD to 1.3.4 or higher. Please see the ProFTPD Project's general instructions on upgrading the software. If your copy of the ProFTPD server daemon is part of a larger software distribution, check with your software vendor for a newer or patched version. All FTP server processes must run as root, at least during some parts of their operation, in order to bind to the reserved low-numbered network ports that are specified in the FTP standard. The ProFTPD Project reminds administrators that, for greater security, the server should be configured to run under an unprivileged user ID at all times when root privileges are not essential. Administrators with even stronger security requirements may want to configure the server to run entirely without root privileges, at the cost of some inconvenience. 
In some cases, disallowing anonymous ftp access, or removing write permissions from all directories accessible by anonymous ftp could serve as a workaround. However, this will only be an effective solution for those vulnerabilities which, as noted above, require the attacker to create files or directories on the server. You will still need to upgrade ProFTPD to fix the other vulnerabilities. Finally, ftp access can be restricted by using TCP wrappers. Where can I read more about this? The security of FTP, in general, is discussed in RFC 2577. Security issues for ProFTPD, in specific, are addressed in the ProFTPD User's Guide. The Race Condition Privilege Escalation vulnerability was reported in Secunia Advisory SA51761. The Response Pool Use-After-Free vulnerability was reported in Secunia Advisory SA46811. The 'mod_sql' Remote Heap Based Buffer Overflow vulnerability was reported in Bugtraq ID 44933. The multiple remote vulnerabilities in 1.3.3 were reported in Bugtraq ID 44562. The Authentication Delay Username Enumeration Vulnerability was reported on the Bugtraq Mailing List. Additional information is available by referencing Bugtraq ID 11430. The Long Command Handling Security vulnerability was reported in Secunia Advisory SA31930. The auth API multiple authentication modules security bypass was reported in Secunia Advisory SA24867. The additional 1.3.0a vulnerabilities were reported in Bugtraq ID 21587. The 1.3.0a vulnerabilities were reported in Secunia Advisory SA22821 and Secunia Advisory SA23141. The .message vulnerability was reported in Bugtraq ID 20992. More information about the vulnerabilities in ProFTPD can be found in ProFTPD bug 2658, Secunia Advisory SA16181, ProFTPD bug 2267, Bugtraq, CA-2000-13, CA-1999-03, Bugtraq archive 160902, and Bugtraq archive 169395. 
Technical Details Service: ftp Received: 220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [linux32] bzip2 vulnerable version: 1.0.2 Severity: Area of Concern Updated 09/12/11 CVE: CVE-2010-0405 Impact Vulnerability in BZIP2 could allow a remote attacker to execute arbitrary commands which may cause a denial of service. Background bzip2 is a free and open source data compressor. The Problems Integer Overflow Vulnerability 09/12/11 CVE 2010-0405 Bzip2 version 1.0.6 fixed an integer overflow vulnerability in which attackers could inject a specially crafted bz2 file. Successful exploits may cause a denial of service. Resolution Upgrade to bzip2 1.0.6 or higher when available. Where can I read more about this? The Integer Overflow Vulnerability was reported in Bugtraq ID 43331. Technical Details Service: ssh Sent: bzip2 --help Received: bzip2, a block-sorting file compressor. Version 1.0.2, 30-Dec-2001. vulnerable Emacs version: 21.3.1 Severity: Area of Concern CVE: CVE-2007-2833 CVE-2008-1694 CVE-2008-2142 Updated 08/21/12 Impact Vulnerabilities in Emacs allow for application crash when loading a malformed crafted file, and arbitrary code execution. Background Emacs is a text editor. The Problems "fast-lock-mode" File Processing Vulnerability 05/20/08 CVE 2008-2142 Emacs versions 21.x have a vulnerability if font-lock-support-mode is set to fast-lock-mode. This vulnerability allows an attacker to execute arbitrary Emacs Lisp code by placing a corresponding .flc file in the same directory as a source file loaded by the user of the vulnerable Emacs. Privilege Elevation from vcdiff with SCCS 05/13/08 CVE 2008-1694 Emacs versions 20.7, 21.x and 22.x through 22.2 have a privilege elevation due to a vulnerability in the vcdiff utility when used with SCCS. This allows local users to overwrite arbitrary files via a symlink attack on temporary files. 
GIF Image size denial of service 09/11/07 CVE 2007-2833 Emacs version 21 has a denial of service vulnerability when attempting to load a crafted GIF image. This vulnerability is caused by a failure to correctly calculate the GIF size. Resolution Emacs should be updated to a version higher than 24.1 when available. A patch for CVE-2008-1694 is available. Contact your Linux vendor for upgrades within version 22. Where can I read more about this? The "fast-lock-mode" file processing vulnerability was reported in Secunia Advisory SA30199. The Privilege Elevation from vcdiff with SCCS was reported in Secunia Advisory SA29905. The GIF image size denial of service was reported in Bugtraq ID 24570. Technical Details Service: ssh Sent: emacs --version Received: GNU Emacs 21.3.1 vulnerable GNU tar version: 1.13.25 Severity: Area of Concern CVE: CVE-2006-0300 CVE-2006-6097 CVE-2007-4131 CVE-2007-4476 Updated 09/11/07 Impact GNU Tar may be halted (denial of service) from a malformed TAR file. This vulnerability may also allow for the execution of arbitrary code. GNU Tar allows for directory traversal from a malformed TAR file. Background The GNU tar program is the GNU version of the tar archive program. The Problem Crashing Stack buffer overflow 09/11/07 CVE 2007-4476 GNU tar 1.16 and prior have a buffer overflow in the safer_name_suffix function. This has unspecified attack vectors and impact, resulting in a "crashing stack." GNU Tar slash slash dot dot directory traversal 08/30/07 CVE 2007-4131 GNU tar 1.16 and prior have a directory traversal vulnerability which allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. GNU Tar GNUTYPE_NAMES Remote Directory Traversal Vulnerability 12/01/06 CVE 2006-6097 GNU tar 1.16 and prior allow user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link. 
GNU Tar PAX Extended Headers Handling Buffer Overflow 03/06/06 CVE 2006-0300 A buffer overflow vulnerability exists in the GNU Tar archive utility. The flaw is specific to processing PAX archives which contain extended headers. An attacker may cause the affected program to terminate by enticing a user to download and process a malicious archive file. In addition, it may be possible to execute arbitrary code with the same vulnerability. Versions 1.14, 1.14.90, 1.15, and 1.15.1 are vulnerable. Resolution The slash slash dot dot directory traversal can be patched. Upgrade to a version higher than GNU tar 1.16. Where can I read more about this? The crashing stack buffer overflow was reported in Secunia Advisory SA26674. The GNU Tar slash slash dot dot directory traversal was reported in Bugtraq ID 25417. The GNUTYPE_NAMES remote directory traversal vulnerability was reported in Bugtraq ID 21235. The PAX extended header vulnerability was reported in Bugtraq ID 16764. Technical Details Service: ssh sent: tar --version received: tar (GNU tar) 1.13.25 vulnerability in GnuPG version 1.2.3 Severity: Area of Concern CVE: CVE-2006-3746 CVE-2006-6169 CVE-2006-6235 CVE-2007-1263 Updated 08/18/10 Impact Vulnerabilities in GnuPG allow for denial of service or execution of arbitrary code when processing a malformed file. Background GnuPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard. Versions 1.9.x and 2.x have S/MIME. The Problems Signed Message Forgery vulnerability 03/19/07 CVE 2007-1263 GnuPG has a message forgery vulnerability where text insertion into an otherwise signed message could be exploited to forge the content of a signed message. Versions 1.x prior to 1.4.7 and 2.x prior to 2.0.3 are affected. Stack Overwrite vulnerability 12/12/06 CVE 2006-6235 GnuPG has a stack overwrite vulnerability leading to arbitrary code execution. Versions 1.x before 1.4.6, 1.9.0 through 1.9.95 and 2.x before 2.0.2 are vulnerable. 
