Trend Analysis

Transcription

Trend Analysis

SAINTwriter Assessment Report
Report Generated: March 20, 2013
1.0 Introduction
On March 20, 2013, at 10:38 AM, a heavy vulnerability assessment was conducted using the SAINT 7.15.7
vulnerability scanner. The scan discovered a total of two live hosts, and detected 18 critical problems, 195 areas
of concern, and 48 potential problems. The hosts and problems detected are discussed in greater detail in the
following sections.
2.0 Summary
The following vulnerability severity levels are used to categorize the vulnerabilities:
CRITICAL PROBLEMS
Vulnerabilities which pose an immediate threat to the network by allowing a remote attacker to directly
gain read or write access, execute commands on the target, or create a denial of service.
AREAS OF CONCERN
Vulnerabilities which do not directly allow remote access, but do allow privilege elevation attacks,
attacks on other targets using the vulnerable host as an intermediary, or gathering of passwords or
configuration information which could be used to plan an attack.
POTENTIAL PROBLEMS
Warnings which may or may not be vulnerabilities, depending upon the patch level or configuration of
the target. Further investigation on the part of the system administrator may be necessary.
SERVICES
Network services which accept client connections on a given TCP or UDP port. This is simply a count
of network services, and does not imply that the service is or is not vulnerable.
The following host and vulnerability status categories are used to categorize the hosts and vulnerabilities across
data sets for trend analysis:
NEW
Present in the current scan but none of the previous scans.
REMOVED
Present in a previous scan but not the current scan.
PREEXISTING (or REMAINING)
Present in the current scan and also the preceding scan.
REINTRODUCED
Present in the current scan and a previous scan, but not the scan preceding the current scan.
1
The sections below summarize the results of the scan.
2.1 Status of Current Vulnerabilities
Includes critical problems, areas of concern, and potential problems.
2.2 Status of Old Vulnerabilities
2.3 Status of All Vulnerabilities
2
2.4 Vulnerability Status by Severity
2.5 Vulnerability History
3
2.6 Host History
4
hosts
detected
Mar 19 2013
Mar 20 2013
2
2
hosts with
critical
problems
2
2
hosts with
areas of
concern
0
0
hosts with
potential
problems
0
0
hosts with
services
only
0
0
hosts with
no services
0
0
2.7 History of Vulnerabilities by Class
This section shows the number of vulnerabilities detected per scan in each of the following classes.
Class
Web
Mail
File Transfer
Login/Shell
Print Services
RPC
DNS
Databases
Networking/SNMP
Windows OS
Passwords
Other
Description
Vulnerabilities in web servers, CGI programs, and any other software offering an HTTP interface
Vulnerabilities in SMTP, IMAP, POP, or web-based mail services
Vulnerabilities in FTP and TFTP services
Vulnerabilities in ssh, telnet, rlogin, rsh, or rexec services
Vulnerabilities in lpd and other print daemons
Vulnerabilities in Remote Procedure Call services
Vulnerabilities in Domain Name Services
Vulnerabilities in database services
Vulnerabilities in routers, switches, firewalls, or any SNMP service
Missing hotfixes or vulnerabilities in the registry or SMB shares
Missing or easily guessed user passwords
Any vulnerability which does not fit into one of the above classes
Mar 19 2013
Mar 20 2013
5
3.0 Overview
The following tables present an overview of the hosts discovered on the network and the vulnerabilities contained
therein.
3.1 Host List
This table presents an overview of the hosts discovered on the network.
Host Name
Netbios Name
win2003unpatch.sainttest.l WIN2003UNP
ocal
ATCH
mandrake32
IP
Address
10.7.0.11
10.7.0.153
Host Type
Windows Server
2003 SP2
Linux
2.4.22-10mdksmp
- Mandriva 9.2
Critical
Problems
11
7
Areas of
Concern
187
Potential
Problems
32
8
16
Status
preexisting
preexisting
3.2 Vulnerability List
This table presents an overview of the vulnerabilities detected on the network.
Host Name
Severity
Vulnerability /
Service
Status
CVE
win2003unpatch.sainttest.local
critical
preexisting
critical
Microsoft IIS ASP
Remote Code
Execution vulnerability
Microsoft Remote
Desktop Protocol Denial
of Service Vulnerability
(MS11-065)
preexisting
6
Exploit
Available?
CVE-2008-0075
Max.
CVSSv2
Base
Score
10.0
CVE-2011-1968
7.1
no
no
critical
critical
critical
critical
critical
critical
critical
critical
critical
concern
Microsoft Windows
TCP/IP remote code
execution vulnerability
(MS09-048)
Multiple buffer overflows
in SMB
preexisting
CVE-2006-2379
CVE-2008-4609
CVE-2009-1926
9.3
no
preexisting
10.0
no
SSL and TLS
Protocols Vulnerable
Implementation
(MS12-006)
Windows RPC
authentication denial of
service
Windows SMB Server
Transaction Vulnerability
Windows Server
Service MS08-067
buffer overflow
Windows networking
components remote
code execution
(MS12-054)
Windows print spooler
remote code execution
vulnerability (MS12-054)
preexisting
CVE-2008-4114
CVE-2008-4834
CVE-2008-4835
CVE-2011-3389
4.3
no
preexisting
CVE-2007-2228
7.8
no
preexisting
CVE-2011-0661
10.0
no
preexisting
CVE-2008-4250
10.0
yes
preexisting
CVE-2012-1850
5.0
no
preexisting
CVE-2012-1851
10.0
no
vulnerable version of
SMB Server
(MS10-012) dated
2007-2-17
IIS file update
notification privilege
elevation
preexisting
CVE-2010-0020
CVE-2010-0021
CVE-2010-0022
CVE-2010-0231
CVE-2008-0074
10.0
no
7.2
no
preexisting
7
concern
Internet Explorer 6
vulnerable version,
mshtml.dll dated
2007-2-17
preexisting
8
CVE-2007-0218
CVE-2007-0942
CVE-2007-0944
CVE-2007-0945
CVE-2007-1091
CVE-2007-1750
CVE-2007-1751
CVE-2007-2216
CVE-2007-2221
CVE-2007-2222
CVE-2007-3027
CVE-2007-3041
CVE-2007-3091
CVE-2007-3826
CVE-2007-3892
CVE-2007-3893
CVE-2007-3902
CVE-2007-3903
CVE-2007-4790
CVE-2007-5158
CVE-2007-5344
CVE-2007-5347
CVE-2008-0076
CVE-2008-0077
CVE-2008-0078
CVE-2008-1085
CVE-2008-1442
CVE-2008-1544
CVE-2008-2254
CVE-2008-2255
CVE-2008-2256
CVE-2008-2257
CVE-2008-2258
CVE-2008-2259
CVE-2008-2947
CVE-2008-3472
CVE-2008-3473
CVE-2008-3474
CVE-2008-3475
CVE-2008-3476
CVE-2008-4261
CVE-2008-4844
CVE-2009-0550
CVE-2009-0551
CVE-2009-0552
CVE-2009-0553
CVE-2009-0554
CVE-2009-1140
CVE-2009-1141
CVE-2009-1528
CVE-2009-1547
CVE-2009-1917
CVE-2009-1918
CVE-2009-1919
CVE-2009-2493
CVE-2009-2529
CVE-2009-2530
CVE-2009-2531
CVE-2009-3672
CVE-2010-0244
CVE-2010-0247
CVE-2010-0248
CVE-2010-0249
CVE-2010-0255
CVE-2010-0267
CVE-2010-0488
CVE-2010-0489
CVE-2010-0490
CVE-2010-0491
CVE-2010-0494
CVE-2010-0805
CVE-2010-0806
CVE-2010-0808
CVE-2010-1258
CVE-2010-1259
CVE-2010-1262
CVE-2010-2556
CVE-2010-2557
CVE-2010-2558
CVE-2010-2560
CVE-2010-3325
CVE-2010-3326
CVE-2010-3327
CVE-2010-3328
CVE-2010-3330
CVE-2010-3331
CVE-2010-3340
CVE-2010-3342
CVE-2010-3343
CVE-2010-3346
CVE-2010-3348
CVE-2010-3962
CVE-2010-3971
CVE-2011-0035
CVE-2011-0036
CVE-2011-0094
CVE-2011-0346
CVE-2011-1244
CVE-2011-1245
CVE-2011-1250
CVE-2011-1254
CVE-2011-1255
CVE-2011-1256
CVE-2011-1257
CVE-2011-1258
CVE-2011-1261
CVE-2011-1345
CVE-2011-1960
CVE-2011-1961
CVE-2011-1962
CVE-2011-1964
CVE-2011-1993
CVE-2011-1995
CVE-2011-1996
CVE-2011-1997
CVE-2011-2000
CVE-2011-2001
CVE-2011-2383
CVE-2011-3404
CVE-2012-0010
CVE-2012-0168
CVE-2012-0170
CVE-2012-0171
CVE-2012-0172
CVE-2012-1523
CVE-2012-1526
9
CVE-2012-1872
CVE-2012-1876
CVE-2012-1877
CVE-2012-1878
CVE-2012-1879
CVE-2012-1880
CVE-2012-1882
CVE-2012-2521
CVE-2012-2522
CVE-2012-4781
CVE-2012-4792
CVE-2012-4969
CVE-2013-0087
CVE-2013-0088
CVE-2013-0089
CVE-2013-0090
CVE-2013-0092
CVE-2013-0093
CVE-2013-0094
10.0
yes
9.3
no
9.3
no
concern
Internet Explorer 6
vulnerable version,
mshtmled.dll dated
2007-2-17
preexisting
concern
preexisting
concern
Internet Explorer
VBScript and JScript
decoding vulnerability
Internet Explorer
VBScript and JScript
memory reallocation
CVE-2013-0015
CVE-2013-0018
CVE-2013-0021
CVE-2013-0027
CVE-2013-0028
CVE-2013-0029
CVE-2008-0083
preexisting
CVE-2011-0663
9.3
no
concern
preexisting
CVE-2007-1749
CVE-2011-1266
9.3
no
concern
preexisting
CVE-2009-1920
9.3
no
concern
preexisting
CVE-2013-0030
9.3
no
concern
preexisting
CVE-2007-0675
7.6
no
concern
preexisting
CVE-2007-5587
6.9
no
concern
preexisting
CVE-2011-1978
4.3
no
concern
preexisting
CVE-2010-3958
9.3
no
concern
Internet Explorer
vulnerable VML version
dated 2007-2-17
Jscript.dll buffer
overflow vulnerability
Microsoft Vector
Markup Language
Remote Code
Execution Vulnerability
(MS13-010)
sapi.dll ActiveX
vulnerability
Macrovision SafeDisc
driver local privilege
elevation
Information disclosure
vulnerability in .NET
Framework
MS11-028 Vulnerability
in .NET Framework
Could Allow Remote
Code Execution
in .NET Framework
Could Allow Remote
Code Execution
preexisting
CVE-2011-0664
9.3
no
10
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
in .NET Framework
Could Allow Remote
Code Execution
in .NET Framework
Could Allow Remote
Code Execution
Microsoft .NET CLR
virtual method delegate
vulnerability
Microsoft .NET
Common Language
Runtime Could Allow
Remote Code
Execution
Microsoft .NET
Framework 1.1 privilege
elevation vulnerabilities
(MS13-004)
Microsoft .NET
Framework 1.1 remote
code execution
preexisting
CVE-2011-1271
5.1
no
preexisting
CVE-2011-1253
9.3
no
preexisting
CVE-2010-1898
9.3
no
preexisting
CVE-2009-0090
CVE-2009-0091
CVE-2009-2497
9.3
no
preexisting
CVE-2013-0001
CVE-2013-0002
CVE-2013-0004
9.3
no
preexisting
CVE-2012-1895
CVE-2012-2519
9.3
no
Microsoft .NET
Framework 1.1
serialization
vulnerabilities
(MS12-035)
Microsoft .NET
Framework 2.0 remote
code execution
preexisting
CVE-2012-0160
CVE-2012-0161
9.3
no
preexisting
CVE-2012-1895
CVE-2012-1896
CVE-2012-2519
CVE-2012-4776
9.3
no
Microsoft .NET
Framework 2.0
serialization
vulnerabilities
(MS12-035)
Microsoft .NET
Framework Could Allow
Tampering
Microsoft .NET
Framework Parameter
Validation Vulnerability
(MS12-025)
Microsoft .NET
Framework WinForms
Callback Elevation
preexisting
CVE-2012-0160
CVE-2012-0161
9.3
no
preexisting
CVE-2009-0217
5.0
no
preexisting
CVE-2012-0163
9.3
no
preexisting
CVE-2013-0073
10.0
no
Microsoft .NET
Framework privilege
(MS13-004)
Microsoft .NET
Framework remote
code execution
preexisting
CVE-2013-0001
CVE-2013-0002
CVE-2013-0003
CVE-2013-0004
CVE-2012-1855
9.3
no
9.3
yes
11
preexisting
concern
Microsoft .NET
Framework unmanaged
objects vulnerability
(MS12-016)
vulnerabilities in .NET
Framework (MS11-100)
preexisting
CVE-2012-0014
CVE-2012-0015
9.3
no
concern
preexisting
9.3
no
concern
Microsoft outlook ATL
preexisting
10.0
yes
concern
preexisting
9.3
no
concern
preexisting
CVE-2008-1448
7.1
no
concern
preexisting
5.8
no
concern
preexisting
5.8
no
concern
preexisting
5.8
no
concern
concern
concern
concern
concern
concern
concern
concern
concern
Outlook Express Could
Allow Remote Code
Execution (MS10-030)
Windows MHTML
protocol handler
vulnerability
fraudulent Comodo
certificates not in
disallowed store
fraudulent DigiNotar
certificates not in
disallowed store
fraudulent Enforced
Licensing certificates not
in disallowed store
Telnet Authentication
Reflection
Insecure Library
Loading in Outlook
Express WAB.EXE
Could Allow Remote
Code Execution
Outlook Express
vulnerable version,
inetcomm.dll dated
2007-2-17
Elevation of Privilege
Vulnerabilities in
Windows Kerberos
(MS11-013)
Ancillary Function
Driver Vulnerability
(MS11-046)
Ancillary Function
Driver Vulnerability
(MS11-080)
Blended threat privilege
elevation vulnerability
DirectX MJPEG
decompression remote
code execution
vulnerability
DirectX SAMI-MJPEG
parsing remote code
execution for DirectX
9.0c
CVE-2011-3414
CVE-2011-3415
CVE-2011-3416
CVE-2011-3417
CVE-2008-0015
CVE-2008-0020
CVE-2009-0901
CVE-2009-2493
CVE-2009-2494
CVE-2010-0816
12
preexisting
CVE-2009-1930
10.0
yes
preexisting
CVE-2010-3147
9.3
no
preexisting
9.3
no
preexisting
CVE-2006-2111
CVE-2007-2225
CVE-2007-2227
CVE-2007-3897
CVE-2011-0043
7.2
no
preexisting
CVE-2011-1249
7.2
no
preexisting
CVE-2011-2005
7.2
no
preexisting
CVE-2008-2540
9.3
no
preexisting
CVE-2009-0084
9.3
no
preexisting
CVE-2008-0011
9.3
no
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
DirectX parsing remote
code execution for
DirectX 9.0c
Vulnerabilities in
Windows (MS09-012)
Vulnerabilities in
Windows (MS10-015)
Vulnerabilities in
Windows (MS11-062)
Insecure Library
Loading in Internet
Connection Signup
Wizard Could Allow
Remote Code
Execution
Kernel-Mode Drivers
vulnerabilities
preexisting
CVE-2007-3895
9.3
no
preexisting
CVE-2008-1436
CVE-2009-0078
CVE-2009-0079
CVE-2010-0232
CVE-2010-0233
9.0
no
7.2
no
preexisting
CVE-2011-1974
7.2
no
preexisting
CVE-2010-3144
9.3
no
preexisting
7.2
no
MDAC ADO cachesize
heap overflow
(MS12-045)
MHTML
Mime-formatted
information disclosure
MPEG 4 codec remote
code execution
preexisting
CVE-2011-0086
CVE-2011-0087
CVE-2011-0088
CVE-2011-0089
CVE-2011-0090
CVE-2012-1891
9.3
no
preexisting
CVE-2011-1894
4.3
no
preexisting
CVE-2010-0818
9.3
no
MS Windows
DirectPlay Heap
Overflow Vulnerabilities
(MS12-082)
MS Windows
Kernel-Mode Drivers
vulnerabilities
(MS12-041)
MS Windows
Kernel-Mode Drivers
vulnerabilities
(MS12-047)
preexisting
CVE-2012-1537
9.3
no
preexisting
CVE-2012-1864
CVE-2012-1865
CVE-2012-1866
CVE-2012-1867
7.2
no
preexisting
CVE-2012-1890
CVE-2012-1893
7.2
no
13
preexisting
concern
MS Windows
Kernel-Mode Drivers
vulnerabilities
(MS13-016)
preexisting
concern
MS Windows
Kernel-Mode Drivers
preexisting
concern
concern
concern
concern
MS Windows
Kernel-Mode Drivers
Font Parsing
Vulnerabilities
(MS12-078)
MS Windows
Kernel-Mode Drivers
Remote Code
(MS12-008)
MS Windows
Kernel-Mode Drivers
Remote Code
(MS12-018)
MS Windows
Kernel-Mode Drivers
Remote Code
Execution vulnerabilities
(MS12-075)
14
CVE-2013-1248
CVE-2013-1249
CVE-2013-1250
CVE-2013-1251
CVE-2013-1252
CVE-2013-1253
CVE-2013-1254
CVE-2013-1255
CVE-2013-1256
CVE-2013-1257
CVE-2013-1258
CVE-2013-1259
CVE-2013-1260
CVE-2013-1261
CVE-2013-1262
CVE-2013-1263
CVE-2013-1264
CVE-2013-1265
CVE-2013-1266
CVE-2013-1267
CVE-2013-1268
CVE-2013-1269
CVE-2013-1270
CVE-2013-1271
CVE-2013-1272
CVE-2013-1273
CVE-2013-1274
CVE-2013-1275
CVE-2013-1276
CVE-2013-1277
CVE-2012-2527
4.9
no
7.2
no
preexisting
CVE-2012-2556
CVE-2012-4786
10.0
no
preexisting
CVE-2011-5046
CVE-2012-0154
9.3
no
preexisting
CVE-2012-0157
7.2
no
preexisting
CVE-2012-2530
CVE-2012-2553
CVE-2012-2897
10.0
no
concern
MS11-034
Vulnerabilities in
Windows Kernel-Mode
Drivers Could Allow
preexisting
concern
preexisting
concern
concern
concern
concern
concern
MS11-077
Vulnerabilities in
Windows Kernel-Mode
Drivers Could Allow
Remote Code
Execution
MS11-087
Vulnerabilities in
Windows Kernel-Mode
Drivers Could Allow
Remote Code
Execution
in Windows Kernel
Could Allow Security
Feature Bypass
MS12-009
Vulnerabilities in
Ancillary Function
Driver Could Allow
Microsoft AFD Kernel
Overwrite vulnerability
Microsoft Active
Accessibility Insecure
Library Loading
Vulnerability (MS11-075)
concern
Microsoft Agent URL
parsing vulnerability
15
CVE-2011-0662
CVE-2011-0665
CVE-2011-0666
CVE-2011-0667
CVE-2011-0670
CVE-2011-0671
CVE-2011-0672
CVE-2011-0674
CVE-2011-0675
CVE-2011-0676
CVE-2011-0677
CVE-2011-1225
CVE-2011-1226
CVE-2011-1227
CVE-2011-1228
CVE-2011-1229
CVE-2011-1230
CVE-2011-1231
CVE-2011-1232
CVE-2011-1233
CVE-2011-1234
CVE-2011-1235
CVE-2011-1236
CVE-2011-1237
CVE-2011-1238
CVE-2011-1239
CVE-2011-1240
CVE-2011-1241
CVE-2011-1242
CVE-2011-1985
CVE-2011-2003
CVE-2011-2011
7.2
no
9.3
no
preexisting
CVE-2011-3402
9.3
no
preexisting
CVE-2012-0001
9.3
no
preexisting
CVE-2012-0148
CVE-2012-0149
7.2
no
preexisting
CVE-2008-3464
7.2
no
preexisting
CVE-2011-1247
9.3
no
preexisting
CVE-2007-1205
9.3
no
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
Microsoft Data Access
Component remote
code execution
(MS11-002)
Microsoft DirectShow
Quartz AVI buffer
overflow
Microsoft DirectShow
QuickTime Movie
Parsing Code
Execution
Microsoft Graphics
Rendering Engine
Thumbnail Image Stack
Buffer Overflow
Microsoft Image Color
Management System
vulnerable version,
mscms.dll dated
2007-2-17
Microsoft Office
ClickOnce Vulnerability
(MS12-005)
Microsoft Paint Integer
Overflow vulnerability
Microsoft Video
ActiveX Control Stack
Buffer Overflow
Microsoft Windows
DHTML remote code
(MS09-046)
Microsoft Windows
OpenType CFF
preexisting
CVE-2011-0026
CVE-2011-0027
9.3
no
preexisting
CVE-2010-0250
9.3
no
preexisting
CVE-2009-1537
CVE-2009-1538
CVE-2009-1539
9.3
yes
preexisting
CVE-2010-3970
9.3
yes
preexisting
CVE-2008-2245
9.3
no
preexisting
CVE-2012-0013
9.3
yes
preexisting
CVE-2010-0028
9.3
no
preexisting
CVE-2008-0015
9.3
yes
preexisting
CVE-2009-2519
9.3
no
preexisting
CVE-2011-0034
9.3
no
Microsoft Windows
OpenType Compact
Font Format driver
Remote Code
Microsoft Windows Shell
vulnerability, shell32.dll
dated 2007-2-17
Microsoft Windows
vulnerable version,
msconv97.dll dated
2006-3-22
Microsoft XML Core
Services vulnerable
version dated 2007-2-17
preexisting
CVE-2011-0033
9.3
no
preexisting
CVE-2010-2568
CVE-2012-0175
9.3
yes
preexisting
CVE-2009-2506
9.3
no
preexisting
CVE-2007-0099
CVE-2007-2223
CVE-2008-4029
CVE-2008-4033
CVE-2010-2561
CVE-2012-1889
CVE-2013-0006
CVE-2013-0007
9.3