make_printable_string overflow vulnerability 12/01/06 CVE 2006-6169 GnuPG 1.4 and 2.0 have a buffer overflow in the ask_outfile_name function in openfile.c which, when running interactively, might allow attackers to execute arbitrary code via messages that cause the make_printable_string function to return a longer string than expected while constructing a prompt. Message Packet Length Handling Integer Overflow 08/07/06 CVE 2006-3746 GnuPG version 1.4.4 and prior and GnuPG with S/MIME 1.9.19 and prior have a vulnerability caused by an overflow in the Message Packet Length field. The processing of a malformed email or web page can cause a crash of the vulnerable application or execution of arbitrary code in the security context of the currently running process. Resolution Upgrade to GnuPG version 1.4.9 or higher or 2.0.17 or higher. Another option is to upgrade from your Linux vendor. Where can I read more about this? The content forgery vulnerability was reported in Secunia Advisory SA24365. The stack overwrite vulnerability was reported in Bugtraq ID 21462. The make_printable_string overflow vulnerability was reported in Secunia Advisory SA23094. The message packet length handling integer overflow vulnerability was reported in Bugtraq ID 19110. Technical Details Service: ssh Sent: gpg --version Received: gpg (GnuPG) 1.2.3 vulnerable gzip version: 1.2.4 Severity: Area of Concern CVE: CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338 CVE-2009-2624 CVE-2010-0001 Updated 02/17/10 Impact Vulnerabilities in gzip allow for denial of service or execution of remote code when a file is decompacted using gunzip. Background gzip is a compression/decompression product. The Problems Multiple Vulnerabilities in gzip 1.3.12 and prior 02/17/10 CVE 2009-2624 CVE 2010-0001 GNU gzip is prone to remote integer overflow and code execution vulnerabilities because it fails to sufficiently validate an integer value before using it to index an array. 
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition. Denial of Service and Remote Code Execution in 1.3.5 09/22/06 CVE 2006-4334 CVE 2006-4335 CVE 2006-4336 CVE 2006-4337 CVE 2006-4338 There are a number of vulnerabilities in gzip which allow for remote code execution and denial of service when running gunzip on a malicious archive file. The vulnerabilities affect files compressed with the LZH compression, pack and other formats. Versions 1.3.5 and prior are affected. Resolution Upgrade to a version of gzip higher than 1.3.12 when available. Where can I read more about this? The multiple vulnerabilities in gzip 1.3.12 and prior were reported in Bugtraq ID 37886, Bugtraq ID 37888. The denial of service and remote code execution in 1.3.5 were reported in Secunia Advisory SA21996. Technical Details Service: ssh sent: gzip -V received: gzip 1.2.4 (18 Aug 93) vulnerable version of perl: 5.8.1 Severity: Area of Concern CVE: CVE-2007-5116 CVE-2008-1927 CVE-2009-3626 CVE-2011-1487 CVE-2011-2728 CVE-2011-2939 CVE-2012-6329 Updated 03/11/13 Impact Vulnerabilities in the perl interpreter allow arbitrary code to be executed, and cause an affected application to crash. Also, local users may be able to modify permissions of arbitrary files, or bypass certain security features. Background perl is an interpreter for the Perl language. The Problems Locale::Maketext Code Injection Vulnerabilities 01/11/13 CVE 2012-6329 Perl before 5.17.7 is prone to multiple vulnerabilities, which can be exploited by malicious users to compromise an application using the Locale::Maketext module. Digest "Digest->new()" Code Injection Vulnerability 10/07/11 Perl 5.14.2 and prior are prone to a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. 
The vulnerability is caused due to a vulnerability in the included Digest module. "decode_xs()" and "File::Glob::bsd_glob()" Vulnerabilities 11/05/11 CVE 2011-2728 CVE 2011-2939 Perl before 5.14.2 is prone to two vulnerabilities: An error within the "File::Glob::bsd_glob()" function when handling the GLOB_ALTDIRFUNC flag can be exploited to cause an access violation and potentially execute arbitrary code. An error within the "decode_xs()" function in Encode can be exploited to cause a heap-based buffer overflow via specially crafted input. "uc()", "lc()", "lcfirst()", and "ucfirst()" Taint Mode Bypass Vulnerability 04/11/11 CVE 2011-1487 Perl 5.12.3 and prior are prone to a vulnerability, which can be exploited by malicious people to bypass certain security features. The weakness is caused due to the "uc()", "lc()", "lcfirst()", and "ucfirst()" functions incorrectly laundering tainted data, which can result in the unintended use of potentially malicious data after using these functions. UTF-8 Regular Expression Processing Remote Denial of Service Vulnerability 11/18/09 CVE 2009-3626 Perl 5.10.1 and prior are prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected application to crash, denying service to legitimate users. Unicode quoting double free vulnerability 05/12/08 CVE 2008-1927 perl 5.8.8 has a double free vulnerability which allows context-dependent attackers to cause a denial of service or execute arbitrary code via a crafted regular expression containing UTF8 characters. Perl Regular Expressions Unicode data buffer overflow 11/13/07 CVE 2007-5116 The perl interpreter contains a boundary error within the processing of regular expressions containing Unicode data. This can be exploited to cause a buffer overflow which can then be exploited for code execution. Resolution Perl should be upgraded to 5.17.7 or higher, or apply a fix from your vendor when available. Where can I read more about this? 
The Locale::Maketext Code Injection vulnerabilities were reported in Secunia Advisory SA51741. The Digest "Digest->new()" Code Injection vulnerability was reported in Secunia Advisory SA46299. The "decode_xs()" and "File::Glob::bsd_glob()" vulnerabilities were reported in Secunia Advisory SA46172. The "uc()", "lc()", "lcfirst()", and "ucfirst()" Taint Mode Bypass vulnerability was reported in Secunia Advisory SA43921. The UTF-8 Regular Expression Processing Remote Denial of Service vulnerability was reported in Bugtraq ID 36812. The Unicode quoting double free vulnerability and the Regular Expressions Unicode data buffer overflow vulnerability were reported in Secunia Advisory SA27546. Technical Details Service: ssh Sent: perl -v Received: This is perl, v5.8.1 built for i386-linux-thread-multi Vim Helptags remote code execution Severity: Area of Concern Updated 02/16/09 CVE: CVE-2007-2953 Impact Vulnerabilities in Vim allow for remote code execution when loading a malformed crafted file. Background Vim is an extension of the UNIX editor Vi. The Problems PySys_SetArgv Remote Command Execution 02/16/09 CVE 2009-0316 Vim before 7.2.45 is prone to a remote command-execution vulnerability. An attacker could exploit this issue by enticing an unsuspecting victim to execute the vulnerable application in a directory containing a malicious Python file. A successful exploit will allow arbitrary Python commands to run with the privileges of the currently logged-in user. Helptags remote code execution 08/13/07 CVE 2007-2953 Vim 7.1 without patch 39 and Vim 6.4 and prior are vulnerable to a remote code execution vulnerability when a malformed crafted file is loaded due to a format string vulnerability in the processing of helptags. Resolution Upgrade to 7.2 and patch with patch 45. Where can I read more about this? The PySys_SetArgv Remote Command Execution vulnerability was reported in Bugtraq ID 33447. 
The Helptags remote code execution vulnerability was reported in Secunia Advisory SA25941. Technical Details Service: ssh Vim version: 6.2 with patches 1-72 Vim PySys_SetArgv Remote Command Execution Severity: Area of Concern Updated 02/16/09 CVE: CVE-2009-0316 Impact Vulnerabilities in Vim allow for remote code execution when loading a malformed crafted file. Background Vim is an extension of the UNIX editor Vi. The Problems PySys_SetArgv Remote Command Execution 02/16/09 CVE 2009-0316 Vim before 7.2.45 is prone to a remote command-execution vulnerability. An attacker could exploit this issue by enticing an unsuspecting victim to execute the vulnerable application in a directory containing a malicious Python file. A successful exploit will allow arbitrary Python commands to run with the privileges of the currently logged-in user. Helptags remote code execution 08/13/07 CVE 2007-2953 Vim 7.1 without patch 39 and Vim 6.4 and prior are vulnerable to a remote code execution vulnerability when a malformed crafted file is loaded due to a format string vulnerability in the processing of helptags. Resolution Upgrade to 7.2 and patch with patch 45. Where can I read more about this? The PySys_SetArgv Remote Command Execution vulnerability was reported in Bugtraq ID 33447. The Helptags remote code execution vulnerability was reported in Secunia Advisory SA25941. Technical Details Service: ssh Vim version: 6.2 with patches 1-72 account lockout policy is weak (0) Severity: Potential Problem Created 02/03/12 Impact Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts. Background Most Unix-derived operating systems have ways to specify parameters for users which are either default settings used for creation of new users, or settings which can be enforced for all users. These policies can be used to improve security. 
The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limits re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts. The Problem One or more of the account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks. Resolution Edit the account policy, which requires different methods on different varieties of Unix-derived systems. Most current UNIX-style systems use the shadow file method to store encrypted passwords and some user settings (in the /etc/shadow file). Most of these systems also use Pluggable Authentication Module (PAM) modules to control minimum password length, password history, password complexity requirements, and account lockout. Linux systems have a file /etc/login.defs that contains various default settings, e.g., for minimum and maximum password age, which are inserted into the /etc/password file when a new user is created. Change the account policy settings to the recommended values. In a typical organization, these are: Minimum password length: 8 characters Enforce password history: 24 passwords remembered Maximum password age: 42 days Minimum password age: 2 days Account lockout threshold: 3 invalid logon attempts PCI requires that passwords contain letters and digits, but a stronger policy is to require three or four different types of characters, e.g., upper case letters, lower case letters, numbers, and symbols. 
Note that the minimum and maximum password age settings are really defaults that can generally be overridden for individual users. Also note that SAINT currently performs these checks only for Mac OS X starting with 10.5 Leopard, and Linux systems using standard Linux security and PAM modules. Where can I read more about this? See Hitachi ID Systems' white paper Password Policy Guidelines and documentation for your particular operating system. Technical Details Service: ssh 0 > 3 or 0 = 0 default maximum password age policy is weak (99999 days) Severity: Potential Problem Created 02/03/12 Impact Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts. Background Most Unix-derived operating systems have ways to specify parameters for users which are either default settings used for creation of new users, or settings which can be enforced for all users. These policies can be used to improve security. The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limits re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts. The Problem One or more of the account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks. Resolution Edit the account policy, which requires different methods on different varieties of Unix-derived systems. Most current UNIX-style systems use the shadow file method to store encrypted passwords and some user settings (in the /etc/shadow file). 
Most of these systems also use Pluggable Authentication Module (PAM) modules to control minimum password length, password history, password complexity requirements, and account lockout. Linux systems have a file /etc/login.defs that contains various default settings, e.g., for minimum and maximum password age, which are inserted into the /etc/password file when a new user is created. Change the account policy settings to the recommended values. In a typical organization, these are: Minimum password length: 8 characters Enforce password history: 24 passwords remembered Maximum password age: 42 days Minimum password age: 2 days Account lockout threshold: 3 invalid logon attempts PCI requires that passwords contain letters and digits, but a stronger policy is to require three or four different types of characters, e.g., upper case letters, lower case letters, numbers, and symbols. Note that the minimum and maximum password age settings are really defaults that can generally be overridden for individual users. Also note that SAINT currently performs these checks only for Mac OS X starting with 10.5 Leopard, and Linux systems using standard Linux security and PAM modules. Where can I read more about this? See Hitachi ID Systems' white paper Password Policy Guidelines and documentation for your particular operating system. Technical Details Service: ssh login.defs PASS_MAX_DAYS=99999 > 42 default minimum password age policy is weak (0 days) Severity: Potential Problem Created 02/03/12 Impact Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts. Background Most Unix-derived operating systems have ways to specify parameters for users which are either default settings used for creation of new users, or settings which can be enforced for all users. These policies can be used to improve security. 
The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limit re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts.