yes
16
concern
Multiple GDI
vulnerabilities fixed by
MS07-017
preexisting
concern
preexisting
concern
concern
concern
concern
concern
concern
Object Linking and
Embedding Vulnerability
(MS11-093)
OpenType Font format
driver remote code
execution
Over-the-network SMB
packet vulnerabilities in
Windows system
(MS10-054)
Shell32.dll Windows
URI handling Remote
Code Execution
Uniscribe Font Parsing
Engine Memory
Corruption (MS10-063)
Vulnerabilities in
SChannel could allow
Remote Code
Execution
Vulnerabilities in
Windows Kernel-Mode
Drivers Could Allow
(MS11-054)
concern
preexisting
concern
Vulnerabilities in
Windows Kernel-Mode
Drivers Could Allow
(MS13-027)
Vulnerability in TLS
Could Disclose
Information (MS12-049)
concern
concern
concern
Vulnerability in the
OpenType Compact
Font Format Driver
Could Allow Elevation
of Privilege
Vulnerable ActiveX
Control enabled
(MS11-090)
Win32 API parameter
validation vulnerability
17
CVE-2006-5586
CVE-2006-5758
CVE-2007-0038
CVE-2007-1211
CVE-2007-1212
CVE-2007-1213
CVE-2007-1215
CVE-2011-3400
9.3
yes
9.3
yes
CVE-2010-3956
CVE-2010-3957
CVE-2010-3959
CVE-2010-2550
CVE-2010-2551
CVE-2010-2552
9.3
no
10.0
no
preexisting
CVE-2007-3896
9.3
yes
preexisting
CVE-2010-2738
9.3
no
preexisting
CVE-2009-3555
CVE-2010-2566
9.3
no
preexisting
CVE-2011-1874
CVE-2011-1875
CVE-2011-1876
CVE-2011-1877
CVE-2011-1878
CVE-2011-1879
CVE-2011-1880
CVE-2011-1881
CVE-2011-1882
CVE-2011-1883
CVE-2011-1884
CVE-2011-1885
CVE-2011-1886
CVE-2011-1887
CVE-2011-1888
CVE-2013-1285
CVE-2013-1286
CVE-2013-1287
7.2
no
7.2
no
preexisting
CVE-2012-1870
4.3
no
preexisting
CVE-2010-0819
CVE-2010-2740
CVE-2010-2741
7.2
no
preexisting
CVE-2011-3397
9.3
no
preexisting
CVE-2007-2219
9.3
no
preexisting
preexisting
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
Windows 2003 GDI
vulnerable version,
gdi32.dll dated
2007-2-17
Windows ASN1
spoofing vulnerability
Windows Authenticode
Signature Verification
(MS10-019) version,
wintrust.dll dated
2007-2-17
Windows Authenticode
Signature Verification
(MS12-024)
Windows Briefcase
vulnerabilities
(MS12-072), synceng.dll
dated 2007-2-17
preexisting
9.3
yes
7.5
no
preexisting
CVE-2008-1083
CVE-2008-1087
CVE-2008-2249
CVE-2008-3465
CVE-2009-2510
CVE-2009-2511
CVE-2010-0486
9.3
no
preexisting
CVE-2012-0151
9.3
no
preexisting
CVE-2012-1527
CVE-2012-1528
9.3
no
Windows CSRSS
(MS11-010) vulnerable
version, csrsrv.dll dated
2007-2-17
Windows CSRSS
version, winsrv.dll dated
2007-2-17
preexisting
CVE-2011-0030
4.7
no
preexisting
7.2
no
Windows CSRSS
version, winsrv.dll dated
2007-2-17
Windows CSRSS
version, csrsrv.dll dated
2007-2-17
Windows CSRSS
version
Windows CSRSS
Local (MS10-011)
vulnerable version,
csrsrv.dll dated
2007-2-17
Windows CSRSS
Windows Cabinet File
Viewer (MS10-019)
version, cabview.dll
dated 2007-2-17
Windows Client Server
Runtime Subsystem
Could Allow Elevation
of Privilege
Windows DNS Client
Spoofing vulnerability
(MS08-037)
Windows DNS
Resolution Vulnerability
preexisting
CVE-2011-1281
CVE-2011-1282
CVE-2011-1283
CVE-2011-1284
CVE-2011-1870
CVE-2011-1967
7.2
no
preexisting
CVE-2011-3408
7.2
no
preexisting
CVE-2012-0005
6.9
no
preexisting
CVE-2010-0023
6.9
no
preexisting
6.9
no
preexisting
CVE-2006-6696
CVE-2006-6797
CVE-2010-0487
9.3
no
preexisting
CVE-2010-1891
6.9
no
preexisting
CVE-2008-1447
6.4
no
preexisting
CVE-2011-0657
7.5
no
18
preexisting
concern
Windows DNS
Spoofing vulnerability
Windows DirectShow
AVI Filter buffer
overflow
Windows DirectShow
Media Decompression
preexisting
CVE-2008-0087
8.8
no
concern
preexisting
CVE-2010-0250
9.3
no
concern
preexisting
CVE-2013-0077
9.3
no
concern
Windows DirectShow
media file parsing
preexisting
CVE-2012-0004
9.3
no
concern
preexisting
CVE-2009-0231
CVE-2009-0232
9.3
no
concern
preexisting
CVE-2010-3974
CVE-2010-4701
7.6
yes
concern
preexisting
CVE-2010-1885
9.3
yes
concern
preexisting
CVE-2011-1991
9.3
no
concern
Windows Embedded
OpenType Font Engine
vulnerabilities
Windows Fax Cover
Page Remote Code
(MS11-024)
Windows Help and
Support Center trusted
document whitelist
bypass (MS10-042)
Windows IME
vulnerable to library
injection (MS11-071)
Windows ISATAP
Component spoofing
preexisting
CVE-2010-0812
6.4
no
concern
preexisting
CVE-2009-3677
10.0
no
concern
preexisting
CVE-2007-1206
7.2
no
concern
preexisting
CVE-2012-0180
CVE-2012-1848
7.2
no
concern
Windows Internet
Authentication Service
vulnerabilities
Windows Kernel
privilege elevation
(ms07-022) vulnerability
Windows Kernel-Mode
Drivers vulnerability
(MS12-034)
Windows LPC
preexisting
CVE-2010-3222
7.2
no
concern
preexisting
CVE-2009-3675
6.8
no
concern
preexisting
CVE-2011-0039
7.2
no
concern
preexisting
CVE-2007-5352
7.2
no
concern
Windows LSASS
IPSEC
Denial-of-Service
Vulnerability
Windows LSASS
length validation
vulnerability
Windows LSASS
vulnerability
Windows MHTML
script injection
preexisting
CVE-2011-0096
4.3
no
19
concern
Windows MPEG
Layer-3 Audio Decoder
vulnerable version,
l3codecx.ax dated
2006-3-22
Windows MPEG layer
3 codec vulnerable
version, l3codecx.ax
dated 2006-3-22
Windows Media Format
ASF file parsing
vulnerability
Windows Media Player
ASX Playlist Parsing
Buffer Overflow
Memory Corruption
preexisting
CVE-2010-1882
9.3
no
concern
preexisting
CVE-2010-0480
9.3
no
concern
preexisting
CVE-2007-0064
9.3
no
concern
preexisting
CVE-2006-4702
CVE-2006-6134
7.5
no
concern
preexisting
CVE-2010-2745
9.3
no
concern
Skin parsing and
decompression remote
code execution
Windows Media
decompression
vulnerabilities
Windows Multimedia
Library MIDI
preexisting
CVE-2007-3035
CVE-2007-3037
7.6
no
concern
preexisting
CVE-2010-1879
CVE-2010-1880
9.3
no
concern
preexisting
CVE-2012-0003
9.3
yes
concern
Windows OLE
Automation Underflow
preexisting
CVE-2011-0658
9.3
no
concern
preexisting
CVE-2007-0065
CVE-2007-2224
CVE-2013-1313
10.0
no
concern
Windows OLE
Automation remote
code execution
vulnerability, oleaut32.dll
dated 2007-2-17
Windows Object
Packager Insecure
Executable Launching
preexisting
CVE-2012-0009
9.3
yes
concern
Windows RDP Remote
Code Execution
preexisting
CVE-2012-0173
9.3
no
concern
preexisting
CVE-2009-0568
10.0
no
concern
preexisting
CVE-2010-2567
9.3
no
concern
preexisting
CVE-2009-1133
CVE-2009-1929
9.3
no
concern
Windows RPC
Marshalling Engine
vulnerability
Windows RPC Memory
Corruption vulnerability
Windows Remote
Desktop Connection
vulnerabilities
Windows SMB Client
vulnerabilities
(MS10-006)
preexisting
CVE-2010-0016
9.3
no
20
concern
Windows SMB Client
vulnerabilities
(MS10-020)
preexisting
concern
preexisting
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
Windows SMB Client
vulnerabilities
(MS11-019)
Windows SMB Client
vulnerabilities
(MS11-043)
Windows SMB Remote
Code Execution
Windows SMB
credential reflection
vulnerability
Windows Schannel
digital signature parsing
vulnerability
Windows Schannel
Windows Shell Handler
vulnerability
Windows VB script
vulnerable version,
vbscript.dll dated
2007-2-17
Windows Virtual
Address Descriptor
integer overflow
Windows WMA Voice
codec vulnerability
Windows WordPad
Converter (MS11-033)
vulnerable version,
mswrd8.wpc dated
2007-2-17
Windows atl.dll
vulnerable (MS09-037)
concern
Windows dhtmled.ocx
preexisting
concern
preexisting
concern
concern
Windows event system
subscription request and
pointer array
vulnerabilities
Windows filename
(MS12-081)
Windows kernel GDI
validation vulnerabilities
21
CVE-2009-3676
CVE-2010-0269
CVE-2010-0270
CVE-2010-0476
CVE-2010-0477
CVE-2011-0654
CVE-2011-0660
10.0
no
10.0
no
preexisting
CVE-2011-1268
10.0
no
preexisting
CVE-2008-4038
10.0
no
preexisting
CVE-2008-4037
9.3
yes
preexisting
CVE-2007-2218
9.3
no
preexisting
CVE-2009-0085
7.1
no
preexisting
CVE-2010-0027
9.3
no
preexisting
CVE-2010-0483
CVE-2011-0031
7.6
no
preexisting
CVE-2008-4036
7.2
no
preexisting
CVE-2009-0555
CVE-2009-2525
CVE-2011-0028
9.3
no
9.3
no
CVE-2008-0015
CVE-2008-0020
CVE-2009-0901
CVE-2009-2493
CVE-2009-2494
CVE-2008-0015
CVE-2008-0020
CVE-2009-0901
CVE-2009-2493
CVE-2009-2494
CVE-2008-1456
CVE-2008-1457
10.0
yes
10.0
yes
9.0
no
preexisting
CVE-2012-4774
9.3
no
preexisting
CVE-2009-0081
CVE-2009-0082
CVE-2009-0083
9.3
no
preexisting
preexisting
concern
Windows kernel
NDProxy privilege
(MS10-099)
Windows kernel desktop
validation vulnerabilities
preexisting
CVE-2010-3963
7.2
no
concern
preexisting
7.2
no
Windows kernel
embedded font
vulnerabilities
Windows kernel
exception handler
vulnerability (MS11-098),
ntoskrnl.exe dated
2007-2-17
preexisting
9.3
no
preexisting
CVE-2009-1123
CVE-2009-1124
CVE-2009-1125
CVE-2009-1126
CVE-2009-1127
CVE-2009-2513
CVE-2009-2514
CVE-2011-2018
concern
concern
7.2
no
concern
Windows kernel integer
overflow (MS12-068)
Windows kernel integer
overflow (MS13-017)
preexisting
CVE-2012-2529
7.2
no
concern
preexisting
7.2
no
concern
Windows kernel multiple
privilege elevation
vulnerabilities
(MS10-048)
preexisting
7.2
no
concern
preexisting
7.2
no
concern
privilege elevation
vulnerabilities
(MS10-073)
privilege elevation
vulnerabilities
(MS10-098)
CVE-2013-1278
CVE-2013-1279
CVE-2013-1280
CVE-2010-1887
CVE-2010-1894
CVE-2010-1895
CVE-2010-1896
CVE-2010-1897
CVE-2010-2743
CVE-2010-2744
7.2
no
concern
preexisting
7.2
no
concern
preexisting
7.2
no
concern
Windows kernel
property validation
vulnerabilities
Windows kernel user
mode callback
vulnerability
Windows kernel
vulnerabilities
(MS12-042), ntoskrnl.exe
dated 2007-2-17
CVE-2010-3939
CVE-2010-3940
CVE-2010-3941
CVE-2010-3942
CVE-2010-3943
CVE-2008-2250
CVE-2008-2251
CVE-2008-2252
CVE-2008-1084
preexisting
CVE-2012-1515
8.3
no
concern
Windows kernel
version, ntoskrnl.exe
dated 2007-2-17
preexisting
7.2
no
concern
Windows kernel
version, ntoskrnl.exe
dated 2007-2-17
preexisting
CVE-2010-0234
CVE-2010-0235
CVE-2010-0236
CVE-2010-0237
CVE-2010-0238
CVE-2010-0481
CVE-2010-0482
CVE-2010-0810
CVE-2010-4398
7.2
no
22
preexisting
concern
concern
concern
concern
concern
concern
concern
concern
concern
concern
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
Windows kernel
vulnerable version,
ntoskrnl.exe dated
2007-2-17
Windows media file
processing vulnerable
(MS09-038)
Windows print spooler
vulnerabilities
Word 97 Converter
vulnerable version,
mswrd8.wpc dated
2007-2-17
WordPad Word 97
Text Converter
(MS10-067) version,
mswrd8.wpc dated
2007-2-17
Wordpad COM
validation (MS10-083)
version, ole32.dll dated
2007-2-17
Workstation Service
comctl32.dll remote code
(MS10-081)
mfc40.dll remote code
(MS10-074)
t2embed.dll remote code
(MS10-076)
AV Information:
AntiVirus software not
found (AVG F-Secure
Forefront McAfee
Symantec TrendMicro)
Microsoft IIS ASP
repeated parameter
request denial of service
Microsoft IIS
Authentication Method
Disclosed
ICMP timestamp
requests enabled
ICMP redirects are
allowed
Internet Explorer
Shell.Explorer object
enabled
last user name shown
in login box
SMB digital signing is
disabled
password complexity
policy disabled
weak account lockout
policy (0)
23
preexisting
CVE-2009-2515
CVE-2009-2516
CVE-2009-2517
7.2
no
preexisting
CVE-2009-1545
CVE-2009-1546
9.3
no
preexisting
CVE-2009-0229
CVE-2009-0230
CVE-2008-4841
CVE-2009-0235
9.0
no
9.3
yes
preexisting
CVE-2010-2563
9.3
no
preexisting
CVE-2010-1263
9.3
no
preexisting
CVE-2009-1544
9.0
no
preexisting
CVE-2010-2746
7.6
no
preexisting
CVE-2010-3227
9.3
no
preexisting
CVE-2010-1883
9.3
no
2.6
no
4.3
no
2.6
no
0.0
no
preexisting
2.6
no
preexisting
2.6
no
10.0
no
2.6
no
preexisting
preexisting
preexisting
CVE-2010-1899
preexisting
preexisting
preexisting
CVE-1999-0524
CVE-1999-0592
preexisting
preexisting
CVE-1999-0535
10.0
no
preexisting
CVE-1999-0582
5.0
no
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
potential
mandrake32
critical
mandrake32
critical
mandrake32
critical
weak minimum
password age policy (0
days)
weak minimum
password length policy
(0)
weak password history
policy (0)
non-administrative users
can bypass traverse
checking
non-administrative users
can replace a process
level token
account management
auditing disabled
account management
failure auditing disabled
logon failure auditing
disabled
object access auditing
disabled
object access failure
auditing disabled
policy change auditing
disabled
policy change failure
auditing disabled
system event auditing
disabled
system event failure
auditing disabled
Windows administrator
account not renamed
Windows guest account
not renamed
Password never expires
for user localuser
Windows TCP/IP
Stack not hardened
Microsoft Windows
Insecure Library
Loading vulnerability
Microsoft Windows
Service Isolation
Bypass Local Privilege
Escalation
Multiple Windows TCP
/IP vulnerabilities
(MS08-001)
Windows Embedded
OpenType Font Engine
Vulnerability
default device password
(root:attack)
Account root has no
password
Guessed password to
account (root:password)
24
preexisting
CVE-1999-0535
10.0
no
preexisting
CVE-1999-0535
10.0
no
preexisting
CVE-1999-0535
10.0
no
preexisting
CVE-1999-0534
4.6
no
preexisting
CVE-1999-0534
4.6
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0575
7.5
no
preexisting
CVE-1999-0585
2.1
no
preexisting
0.9
no
preexisting
0.9
no
preexisting
2.6
no
preexisting
2.6
no
preexisting
CVE-2010-1886
6.8
no
preexisting
CVE-2007-0066
CVE-2007-0069
9.3
no
preexisting
CVE-2010-0018
9.3
no
preexisting
CVE-1999-0507
CVE-1999-0508
CVE-1999-0502
7.5
no
7.5
yes
CVE-1999-0501
CVE-2006-5288
10.0
no
preexisting
preexisting
mandrake32
critical
mandrake32
critical
mandrake32
critical
mandrake32
critical
Guessed password to
account (root:root)
Guessed password to
account
(testadmin:testadmin)
Vulnerable Linux
Kernel version: 2.4.22
preexisting
CVE-1999-0501
4.6
no
removed
CVE-1999-0501
4.6
no
preexisting
10.0
no
OpenSSH 3.6.1p2 is
vulnerable
preexisting
CVE-2008-1673
CVE-2008-2136
CVE-2008-2137
CVE-2008-2812
CVE-2008-3077
CVE-2008-5025
CVE-2008-5079
CVE-2008-5700
CVE-2008-5713
CVE-2009-0031
CVE-2009-0065
CVE-2009-0269
CVE-2009-0322
CVE-2009-0605
CVE-2009-0778
CVE-2009-0859
CVE-2009-0935
CVE-2009-1072
CVE-2009-1360
CVE-2009-1633
CVE-2009-2692
CVE-2009-2903
CVE-2009-2909
CVE-2009-3547
CVE-2009-3621
CVE-2010-4083
CVE-2003-0190
CVE-2003-0386
CVE-2003-0682
CVE-2003-0693
CVE-2003-0695
CVE-2003-1562
CVE-2004-2069
CVE-2005-2797
CVE-2005-2798
CVE-2006-0225
CVE-2006-4924
CVE-2006-4925
CVE-2006-5051
CVE-2006-5052
CVE-2007-4752
CVE-2008-1483
CVE-2008-1657
CVE-2008-3259
CVE-2008-5161
10.0
no
25
mandrake32
critical
possible vulnerability in
ProFTP 1.2.8
preexisting
CVE-2003-0831
CVE-2004-0346
CVE-2004-1602
CVE-2005-2390
CVE-2005-4816
CVE-2006-5815
CVE-2006-6170
CVE-2006-6171
CVE-2006-6563
CVE-2007-2165
CVE-2008-4242
CVE-2010-3867
CVE-2010-4652
CVE-2011-4130
CVE-2012-6095
CVE-2010-0405
10.0
no
mandrake32
concern
preexisting
mandrake32
concern
bzip2 vulnerable
version: 1.0.2
vulnerable Emacs
version: 21.3.1
5.1
no
7.8
no
7.5
no
10.0
no
7.5
no
7.5
no
preexisting
CVE-2007-2833
CVE-2008-1694
CVE-2008-2142
CVE-2006-0300
CVE-2006-6097
CVE-2007-4131
CVE-2007-4476
CVE-2006-3746
CVE-2006-6169
CVE-2006-6235
CVE-2007-1263
CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
CVE-2009-2624
CVE-2010-0001
CVE-2007-5116
CVE-2008-1927
CVE-2009-3626
CVE-2011-1487
CVE-2011-2728
CVE-2011-2939
CVE-2012-6329
CVE-2007-2953
mandrake32
concern
vulnerable GNU tar
version: 1.13.25
preexisting
mandrake32
concern
vulnerability in GnuPG
version 1.2.3
preexisting
mandrake32
concern
vulnerable gzip version:
1.2.4
preexisting
mandrake32
concern
perl: 5.8.1
preexisting
mandrake32
concern
mandrake32
concern
mandrake32
potential
mandrake32
potential
mandrake32
potential
mandrake32
potential
Vim Helptags remote
code execution
Vim PySys_SetArgv
Remote Command
Execution
account lockout policy is
weak (0)
default maximum
password age policy is
weak (99999 days)
default minimum
password age policy is
weak (0 days)
minimum password
length policy is weak (6)
6.8
no
preexisting
CVE-2009-0316
6.9
no
preexisting
0.9
no
preexisting
0.9
no
preexisting
0.9
no
preexisting
0.9
no
mandrake32
potential
password history policy
is weak (0)
preexisting
0.9
no
preexisting
26
mandrake32
potential
FTP server does not
support AUTH
ftp receives cleartext
password
ICMP timestamp
requests enabled
ICMP redirects are
allowed
Python: 2.3
preexisting
2.6
no
mandrake32
potential
preexisting
2.6
no
mandrake32
potential
0.0
no
mandrake32
potential
2.6
no
mandrake32
potential
10.0
no
mandrake32
mandrake32
potential
potential
Remote OS available
rpc.statd is enabled and
may be vulnerable
preexisting
preexisting
2.6
10.0
no
no
mandrake32
potential
preexisting
7.5
no
mandrake32
potential
0.0
no
mandrake32
potential
10.0
no
mandrake32
potential
SSH Protocol Version
1 Supported
The sunrpc portmapper
service is running
sunrpc services may be
vulnerable
TCP timestamp
requests enabled
2.6
no
preexisting
CVE-1999-0524
preexisting
preexisting
preexisting
preexisting
preexisting
CVE-2006-4980
CVE-2007-4965
CVE-2008-1721
CVE-2008-1887
CVE-2008-2316
CVE-2008-4864
CVE-2008-5031
CVE-2012-0845
CVE-2012-1150
CVE-1999-0018
CVE-1999-0019
CVE-1999-0210
CVE-1999-0493
CVE-2000-0666
CVE-2000-0800
CVE-2001-0361
CVE-2001-1473
CVE-1999-0632
CVE-2002-0391
CVE-2003-0028
4.0 Details
The following sections provide details on the specific vulnerabilities detected on each host.