The Problem
One or more of the account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks.

Resolution
Edit the account policy, which requires different methods on different varieties of Unix-derived systems. Most current UNIX-style systems use the shadow file method to store encrypted passwords and some user settings (in the /etc/shadow file). Most of these systems also use Pluggable Authentication Module (PAM) modules to control minimum password length, password history, password complexity requirements, and account lockout. Linux systems have a file /etc/login.defs that contains various default settings, e.g., for minimum and maximum password age, which are inserted into the /etc/password file when a new user is created.

Change the account policy settings to the recommended values. In a typical organization, these are:

Minimum password length: 8 characters
Enforce password history: 24 passwords remembered
Maximum password age: 42 days
Minimum password age: 2 days
Account lockout threshold: 3 invalid logon attempts

PCI requires that passwords contain letters and digits, but a stronger policy is to require three or four different types of characters, e.g., upper case letters, lower case letters, numbers, and symbols.
Note that the minimum and maximum password age settings are really defaults that can generally be overridden for individual users. Also note that SAINT currently performs these checks only for Mac OS X starting with 10.5 Leopard, and Linux systems using standard Linux security and PAM modules.

Where can I read more about this?
See Hitachi ID Systems' white paper Password Policy Guidelines and documentation for your particular operating system.

Technical Details
Service: ssh
login.defs PASS_MIN_DAYS=0 < 2

minimum password length policy is weak (6)
Severity: Potential Problem
Created 02/03/12

Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.

Background
Most Unix-derived operating systems have ways to specify parameters for users which are either default settings used for creation of new users, or settings which can be enforced for all users. These policies can be used to improve security. The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limit re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts.

The Problem
One or more of the account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks.

Resolution
Edit the account policy, which requires different methods on different varieties of Unix-derived systems. Most current UNIX-style systems use the shadow file method to store encrypted passwords and some user settings (in the /etc/shadow file).
Most of these systems also use Pluggable Authentication Module (PAM) modules to control minimum password length, password history, password complexity requirements, and account lockout. Linux systems have a file /etc/login.defs that contains various default settings, e.g., for minimum and maximum password age, which are inserted into the /etc/password file when a new user is created.

Change the account policy settings to the recommended values. In a typical organization, these are:

Minimum password length: 8 characters
Enforce password history: 24 passwords remembered
Maximum password age: 42 days
Minimum password age: 2 days
Account lockout threshold: 3 invalid logon attempts

PCI requires that passwords contain letters and digits, but a stronger policy is to require three or four different types of characters, e.g., upper case letters, lower case letters, numbers, and symbols.

Note that the minimum and maximum password age settings are really defaults that can generally be overridden for individual users. Also note that SAINT currently performs these checks only for Mac OS X starting with 10.5 Leopard, and Linux systems using standard Linux security and PAM modules.

Where can I read more about this?
See Hitachi ID Systems' white paper Password Policy Guidelines and documentation for your particular operating system.

Technical Details
Service: ssh
/lib/security/pam_cracklib.so with effective minimum length 6 < 8

password history policy is weak (0)
Severity: Potential Problem
Created 02/03/12

Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.

Background
Most Unix-derived operating systems have ways to specify parameters for users which are either default settings used for creation of new users, or settings which can be enforced for all users. These policies can be used to improve security.
The minimum password length and password complexity requirements help ensure that a password cannot be easily guessed or cracked. The maximum password age helps limit the opportunity for intruders to use compromised passwords by requiring users to change their password regularly. The minimum password age and password history limit re-use of passwords to ensure that users cannot defeat this security precaution. Lockouts hinder brute-force password guessing attacks by disabling an account for a period of time after a number of failed login attempts.

The Problem
One or more of the account policy settings are weaker than the recommended settings. This leaves the system insufficiently protected from password attacks.

Resolution
Edit the account policy, which requires different methods on different varieties of Unix-derived systems. Most current UNIX-style systems use the shadow file method to store encrypted passwords and some user settings (in the /etc/shadow file). Most of these systems also use Pluggable Authentication Module (PAM) modules to control minimum password length, password history, password complexity requirements, and account lockout. Linux systems have a file /etc/login.defs that contains various default settings, e.g., for minimum and maximum password age, which are inserted into the /etc/password file when a new user is created.

Change the account policy settings to the recommended values. In a typical organization, these are:

Minimum password length: 8 characters
Enforce password history: 24 passwords remembered
Maximum password age: 42 days
Minimum password age: 2 days
Account lockout threshold: 3 invalid logon attempts

PCI requires that passwords contain letters and digits, but a stronger policy is to require three or four different types of characters, e.g., upper case letters, lower case letters, numbers, and symbols.
Note that the minimum and maximum password age settings are really defaults that can generally be overridden for individual users. Also note that SAINT currently performs these checks only for Mac OS X starting with 10.5 Leopard, and Linux systems using standard Linux security and PAM modules.

Where can I read more about this?
See Hitachi ID Systems' white paper Password Policy Guidelines and documentation for your particular operating system.

Technical Details
Service: ssh
/lib/security/pam_cracklib.so with remember=0 < 24

FTP server does not support AUTH
Severity: Potential Problem
Created 01/24/13

Impact
Passwords could be stolen if an attacker is able to capture network traffic to and from the FTP server.

Background
File Transfer Protocol (FTP) is a TCP protocol for transmitting files over a network. FTP Security Extensions were added to the original protocol to address the issue of cleartext passwords traversing the network. The FTP AUTH command invokes these extensions and allows the FTP client and server to negotiate a security protocol such as SSL.

The Problem
The target runs an FTP server which does not support FTP Security Extensions. Therefore, there is no mechanism for encrypting communication between the client and server, and FTP passwords could be captured by a network sniffer.

Resolution
Enable FTP Security Extensions on the FTP server. If the FTP server does not support Security Extensions, change to a different FTP server.

Where can I read more about this?
More information about FTP Security Extensions is available in RFC2228.

Technical Details
Service: ftp
Sent: AUTH SSL
Received: 500 AUTH not understood

ftp receives cleartext password
Severity: Potential Problem
Created 01/29/13

Impact
Passwords could be stolen if an attacker is able to capture network traffic to and from the FTP server.

Background
File Transfer Protocol (FTP) is a TCP protocol for transmitting files over a network.
A typical FTP session begins with the FTP client program sending a login name and password to the FTP server using the USER and PASS commands.

The Problem
FTP is a cleartext protocol. It does not require encryption between the client and server. Therefore, FTP passwords and file contents could be captured by an attacker, if the attacker is able to place a network sniffer somewhere between the client and the server.

Resolution
Disable the FTP server and use a more secure program such as SCP or SFTP to transfer files. If FTP cannot be disabled, restrict access using iptables or TCP Wrappers such that only addresses on a local, trusted network can connect.

Where can I read more about this?
For more information, see Protocols - The Problem With Cleartext.

Technical Details
Service: ftp
Received:
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [linux32]
500 GET not understood
221 Goodbye.

ICMP timestamp requests enabled
Severity: Potential Problem
Created 04/14/08
CVE: CVE-1999-0524

Impact
A remote attacker could obtain sensitive information about the network.

Background
The Internet Control Message Protocol (ICMP) is a protocol used primarily for sending diagnostic messages and error messages between computers. The protocol defines a number of different message types, including echo requests and replies (used by the ping utility) and destination unreachable messages.

The Problem
CVE 1999-0524
ICMP defines a number of message types which disclose information about a computer. These message types were designed to help synchronize computers on a network, but in practice are rarely needed and should be disabled to prevent attackers from using them. Such message types include:

Timestamp requests. These messages could be used by an attacker to determine the system's clock state, which could be used to defeat authentication mechanisms which rely on certain pseudo-random number generators.
Netmask requests.
These messages could be used by an attacker to gather information about a network's subnet structure.

Resolution
Configure the system or firewall not to allow ICMP timestamp requests (message type 13) or ICMP netmask requests (message type 17). Instructions for doing this on specific platforms are as follows:

Windows: Block these message types using the Windows firewall as described in Microsoft TechNet.