4.1 Account Policy
Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.
Resolution
Edit the account policy, which requires different methods on different varieties of Unix-derived systems. Most
current UNIX-style systems use the shadow file method to store encrypted passwords and some user settings
(in the /etc/shadow file). Most of these systems also use Pluggable Authentication Module (PAM) modules
to control minimum password length, password history, password complexity requirements, and account lockout.
Linux systems have a file /etc/login.defs that contains various default settings, e.g., for minimum and
maximum password age, which are inserted into the /etc/password file when a new user is created.
Change the account policy settings to the recommended values. In a typical organization, these are:
27
Minimum password length: 8 characters
Enforce password history: 24 passwords remembered
Maximum password age: 42 days
Minimum password age: 2 days
Account lockout threshold: 3 invalid logon attempts
PCI requires that passwords contain letters and digits, but a stronger policy is to require three or four different
types of characters, e.g., upper case letters, lower case letters, numbers, and symbols.
Note that the minimum and maximum password age settings are really defaults that can generally be
overridden for individual users.
Also note that SAINT currently performs these checks only for Mac OS X starting with 10.5 Leopard, and
Linux systems using standard Linux security and PAM modules.
Where can I read more about this?
See Hitachi ID Systems' white paper Password Policy Guidelines and documentation for your particular
operating system.
4.2 AntiVirus Information
Impact
The system may be susceptible to viruses, worms, and other types of malware.
Resolution
Install and enable anti-virus software. Turn on automatic updates and periodic scans. Enable logging.
If an anti-virus server or manager is present, make sure that all clients can communicate with it so that the
client is as up to date as possible and can send crucial information to the master installation.
If more information is needed about the anti-virus software running on the network and a server or manager is
present, it is a good place to look for information about the anti-virus clients.
If more than one instance of anti-virus software is installed on a system, remove all but one. Multiple anti-virus
programs may interfere with each other and cause the system to run poorly.
For additional information about viruses and anti-virus products, see Virus Bulletin.
4.3 bzip2 vulnerability
Impact
Vulnerability in BZIP2 could allow a remote attacker to execute arbitrary commands which may cause a denial
of service.
Resolution
28
Upgrade to bzip2 1.0.6 or higher when available.
The Integer Overflow Vulnerability was reported in Bugtraq ID 43331.
4.4 default device password
Impact
A remote attacker could gain access to the device, allowing him or her to cause a denial of service, change
the configuration, install malicious firmware, or gain unauthorized access to the internal network.
Resolution
Change the password to something other than the default. A recommended password would be one which is
at least eight characters long, contains both letters and numbers, and is not based on any associated
information such as account names, user's names, or DNS names.
If the password cannot be changed, contact your vendor for a firmware fix, or block access to all affected
services at the network perimeter.
08/26/02
NOTE: In some cases, notably the Gateway GS-400 server vulnerability, changing the password may void
the manufacturer's warranty.
Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords. Although it
focuses on UNIX, the password guidelines presented in this paper are applicable to all devices.
Specific information is available for Symantec Messaging Gateway, ZyXEL Prestige routers, Gateway
GS-400, Avaya switches, X-Micro WLAN routers, NetGear WG602 Accesspoint, NetGear WG602
Accesspoint change, Edimax WAP, NetGear DG834G, Axis, Dynalink RTA 230, Asante FM2008 switch,
Vertical Horizon switch, UTStarcom VoIP WIFI Phone, Cisco ACE, 3Com OfficeConnect, Alien Technology
ALR-9900, Comcast DOCSIS, Modicon Quantum, GE D20, and Micrologix.
4.5 Emacs vulnerabilities
Impact
Vulnerabilities in Emacs allow for application crash when loading a malformed crafted file, and arbitrary code
execution.
Resolution
See UBUNTU:USN-919-1 for more information on CVE-2010-0825.
Emacs should be updated to a version higher than 24.1 when available.
A patch for CVE-2007-5795 is available.
29
A patch for CVE-2008-1694 is available.
Contact your Linux vendor for upgrades within version 22.
The "enable-local-variables" Variable Processing vulnerability was reported in Secunia Advisory
SA50157.
The EDE Automatic Project Loading vulnerability was reported in Secunia Advisory SA47515.
The Improper file permission check Vulnerability was reported in Bugtraq ID 39039.
The fast-lock-mode" file processing vulnerability was reported in Secunia Advisory SA30199.
The Privilege Elevation from vcdiff with SCCS was reported in Secunia Advisory SA29905.
The version 22.1 vulnerabilities were reported in Secunia Advisory SA27508 and Gentoo Linux Security
Advisory 200712-03.
The GIF image size denial of service was reported in Bugtraq ID 24570.
4.6 FTP Security Extensions
Impact
Passwords could be stolen if an attacker is able to capture network traffic to and from the FTP server.
Resolution
Enable FTP Security Extensions on the FTP server. If the FTP server does not support Security
Extensions, change to a different FTP server.
More information about FTP Security Extensions is available in RFC2228.
4.7 FTP server
Impact
Passwords could be stolen if an attacker is able to capture network traffic to and from the FTP server.
Resolution
Disable the FTP server and use a more secure program such as SCP or SFTP to transfer files. If FTP
cannot be disabled, restrict access using iptables or TCP Wrappers such that only addresses on a local, trusted
network can connect.
30
For more information, see Protocols - The Problem With Cleartext.
4.8 GNU tar vulnerabilities
Impact
GNU Tar may be halted (denial of service) from a malformed TAR file. This vulnerability may also allow for
the execution of arbitrary code. GNU Tar allows for directory traversal from a malformed TAR file.
Resolution
The slash slash dot dot directory traversal can be patched.
Upgrade to a version higher than GNU tar 1.16.
The crashing stack buffer overflow was reported in Secunia Advisory SA26674.
The GNU Tar slash slash dot dot directory traversal was reported in Bugtraq ID 25417.
The GNUTYPE_NAMES remote directory traversal vulnerability was reported in Bugtraq ID 21235.
The PAX extended header vulnerability was reported in Bugtraq ID 16764.
4.9 GnuPG vulnerabilities
Impact
Vulnerabilities in GnuPG allow for denial of service or execution of arbitrary code when processing a
malformed file.
Resolution
Upgrade to GnuPG version 1.4.9 or higher or 2.0.17 or higher.
Another option is to upgrade from your Linux vendor.
The GPGSM Tool Certificate Importing Remote Code Execution vulnerability was reported in Bugtraq ID
41945.
The deduplication of user IDs memory corruption was reported in Secunia Advisory SA29568 and oCERT
#2008001.
The content forgery vulnerability was reported in Secunia Advisory SA24365.
The stack overwrite vulnerability was reported in Bugtraq ID 21462.
The make_printable_string overflow vulnerability was reported in Secunia Advisory SA23094.
31
The message packet length handling integer overflow vulnerability was reported to Bugtraq ID 19110.
4.10 guessed account password
Impact
An attacker who is able to guess the password to a user account could gain shell access to the system with
the privileges of the user. From there it is often trivial to gain complete control of the system.
Resolution
Protect all accounts with a password that cannot be guessed. Require users to choose passwords which are
eight characters long, including numeric and non-alphanumeric characters, and which are not based on the login
name or any other personal information about the user. Enforce this policy using a utility such as npasswd in
place of the default UNIX passwd program. Check the strength of all account passwords periodically using a
password cracking utility such as Crack for Unix.
For Cisco 2700 Series Wireless Location Appliance, change the password or mitigate as described in
cisco-air-20061013-wla.
Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords.
The Cisco 2700 Series WLA default password was described in cisco-sa-2006-1012-wla and Bugtraq ID
20490.
The IBM Totalstorage DS400 default password was posted to Full Disclosure.
4.11 gzip vulnerabilities
Impact
Vulnerabilities in gzip allow for denial of service or execution of remote code when a file is decompacted using
gunzip.
Resolution
Upgrade to a version of gzip higher than 1.3.12 when available.
The multiple vulnerabilities in gzip 1.3.12 and prior were reported in Bugtraq ID 37886, Bugtraq ID 37888.
The denial of service and remote code execution in 1.3.5 were reported in Secunia Advisory SA21996.
4.12 http IIS access
Impact
An attacker could send a specially constructed request which crashes the server or executes arbitrary code
32
with the privileges of the web server.
Resolutions
To fix the directory stream authentication bypass vulnerability, apply the patch referenced in Microsoft Security
Bulletin 10-065.
For the Extended Protection for Authentication vulnerability, apply the patch referenced in Microsoft Security
Bulletin 10-040.
Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-062, and
10-065.
For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security
Bulletin 02-050 must also be installed if client side certificates are to function.
IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the
permanent redirection option under the Home Directory tab in the web site properties.
The ASP Repeated Parameter Request Denial of Service and FastCGI Request Header Buffer Overflow
were reported in Microsoft Security Bulletin 10-065.
The directory stream authentication bypass was reported in Microsoft Security Bulletin 10-065 and Secunia
Advisory 40412.
The Extended Protection for Authentication vulnerability was reported in Microsoft Security Bulletin 10-040.
More information on Integer Overflow in IPP Service is available at Microsoft Security Bulletin 08-062.
More information on the ASP Remote Code Execution vulnerability in Windows 2003 and XP is available in
Microsoft Security Bulletin 08-006, (US) CERT Technical Alert TA08-043C, Hewlett-Packard security bulletin
HPSBST02314 / SSRT080016, Secunia advisory 28893, Security Focus Bugtraq ID 27676, and Security
Tracker Alert ID 1019385.
More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.
More information on the ASP Upload Command Execution vulnerability is available in Microsoft Security
Bulletin 06-034, (US) CERT Vulnerability Note VU#395588, Neohapsis 2006 July message #0316, OSVDB
record 27152, Secunia Advisory 21006, Security Focus Bugtraq ID 18858 and exploit, and Security Tracker
Alert ID 1016466.
More information on the .dll request denial of service was reported in Secunia Advisory SA18106.
More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin
02-028.
The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.
More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09,
Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.
More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and
33
01-033, CERT advisories 2001-10 and 2001-13. General information on securing IIS 5.0 can be found in the
IIS 5 security checklist.
More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin
00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from
Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.
More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and
from Microsoft Knowledge Base article Q234905.
More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086
and NSFOCUS Security Advisory 2000-07.
More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and
01-044.
4.13 http IIS authentication
Impact
An attacker could determine which authentication scheme is required for confidential web pages. This can be
used for brute force attacks against known User IDs.
Resolutions
Use Fix information in Considerations for IIS authentication.
More information on the IIS Authorization method disclosure is available in Considerations for IIS
authentication.
4.14 ICMP information disclosure
Impact
A remote attacker could obtain sensitive information about the network.
Resolution
Configure the system or firewall not to allow ICMP timestamp requests (message type 13) or ICMP netmask
requests (message type 17). Instructions for doing this on specific platforms are as follows:
Windows:
Block these message types using the Windows firewall as described in Microsoft TechNet.
Linux:
Use ipchains or iptables to filter ICMP netmask requests using the command:
ipchains -A input -p icmp --icmp-type address-mask-request -j DROP
Use ipchains or iptables to filter ICMP timestamp requests using the commands:
34
pre> ipchains -A input -p icmp --icmp-type timestamp-request -j DROP ipchains -A output -p icmp --icmp-type
timestamp-reply -j DROP
To ensure that this change persists after the system reboots, put the above command into the system's
boot-up script (typically /etc/rc.local).
Cisco:
Block ICMP message types 13 and 17 as follows:
deny icmp any any 13
deny icmp any any 17
For more information about ICMP, see RFC792.
4.15 ICMP redirects
Impact
An attacker could change the routing of packets from the target such that transmitted data could potentially be
monitored or modified.
Resolution
Disable ICMP redirects. On Windows, this is done by setting the following registry value:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: EnableICMPRedirect
Type: REG_DWORD
Data: 0
To disable ICMP redirects on Linux, use the following commands:
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
To make the above settings permanent, also set the following lines in the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
For more information about ICMP redirects, see Ask Ubuntu and Windows Reference.
For more information on securing the Linux kernel, see Linux Kernel /etc/sysctl.conf Security Hardening.
4.16 IIS vulnerabilities
Impact
35
Vulnerabilities in IIS allow privilege elevation, and code execution.
Resolution
To fix the denial of service vulnerability reported in MS13-007, patch as designated in Microsoft Security
Bulletin 13-007. To fix the multiple vulnerabilities reported in MS12-073, patch as designated in Microsoft
Security Bulletin 12-073.
To fix the FTP Server telnet IAC heap overflow, patch as designated in Microsoft Security Bulletin 11-004.
For the FTP Server Remote Buffer Overflow vulnerability, patch as designated in Microsoft Security Bulletin
09-053.
For the File change notification privilege elevation vulnerability, apply the appropriate patch for the operating
system and IIS version:
Windows 2000 IIS 5.0: KB942831
Widows XP IIS 5.1: KB942831
Windows Server 2003 IIS 6.0: KB93281
Windows Vista IIS 7.0: KB93281
More details on the denial of service vulnerability reported in MS13-007 can be found in Microsoft Security
Bulletin 13-007. More details on the multiple vulnerabilities reported in MS12-073 can be found in Microsoft
Security Bulletin 12-073.
The FTP service telnet IAC heap overflow was reported in 11-004.
The FTP Server Remote Buffer Overflow vulnerability was reported in Microsoft Security Bulletin 09-053.
The FTP Server Remote Buffer Overflow was reported in Bugtraq ID 36189.
The file change notification privilege elevation vulnerability was reported in Microsoft Security Bulletin
MS08-005.
4.17 Internet Explorer vulnerabilities
Impact
A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious
web site hosted by the attacker.
Resolution
To use Internet Explorer securely, take the following steps:
(The vulnerabilities in IE 8, Beta 1 have not yet been patched)
(The response splitting and smuggling related to setRequestHeader() has not yet been patched)
(The file focus stealing vulnerability has not yet been patched)
36
(The stack overflow vulnerability has not yet been patched.)
(The document.open spoofing vulnerability has not yet been patched.)
(The CSS parser vulnerability has not yet been patched.)
Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft
Security Bulletins 07-009, 07-061, 08-022, 08-032, 08-052, 10-002, 11-031, 12-063, 12-071,
12-077, 13-008, 13-010, and 13-021.
Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security
Advisory (980088)
Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864
Disable the Javaprxy.dll object
Disable the ADODB.Stream object
Disable the Shell.Explorer object
Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article
870669.
To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.
To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following
CLSIDs:
3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
4682C82A-B2FF-11D0-95A8-00A0C92B77A9
8E71888A-423F-11D2-876E-00A0C9082467
E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
233A9694-667E-11D1-9DFB-006097D50408
BE4191FB-59EF-4825-AEFC-109727951E42
6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
606EF130-9852-11D3-97C6-0060084856D4
F849164D-9863-11D3-97C6-0060084856D4
To fix the ADODB.connection vulnerability, install the fix at MS07-009. or mitigate the impact by setting the
kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.
For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.
The Security Zone Bypass vulnerability (CVE-2010-0255) was reported in Microsoft Security Advisory
(980088).
The CSS parser vulnerability (CVE-2010-3971) was reported in Microsoft Security Advisory (2488013).
For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020,
37
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010,
12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, and 13-021.
Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A,
TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.
The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.
The setRequestHeader() related vulnerabilities were reported in Secunia Advisory SA29453.
The URL handling vulnerability in IE7 was reported in Microsoft Security Advisory 943521 and Secunia
Advisory SA27007.
The document.open spoofing vulnerability was reported in Secunia Advisory SA26069.
More information on the race condition building DOM objects vulnerability was reported in Secunia Advisory
SA25564.
More information on the WPAD proxy server interception vulnerability was reported in NIST Vulnerability
Database (CVE-2007-1692).
More information on the navcancl.htm cross-site scripting vulnerability may be found at Phishing using IE7
and Secunia Advisory SA24535.
More information on the Unload JavaScript vulnerabilities may be found at Bugtraq ID 22678 and Bugtraq ID
22680.
More information on the DirectAnimation ActiveX remote integer overflow may be found at XSec Security
Advisory XSec-06-10.
More information on the ActiveX instantiation heap memory corruption may be found at XSec Security
Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.
More information on the IsComponentInstalled buffer overflow may be found in Bugtraq ID 16870.
More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.
Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.
More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in
Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.
More information on the VML buffer overflow may be found in Bugtraq ID 20096.
The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.
Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq
and Full Disclosure.
The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472,
38
Bugtraq ID 10473, and Bugtraq ID 10514.
The memory overflow error on the window() function is reported in a Computer Terrorism article.
More information on the ADODB.connection vulnerability is reported in US-CERT Vulnerability Note
VU#589272 and Bugtraq ID 20704.
4.18 last user name disclosure
Impact
An attacker with physical access to the computer could determine a valid user name on the system, thus
facilitating password guessing attacks.
Resolution
Run regedt32, and in the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, set
DontDisplayLastUserName equal to 1.
More information is available in The Registry Guide for Windows.
4.19 Linux Kernel vulnerabilities
Impact
A remote attacker could execute arbitrary code, cause information disclosure, bypass certain security
restrictions, or cause a denial of service.
Resolution
Install an updated kernel package from your Linux vendor, or upgrade Linux kernel to a version higher than
2.6.39.4 for 2.6.x, 3.0.69 or higher for 3.0.x, 3.2.41 or higher for 3.2.x, 3.4.36 or higher for 3.4.x, or 3.8.3 or
higher for 3.8.x when available.
The Race Condition and Integer Overflow vulnerabilities were reported in Secunia Advisory SA52441.
The "chase_port()" USB Unplugging Denial of Service vulnerability was reported in Secunia Advisory
SA52343.
The "pciback_enable_msi()" Log Message Flooding Denial of Service vulnerability was reported in
Secunia Advisory SA52188.
The "__sock_diag_rcv_msg()" and "shmem_remount_fs()" vulnerabilities were reported in Secunia
Advisory SA52289.
The "call_console_drivers()" Function Log Prefix Stripping Denial of Service was reported in
39
The Bluetooth HIDP "hidp_setup_hid()" Information Disclosure vulnerability was reported in Secunia
Advisory SA52340.
The Extended Verification Module NULL Pointer Dereference Local Denial of Service was reported in
The ptrace Privilege Escalation vulnerability was reported in Secunia Advisory SA52269.
The "xen_iret()" IRET Handling vulnerability was reported in Secunia Advisory SA52270.
The "__skb_recv_datagram()" Denial of Service vulnerability was reported in Secunia Advisory
SA52170.
The "xen_failsafe_callback()" IRET Handling Denial of Service was reported in Secunia Advisory
SA51906.
The "uname()" Kernel Memory Disclosure vulnerability was reported in Secunia Advisory SA50895.
The HFS+ Privilege Escalation vulnerability was reported in Secunia Advisory SA50849.
The "compat_put_timeval()" Argument Passing vulnerability was reported in Secunia Advisory
SA50790.
The two vulnerabilities fixed in Linux Kernel 3.4.10 were reported in Secunia Advisory SA50421.
The multiple vulnerabilities fixed in 2.6.34.13 were reported in Secunia Advisory SA50340.
The Netlink Message Handling Privilege Escalation vulnerability was reported in Secunia Advisory
SA50323.
The "madvise_remove()" Use-After-Free vulnerability was reported in Secunia Advisory SA50310.
The SFC Driver TCP MSS Option Handling Denial of Service vulnerability was reported in Secunia Advisory
SA50081.
The UDF File System Denial of Service vulnerabilities were reported in Secunia Advisory SA49742.
The epoll descriptor Denial of Service vulnerability was reported in Secunia Advisory SA49737.
The Kernel DOS vulnerability in NFS was reported in Secunia Advisory SA24215.
The Huge Pages Memory Leak Denial of Service vulnerability was reported in Secunia Advisory SA49191.
The NFSv4 Denial of Service vulnerability was reported in Secunia Advisory SA49149.
The mmap_sem Denial of Service vulnerability was reported in Secunia Advisory SA49187.
The "ext4_fill_flex_info()" Denial of Service vulnerability was reported in Secunia Advisory
SA48645.
The "__split_huge_page()" Race Condition Denial of Service vulnerability was reported in Secunia
Advisory SA48404.
40
The "/proc/<pid>/mem" Privilege Escalation vulnerability was reported in Secunia Advisory SA47378.
The "igmp_heard_query()" Denial of Service vulnerability was reported in Secunia Advisory SA47472.
The KVM "syscall" Emulation Denial of Service vulnerability was reported in Secunia Advisory SA47482.
The DRM "drm_mode_dirtyfb_ioctl()" Integer Overflow vulnerability was reported in Secunia
Advisory SA47486.
The "xfs_acl_from_disk()" Integer Overflow vulnerability was reported in Secunia Advisory SA47488.
The KVM KVM_ASSIGN_PCI_DEVICE IOCTL Denial of Service vulnerability was reported in Secunia
Advisory SA47431.
The "SG_IO" SCSI IOCTL Privilege Escalation vulnerability was reported in Secunia Advisory SA47296.
The KVM PIT Denial of Service vulnerability was reported in Secunia Advisory SA47293.
The B.A.T.M.A.N. "bat_socket_read()" Buffer Overflow vulnerability was reported in Secunia
Advisory SA47199.
The "journal_get_superblock()" Denial of Service vulnerabilities were reported in Secunia Advisory
SA46802.
The two Denial of Service vulnerabilities in 2.6.x were reported in Secunia Advisory SA46803.
The ghash NULL Pointer Dereference vulnerability was reported in Secunia Advisory SA46584.
The XFS "xfs_readlink()" Buffer Overflow vulnerability was reported in Secunia Advisory SA46591.
The ext4 Extent Splitting Denial of Service vulnerability was reported in Secunia Advisory SA46489.
The "apparmor_setprocattr()" Denial of Service vulnerability was reported in Secunia Advisory
SA46423.
The CIFS DFS Denial of Service vulnerability was reported in Secunia Advisory SA45936.
The CIFSFindNext Signedness Error Denial of Service vulnerability was reported in Secunia Advisory
SA45695.
The Event Overflows Denial of Service vulnerability was reported in Secunia Advisory SA45533.
The "perf" Privilege Escalation vulnerability was reported in Secunia Advisory SA45489.
The GRO "skb_gro_header_slow()" Denial of Service vulnerability was reported in Secunia Advisory
SA45420.
The Xtensa "ptrace_setxregs()" Memory Disclosure vulnerability was reported in Secunia Advisory
SA45267.
The GFS2 / ext4 Denial of Service vulnerabilities were reported in Secunia Advisory SA45193.
The Transparent Hugepage Support Denial of Service vulnerability was reported in Secunia Advisory
41
SA44986.
The "key_replace_session_keyring()" NULL Pointer Dereference Denial of Service vulnerability
was reported in Secunia Advisory SA44747.
The KSM Denial of Service vulnerability was reported in Secunia Advisory SA44754.
The "ip_expire()" Denial of Service vulnerability was reported in Secunia Advisory SA44625.
The Bluetooth Multiple Local Information Disclosure vulnerabilities were reported in Secunia Advisory
SA44466.
The Denial of Service and Privilege Escalation vulnerabilities were reported in Secunia Advisory SA44248.
The "bcm_release()" NULL Pointer Dereference vulnerability was reported in Secunia Advisory
SA44220.
The 'next_pidmap()' Local Denial of Service vulnerability was reported in Secunia Advisory SA44164.
The "mremap()" Denial of Service vulnerability was reported in Secunia Advisory SA44094.
The "inotify_init1()" Denial of Service vulnerability was reported in Secunia Advisory SA44091.
The OCFS2 Sparse Writes Information Disclosure vulnerability was reported in Secunia Advisory SA43966.
The 'iriap.c' Remote Buffer Overflow vulnerabilities were reported in Bugtraq ID 46980.
The Netfilter and Econet Local Information Disclosure vulnerabilities were reported in Bugtraq ID
46919.
The ROSE multiple vulnerabilities were reported in Secunia Advisory SA43846.
The TPM Information Disclosure vulnerability was reported in Secunia Advisory SA43576.
The "ldm_frag_add()" Buffer Overflow vulnerability was reported in Secunia Advisory SA43738.
The InfiniBand Request Handling Denial of Service vulnerability was reported in Secunia Advisory
SA43693.
The epoll Denial of Service vulnerability was reported in Secunia Advisory SA43522.
The 'dns_key.c' NULL Pointer Dereference Denial of Service vulnerability was reported in Secunia
Advisory SA43594.
The "/proc/<pid>/" Permissions Handling weakness was reported in Secunia Advisory SA43496.
The World-Writable sysfs and procfs Files weaknesses were reported in Secunia Advisory SA43405.
The 'fs/btrfs/ioctl.c' Local Privilege Escalation vulnerability was reported in Bugtraq ID 46301.
The 'security_filter_rule_init()' Local Security Bypass vulnerability was reported in Bugtraq ID
46323.
The I/O-Warrior USB Device Heap Buffer Overflow vulnerability was reported in Bugtraq ID 46069.
42
The "drivers/media/dvb/ttpci/av7110_ca" IOCTL Local Privilege Escalation vulnerability was
reported in Bugtraq ID 45986.
The ETHTOOL_GRXCLSRLALL Local Information Disclosure vulnerability was reported in Bugtraq ID 44427.
The 'kvm_vcpu_events.interrupt.pad' Field Local Information Disclosure vulnerability was reported in
Bugtraq ID 45676.
The "blk_rq_map_user_iov()" Local Denial of Service vulnerability was reported in Bugtraq ID 45660.
The SCTP Local Race Condition vulnerability was reported in Bugtraq ID 45661.
The 'pipe_fcntl()' Local Denial of Service vulnerability was reported in Bugtraq ID 45125.
The Unix Sockets Local Denial of Service vulnerability was reported in Bugtraq ID 45037.
The "hmid_ds structure" Local Information Disclosure vulnerability was reported in Bugtraq ID 45054.
The Econet Protocol Multiple Local vulnerabilities were reported in Bugtraq ID 45072.
The 'perf_event_mmap()' Local Denial of Service vulnerability was reported in Bugtraq ID 44861.
The 'net/core/filter.c' Local Information Disclosure vulnerability was reported in Bugtraq ID 44758.
The Futex Macros Local Denial of Service vulnerability was reported in Bugtraq ID 44754.
The CAN Protocol Information Disclosure vulnerability was reported in Bugtraq ID 44661.
The 'x25_parse_facilities()' Remote Denial of Service vulnerability was reported in Bugtraq ID
44642.
The 'io_submit_one()' NULL Pointer Dereference Denial of Service vulnerability was reported in
Bugtraq ID 44755.
The Reliable Datagram Sockets Protocol Local Integer Overflow vulnerability was reported in Bugtraq ID
44549.
The setup_arg_pages() Denial of Service vulnerability was reported in Bugtraq ID 44301.
The VIDIOCSMICROCODE IOCTL Local Memory Overwrite vulnerability was reported in Bugtraq ID 44242.
The Reliable Datagram Sockets Protocol Local Privilege Escalation vulnerability was reported in Bugtraq ID
44219.
The ALSA 'sound/core/control.c' Local Integer Overflow vulnerability was reported in Bugtraq ID
43787.
The 915 GEM IOCTL Local Memory Overwrite vulnerability was reported in Bugtraq ID 44067.
The FBIOGET_VBLANK 'drivers/video/sis/sis_main.c' Information Disclosure vulnerability was
The 'ipc/sem.c' Information Disclosure vulnerability was reported in Bugtraq ID 43809.
43
The TIOCGICOUNT 'usb/serial/mos*.c' Information Disclosure vulnerability was reported in Bugtraq
ID 43803.
The SCTP HMAC Handling Memory Corruption vulnerability was reported in Bugtraq ID 43701.
The OCFS2 Fast Symlink Memory Corruption vulnerability was reported in Bugtraq ID 43611.
The set_ftrace_filter File Local Denial of Service vulnerability was reported in Bugtraq ID 43684.
The 'PKT_CTRL_CMD_STATUS' Invalid Pointer Dereference Denial of Service vulnerability was reported in
Bugtraq ID 43551.
The multiple Information Disclosure vulnerabilities fixed in 2.6.36-rc5 were reported in Secunia Advisory
SA41440.
The Rose Protocol 'srose_ndigis' Heap Memory Corruption vulnerability was reported in Bugtraq ID
43368.
The Ptrace Local Privilege Escalation vulnerability was reported in Bugtraq ID 43355.
The 'do_io_submit()' Integer Overflow vulnerability was reported in Bugtraq ID 43353.
The 'video4linux' IOCTL and IP Multicast 'getsockopt' Privilege Escalation vulnerability was
The snd_seq_oss_open() Multiple Local Memory Corruption vulnerabilities were reported in Bugtraq ID
43062.
The XFS_IOC_FSGETXATTR Information Disclosure vulnerability was reported in Bugtraq ID 43022.
The SIOCGIWSSID IOCTL Local Information Disclosure vulnerability was reported in Bugtraq ID 42885.
The irda_bind() Object Cleanup vulnerability was reported in Bugtraq ID 42900.
The keyctl_session_to_parent() Null Pointer Dereference Denial of Service vulnerability was reported
in Bugtraq ID 42932.
The Controller Area Network Protocol Local Privilege Escalation vulnerability was reported in Bugtraq ID
42585.
The JFS xattr Namespace Rules Security Bypass vulnerability was reported in Bugtraq ID 42589.
The KVM Intel VT-x Extension NULL Pointer Denial of Service vulnerability was reported in Bugtraq ID
42582.
The EXT4 Multiple Local Denial of Service vulnerabilities were reported in Bugtraq ID 42477.
The Userspace Stack Growth Memory Corruption vulnerability was reported in Secunia Advisory SA40965.
The Btrfs Overwrite Append-Only Files Local Security Bypass vulnerability was reported in Bugtraq ID
41847.
The CIFS DNS Lookup Cache Poisoning vulnerability was reported in Bugtraq ID 41904.
44
The GFS2 Access Control List (ACL) Security Bypass vulnerability was reported in Bugtraq ID 41516.
The btrfs File Permissions Security Bypass vulnerability was reported in Bugtraq ID 41467.
The Donor File Security Bypass vulnerability was reported in Bugtraq ID 41466.
The time/clocksource.c Denial of Service vulnerability was reported in Bugtraq ID 41079.
The pppol2tp_xmit Null Pointer Deference Denial of Service vulnerability was reported in Bugtraq ID
41077.
The ethtool 'info.rule_cnt' Local Buffer Overflow vulnerability was reported in Bugtraq ID 41223.
The Linux Kernel XSF 'SWAPEXT' IOCTL Local Information Disclosure vulnerability was reported in
Bugtraq ID 40920.
The 'knfsd' 'current->mm' Modifier Local Denial of Service vulnerability was reported in Bugtraq ID
40377.
The GFS2 File Attribute Security Bypass vulnerability was reported in Bugtraq ID 40356.
The Btrfs Cloned File Security Bypass vulnerability was reported in Bugtraq ID 40241.
The sctp_process_unk_param() Remote Denial of Service vulnerability was reported in Bugtraq ID
39794.
The gfs2_quota Structure Write Local Privilege Escalation vulnerability was reported in Bugtraq ID 39715.
The find_keyring_by_name() Local Memory Corruption vulnerability was reported in Bugtraq ID 39719.
The proc_oom_score() Local Denial of Service vulnerability was reported in Bugtraq ID 39477.
The release_one_tty() Local Information Disclosure vulnerability was reported in Bugtraq ID 39480.
The VM/VFS 'invalidatepage()' Local Denial of Service vulnerability was reported in Bugtraq ID
39569.
The ReiserFS Security Bypass vulnerability was reported in Bugtraq ID 39344.
The tipc Module Local Denial of Service vulnerability was reported in Bugtraq ID 39120.
The nameidata Null Pointer Dereference vulnerability was reported in Bugtraq ID 39186.
The GFS/GFS2 Local Denial of Service vulnerability was reported in Bugtraq ID 39101.
The KVM 'hvc_console.c' Local Denial of Service vulnerability was reported in Bugtraq ID 38537.
The Video Output Status Local Denial of Service vulnerability was reported in Bugtraq ID 38607.
The TSB I-TLB Load Local Privilege Escalation vulnerability was reported in Bugtraq ID 38393.
The dvb_net_ule() Remote Denial of Service vulnerability was reported in Bugtraq ID 38479.
45
The KVM Segment Selector Loading Local Privilege Escalation vulnerability was reported in Bugtraq ID
38467.
The selinux_bprm_committing_creds() Security Bypass vulnerability was reported in Bugtraq ID
38175.
The net/ipv6/ip6_output.c NULL Pointer Dereference Denial of Service vulnerability was reported in
Bugtraq ID 38185.
The KVM 'pit_ioport_read()' Local Denial of Service vulnerability was reported in Bugtraq ID 38038.
The "mmap()" and "mremap()" multiple Denial of Service vulnerabilities were reported in Bugtraq ID 37906.
The Linux Kernel ipv6_hop_jumbo() Remote Denial of Service vulnerability was reported in Bugtraq ID
37810.
The Linux Kernel fasync_helper() Local Privilege Escalation vulnerability was reported in Bugtraq ID
37806.
The Linux Kernel ebtables Security Bypass vulnerability was reported in Bugtraq ID 37762.
The Linux Kernel print_fatal_signal() Local Information Disclosure vulnerability was reported in
Bugtraq ID 37724.
The Linux Kernel RTL8169 NIC 'RxMaxSize' Frame Size Remote Denial of Service vulnerability was
The Linux Kernel fuse_ioctl_copy_user() Local Denial of Service vulnerability was reported in
Bugtraq ID 37453.
The Linux Kernel drivers/firewire/ohci.c NULL Pointer Dereference Denial of Service vulnerability
was reported in Bugtraq ID 37339.
The Linux Kernel Ext4 move extents ioctl Local Privilege Escalation vulnerability was reported in
Bugtraq ID 37277.
The Linux Kernel KVM handle_dr() Local Denial of Service vulnerability was reported in Bugtraq ID
37221.
The Linux Kernel ip_frag_reasm() Null Pointer Deference Remote Denial of Service vulnerability was
The Linux Kernel net/mac80211/ Multiple Remote Denial of Service vulnerability was reported in Bugtraq
ID 37170.
The Linux Kernel KVM Large SMP Instruction Local Denial of Service vulnerability was reported in Bugtraq
ID 37130.
The Linux Kernel drivers/char/n_tty.c NULL Pointer Dereference Denial of Service vulnerability was
The Linux Kernel fuse_direct_io() Invalid Pointer Dereference Local Denial of Service vulnerability was
46
The Linux Kernel drivers/scsi/gdth.c Local Privilege Escalation vulnerability was reported in Bugtraq
ID 37068.
The Linux Kernel fput() NULL Pointer Dereference Local Denial of Service vulnerability was reported in
Bugtraq ID 36953.
The Linux Kernel nfs4_proc_lock() Local Denial of Service vulnerability was reported in Bugtraq ID
36936.
The Linux Kernel pipe.c Local Privilege Escalation vulnerability was reported in Bugtraq ID 36901.
The Linux Kernel unix_stream_connect() Local Denial of Service vulnerability was reported in Bugtraq
ID 36723.
The Linux Kernel net/ax25/af_ax25.c Local Denial of Service vulnerability was reported in Bugtraq ID
36635.
The Linux Kernel eCryptfs Lower Dentry Null Pointer Dereference Local Denial of Service vulnerability
The Linux Kernel KVM 'kvm_emulate_hypercall()' Local Denial of Service vulnerability was reported
The Linux Kernel O_EXCL NFSv4 Privilege Escalation vulnerability was reported in Bugtraq ID 36472.
The Linux Kernel find_ie() Function Remote Denial of Service vulnerability was reported in Bugtraq ID
36421.
The Linux Kernel perf_counter_open() Local Buffer Overflow vulnerability was reported in Bugtraq ID
36423.
The Linux Kernel AppleTalk Driver IP Over DDP Remote Denial of Service vulnerability was reported in
Bugtraq ID 36379.
The Linux Kernel 2.4 and 2.6 Multiple Local Information Disclosure vulnerabilities were reported in Bugtraq
ID 36304.
The Linux Kernel drivers/scsi/sg.c NULL Pointer Dereference Denial of Service vulnerability was
The Linux Kernel Multiple Protocols Local Information Disclosure vulnerabilities were reported in Bugtraq ID
36176.
The Linux Kernel drivers/char/tty_ldisc.c NULL Pointer Dereference Denial of Service vulnerability
The Linux Kernel net/llc/af_llc.c Local Information Disclosure vulnerability was reported in Bugtraq
ID 36126.
The Linux Kernel cmp_ies Remote Null Pointer Dereference vulnerability was reported in Bugtraq ID
36052.
The Linux Kernel udp_sendmsg MSG_MORE Flag Local Privilege Escalation vulnerability was reported in
47
Bugtraq ID 36108.
The Linux Kernel binfmt_flat.c NULL Pointer Dereference Denial of Service vulnerability was reported
The Linux Kernel sock_sendpage() NULL Pointer Dereference vulnerability was reported in Bugtraq ID
36038.
The Linux Kernel posix-timers.c NULL Pointer Dereference Denial of Service vulnerability was reported
The Linux Kernel fs/proc/base.c Local Information Disclosure vulnerability was reported in Bugtraq ID
36019.
The Linux Kernel clear_child_tid() Local Denial of Service vulnerability was reported in Bugtraq ID
35930.