Linux: Use ipchains or iptables to filter ICMP netmask requests using the command:
    ipchains -A input -p icmp --icmp-type address-mask-request -j DROP
Use ipchains or iptables to filter ICMP timestamp requests using the commands:
    ipchains -A input -p icmp --icmp-type timestamp-request -j DROP
    ipchains -A output -p icmp --icmp-type timestamp-reply -j DROP
To ensure that this change persists after the system reboots, put the above command into the system's boot-up script (typically /etc/rc.local).

Cisco: Block ICMP message types 13 and 17 as follows:
    deny icmp any any 13
    deny icmp any any 17

Where can I read more about this?
For more information about ICMP, see RFC792.

Technical Details
Service: icmp
timestamp=031710d5

ICMP redirects are allowed
Severity: Potential Problem
Created 01/28/13

Impact
An attacker could change the routing of packets from the target such that transmitted data could potentially be monitored or modified.

Background
ICMP redirects are messages which tell a host to use a different gateway router to reach a certain destination. These messages are typically sent by the host's default gateway router if the router knows of a more efficient route.

The Problem
The target accepts ICMP redirects. This is normally unnecessary in a correctly configured network, and is generally considered to be a security risk. An attacker could use these messages to intentionally misdirect a target to route packets through the attacker's own host, where they can be read or modified.

Resolution
Disable ICMP redirects.
On Windows, this is done by setting the following registry value:
    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Name: EnableICMPRedirect
    Type: REG_DWORD
    Data: 0
To disable ICMP redirects on Linux, use the following commands:
    sysctl -w net.ipv4.conf.all.accept_redirects=0
    sysctl -w net.ipv4.conf.all.secure_redirects=0
To make the above settings permanent, also set the following lines in the /etc/sysctl.conf file:
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0

Where can I read more about this?
For more information about ICMP redirects, see Ask Ubuntu and Windows Reference. For more information on securing the Linux kernel, see Linux Kernel /etc/sysctl.conf Security Hardening.

Technical Details
Service: icmp
/proc/sys/net/ipv4/conf/all/accept_redirects = 1

vulnerable version of Python: 2.3
Severity: Potential Problem
CVE: CVE-2006-4980 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2316 CVE-2008-4864 CVE-2008-5031 CVE-2012-0845 CVE-2012-1150
Updated 10/15/12

Impact
Vulnerabilities in Python allow for information disclosure, denial of service and possibly arbitrary code execution.

Background
Python is an object-oriented programming language.

The Problems

Web Form Hash Collision Denial of Service Vulnerability
03/19/12
CVE 2012-1150
Python 3.2.2, 2.7, and prior are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within a hash generation function when hashing form posts and updating a hash table. This can be exploited to cause a hash collision resulting in high CPU consumption via a specially crafted form sent in an HTTP POST request.

SimpleXMLRPCServer Request Processing Denial of Service Vulnerability
02/27/12
CVE 2012-0845
Python versions 2.7.2, 3.2.2, and prior are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to the "SimpleXMLRPCRequestHandler.do_POST()" method not properly handling an EOF when processing POST requests. This can be exploited to cause high CPU consumption via a specially crafted HTTP POST request.

Expat Wrapper Library Unspecified XML Parsing Remote Denial of Service Vulnerability
08/25/09
Python 2.6.2 and prior are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data. Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an application using the vulnerable XML parsing library.

Multiple integer overflows vulnerability
01/12/09
CVE 2008-4864 CVE 2008-5031
Multiple integer overflows exist in Python versions 1.5.2 through 2.5.1 and 2.6 allowing attackers to execute arbitrary code via large integer values.

Vulnerabilities in Python 2.5.2 and earlier
04/21/08
CVE 2008-1721 CVE 2008-1887 CVE 2008-2316
Python version 2.5.2 and earlier have integer signedness vulnerabilities that allow for arbitrary code execution. One of these is in the PyString_FromStringAndSize function, the other in the zlib extension module. There is also an integer overflow vulnerability in _hashopenssl.c.

ImageOP Module Multiple integer overflow vulnerabilities
11/13/07
CVE 2007-4965
Python versions 2.5.x to 2.5.1, 2.4.x to 2.4.4, 2.3.x to 2.3.6 and earlier have integer overflow vulnerabilities in the ImageOP module. In order to successfully exploit these issues, an attacker must control arguments to the ImageOP functions, specifically the tovideo function. This likely would be done by submitting invalid or crafted images to applications that perform ImageOP operations on the data. A successful exploit may allow for attacker-supplied code execution.
repr buffer overflow
10/23/06
CVE 2006-4980
Python versions 2.3.x and 2.4.x up to 2.4.3 allow context-dependent attackers to cause a denial of service and possibly execute arbitrary code due to a buffer overflow in the repr function via crafted wide character UTF-32/UCS-4 strings to certain scripts.

Resolution
Python should be upgraded to a version higher than 2.7.2 or 3.3.0 when available, or contact the vendor for a fix. To fix the multiple integer overflows apply the patch.

Where can I read more about this?
The Web Form Hash Collision Denial of Service vulnerability was reported in Secunia Advisory SA48347. The SimpleXMLRPCServer Request Processing Denial of Service vulnerability was reported in Secunia Advisory SA47810. The Expat Wrapper Library Unspecified XML Parsing Remote Denial of Service vulnerability was reported in Bugtraq ID 35988. The Multiple integer overflow vulnerabilities were reported in Bugtraq ID 31976 and CESA 2008-008. The vulnerabilities in Python 2.5.2 and earlier were reported in Bugtraq ID 28715 and Bugtraq archive 490776. The ImageOP Module Multiple integer overflow vulnerabilities were reported in Secunia Advisory SA26837. The repr buffer overflow vulnerability was reported in Bugtraq ID 20376.

Technical Details
Service: ssh
sent: python -V
received: Python 2.3

Remote OS available
Severity: Potential Problem
Created 05/27/08

Impact
The ability to detect which operating system is running on a machine enables attackers to be more accurate in attacks.

Background
Many systems include specific operating system information in the data which is returned when connecting to certain TCP ports. This data is known as the banner for a service.

The Problems

Remote OS available
05/27/08
This machine reveals its operating system type in the information which is returned when connecting to certain TCP ports.
An attacker could use this information to choose attacks which specifically target the machine's operating system version, increasing the likelihood of success.

Resolution
Including the operating system in service banners is usually unnecessary. Therefore, change the banners of the services which are running on accessible ports. This can be done by disabling unneeded services, modifying the banner in a service's source code or configuration file if possible, or using TCP wrappers to modify the banner as described in the Red Hat Knowledgebase.

Where can I read more about this?
An example of ways to remove the Remote OS and other information is at my digital life.

Technical Details
Service: ftp
Received: 220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [linux32]

rpc.statd is enabled and may be vulnerable
Severity: Potential Problem
CVE: CVE-1999-0018 CVE-1999-0019 CVE-1999-0210 CVE-1999-0493 CVE-2000-0666 CVE-2000-0800
Updated 02/11/11

Impact
Several vulnerabilities in statd permit attackers to gain root privileges. They can be exploited by local users. They can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network.

Background
statd provides network status monitoring. It interacts with lockd to provide crash and recovery functions for the locking services on NFS.

The Problems

statd/automountd vulnerability
CVE 1999-0210 CVE 1999-0493
A vulnerability in statd allows an attacker to call arbitrary rpc services with the privileges of the statd process. This vulnerability could be used to exploit a second vulnerability in automountd which otherwise could only be exploited locally. The result is that the remote attacker could execute arbitrary commands. Solaris, HP-UX, and IRIX 5.3 operating systems are affected by this vulnerability.
statd Buffer Overflow
CVE 1999-0018
Due to insufficient bounds checking on input arguments which may be supplied by local users, as well as remote users, it is possible to overwrite the internal stack space (where a program stores information to be used during its execution) of the statd program while it is executing a specific rpc routine. By supplying a carefully designed input argument to the statd program, intruders may be able to force statd to execute arbitrary commands as the user running statd. In most instances, that user will be root. This vulnerability can be exploited by local users. It can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network. Solaris versions prior to version 2.6, and some versions of IRIX, Digital Unix, and AIX are vulnerable. Check CERT Advisory 1997-26 to find out if your operating system is vulnerable.

String parsing error in rpc.kstatd
CVE 2000-0800
String parsing error in some packages of SuSE and possibly other Linux systems allows remote attackers to gain root privileges.

Format String Bug in statd
CVE 2000-0666
A format string bug in Linux versions of rpc.statd could allow remote root access. Linux (except OpenLinux) versions of rpc.statd prior to 0.1.9.1 are vulnerable.

SM_MON Request Buffer Overflow
A buffer overflow in the processing of SM_MON requests in the UnixWare version of statd could allow a remote attacker to gain access to the system. SCO UnixWare 7 is affected by this vulnerability.

File Creation or Removal using statd
CVE 1999-0019
Due to lack of input validation, the statd service could be used to create or delete files with root privileges. This vulnerability was publicized in April, 1996. Most operating systems which were available at that time are vulnerable. See CERT Advisory 1996-09 for information about your particular operating system.

Resolution
One resolution to this vulnerability is to install vendor patches as they become available.
For the format string bug, SUSE users should obtain the nfs-utils and package, version 0.1.9.1 or higher, from their vendor. For the string parsing error bug, Linux users should obtain the nfs-utils or knfsdi or linuxnfs packages; for more detailed information, please refer to the SUSE Security Announcement web site. For the SM_MON buffer overflow, UnixWare users should obtain the patch.

Also, if NFS is not being used, there is no need to run statd and it can be disabled. The statd (or rpc.statd) program is often started in the system initialization scripts (such as /etc/rc* or /etc/rc*.d/*). If you do not require statd it should be commented out from the initialization scripts. In addition, any currently running statd processes should be identified using ps(1) and then terminated using kill(1).

Where can I read more about this?
More information about the statd/automountd vulnerability is available in CERT Advisory 1999-05. You may read more about the statd buffer overflow in CERT Advisory 1997-26. Detailed information on the string parsing error vulnerability can be found in CVE Details. The format string vulnerability was discussed in vendor bulletins from Red Hat, Debian, Mandrake, Trustix, and Conectiva, as well as CERT Advisory 2000.17. The SM_MON buffer overflow was announced in Caldera Security Advisory 2001-SCO.6. The file creation and removal vulnerability was discussed in CERT Advisory 1996-09.

Technical Details
Service: 929:TCP

SSH Protocol Version 1 Supported
Severity: Potential Problem
Created 06/30/08
CVE: CVE-2001-0361 CVE-2001-1473

Impact
SSH protocol version 1 has a number of known vulnerabilities. Support for version 1 or enabling SSH1 Fallback renders the machines vulnerable to these issues.

Background
Secure Shell, or ssh, is a program used to log into another computer over a network, execute commands on a remote machine and move files from one machine to another.
It provides strong authentication and secure communications over unsecure communication channels. ssh is intended as a replacement for rlogin, rsh and rcp. SSH protocol version 1 was created in 1995 and was superseded by SSH protocol version 2 in 1996.