The Linux Kernel eCryptfs parse_tag_11() Remote Stack Buffer Overflow vulnerability was reported
The Linux Kernel SGI GRU Driver Off By One vulnerability was reported in Bugtraq ID 35753.
The Linux Kernel tun_chr_pool() NULL Pointer Dereference vulnerability was reported in Bugtraq ID
35724.
The Linux Kernel PER_CLEAR_ON_SETID Incomplete Personality List Access Validation Weakness was
The Linux Kernel ptrace_start() And do_coredump() Deadlock Local Denial of Service vulnerability
The Linux Kernel kvm_arch_vcpu_ioctl_set_sregs() Local Denial of Service vulnerability was
The Linux Kernel RTL8169 NIC Remote Denial of Service vulnerability was reported in Bugtraq ID 35281.
The Linux Kernel splice(2) Double Lock Local Denial of Service vulnerability was reported in Bugtraq ID
35143.
The Linux Kernel e1000/e1000_main.c Remote Denial of Service vulnerability was reported in Bugtraq
ID 35185.
The Linux Kernel CIFS String Conversion multiple vulnerabilities were reported in Bugtraq ID 34989.
The Linux Kernel NFS MAY_EXEC Security Bypass vulnerability was reported in Bugtraq ID 34934.
The Linux Kernel ptrace_attach() Local Privilege Escalation vulnerability was reported in Bugtraq ID
34799.
The Linux Kernel CAP_FS_SET Incomplete Capabilities List Access Validation vulnerability was reported in
Bugtraq ID 34695.
The Linux Kernel drivers/char/agp/generic.c Local Information Disclosure vulnerability was reported
48
The Linux Kernel inet6_hashtables.c NULL Pointer Dereference Denial of Service vulnerability was
The Linux Kernel kill_something_info() Local Denial of Service vulnerability was reported in Bugtraq
ID 34558.
The Linux Kernel CIFS decode_unicode_ssetup Remote Buffer Overflow vulnerability was reported in
Bugtraq ID 34612.
The Linux Kernel CIFS Remote Buffer Overflow vulnerability was reported in Bugtraq ID 34453.
The Linux Kernel ecryptfs_write_metadata_to_contents() Information Disclosure vulnerability was
The Linux Kernel /proc/net/rt_cache Remote Denial of Service vulnerability was reported in Bugtraq
ID 34084.
The Linux Kernel nfsd CAP_MKNOD Security Bypass vulnerability was reported in Bugtraq ID 34205.
The Linux Kernel /ipc/shm.c Local Denial of Service vulnerability was reported in Bugtraq ID 34020.
The Linux Kernel seccomp System Call Security Bypass vulnerability was reported in Bugtraq ID 33948.
The Linux Kernel Audit System audit_syscall_entry() System Call Security Bypass vulnerability was
The Linux Kernel Cloned Process CLONE_PARENT Local Origin Validation Weakness vulnerability was
The Linux Kernel sock.c SO_BSDCOMPAT Option Information Disclosure vulnerability was reported in
Bugtraq ID 33846.
The Linux Kernel Kprobe Memory Corruption vulnerability was reported in Bugtraq ID 33758.
The Linux Kernel Console Selection Local Privilege Escalation vulnerability was reported in Bugtraq ID
33672.
The Linux Kernel inotify_read() Local Denial of Service vulnerability was reported in Bugtraq ID
33624.
The Linux Kernel make_indexed_dir() Local Denial of Service vulnerability was reported in Bugtraq ID
33618.
The Linux Kernel inotify Local Privilege Escalation vulnerability was reported in Bugtraq ID 33503.
The Linux Kernel dell_rbu Local Denial of Service vulnerabilities were reported in Bugtraq ID 33428.
The Linux Kernel readlink Local Privilege Escalation vulnerability was reported in Bugtraq ID 33412.
The Linux Kernel keyctl_join_session_keyring() Denial of Service vulnerability was reported in
Bugtraq ID 33339.
The Linux Kernel sys_remap_file_pages() Local Privilege Escalation vulnerability was reported in
49
Bugtraq ID 33211.
The Linux Kernel locks_remove_flock() Local Race Condition vulnerability was reported in Bugtraq ID
33237.
The Linux Kernel FWD-TSN Chunk Remote Buffer Overflow vulnerability was reported in Bugtraq ID 33113.
The Linux Kernel ib700wdt.c Buffer Underflow vulnerability was reported in Bugtraq ID 33003.
The __qdisc_run Minimum Time Delay Denial of Service vulnerability was reported in Bugtraq ID 32985.
The Linux Kernel ac_ioctl() Local Buffer Overflow was reported in Bugtraq ID 32759.
The ATM vcc Table Corruption Denial of Service and sendmsg() Local Denial of Service vulnerabilities
were reported in Secunia Advisory SA32913.
The Linux Kernel lbs_process_bss() Remote Denial of Service vulnerability was reported in Bugtraq ID
32484.
The Linux Kernel drivers/media/video/tvaudio.c Memory Corruption vulnerability was reported in
Bugtraq ID 32327.
The Linux Kernel __scm_destroy() Local Denial of Service vulnerability was reported in Bugtraq ID
32154.
The Linux Kernel ndiswrapper Remote Buffer Overflow was reported in Secunia Advisory SA32509.
The Linux Kernel VDSO Unspecified Privilege Escalation vulnerability was reported in Bugtraq ID 32099.
The Linux Kernel hfsplus_block_allocate() Local Denial of Service was reported in Secunia
Advisory SA32510.
The Linux Kernel tvaudio.c Operations NULL Pointer Dereference vulnerability was reported in Bugtraq
ID 32094.
The Linux Kernel hfsplus_find_cat() Local Denial of Service vulnerability was reported in Bugtraq ID
32093.
The Linux Kernel hfs_cat_find_brec() Buffer Overflow was reported in Secunia Advisory SA32719.
The Linux Kernel do_splice_from() Local Security Bypass vulnerability was reported in Bugtraq ID
31903.
The Linux Kernel proc_do_xprt() Local Buffer Overflow vulnerability was reported in Bugtraq ID 31937.
The Linux Kernel i915 Driver Memory Corruption vulnerability was reported in Bugtraq ID 31792.
The Linux kernel SCTP Protocol Violation Remote Denial of Service vulnerability was reported in Bugtraq ID
31848.
The Linux kernel fs/direct-io.c Local Denial of Service was reported in Secunia Advisory SA32023.
The Linux Kernel truncate() Local Privilege Escalation vulnerability was reported in Bugtraq ID 31368.
50
The Linux Kernel nfsd Subsystem Buffer Overflow was reported in Bugtraq ID 31133.
The Linux Kernel sctp_setsockopt_auth_key() Remote Denial of Service was reported in Bugtraq ID
30847.
The Linux Kernel DCCP Protocol Handler dccp_setsockopt_change Integer Overflow was reported in
Bugtraq ID 30704.
The Linux Kernel multiple vulnerabilities fixed in 2.6.26.2 were reported in Secunia Advisory SA31366.
The Linux Kernel uvc_driver.c Format Descriptor Parsing Buffer Overflow was reported in Bugtraq ID
30514.
The Linux Kernel multiple vulnerabilities fixed in 2.6.25.10 were reported in FrSIRT/ADV-2008-2063.
The Linux Kernel ASN.1 BER Decoding Vulnerability was reported in Secunia Advisory SA30580.
The Linux IPv6 Over IPv4 vulnerability was posted to Bugtraq, and Secunia.
The Linux Kernel Virtual Address Range Checking Denial of Service vulnerability was posted to Bugtraq, and
Secunia.
4.20 Macrovision SafeDisc vulnerabilities
Impact
A vulnerability in Macrovision SafeDisc allows arbitrary code to be executed by local users.
Resolution
The secdrv.sys file should be updated through either Macrovision or Microsoft (XP/2003).
The secdrv.sys local privilege elevation was reported in MS07-067.
4.21 Microsoft NET Framework
Impact
On a workstation, a remote attacker could execute arbitrary commands when a user opens a specially crafted
web page. On a server, a remote attacker could cause a denial of service, execute arbitrary code, or gain
unauthorized access to configuration files.
Resolution
Install the patch referenced in Microsoft Security Bulletins:
10-041 (.NET Framework 1.0, 1.1, 3.5)
11-039 (Silverlight 4)
11-069 (.NET Framework 3.5)
51
11-044 (.NET Framework 2.0, 3.5, 4.0)
11-066 (.NET Framework 3.5, 4.0)
12-035 (.NET Framework 1.1, 2.0, 3.5, 3.51, 4.0)
12-074 (.NET Framework 2.0, 3.5, 3.5.1, 4.0)
13-004
13-007 (.NET Framework 3.5, 3.5.1, 4.0)
13-015 (.NET Framework 2.0, 3.5, 3.5.1, 4.0, 4.5)
For more information, see Microsoft Security Bulletins 07-040, 09-036, 09-061, 10-041, 10-060, 11-028,
11-039, 11-044, 11-066, 11-069, 11-078, 11-100, 12-016, 12-025, 12-034, 12-035, 12-038, 12-074, 13-004,
13-007, and 13-015.
4.22 Microsoft outlook vulnerabilities
Impact
A vulnerability could allow remote attackers to bypass security restrictions and execute remote code.
Resolution
Apply the appropriate patch as indicated in Microsoft Security Bulletin MS10-030.
The Integer Overflow via POP3 or IMAP vulnerability was reported in Microsoft Security Bulletin MS10-030.
The multiple ATL vulnerabilities were reported in Microsoft Security Bulletin MS09-037.
The MHTML protocol handler component vulnerability was reported in Microsoft Security Bulletin MS08-048.
4.23 Microsoft System Certificates vulnerability
Impact
Vulnerability on all supported releases of Microsoft Windows may be used to conduct spoofing attacks, perform
phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet
Explorer.
Resolution
For Fraudulent Enforced Licensing Intermediate PCA and SHA1 certificates, Microsoft has issued an update
to address this issue.
For Fraudulent DigiNotar certificates, Microsoft has issued an update to address this issue.
For Fraudulent Comodo certificates, Microsoft has issued an update to address this issue.
The Fraudulent Enforced Licensing Intermediate PCA and SHA1 certificates were reported in Microsoft
52
Security Advisory 2718704.
The Fraudulent DigiNotar certificates vulnerability was reported in Microsoft Security Advisory 2607712.
The Fraudulent Comodo certificates vulnerability was reported in Microsoft Security Advisory 2524375.
4.24 Microsoft Telnet Server
Impact
A remote user could execute arbitrary commands on the server, cause the telnet server to stop responding, or
gain information that could be used in an attempt to find Guest accounts.
Resolution
Apply the patches referenced in Microsoft Security Bulletins 09-042, 01-031 and 02-004.
For more information, see Microsoft Security Bulletins 09-042, 01-031 and 02-004.
4.25 OpenSSH vulnerabilities
Impact
This document describes some vulnerabilities in the OpenSSH cryptographic login program. Outdated versions
of OpenSSH may allow a malicious user to log in as another user, to insert arbitrary commands into a
session, or to gain remote root access to the OpenSSH server.
Resolution
Upgrade to OpenSSH version 5.8 or higher, or install a fix from your operating system vendor.
For the Debian OpenSSH SELinux Privilege Escalation vulnerability, apply a fix when available from
Debian.
The Legacy Certificate Signing Information Disclosure vulnerability was reported in Bugtraq ID 46155.
The CBC Mode Information Disclosure Vulnerability was announced by CPNI as Disclosure 3716 /
CPNI-957037, with details documented in this advisory. Bugtraq ID 32319 includes an archived discussion
and a page of references with links to vendors of various affected implementations of SSH. CERT posted
Vulnerability Note VU#958563, which also has links to vendors' sites. The developers of OpenSSH
summarize this issue on their security page with details and analysis in this advisory. Background information
on the Cipher Block Chaining (“CBC”) mode is available from NIST and Wikipedia.
The X11UseLocalhost X11 Forwarding Session Hijacking vulnerability was reported in Bugtraq ID 30339.
The Debian OpenSSH SELinux Privilege Escalation vulnerability was reported in Bugtraq ID 30276.
The ForceCommand Security Bypass was reported in Secunia Advisory SA29602.
53
The Forward X connections hijack was reported in Secunia Advisory SA29522.
The X11 Security Bypass was reported in Bugtraq ID 25628.
The ChallengeResponseAuthentication information gathering vulnerability was reported in Bugtraq ID 23601.
The vulnerability fixed by 4.5 was reported in Bugtraq ID 20956.
The vulnerabilities fixed by 4.4 were reported in OpenSSH 4.4 release.
The local SCP shell command execution vulnerability was reported in OpenSSH 4.3 release and Red Hat
Bugzilla ID 168167.
The GatewayPorts and GSSAPI vulnerabilities were reported in the OpenSSH mailing list.
The LoginGraceTime denial of service was posted to openssh-unix-dev.
The Directory traversal vulnerability was reported in Bugtraq ID 9986.
The PAM keyboard-interactive authentication weakness was reported in Bugtraq ID 7482.
The OpenSSH buffer management vulnerabilities are described in CERT Advisory 2003-24, Red Hat
Security Advisory 2003:280, and a Bugtraq posting.
The Portable OpenSSH PAM vulnerabilities are described in the Portable OpenSSH Security Advisory, the
OpenPKG Security Advisory, and Bugtraq.
The reverse DNS lookup access control bypass was reported in Bugtraq.
For more information on the other OpenSSH vulnerabilities, see CIRC Bulletin M-026, CIRC Bulletin M-054,
CERT Advisory 2002-18, the OpenSSH Security Advisory, and the following Bugtraq postings: 2001-09-26,
2001-09-18, 2002-04-21, and 2000-06-09. The vulnerability in the insertion attack detection procedure was
reported in a CORE SDI Advisory.
4.26 Outlook and Outlook Express
Impact
There are several vulnerabilities in e-mail clients, the most severe of which could allow a remote attacker to
execute arbitrary commands by sending a specially crafted e-mail message.
Resolution
Install the patches referenced in Microsoft Security Bulletin 01-038 and 08-015 for Outlook. Also, for Outlook
2002, install the patches referenced in 02-067, 03-003, and 04-009, or Office XP service pack 3.
For Outlook Express:
Install the patches referenced in Microsoft Security Bulletin 07-034 and 07-056.
Windows XP users should also install patch 900930 for Outlook Express.
The Windows Address Book patches are available in 10-096.
54
For more information, see Microsoft Security Bulletins 01-038, 02-058, 02-067, 03-003, 04-009, 04-013,
05-030, 06-003, 06-016, 06-043, 06-076, 07-003, 07-034, 07-056, 08-015, and 10-096, US-CERT Alert
TA04-070A, and Microsoft Knowledge Base Article 900930.
4.27 perl vulnerabilities
Impact
Vulnerabilities in the perl interpreter allow arbitrary code to be executed, and cause an affected application to
crash. Also, local users may be able to modify permissions of arbitrary files, or bypass certain security
features.
Resolution
Perl should be upgraded to 5.17.7 or higher, or apply a fix from your vendor when available.
The Input Rehashing Denial of Service vulnerability was reported in Secunia Advisory SA52472.
The Locale::Maketext Code Injection vulnerabilities were reported in Secunia Advisory SA51741.
The Digest "Digest->new()" Code Injection vulnerability was reported in Secunia Advisory SA46299.
The "decode_xs()" and "File::Glob::bsd_glob()" vulnerabilities were reported in Secunia Advisory
SA46172.
The "uc()", "lc()", "lcfirst()", and "ucfirst()" Taint Mode Bypass vulnerability was
reported in Secunia Advisory SA43921.
The UTF-8 Regular Expression Processing Remote Denial of Service vulnerability was reported in Bugtraq
ID 36812.
The vulnerability in Perl 5.10 was reported in Secunia Advisory SA30790.
The Unicode quoting double free vulnerability and the Regular Expressions Unicode data buffer overflow
vulnerability were reported in Secunia Advisory SA27546.
4.28 ProFTPD vulnerabilities
Impact
Attackers exploiting these vulnerabilities may be able to execute arbitrary commands, perhaps with root
privileges, gain unauthorized access, or disrupt service on a target system.
Resolution
Upgrade ProFTPD to 1.3.4 or higher. Please see the ProFTPD Project's general instructions on upgrading
the software.
If your copy of the ProFTPD server daemon is part of a larger software distribution, check with your software
55
vendor for a newer or patched version.
All FTP server processes must run as root, at least during some parts of their operation, in order to bind to
the reserved low-numbered network ports that are specified in the FTP standard. The ProFTPD Project
reminds administrators that, for greater security, the server should be configured to run under an unprivileged
user ID at all times when root privileges are not essential. Administrators with even stronger security
requirements may want to configure the server to run entirely without root privileges, at the cost of some
inconvenience.
In some cases, disallowing anonymous ftp access, or removing write permissions from all directories accessible
by anonymous ftp could serve as a workaround. However, this will only be an effective solution for those
vulnerabilities which, as noted above, require the attacker to create files or directories on the server. You will
still need to upgrade ProFTPD to fix the other vulnerabilities.
Finally, ftp access can be restricted by using TCP wrappers.
The security of FTP, in general, is discussed in RFC 2577. Security issues for ProFTPD, in specific, are
addressed in the ProFTPD User's Guide.
The Race Condition Privilege Escalation vulnerability was reported in Secunia Advisory SA51761.
The Response Pool Use-After-Free vulnerability was reported in Secunia Advisory SA46811.
The Telnet IAC Remote Code Execution Vulnerability was reported in Secunia Advisory SA42052 and Zero
Day Initiative advisory ZDI-10-229, and has Bugtraq ID 44562. The ProFTPD Project itself tracks this
vulnerability as Bug #3521.
The Backdoor Unauthorized Access vulnerability was reported in Bugtraq ID 45150.
The 'mod_sql' Remote Heap Based Buffer Overflow vulnerability was reported in Bugtraq ID 44933.
The multiple remote vulnerabilities in 1.3.3 were reported in Bugtraq ID 44562.
The Authentication Delay Username Enumeration Vulnerability was reported on the Bugtraq Mailing List.
Additional information is available by referencing Bugtraq ID 11430.
The Server Username Handling SQL Injection vulnerability was reported in Bugtraq ID 33722.
The Long Command Handling Security vulnerability was reported in Secunia Advisory SA31930.
The auth API multiple authentication modules security bypass was reported in Secunia Advisory SA24867.
The additional 1.3.0a vulnerabilities were reported in Bugtraq ID 21587.
The 1.3.0a vulnerabilities were reported in Secunia Advisory SA22821 and Secunia Advisory SA23141.
The .message vulnerability was reported in Bugtraq ID 20992.
More information about the vulnerabilities in ProFTPD can be found in ProFTPD bug 2658, Secunia
Advisory SA16181, ProFTPD bug 2267, Bugtraq, CA-2000-13, CA-1999-03, Bugtraq archive 160902, and
Bugtraq archive 169395.
56
4.29 Python vulnerabilities
Impact
Vulnerabilities in Python allow for information disclosure, denial of service and possibly arbitrary code execution.
Resolution
Python should be upgraded to a version higher than 2.7.2 or 3.3.0 when available, or contact the vendor for a
fix.
To fix the multiple integer overflows apply the patch.
The Insecure File System Permissions vulnerability was reported in Secunia Advisory SA50960.
The Web Form Hash Collision Denial of Service vulnerability was reported in Secunia Advisory SA48347.
The SimpleXMLRPCServer Request Processing Denial of Service vulnerability was reported in Secunia
Advisory SA47810.
The Python 2.6 denial of service vulnerability was reported in Mandriva Security Advisory 2010:216.
The Expat Wrapper Library Unspecified XML Parsing Remote Denial of Service vulnerability was reported
The Multiple integer overflow vulnerabilities were reported in Bugtraq ID 31976 and CESA 2008-008.
The vulnerabilities in Python 2.5.2 and earlier were reported in Bugtraq ID 28715 and Bugtraq archive
490776.
The ImageOP Module Multiple integer overflow vulnerabilities were reported in Secunia Advisory SA26837.
The PyLocale_strxfrm image disclosure vulnerability was reported in Secunia Advisory SA25190.
The repr buffer overflow vulnerability was reported in Bugtraq ID 20376.
4.30 Remote OS available vulnerabilities
Impact
The ability to detect which operating system is running on a machine enables attackers to be more accurate in
attacks.
Resolution
Including the operating system in service banners is usually unnecessary. Therefore, change the banners of the
services which are running on accessible ports. This can be done by disabling unneeded services, modifying
the banner in a service's source code or configuration file if possible, or using TCP wrappers to modify the
banner as described in the Red Hat Knowledgebase.
57
An example of ways to remove the Remote OS and other information is at my digital life.
4.31 rpc statd access
Impact
Several vulnerabilities in statd permit attackers to gain root privileges. They can be exploited by local users.
They can also be exploited remotely without the intruder requiring a valid local account if statd is accessible
via the network.
Resolution
One resolution to this vulnerability is to install vendor patches as they become available. For the format string
bug, SUSE users should obtain the nfs-utils and package, version 0.1.9.1 or higher, from their vendor.
For the String parsing error bug, Linux users should obtain the nfs-utils or knfsdi or linuxnfs
packages, more detail information, please refer to SUSE Security Announcement web site. For the SM_MON
buffer overflow, UnixWare users should obtain the patch.
Also, if NFS is not being used, there is no need to run statd and it can be disabled. The statd (or
rpc.statd) program is often started in the system initialization scripts (such as /etc/rc* or /etc/rc*.d/*). If
you do not require statd it should be commented out from the initialization scripts. In addition, any currently
running statd processes should be identified using ps(1) and then terminated using kill(1).
More information about the statd/automountd vulnerability is available in CERT Advisory 1999-05. You
may read more about the statd buffer overflow in CERT Advisory 1997-26. The String parsing error
vulnerability detail information can be found in CVE Details. The format string vulnerability was discussed in
vendor bulletins from Red Hat, Debian, Mandrake, Trustix, and Conectiva, as well as CERT Advisory
2000.17. The SM_MON buffer overflow was announced in Caldera Security Advisory 2001-SCO.6. The file
creation and removal vulnerability was discussed in CERT Advisory 1996-09.
4.32 SMB Signing
Impact
If the SMB signing is disabled, malicious attackers could sniff the network traffic and could perform a man in
the middle attack to gain sensitive information.
Resolution
Refer to Microsoft Technet Library in Local Policies, Microsoft network server: Digitally sign communications (if
client agrees).
For more information about SMB signing configuration, see, SMB Protocol Package Exchange Scenario.
4.33 SSH protocol vulnerabilities
58
Impact
SSH protocol version 1 has a number of known vulnerabilities. Support for version 1 or enabling SSH1
Fallback renders the machines vulnerable to these issues.
Resolution
Disable SSH1 support and SSH1 fallback. See vendor website for more information including SSH, F-Secure
and OpenSSH.
For OpenSSH servers, SSH1 support and SSH1 fallback can be disabled by placing the following line in the
sshd_config file:
Protocol 2
Some of the vulnerabilities in support for SSH Protocol 1 were reported in US-CERT Vulnerability Note
VU#684820 and CIRC Bulletin M-017.
4.34 sunrpc portmapper vulnerability
Impact
The sunrpc portmapper service is an unsecured protocol that tells clients which port corresponds to each RPC
service. Access to port 111 allows the calling client to query and identify the ports where the needed server is
running.
Resolution
Disable all unnecessary RPC services, which are typically enabled in /etc/inetd.conf and in the system boot
scripts, /etc/rc*, and to block high numbered ports at the network perimeter except for those which are
needed.
More information can be obtained in, NVD for CVE-1999-0632.
4.35 sunrpc vulnerabilities
Impact
If an affected service is running, a remote attacker could execute arbitrary commands with root privileges.
Resolution
See CERT Advisories 2002-25 and 2003-10 for patch or upgrade information from your vendor. Note that it
will be necessary to recompile statically linked applications after installing the patch or upgrade.
It would also be advisable to disable all unnecessary RPC services, which are typically enabled in /etc
/inetd.conf and in the system boot scripts, /etc/rc*, and to block high numbered ports at the network
59
perimeter except for those which are needed. Of particular importance are rpc.cmsd, dmispd, and
kadmind, which are known to be exploitable and should be disabled or blocked.
These vulnerabilities were reported in CERT Advisories 2002-25 and 2003-10.
4.36 TCP timestamps
Impact
A remote attacker could possibly determine the amount of time since the computer was last booted.
Resolution
TCP timestamps are generally only useful for testing, and support for them should be disabled if not needed.
To disable TCP timestamps on Linux, add the following line to the /etc/sysctl.conf file:
net.ipv4.tcp_timestamps = 0
To disable TCP timestamps on Windows, set the following registry value:
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Value: Tcp1323Opts
Data: 0 or 1
To disable TCP timestamps on Cisco, use the following command:
no ip tcp timestamp
More information on TCP timestamps and round-trip time measurement is available in RFC1323 and Microsoft
Article 224829.
4.37 Vim vulnerabilities
Impact
Vulnerabilities in Vim allow for remote code execution when loading a malformed crafted file.
Resolution
Upgrade to 7.2 and patch with patch 45.
The PySys_SetArgv Remote Command Execution vulnerability was reported in Bugtraq ID 33447.
The Helptags remote code execution vulnerability was reported in Secunia Advisory SA25941.
60
4.38 Windows account policy
Impact
Weak password policies could make it easier for an attacker to gain unauthorized access to user accounts.
Resolution
Edit the account policy, which is found in the Local Security Policy under Administrative Tools on most
systems.
Change the account policy settings to the recommended values. In a typical organization, these are:
Minimum password length: 8 characters
Enforce password history: 24 passwords remembered
Maximum password age: 42 days
Minimum password age: 2 days
Password complexity requirements: Enabled
Account lockout threshold: 3 invalid logon attempts
Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting
can only be changed on the domain controller.
See Microsoft's Step-by-Step Guide to Enforcing Strong Password Policies and Account Passwords and
Policies.
4.39 Windows account rights
Impact
Normal users could take actions which should be limited to administrators. These privileges could be used to
facilitate attacks or to make system resources unavailable to other users.
Resolution
Edit the user rights assignment, which is found in the Local Security Policy under Administrative Tools on
most systems.
See Microsoft's documentation on User Rights Assignment.
4.40 Windows auditing
61
Impact
Intrusion attempts or other unauthorized activities could go unnoticed.
Resolution
Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most
systems.
See Microsoft's guide to setting up auditing and developing an auditing policy.
4.41 Windows default account names
Impact
The default administrator and guest account names give attackers a starting point for conducting brute-force
password guessing attacks.
Resolution
Change the name of the administrator and guest accounts. To do this on Active Directory servers, open
Active Directory Users and Computers. Click Users, then right-click on Administrator or Guest, and select
Rename. To do this on workstations, open the Local Security Policy from the Administrative Tools menu.
Choose Local Policies, then Security Options, then Accounts: Rename administrator or guest account.
For more information on securing the administrator account, see The Administrator Accounts Security Planning
Guide - Chapter 3.
4.42 Windows Kerberos vulnerabilities
Impact
A remote attacker with valid logon credentials could cause a denial of service and elevation of privilege.
Resolution
Apply the fixes referenced in Microsoft Security Bulletins 05-042, 10-014, and 12-069.
These vulnerabilities were reported in Microsoft Security Bulletins 05-042, 10-014, 11-013, and 12-069.
4.43 Windows password expiration
62
Impact
If a password becomes compromised, it can be used to gain unauthorized access for an unlimited period of
time.
Resolution
Enable password expiration for all users. This is done by removing the check mark beside password never
expires in the user's properties.
More information on best practices related to password security is available from Microsoft.
4.44 Windows TCPIP Hardening
Impact
A remote attacker could cause a temporary denial of service.
Resolution
Apply the TCP/IP stack hardening guidelines discussed in Microsoft Knowledge Base Article 324270 for
Windows Server 2003 or 315669 for Windows XP. (Although the latter article was written for Windows 2000,
it is presumably also effective for Windows XP.) The patch referenced in Microsoft Security Bulletin 05-019
also fixes this vulnerability, but not for IPv6 interfaces.
Land was originally reported in CERT Advisory 1997-28. The Land attack relating to Windows XP Service
Pack 2 and Windows Server 2003 was posted to Bugtraq. The Land attack relating to IPv6 was posted to
NTBugtraq.
4.45 Windows updates needed
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers
or malicious web sites.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install
the needed updates. This can be done either by following the links in the table, or by visiting the Windows
Update service which will automatically determine which updates are needed for your system and help you
install them. It is a good idea to make a backup of the system before installing an update, especially for
service packs. After the system has been brought up to date, check Microsoft's web site regularly for new
critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a
Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding
63
Microsoft Security Bulletins for patch information.
Update Name
Windows NT 4.0 Post SP-6a
Security Rollup Pack
Windows 2000 Post SP 2 Security
Rollup Pack
Relative Shell Path
Description
Bundle of security hotfixes released
since Windows NT 4.0 Service
Pack 6a.
Bundle of security hotfixes released
since Windows 2000 Service Pack
2.
Fixes a problem in which an
attacker could cause an alternate
Explorer.exe program to run
when another user logs in, resulting
in arbitrary code execution. (CVE
2000-0663)
RPC Denial of Service
Fixes vulnerabilities in various
Windows RPC services which could
allow an attacker to cause a denial
of service. (CVE 2001-0509)
Unchecked Buffer in UPnP Hotfix
Fixes two vulnerabilities: (1) a buffer
overflow which would allow an
attacker to take complete control
over the computer; and (2) a
denial-of-service vulnerability. (CVE
2001-0876, CVE 2001-0877)
Fixes two vulnerabilities in Microsoft
Virtual Machine. (CVE 2002-0058
CVE 2002-0076)
Java Applet Redirect Hotfix
Windows Shell Unchecked Buffer
Hotfix
Multiple UNC Provider Hotfix
Windows debugger authentication
Hotfix
Fixes a buffer overflow condition in
the Windows shell that could allow
a local attacker to execute arbitrary
code at the user's privilege level.
(CVE 2002-0070)
Fixes a vulnerability in Windows'
Multiple Uniform Naming
Convention Provider which could
allow an attacker to gain Local
System privileges. (CVE
2002-0151)
Fixes an authentication flaw in the
Windows debugger which could
allow a local user to execute
commands with the privileges of the
64
Fix
NT: Q299444
Bulletin
2000: Q311401
or SP3 or SP4
NT: Q269049 or
Q299444
2000: Q269049
or SP2 or SP3
or SP4
XP: Not Affecte
d
NT: Q299444
2000: Q298012
or Q311401 or
SP3 or SP4
XP: Not Affecte
d
NT: Not Affecte
d
2000: Not Affect
ed
XP: Q315000 or
SP1 or SP2
NT: Q300845 or
810030
2000: Q300845
or 810030 or
SP3 or SP4
XP: Q300845 or
810030 or SP1
or SP2
NT: Q313829
2000: Q313829
or SP3 or SP4
XP: Not
Affected
NT: Q311967
2000: Q311967
or SP3 or SP4
XP: Q311967
(32 bit) or
Q311967 (32 bit
embedded) or
Q311967 (64 bit)
or SP1 or SP2
NT: Q320206
2000: Q320206
or SP3 or SP4
XP: Not
00-052
01-041
01-059
02-013
02-014
02-017
02-024
operating system. (CVE 2002-0367)
Remote Access Service Phonebook Eliminates an unchecked buffer
Hotfix
vulnerability which could allow an
unprivileged user to gain complete
control over the machine hosting
the RAS Phonebook. (CVE
2002-0366)
Network Connection Manager
Fixes a vulnerability in the Network
Hotfix
Connection Manager which could
allow a local attacker to gain Local
2002-0720)
Unchecked Buffer in Network
Share Provider Hotfix
Certificate Validation Flaw Hotfix
VM JDBC Classes Hotfix
Help Facility Hotfix
VM COM object access Hotfix
Windows XP shell buffer overflow
Hotfix
Affected
NT: Q318138
02-029
2000: Q318138
or SP3 or SP4
XP: Q318138 or
SP1 or SP2
NT: Not
Affected
2000: Q326886
or SP4
XP: Not
Affected
Eliminates an unchecked buffer
NT: Q326830
associated with the Server Message 2000: Q326830
Block (SMB) protocol that could
or SP4
lead to Denial of Service (DoS).
XP: Q326830 or
(CVE 2002-0724)
SP1 or SP2
Eliminates a security vulnerability
NT: Q329115
(associated with the validation of
2000: Q329115
digital certificate chains) that could or SP4
permit identity spoofing. (CVE
XP: Q329115 or
2002-0862)
SP2
Eliminates three vulnerabilities in
NT: Q329077 or
Microsoft Virtual Machine's Java
810030
Database Connectivity classes
2000: Q329077
which could allow code execution
or 810030 or
from a malicious web site or e-mail SP4
message. (CVE 2002-0865 CVE
XP: Q329077 or
2002-0866 CVE 2002-0867)
810030 or SP2
Fixes two vulnerabilities in the
NT: Q323255
Windows Help Facility, one in the
2000: Q323255
ActiveX Control (CVE 2002-0693) XP: Q323255
and another in the processing of
(32-bit) or
.chm files (CVE 2002-0694), which Q323255 (32-bit
could allow code execution from a Embedded w/
remote web site or mail message. SP1 or Q323255
(64-bit) or SP2
Fixes eight vulnerabilities in
NT: 810030
Microsoft Virtual Machine, including 2000: 810030 or
a vulnerability which could allow a SP4
Java applet to access COM
XP: 810030 or
objects. (CVE 2002-1257 CVE
SP2
2002-1258 CVE 2002-1260 CVE
2002-1262 CVE 2002-1286 CVE
2002-1292 CVE 2002-1295)
Fixes a buffer overflow in the
NT: not affected
Windows XP shell which could
2000: not
allow an attacker to run commands affected
via a .MP3 or .WMA file with
XP: 32-bit:
corrupt custom attributes. (CVE
Q329390 or SP2
2002-1327)
64-bit:
Q329390 or SP2
65
02-042
02-045
02-050
02-052
02-055
02-069
02-072
CA-2002-37
VM ByteCode Verifier Hotfix
Kernel Debugger Hotfix
Windows Media Player skins
filename decoding Hotfix
ntdll.dll Hotfix
NetMeeting directory traversal fix
ShellExecute API fix
HTML Converter fix
RPC buffer overflow fix
Fixes the ByteCode Verifier to
check for illegal commands when
loading Java applets, thus
preventing attacks from remote web
pages and e-mail messages. (CVE
2003-0111)
Fixes a flaw in the way the kernel
passes error messages to the
debugger which could allow a local
attacker to gain system privileges.
(CVE 2003-0112)
NT: 816093
03-011
2000: 816093 or
SP4
XP: 816093 or
SP2
NT: 811493
03-013
2000: 811493 or
SP4
XP: 32-bit:
811493 or SP2
64-bit: 811493 or
SP2
Media Player
03-017
7.1: 817787
Media Player
8.0: 817787
Fixes a problem which could allow
a web site or e-mail message to
save .wmz files to arbitrary
directories, leading to command
execution. (CVE 2003-0228)
Fixes a buffer overflow in a core
NT: 815021
operating system component which 2000: 815021 or
can be exploited through many
SP4
possible attack vectors, including IIS XP: 32-bit:
with WebDAV. (CVE 2003-0109)
815021 or SP2
64-bit: 815021 or
SP2
Fixes a directory traversal
NT: not affected
vulnerability allowing an attacker to 2000: SP4
write files anywhere on the disk,
XP: SP1 or
leading to code execution. (CVE
SP2
2003-0505 CVE 2003-0506)
2003: not
affected
NT: not affected
ShellExecute API function which
2000: SP4
could be exploitable through any
XP: not affected
application which uses the function. 2003: not
(CVE 2003-0503)
affected
NT: 823559
HTML file conversion feature which 2000: 823559 or
could allow an attacker to run
SP4 Update
commands via a malicious web
Rollup 1
page or HTML e-mail message.
XP: 32-bit:
(CVE 2003-0469)
823559 or SP2
64-bit: 823559 or
SP2
2003: 32-bit:
823559 or SP1
64-bit: 823559 or
SP1
NT: 823980
DCOM interface to RPC which
2000: 823980 or
could allow a remote attacker to
SP4 Update
execute arbitrary commands. (CVE Rollup 1
2003-0352)
XP: 32-bit:
823980 or SP2
66
03-007
Bugtraq ID 7931
SNS-65
03-023
CA-2003-14
03-026
CA-2003-16
DirectX buffer overflow fix
ActiveX Controls
RPCSS Buffer Overflow
Windows Media Player URL script
execution
64-bit: 823980 or
SP2
2003: 32-bit:
823980 or SP1
64-bit: 823980 or
SP1
Fixes a vulnerability in the Windows NT: 819696
03-030
DirectX component which could
2000: 819696 or CA-2003-18
allow an attacker to run commands SP4 Update
via a malformed MIDI file. Note: If Rollup 1 or
you have installed DirectX 9.0b or DirectX 9.0b or
higher you are not vulnerable.
later
(CVE 2003-0346)
XP: 32-bit:
819696 or SP2
or DirectX 9.0b
or later
64-bit: 819696 or
SP2 or DirectX
9.0b or later
2003: 32-bit:
819696 or
DirectX 9.0b or
later or SP1
64-bit: 819696 or
DirectX 9.0b or
later or SP1
Even if a vulnerable control is
Set the kill bit for Full Disclosure
locally patched or removed, a
the vulnerable
website can still instruct a client to CLSID to keep
download and install the vulnerable IE from
control and then exploit the hole.
downloading the
Example: mciwndx.ocx.
vulnerable control
again.
Fixes multiple buffer overflow
NT: Workstation: 03-039
vulnerabilities in the RPCSS
824146
CA-2003-23
DCOM activation code that could
NT: Server:
enable an attacker to run arbitrary 824146
code on a user's system. (CVE
2000: 824146 or
2003-0715 CVE 2003-0528 CVE
SP4 Update
2003-0605 )
Rollup 1
XP: 32-bit:
824146 or SP2
64-bit: 824146 or
SP2
64-bit Version
2003: 824146 or
SP2
2003: 32-bit:
824146 or SP1
64-bit: 824146 or
SP1
Adds protection against execution of NT: 828026
828026
unauthorized scripts embedded in 2000: 828026
audio or video streams. (CVE
XP: 828026 or
67
2003-1107)
SP2
2003: 828026
Authenticode verification vulnerabilityFixes a vulnerability which could
NT: 823182
03-041
allow an attacker to install and run 2000: 823182 or CA-2003-27
an untrusted ActiveX control, either SP4 Update
via a malicious web page or an
Rollup 1
HTML e-mail. (CVE 2003-0660)
XP: 823182 or
SP2
2003: 823182 or
SP1
NetBIOS Name Service
Fixes an Information Disclosure
NT: 824105
03-034
information disclosure
2000: 824105
attacker to receive random data
XP: 824105
from the target system's memory.
2003: 824105
(CVE 2003-0661)
Troubleshooter ActiveX control
Fixes a vulnerability in the Windows NT: 826232
03-042
vulnerability
troubleshooter application which
2000: 826232 or CA-2003-27
could allow an attacker to execute SP4 Update
Rollup 1
page or HTML e-mail. (CVE
XP: 826232 or
2003-0662)
SP2
2003: 826232 or
SP1
Windows messenger service buffer Fixes a vulnerability which could
NT: 828035
03-043
overflow
allow a remote attacker to execute 2000: 828035 or CA-2003-27
arbitrary commands with Local
SP4 Update
Rollup 1
2003-0717)
XP: 828035 or
SP2
2003: 828035 or
SP1
Workstation Service Elevation of
Fixes an overflow vulnerability
971657
09-041
Privilege
which could allow remote command
execution when the client receives
a specially crafted RPC message.
(CVE 2009-1544)
Windows workstation service buffer Fixes a vulnerability which could
NT: not affected 03-049
overflow
allow a remote attacker to execute 2000: 828749 or CA-2003-28
arbitrary commands with Local
SP4 Update
Rollup 1
2003-0812)
XP: 32-bit
/64-bit: 828749 or
SP2
64-Bit Version
2003: not
affected
2003: not
affected
Windows Help and Support Center Fixes a vulnerability in the code
NT: 825119
03-044
buffer overflow
which handles the HCP protocol
2000: 825119 or CA-2003-27
which could allow an attacker to
SP4 Update
execute commands with System
Rollup 1
privileges via a malicious web page. XP: 825119 or
(CVE 2003-0711)
SP2
68
2003: 825119 or
SP1
Windows ListBox and ComboBox
Fixes a vulnerability in Windows
NT: 824141
buffer overflow
controls which could allow a local
2000: 824141 or
user to gain elevated privileges.