The Problems

SSH Protocol 1 Supported
06/30/08
CVE 2001-0361 CVE 2001-1473
The SSH Protocol 1 was deprecated due to multiple vulnerabilities and protocol design errors. These include vulnerability to man-in-the-middle attacks, key recovery issues and a CRC32 compensation attack buffer overflow.

Resolution
Disable SSH1 support and SSH1 fallback. See vendor website for more information including SSH, F-Secure and OpenSSH. For OpenSSH servers, SSH1 support and SSH1 fallback can be disabled by placing the following line in the sshd_config file:
    Protocol 2

Where can I read more about this?
Some of the vulnerabilities in support for SSH Protocol 1 were reported in US-CERT Vulnerability Note VU#684820 and CIRC Bulletin M-017.

Technical Details
Service: ssh
Received: 22:ssh::SSH-1.99-OpenSSH_3.6.1p2

The sunrpc portmapper service is running
Severity: Potential Problem
Created 09/01/11
CVE: CVE-1999-0632

Impact
The sunrpc portmapper service is an unsecured protocol that tells clients which port corresponds to each RPC service. Access to port 111 allows the calling client to query and identify the ports where the needed server is running.

Background
The portmapper program maps RPC program and version numbers to transport specific port numbers. The portmapper program currently supports two protocols, UDP and TCP. The portmapper is contacted by talking to it on assigned port number 111 (SUNRPC) on either of these protocols.

The Problem
09/01/11
CVE 1999-0632
For systems that are unprotected and have portmapper running on port 111, a simple "rpcinfo -p" request will display program, version and services that are running.
Resolution
Disable all unnecessary RPC services, which are typically enabled in /etc/inetd.conf and in the system boot scripts, /etc/rc*, and block high numbered ports at the network perimeter except for those which are needed.

Where can I read more about this?
More information can be obtained in NVD for CVE-1999-0632.

Technical Details
Service: sunrpc
port 111/tcp is open

sunrpc services may be vulnerable
Severity: Potential Problem
Updated 03/20/03
CVE 2002-0391 CVE 2003-0028
CVE: CVE-2002-0391 CVE-2003-0028

Impact
If an affected service is running, a remote attacker could execute arbitrary commands with root privileges.

Background
Sun's Remote Procedure Call package (known as RPC, or sunrpc) is used by a number of network services to communicate with programs on client hosts. It uses a protocol called External Data Representation (XDR) which allows RPC programs to transfer data in a format which is consistent across different platforms. RPC services usually run on high numbered TCP or UDP ports. There is also a port mapper service which tells clients which port corresponds to each RPC service.

The Problem
There are two vulnerabilities in Sun's RPC implementation, a buffer overflow in the xdr_array function and an integer overflow in the xdrmem_getbytes function. A remote attacker could execute arbitrary commands with root privileges by passing specially crafted input to a network service which uses either of these two functions. Sun's libnsl library, BSD-derived libc libraries, and GNU C's glibc library 2.3.1 and earlier are affected by these vulnerabilities. Since xdr_array and xdrmem_getbytes are found in these libraries rather than a specific RPC program, any RPC service which uses these libraries could be affected. Additionally, any other services which use the XDR functions, such as OpenAFS and MIT Kerberos 5, could be affected.

Resolution
See CERT Advisories 2002-25 and 2003-10 for patch or upgrade information from your vendor.
Note that it will be necessary to recompile statically linked applications after installing the patch or upgrade.

It would also be advisable to disable all unnecessary RPC services, which are typically enabled in /etc/inetd.conf and in the system boot scripts, /etc/rc*, and to block high numbered ports at the network perimeter except for those which are needed. Of particular importance are rpc.cmsd, dmispd, and kadmind, which are known to be exploitable and should be disabled or blocked.

Where can I read more about this?
These vulnerabilities were reported in CERT Advisories 2002-25 and 2003-10.

Technical Details
Service: sunrpc

TCP timestamp requests enabled
Severity: Potential Problem
Created 06/26/08

Impact
A remote attacker could possibly determine the amount of time since the computer was last booted.

Background
The Transmission Control Protocol (TCP) is the protocol used by services such as telnet, ftp, and smtp to establish a connection between a client and a server. The TCP packet header includes an option field, which can hold zero or more options. One of those options is the TCP timestamp, which is used for round-trip time measurement. The value of the timestamp is obtained from a virtual clock which is proportional to real time.

The Problem
TCP timestamps are enabled on the remote host. This could allow a remote attacker to estimate the amount of time since the remote host was last booted.

Resolution
TCP timestamps are generally only useful for testing, and support for them should be disabled if not needed.
To disable TCP timestamps on Linux, add the following line to the /etc/sysctl.conf file:
    net.ipv4.tcp_timestamps = 0
To disable TCP timestamps on Windows, set the following registry value:
    Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    Value: Tcp1323Opts
    Data: 0 or 1
To disable TCP timestamps on Cisco, use the following command:
    no ip tcp timestamp

Where can I read more about this?
More information on TCP timestamps and round-trip time measurement is available in RFC1323 and Microsoft Article 224829.

Technical Details
Service: ftp
timestamp=198844898; uptime guess=23d 0h 20m 48s

DNS
Severity: Service
Technical Details

FTP
Severity: Service
Technical Details
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [linux32]

SSH
Severity: Service
Technical Details
SSH-1.99-OpenSSH_3.6.1p2

XDM (X login)
Severity: Service
Technical Details

sunrpc (111/TCP)
Severity: Service
Technical Details

sunrpc (111/UDP)
Severity: Service
Technical Details

tftp (69/UDP)
Severity: Service
Technical Details

Scan Session: autotest2; Scan Policy: heavy; Scan Data Set: 20 March 2013 10:38
Copyright 2001-2013 SAINT Corporation. All rights reserved.