SP4 Update
(CVE 2003-0659)
Rollup 1
XP: 824141 or
SP2
2003: 824141 or
SP1
Microsoft Data Access Components Fixes a vulnerability in MDAC
NT/2000:
patch needed
which could allow remote code
832483
execution. (CVE 2003-0353 CVE
XP: 832483 or
2003-0903)
SP2
2003: 832483 or
SP1
ASN.1 buffer overflow
Fixes a vulnerability in ASN.1
NT: 828028
2000: 828028 or
SP4 Update
Rollup 1
XP: 828028 or
SP2
2003: 828028 or
SP1
Multiple vulnerabilities (MS04-011) Fixes 14 vulnerabilities announced NT: 835732
in Microsoft bulletin MS04-011, the 2000: 835732 or
most critical of which could allow
SP4 Update
remote code execution. (CVE
Rollup 1
2003-0533 CVE 2003-0663 CVE
XP: 835732 or
2003-0719 CVE 2003-0806 CVE
SP2
2003-0906 CVE 2003-0907 CVE
2003: 835732 or
2003-0908 CVE 2003-0909 CVE
SP1
2003-0910 CVE 2004-0117 CVE
2004-0118 CVE 2004-0119 CVE
2004-0120 CVE 2004-0123)
RPC runtime library vulnerability
Fixes a race condition which could NT: 828741
allow an attacker to take control of 2000: 828741 or
a system, and fixes three other
SP4 Update
RPC vulnerabilities. (CVE
Rollup 1
2003-0807 CVE 2003-0813 CVE
XP: 828741 or
2004-0116 CVE 2004-0124)
SP2
2003: 828741 or
SP1
Jet Database Engine buffer
Fixes a vulnerability which could
NT: 837001
overflow
allow an attacker to take control of 2000: 837001 or
a computer by sending a specially SP4 Update
crafted database query to an
Rollup 1
application using Jet. (CVE
XP: 837001 or
2004-0197)
SP2
2003: 837001 or
SP1
HCP URL validation vulnerability
Fixes a vulnerability in the Help
NT/2000: not
and Support Center which could
affected
allow an attacker to control a
XP: 840374 or
69
03-045
CA-2003-27
04-003
04-007
04-011
TA04-104A
04-012
TA04-104A
04-014
TA04-104A
04-015
Task Scheduler buffer overflow
HTML Help and showHelp
vulnerability
Windows Shell API CLSID
vulnerability
Utility Manager privilege elevation
POSIX subsystem buffer overflow
GDI+ component JPEG buffer
overflow
computer via a malicious web page
or HTML e-mail message. (CVE
2004-0199)
allow an attacker to execute
page or a specially crafted .job
file. (CVE 2004-0212)
SP2
2003: 840374 or
SP1
NT: (with IE6)
841873
NT: (without
IE6) not affected
2000: 841873
or SP4 Update
Rollup 1
XP: 841873 or
SP2
XP: (64-bit)
841873 or SP2
Fixes vulnerabilities in HTML Help NT: 840315
and showHelp which could allow
2000: 840315 or
code execution via a malicious web SP4 Update
page or e-mail message. (CVE
Rollup 1
2003-1041 CVE 2004-0201)
XP: 840315 or
SP2
2003: 840315 or
SP1
NT: 839645
allow an attacker to send a class
2000: 839645 or
identifier which could persuade a
SP4 Update
user to run malicious code. (CVE
Rollup 1
2004-0420)
XP: 839645 or
SP2
2003: 839645 or
SP1
NT: not affected
allow any logged-on user to force
2000: 842526 or
Utility Manager to start an
SP4 Update
application with system privileges. Rollup 1
(CVE 2004-0213)
XP: not affected
2003: not
affected
Fixes a buffer overflow which could NT: 841872
allow a locally logged-on user to
NT: (server)
take full control of the computer.
841872
(CVE 2004-0210)
2000: 841872 or
SP4 Update
Rollup 1
XP: not affected
2003: not
affected
XP: 833987
Graphics Device Interface which
2003: 833987 or
could allow code execution when an SP1
application opens a malformed
Other: See list
image. (CVE 2004-0200)
of affected
products in
MS04-028
70
04-022
04-023
04-024
04-019
04-020
04-028
TA04-260A
application start vulnerability in
Windows shell
Compressed folder buffer overflow
Metafile rendering buffer overflow
Windows NT RPC runtime library
denial of service
Kernel and LSASS privilege
elevation
WordPad Word-for-Windows
Converter buffer overflow
Windows HyperTerminal buffer
overflow
HTML Help cross-domain
vulnerability
Fixes a buffer overflow which could
commands when the shell starts an
application. (CVE 2004-0214 CVE
2004-0572)
processing of compressed files
via a malicious web page or e-mail
message. (CVE 2004-0575)
Fixes four vulnerabilities, the most
critical of which could allow code
execution via a malformed WMF or
EMF image. (CVE 2004-0207
CVE 2004-0208 CVE 2004-0209
CVE 2004-0211)
Fixes a buffer overflow which
allows a remote attacker to crash
the system or read portions of
active memory. (CVE 2004-0569)
841356
NT: not affected 04-034
2000: not
affected
XP: 873376
(64-bit): 873376
2003: 873376 or
SP1
(64-bit): 873376
or SP1
840987
04-032
NT: 873350
2000: not
affected
XP: not affected
2003: not
affected
Fixes vulnerabilities in kernel's
NT: 885835
launching of applications and
2000: 885835 or
LSASS validation of identity tokens SP4 Update
which could allow a normal user to Rollup 1
gain administrative access. (CVE
XP: 885835
2004-0893 CVE 2004-0894)
2003: 885835 or
SP1
Fixes buffer overflows in table
NT: 885836
conversion and font conversion
2000: 885836 or
which could allow command
SP4 Update
execution when a malformed
Rollup 1
document is opened in WordPad.
XP: 885836
(CVE 2004-0571 CVE 2004-0901) 2003: 885836 or
SP1
NT: 873339
allow code execution when a user 2000: 873339 or
opens a malicious .ht file or
SP4 Update
possibly a Telnet URL. (CVE
Rollup 1
2004-0568)
XP: 873339
2003: 873339 or
SP1
NT: 890175
allow command execution in the
2000: 890175 or
Local Machine security zone when SP4 Update
a user follows a specially crafted
Rollup 1
link. (CVE 2004-1043)
XP: 890175
2003: 890175 or
SP1
71
04-037
04-029
04-044
04-041
04-043
05-001
TA05-012B
Bugtraq
Cursor and Icon vulnerabilities
Fixes vulnerabilities allowing
command execution or a system
crash when a user opens a
malformed cursor or icon file. (CVE
2004-1049 CVE 2004-1305)
NT: 891711
2000: 891711 or
SP4 Update
Rollup 1
XP: 891711 or
SP2
2003: 891711 or
SP1
Indexing service buffer overflow
Fixes a command execution
2000: 871250 or
vulnerability exploitable by an
SP4 Update
authenticated user, or by a web
Rollup 1
user if IIS allows access to
XP: 871250 or
indexing. (CVE 2004-0897)
SP2
2003: 871250 or
SP1
DHTML Editing Component
Fixes a cross-domain vulnerability 2000: 891781 or
vulnerability
allowing information disclosure or
SP4 Update
command execution when a user
Rollup 1
visits a malicious web page. (CVE XP: 891781
2004-1319)
2003: 891781 or
SP1
Hyperlink Object Library buffer
Fixes a buffer overflow which could 2000: 888113 or
overflow
allow command execution when a SP4 Update
user clicks on a specially crafted
Rollup 1
hyperlink. (CVE 2005-0057)
XP: 888113
2003: 888113 or
SP1
OLE and COM vulnerabilities
Fixes two vulnerabilities, the more 2000: 873333 or
critical of which could allow
SP4 Update
command execution by a malicious Rollup 1
document. (CVE 2005-0044 CVE
XP: 873333
2005-0047)
2003: 873333 or
SP1
PNG Image Processing
Media Player
Vulnerability
allow command execution when
9: 885492
Windows Media Player or Windows Windows
Messenger opens a malformed
Messenger: 5.1
image. (CVE 2004-0597 CVE
2004-1244)
Named Pipe Information Disclosure Prevents attackers from reading the 2000: Not
names of users who are connected affected
to shared resources. (CVE
XP: 888302 or
2005-0051)
disable Computer
Browser service
2003: Not
affected
Windows Shell Drag-and-Drop
2000: 890047 or
Vulnerability
allow writing of arbitrary files when SP4 Update
a user takes certain actions on a
Rollup 1
malicious web page. (CVE
XP: 890047
2005-0053)
2003: 890047 or
SP1
72
05-002
TA05-012A
05-003
05-013
05-015
05-012
05-009
05-007
05-008
SMB Transaction response buffer
overflow
Windows XP Unprivileged Remote
Shutdown
Windows TCP/IP Vulnerabilities
HTML Application Host
vulnerability in Windows shell
Windows kernel access request
buffer overflow
Message Queuing vulnerability
Jet Database Engine input
validation
Windows Explorer Web View
HTML Help integer overflow
Interactive Training bookmark file
buffer overflow
Fixes command execution
2000: 885250 or
vulnerability in processing of
SP4 Update
responses to Transaction commandsRollup 1
by the SMB client driver. (CVE
XP: 885250
2005-0045)
2003: 885250 or
SP1
Fixes Windows XP SP1 Remote
2000: Not
Desktop to observe the Force
affected
shutdown from a remote system
XP: SP2 or
user right when running
889323
TSShutdn.exe. (CVE 2005-0904) 2003: Not
affected
Fixes vulnerabilities which could
2000: 893066 or
allow a remote attacker to cause a SP4 Update
denial of service, or possibly
Rollup 1
execute commands. (CVE
XP: 893066
2004-0230 CVE 2004-0790 CVE
2003: 893066 or
2004-1060 CVE 2005-0048 CVE
SP1
2005-0688)
2000: 893086 or
allow an e-mail attachment of an
SP4 Update
unregistered type to execute code Rollup 1
using HTML Application Host.
XP: 893086
(CVE 2005-0063)
2003: 893086 or
SP1
Fixes vulnerabilities in the Windows 2000: 890859 or
kernel which could allow privilege
SP4 Update
elevation or denial of service. (CVE Rollup 1
2005-0060 CVE 2005-0061 CVE
XP: 890859
2005-0550 CVE 2005-0551)
2003: 890859 or
SP1
Fixes a buffer overflow in Message 2000: 892944 or
Queuing which could allow remote SP4 Update
command execution. (Sites using
Rollup 1
only HTTP Message Delivery are
XP: 892944 or
not affected.) (CVE 2005-0059)
SP2
2003: not
affected
2000: 950749
allow command execution by a
XP: 950749
malformed database file. (CVE
2003 SP1:
2005-0944)
950749
Fixes vulnerability which could allow 2000: 894320
a malicious file to execute
XP: Not affected
commands when previewed in
2003: Not
Windows Explorer's Web View.
affected
(CVE 2005-1191)
Fixes an integer overflow in HTML 2000: 896358
Help which could allow command
XP: 896358
2003: 896358 or
SP2
Fixes a vulnerability which allows
898458
opens a .cbo file with a long User
73
05-011
889323
05-019
05-016
05-018
05-017
08-028
VU#936529
Full Disclosure
05-024
Bugtraq
05-026
VulnWatch
05-031
iDEFENSE
Microsoft Agent spoofing
vulnerability
field. (CVE 2005-1212)
Prevents spoofing of trusted
Internet content using a Microsoft
Agent character which disguises
security prompts. (CVE 2005-1214)
allow remote code execution. (CVE
2005-1206)
2000: 890046
XP: 890046
2003: 890046 or
SP2
SMB input validation vulnerability
2000: 896422
XP: 896422
2003: 896422 or
SP2
Telnet client session variable
XP: 896428
disclosure
reveal telnet session variables to an 2003: 896428 or
attacker when a user clicks on a
SP2
malformed telnet URL. (CVE
Services for
2005-1205)
UNIX 3.5:
896428
Services for
UNIX 3.0:
896428
Services for
UNIX 2.2:
896428
Microsoft Color Management
Fixes a vulnerability in ICC profile 2000: 901214
Module buffer overflow
format tag validation which could
XP: 901214
allow command execution when a 2003: 901214 or
user views a malformed image.
SP2
(CVE 2005-1219)
Windows 2000 SP4 Update Rollup Update Rollup 1 for Windows 2000 2000: SP4
1
SP4 fixes multiple potential
Update Rollup 1
problems. (CVE 2005-3168 CVE
2005-3169 CVE 2005-3170 CVE
2005-3171 CVE 2005-3172 CVE
2005-3173 CVE 2005-3174 CVE
2005-3175 CVE 2005-3176 CVE
2005-3177)
DirectShow Buffer Overflow
Fixes a vulnerability in DirectX
2000: 904706
XP: 904706
execution by a specially crafted
2003: 904706 or
.avi file. (CVE 2005-2128)
SP2
Windows COM+ command
2000: 902400
allow remote command execution XP: 902400
on Windows 2000 and XP SP1, or 2003: 902400 or
privilege elevation on Windows XP SP2
SP2 and 2003. (CVE 2005-1978
CVE 2005-1979 CVE 2005-1980
CVE 2005-2119)
Windows Shortcut File command
Fixes three Windows shell
2000: 900725
execution
vulnerabilities, the most critical of
XP: 900725
2003: 900725 or
execution when a .lnk file is
SP2
opened. (CVE 2005-2117 CVE
2005-2118 CVE 2005-2122)
Collaboration Data Object
Fixes a vulnerability in Collaboration 2000: 901017
vulnerability
Data Objects which could allow an XP: 901017
attacker to perform remote code
2003: 901017 or
74
05-032
05-027
05-033
05-036
SP4 Update
Rollup 1
05-050
05-051
05-049
05-048
SP2
Client Service for NetWare
Fixes a vulnerability in Client
2000: 899589
vulnerability
Service for NetWare which could
XP: 899589
allow an attacker to perform remote 2003: 899589
code execution. (CVE 2005-1985)
FTP Client vulnerability
2000: 905495
FTP Client that could allow
XP: 905495
tampering in File Transfer location. 2003: 905495
(CVE 2005-2126)
Network Connection Manager
Fixes a vulnerability in Network
2000: 905414
vulnerability
Connection Manager that could
XP: 905414
allow Denial of Service. (CVE
2003: 905414 or
2005-2307)
SP2
Windows EMF/WMF image file
Fixes a vulnerability in the graphics 2000: 896424
vulnerability
engine processing of EMF/WMF
XP: 896424
image files that could allow an
2003: 896424 or
attacker to take control of a host.
SP2
(CVE 2005-0803 CVE 2005-2123
CVE 2005-2124)
Windows Kernel privilege elevation Fixes a vulnerability in the Windows 2000: 908523
vulnerability
2000 Kernel that allows an attacker
who has successfully logged into
the system to take control of a
host. (CVE 2005-2827)
Windows WMF gdi32.dll
Fixes a remote code execution
2000: 912919
vulnerability
vulnerability which exists in the
XP: 912919
Graphics Rendering Engine
2003: 912919 or
because of the way that it handles SP2
Windows Metafile (WMF) images.
An attacker could exploit the
vulnerability to take complete control
of the affected system by
constructing a specially crafted
WMF image which is read by a
user on the system. (CVE
2005-4560)
Windows web fonts vulnerability
Fixes a vulnerability in embedded 2000: 908519
web fonts that could allow remote XP: 908519
code execution. An attacker could 2003: 908519 or
exploit the vulnerability by having a SP2
user access a web page with the
malformed web fonts in it. This
would allow the attacker to execute
commands with the authority of the
user. (CVE 2006-0010)
Windows Media Player bmp buffer Fixes a command execution
911565
overflow
vulnerability in bmp image parsing.
(CVE 2006-0006)
Windows Media Player plug-in
Fixes a buffer overflow which could 911564
EMBED vulnerability
allow command execution when a
user plays media files through
non-Microsoft browsers. (CVE
2006-0005)
75
05-046
05-044
05-045
05-053
05-055
06-001
06-002
06-005
06-006
Windows IGMP v3 DoS
vulnerability
WebClient buffer overflow
Fixes a denial-of-service
vulnerability that would allow an
attacker to send a specially crafted
IGMP packet to an affected system
causing the affected system to stop
responding. (CVE 2006-0021)
Fixes a buffer overflow which could
allow a remote authenticated user
to gain administrative privileges.
(CVE 2005-1207 CVE 2006-0013)
Korean IME privilege elevation
vulnerability
2000: not
06-007
affected
XP: 913446
2003: 913446 or
SP2
2000: not
05-028
affected
06-008
XP: 911927
2003: 911927 or
SP2
or disable
WebClient
service
2000: not
06-009
affected
XP: 901190
2003: 901190
Fixes a privilege elevation
attacker who has interactively
logged onto the system to take full
control of the system. (CVE
2006-0008)
Windows DACL privilege elevation Fixes a privilege elevation
2000: not
vulnerability
vulnerability allowing full control of affected
the system by any user on
XP: 914798 or
Windows XP or by a user in the
SP2
network configuration operators
2003: 914798 or
group on Windows Server 2003.
SP1
(CVE 2006-0023)
Windows Help File Image
Windows 2000, XP, and 2003 are
Processing Heap Buffer Overflow
affected by a heap overflow issue
when handling a specially crafted
Windows Help (.hlp) file containing a
malicious image. (CVE 2006-1591)
Microsoft Data Access Component A remote code execution
2000: 911562
vulnerability
vulnerability exists in the
XP: 911562
RDS.Dataspace ActiveX control in 2003: 911562 or
ADO distributed in MDAC.
SP2
Opening a file provided by an
attacker (Mail or Website) allows an
attacker to execute code with the
rights of that user. (CVE
2006-0003)
Windows Explorer COM object
2000: 908531
command execution
allow command execution by a web XP: 908531
site which forces a connection to a 2003: 908531 or
remote file server. (CVE
SP2
2004-2289 CVE 2006-0012)
Distributed Transaction Coordinator Fixes two vulnerabilities that an
2000: 913580
Denial of Service
attacker could use to cause the
XP: 913580
Microsoft Distributed Transaction
2003: 913580
Coordinator (MSDTC) to stop
responding. (CVE 2006-0034 CVE
2006-1184)
ART Rendering Buffer Overflow
XP SP1/IE6:
code execution when a user views 918439
76
06-011
Bugtraq ID
17325
06-014
06-015
06-018
06-022
a malformed ART image. (CVE
2006-2378)
Routing and Remote Access
Service remote code execution
Fixes a vulnerability that allows for
remote code execution when the
RASMAN service is active (CVE
2006-2370 CVE 2006-2371)
Windows Media Player PNG buffer Fixes a vulnerability in Windows
overflow
Media Player which could allow
opens a malformed media file.
(CVE 2006-0025)
Windows SMB invalid handle denial Fixes two vulnerabilities, one that
of service
would allow for a denial of service
and the other which would allow
privilege elevation. (CVE
2006-2373 CVE 2006-2374)
Windows TCP/IP remote code
Fixes vulnerability in Windows TCP
/IP IP Source Routing code which
allows for remote code execution.
(CVE 2006-2379)
Windows RPC Mutual
Fixes vulnerability in Windows RPC
Authentication spoofing
for Windows 2000 that allows for
spoofing of RPC authentication.
(CVE 2006-2380)
Windows Mailslot Heap Overflow
Fixes a heap overflow in Mailslot
allowing remote command
execution, and an SMB information
disclosure vulnerability. (CVE
2006-1314 CVE 2006-1315)
DHCP Client Buffer Overflow
allow command execution by an
attacker-controlled DHCP server on
the local subnet. (CVE 2006-2372)
Server Service Buffer Overrun
allow command execution on a
buffer overrun on the Server
Service (CVE 2006-3439)
DNS Resolution Remote Code
Fixes vulnerabilities in the Winsock
Execution
Hostname functionality and a DNS
Resolution Client Buffer Overrun.
(CVE 2006-3440 CVE 2006-3441)
Windows MMC redirect cross-site Fixes vulnerabilities which allow for
scripting vulnerability
Remote Code Execution in the
Microsoft Management Console on
the load of malformed files. (CVE
2006-3643)
Windows Explorer Folder GUID
Code Execution vulnerability
vulnerability which exists in
Windows Explorer dealing with
Drag and Drop events. (CVE
2006-3281)
77
XP SP2:
918439
2003: 918439 or
SP2
IE 5.01: 918439
2000: 911280
06-025
XP: 911280
2003: 911280 or
SP2
917734
06-024
2000: 914389
06-030
XP: 914389
2003: 914389 or
SP2
2000: 917953
06-032
XP: 917953
2003: 917953 or
SP2
2000: 917736
06-031
2000: 917159
06-035
XP: 917159
2003: 917159 or
SP2
2000: 914388
XP: 914388
2003: 914388 or
SP2
2000: 921883
XP: 921883
2003: 921883 or
SP2
2000: 920683
XP: 920683
2003: 920683 or
SP2
2000: 917008
06-036
06-040
06-041
06-044
2000: 921398
06-045
XP: 921398
2003: 921398 or
SP2
HTML Help ActiveX Control string
buffer overflow
Fixes an overflow in a string buffer
execution by a malicious web site
or e-mail. (CVE 2006-3357)
Windows Kernel privilege elevation Fixes a vulnerability that allows an
vulnerability
attacker who has successfully
logged into the system to take
control of a host. Note: Different
than MS05-055. (CVE 2006-3444)
Hyperlink Object Library function
Fixes both a function vulnerability
vulnerability and buffer overflow
and a buffer overflow, either of
execution when a user clicks on a
specially crafted hyperlink. (CVE
2006-3086 CVE 2006-3438)
Windows unhandled exception
Fixes two vulnerabilities, including a
vulnerability
bug in handling of chained
exceptions allowing command
execution when a user visits a
malformed web page. (CVE
2006-3443 CVE 2006-3648)
Windows PGM remote code
Fixes a vulnerability which allows a
execution
malformed Pragmatic General
Multicast (PGM) message to cause
remote code execution through the
MSMQ service. (CVE 2006-3442)
Windows indexing service cross-site Fixes a vulnerability that allows
scripting
cross-site scripting leading to
information disclosure through the
indexing (cisvc) service. (CVE
2006-0032)
Windows Explorer setslice remote Fixes a remote code execution
code execution
vulnerability which exists in
Windows Explorer
WebViewFolderIcon ActiveX
setslice function. A crafted website
or email message could cause
2006-3730)
Microsoft XML Core Services
XML Core services, a remote code
execution and an information
disclosure. (CVE 2006-4685
CVE 2006-4686)
Windows SMB Remote Code
Fixes a vulnerability in Microsoft
Execution
Server Message Block (SMB)
Protocol. The vulnerability could
allow remote code execution on a
server that is sharing files or
folders. An attacker who
successfully exploited this
vulnerability could install programs;
view, change, or delete data; or
78
2000: 922616
06-046
XP: 922616
2003: 922616 or
SP2
2000: 920958
06-049
2000: 920670
06-050
XP: 920670
2003: 920670 or
SP2
2000: 917422
06-051
XP: 917422
2003: 917422 or
SP2
2000: not
06-052
affected
XP: 919007
2003: not
affected
2000: 920685
06-053
XP: 920685
2003: 920685 or
SP2
2000: 923191
06-057
XP: 923191
2003: 923191 or
SP2
924191
06-061
2000: 957095
XP: 957095
2003: 957095
Vista: 957095
2008: 957095
08-063
06-063
create new accounts with full user
rights. (CVE 2008-4038)
Also fixes other two vulnerabilities.
A null pointer dereference in
srv.sys allows an attacker to
remotely crash the system. A
validated attacker can execute code
as administrator. (CVE 2006-3942
CVE 2006-4696)
Windows TCP/IP IPv6 denial of
Fixes vulnerabilities which allow for XP: 922819
service
denial of service when IPv6 is
2003: 922819 or
used. (CVE 2004-0230, CVE
SP2
2004-0790, CVE 2005-0688, CVE
2005-1649)
Windows Object Packer dialogue
XP: 924496
allow a file to execute commands
2003: 924496 or
by creating a misleading dialogue SP2
box. (CVE 2006-4692)
Microsoft Windows NAT Helper
DoS vulnerability in Windows NAT
DNS Query Denial of Service
Helper caused by improper
processing of crafted DNS queries.
(CVE 2006-5614)
Client Service for NetWare buffer
Vulnerabilities allowing remote
2000: 923980
overflow and driver denial of
attacker to execute arbitrary
XP: 923980
service
commands or crash the system.
2003: 923980
(Requires valid login on 2003.)
(CVE 2006-4688 CVE 2006-4689)
Microsoft Agent ACF memory
Microsoft Agent vulnerability causing 2000: 920213
corruption
remote code execution through
XP: 920213
read of crafted .ACF files read in
2003: 920213
web page. (CVE 2006-3445)
Windows Workstation service
A remote code execution
2000: 924270
vulnerability in Workstation service XP: 924270
allows complete control of the
2003: Not
affected system. (Note, administratoraffected
privileges are required for XP)
CVE 2006-4691)
Microsoft XMLHTTP
XMLHTTP 4.0 and 6.0 ActiveX
MSXML 4.0:
setRequestHeader code execution Control vulnerability in
927978
setRequestHeader allows remote
MSXML 6.0:
code execution from read of crafted 927977
webpage. (CVE 2006-5745)
Client Server Run-Time Subsystem Fixes a vulnerability allowing local XP: 926255
file manifest vulnerability
authenticated users to gain elevated 2003: 926255
privileges due to improper handling
of file manifests. (CVE 2006-5585)
Windows Media Format ASX
Fixes vulnerabilities in Windows
2000: 923689 or
Parsing Buffer Overflow
Media Format which could allow
925398 (WMP
command execution when parsing 6.4)
ASF and ASX files. (CVE
XP: 923689 or
2006-4702 CVE 2006-6134)
925398 (WMP
6.4)
2003: 923689 or
925398 (WMP
79
06-064
06-065
Bugtraq ID
20804
06-066
06-068
06-070
06-071
06-075
06-078
6.4)
Microsoft Windows Workstation
Vulnerability in the Workstation
Not currently
Service NetrWkstaUserEnum denial Service that allows for a temporary fixed
of service
denial of service due to memory
allocation. (CVE 2006-6723)
HTML Help ActiveX Control
Fixes an overflow which could allow 2000: 928843
command execution by a malicious XP: 928843
web site or e-mail. (CVE
2003: 928843
2007-0214)
Interactive Training bookmark file
923723
opens a bookmark file. (CVE
2006-3448)
Windows Shell Privilege Elevation Fixes a privilege elevation
XP: 928843
vulnerability when Shell Hardware 2003: 928843
Detection service is enabled. (CVE
2007-0211)
Windows Image Acquisition
XP: 927802
Privilege Elevation
vulnerability when the Windows
Image Acquisition (WIA) service
(stisvc) is enabled. (CVE 2007-0210)
RTF OLE dialog memory
Fixes a memory corruption of OLE 2000: 926436
corruption
objects within RTF files. (CVE
XP: 926436
2007-0026)
2003: 926436
RTF MFC component memory
Fixes a memory corruption of MFC 2000: 924667
corruption
components within RTF files. (CVE XP: 924667
2007-0025)
2003: 924667
RTF RichEdit component memory Fixes a memory corruption of
2000: 918118
corruption
RichEdit components within RTF
XP: 918118
files. (CVE 2006-1311)
2003: 918118
Microsoft Malware Protection
Fixes an integer overflow which can Automatic update
Engine PDF integer overflow
occur when the Malware Protection from Microsoft
Engine processes PDF files. (CVE Update, Windows
2006-5270)
Live OneCare
AutoUpdate, or
Forefront Server
security update
service
Multiple GDI vulnerabilities fixed by Multiple vulnerabilities in parts of the 2000: 925902
MS07-017
Graphic Design Interface including XP: 925902
remote code execution.
2003: 925902
(CVE 2006-5586 CVE 2006-5758 Vista: 925902
CVE 2007-0038 CVE 2007-1211
CVE 2007-1212 CVE 2007-1213
CVE 2007-1215)
Windows Kernel privilege elevation Fixes a vulnerability that allows an 2000: 931784
vulnerability
XP: 931784
2003: 931784
control of a host. Note: Different
than MS05-055 and MS06-049.
(CVE 2007-1206)
Windows CSRSS remote code
Fixes vulnerabilities in the Windows 2000: 930178
execution
Client/Server Run-time Subsystem XP: 930178
(CSRSS) that include remote code 2003: 930178
80
Secunia Advisory
SA23487
07-008
07-005
07-006
07-007
07-011
07-012
07-013
07-010
07-017
07-022
07-021
execution. (CVE 2006-6696 CVE
Vista: 930178
2006-6797 CVE 2007-1209)
Windows Client/Server Runtime
XP: KB2121546
Subsystem Could Allow Elevation allow elevation of privilege if an
2003:
of Privilege
attacker logged on to an affected
KB2121546
system that is configured with a
Chinese, Japanese, or Korean
system locale. An attacker who
vulnerability could then install
programs; view, change, or delete
data; or create new accounts with
full user rights. (CVE 2010-1891 )
Microsoft Agent URL parsing
2000: 932168
vulnerability
Agent that allows remote code
XP: 932168
execution when reading a crafted
2003: 932168
URL (CVE 2007-1205)
Windows Help File Handling Heap Windows 2000, XP, and 2003 are
Buffer Overflow
affected by a heap overflow issue
when handling a specially crafted
Windows Help (.hlp) file containing a
malicious bitmap. (CVE 2007-1912)
CAPICOM.Certificates ActiveX
Fixes a vulnerability in the
931906
control code execution
Cryptographic API Component
Object Model (CAPICOM) allowing
code execution by a malicious web
page. (CVE 2007-0940)
Windows DirectX ActiveX control
Internet Explorer Denial of Service
Denial of Service
in the DirectX Media software for
XP. (CVE 2006-4301)
Windows Schannel digital signature Fixes a vulnerability affecting
2000: 935840
applications which use SSL/TLS
XP: 935840
allowing code execution on
2003: 935840
Windows XP and denial of service
on Windows 2000 and 2003. (CVE
2007-2218)
Vulnerability in TLS Could Disclose Fixes a vulnerability which could
XP:2655992
Information
allow information disclosure if an
(32-bit), 2655992
attacker intercepts encrypted web (64-bit)
traffic served from an affected
2003:2655992
system. (CVE 2012-1870)
(32-bit), 2655992
(64-bit)
Vista:2655992
(32-bit), 2655992
(64-bit)
2008:2655992
(32-bit), 2655992
(64-bit)
Win 7:2655992
(32-bit), 2655992
(64-bit)
2008
R2:2655992
(64-bit)
81
10-069
07-020
Bugtraq ID
23382
07-028
Bugtraq archive
443901
07-031
12-049
Fixes Vista Permissive User
Fixes a vulnerability allowing
Vista: 931213
Information Store ACLs
non-privileged users to access local
Information Disclosure Vulnerability user information data stores such as
admin passwords contained within
the registry and local file system.
(CVE 2007-2229)
Win32 API parameter validation
2000: 935839
vulnerability
allow command execution by a
XP: 935839
specially crafted web site. (CVE
2003: 935839
2007-2219)
GDI+ component ICO divide by
Fixes a divide by zero error in the
Do not download
zero
Graphics Device Interface which
ICO files from
could allow denial of service when untrusted
an application opens a malformed sources.
image. Affects Windows 2003.
(CVE 2007-2237)
Windows Vista Teredo interface
Fixes a flaw which could allow
Vista: 935807
firewall bypass
network traffic to bypass firewall
rules on the Teredo interface.
(CVE 2007-3038)
DirectX RLE Compressed Targa
Fixes a buffer overflow vulnerability Update to the
Image File Heap Overflow
in DirectX libraries which handles
October 2006
compressed Targa (TGA) files.
version of
(CVE 2006-4183)
DirectX or later.
Microsoft XML Core Services
Fixes a vulnerability in the XML
Windows XP
Core services which allowed for
Service Pack
remote code execution on
3, Microsoft
processing of a crafted file. (CVE
XML Core
2007-2223)
Services
4.0:KB2758694
XML Core Services 3.0 which
Windows XP
allows command execution when a Service Pack
user loads a specially crafted
3, Microsoft
HTML page. (CVE 2010-2561)
XML Core
Fixes multiple vulnerabilities which Services
could allow code execution when
6.0:KB2757638
XML content is parsed. (CVE
Windows XP
2007-0099 CVE 2008-4029 CVE
Professional
2008-4033)
x64 Edition
Fixes a vulnerability in the XML
Service Pack
Core services which allowed for
2, Microsoft
remote code execution if a user
XML Core
views a specially crafted webpage Services
using Internet Explorer. (CVE
3.0:KB2757638
2012-1889 CVE 2013-0006 CVE
Windows XP
2013-0007)
Professional
x64 Edition
Service Pack
2, Microsoft
XML Core
Services
4.0:KB2758694
Windows XP
82
07-032
07-035
VU#290961
07-038
Secunia Advisory
SA26131
07-042
08-069
10-051
12-043
13-002
Professional x64
Edition Service
Pack 2, Microsoft
XML Core
Services
6.0:KB2758696
Windows
Server 2003
Service Pack
2, Microsoft
XML Core
Services
4.0:KB2758694
Windows
Server 2003
Service Pack
2, Microsoft
XML Core
Services
6.0:KB2758696
Windows
Server 2003
x64 Edition
Service Pack
2, Microsoft
XML Core
Services
3.0:KB2757638
Windows
Server 2003
x64 Edition
Service Pack
2, Microsoft
XML Core
Services
4.0:KB2758694
Windows
Server 2003
x64 Edition
Service Pack
2, Microsoft
XML Core
Services
6.0:KB2758696
Windows
Server 2003
with SP2 for
Itanium-based
Systems,
Microsoft XML
Core Services
3.0:KB2757638
Windows
Server 2003
83
with SP2 for
Itanium-based
Systems,
Microsoft XML
Core Services
4.0:KB2758694
Windows
Server 2003
with SP2 for
Itanium-based
Systems,
Microsoft XML
Core Services
6.0:KB2758696
Windows Vista
Service Pack
2, Microsoft
XML Core
Services
4.0:KB2758694
Windows Vista
Service Pack
2, Microsoft
XML Core
Services
6.0:KB2757638
Windows Vista
x64 Edition
Service Pack
2, Microsoft
XML Core
Services
3.0:KB2757638
Windows Vista
x64 Edition
Service Pack
2, Microsoft
XML Core
Services
4.0:KB2758694
Windows Vista
x64 Edition
Service Pack
2, Microsoft
XML Core
Services
6.0:KB2757638
Windows
Server 2008
for 32-bit
Systems
Service Pack
2, Microsoft
XML Core
84
Services
4.0:KB2758694
Windows
Server 2008
for 32-bit
Systems
Service Pack
2, Microsoft
XML Core
Services
6.0:KB2757638
Windows
Server 2008
for x64-based
Systems
Service Pack
2, Microsoft
XML Core
Services
3.0:KB2757638
Windows
Server 2008
for x64-based
Systems
Service Pack
2, Microsoft
XML Core
Services
4.0:KB2758694
Windows
Server 2008
for x64-based
Systems
Service Pack
2, Microsoft
XML Core
Services
6.0:KB2757638
Windows
Server 2008
for
Itanium-based
Systems
Service Pack
2, Microsoft
XML Core
Services
3.0:KB2757638
Windows
Server 2008
for
Itanium-based
Systems
Service Pack
85
2, Microsoft
XML Core
Services
4.0:KB2758694
Windows
Server 2008
for
Itanium-based
Systems
Service Pack
2, Microsoft
XML Core
Services
6.0:KB2757638
Windows 7 for
32-bit Systems,
Microsoft XML
Core Services
4.0:KB2758694
Windows 7 for
32-bit Systems,
Microsoft XML
Core Services
6.0:KB2757638
Windows 7 for
32-bit Systems
Service Pack
1, Microsoft
XML Core
Services
4.0:KB2758694
Windows 7 for
32-bit Systems
Service Pack
1, Microsoft
XML Core
Services
6.0:KB2757638
Windows 7 for
x64-based
Systems,
Microsoft XML
Core Services
3.0:KB2757638
Windows 7 for
x64-based
Systems,
Microsoft XML
Core Services
4.0:KB2758694
Windows 7 for
x64-based
Systems,
Microsoft XML
86
Core Services
6.0:KB2757638
Windows 7 for
x64-based
Systems
Service Pack
1, Microsoft
XML Core
Services
3.0:KB2757638
Windows 7 for
x64-based
Systems
Service Pack
1, Microsoft
XML Core
Services
4.0:KB2758694
Windows 7 for
x64-based
Systems
Service Pack
1, Microsoft
XML Core
Services
6.0:KB2757638
Windows
Server 2008
R2 for
x64-based
Systems,
Microsoft XML
Core Services
3.0:KB2757638
Windows
Server 2008
R2 for
x64-based
Systems,
Microsoft XML
Core Services
4.0:KB2758694
Windows
Server 2008
R2 for
x64-based
Systems,
Microsoft XML
Core Services
6.0:KB2757638
Windows
Server 2008
R2 for
x64-based
87
Systems Service
Pack 1, Microsoft
XML Core
Services
3.0:KB2757638
Windows
Server 2008
R2 for
x64-based
Systems
Service Pack
1, Microsoft
XML Core
Services
4.0:KB2758694
Windows
Server 2008
R2 for
x64-based
Systems
Service Pack
1, Microsoft
XML Core
Services
6.0:KB2757638
Windows
Server 2008
R2 for
Itanium-based
Systems,
Microsoft XML
Core Services
3.0:KB2757638
Windows
Server 2008
R2 for
Itanium-based
Systems,
Microsoft XML
Core Services
4.0:KB2758694
Windows
Server 2008
R2 for
Itanium-based
Systems,
Microsoft XML
Core Services
6.0:KB2757638
Windows
Server 2008
R2 for
Itanium-based
Systems
88
Service Pack 1,
Microsoft XML
Core Services
3.0:KB2757638
Windows
Server 2008
R2 for
Itanium-based
Systems
Service Pack
1, Microsoft
XML Core
Services
4.0:KB2758694
Windows
Server 2008
R2 for
Itanium-based
Systems
Service Pack
1, Microsoft
XML Core
Services
6.0:KB2757638
Windows 8 for
32-bit Systems,
Microsoft XML
Core Services
4.0:KB2758694
Windows 8 for
32-bit Systems,
Microsoft XML
Core Services
6.0:KB2757638
Windows 8 for
64-bit Systems,
Microsoft XML
Core Services
3.0:KB2757638
Windows 8 for
64-bit Systems,
Microsoft XML
Core Services
4.0:KB2758694
Windows 8 for
64-bit Systems,
Microsoft XML
Core Services
6.0:KB2757638
Windows
Server 2012,
Microsoft XML
Core Services
3.0:KB2757638
89
Windows
Server 2012,
Microsoft XML
Core Services
4.0:KB2758694
Windows
Server 2012,
Microsoft XML
Core Services
6.0:KB2757638
2000: 921503
XP: 921503
2003: 921503
Windows OLE Automation remote
code execution
Fixes a vulnerability in the OLE
07-043
automation which allowed for
remote code execution on
processing of a crafted file. (CVE
2007-2224)
Windows GDI image handling
Fixes a vulnerability in the Windows 2000: 938829
07-046
buffer overflow
graphics device interface allowing XP: 938829
command execution when a
2003: 938829
specially crafted image is rendered.
(CVE 2007-3034)
Windows Media Player Skin parsing Fixes a vulnerability in Windows
936782
07-047
and decompression remote code
Media Player which could allow
execution
opens a media file with a
malformed skin. (CVE 2007-3035
CVE 2007-3037)
Windows Gadgets remote code
Vista: 938123
07-048
execution vulnerabilities
Gadgets for Headline, Contacts and
Weather that allow for remote code
execution when accessing remote
feeds. (CVE 2007-3032 CVE
2007-3033 CVE 2007-3891)
DirectX DirectTransform FlashPix Fixes a remote code execution
Workaround: Set Secunia Advisory
ActiveX buffer overflow
vulnerability in the DirectTransform kill bit for CLSID SA26426
FlashPix ActiveX control as
201EA564-A6F6
packaged in Microsoft DirectX
-11D1-811D-00C0
Media 6.0 SDK. (CVE 2007-4336) 4FB6BD36.
Microsoft Agent ActiveX remote
Fixes an additional vulnerability in 2000: 938827
07-051
code execution
Microsoft Agent that allows remote
code execution when reading a
crafted URL. (CVE 2007-3040)
Windows Services for UNIX 3.0
WS UNIX 3.0:
07-053
and 3.5, and Subsystem for
Services for UNIX where running
939778
UNIX-based Applications setuid
certain setuid binary files could allow WS UNIX 3.5:
privilege elevation
an attacker to gain elevated
938827
privileges. (CVE 2007-3036)
SfUA 2003:
938827
SfUA Vista:
938827
Vulnerable MFC Library FileFind
A Heap Overflow exists in the
XP: 2387149
VU#611008
Class file Heap Overflow
Microsoft Windows MFC Shared
2003: 2387149 SA26800
Library - FileFind Class. (CVE
2007-4916)
Kodak Image Viewer remote code Fixes a vulnerability in the Kodak
2000: 923810
07-055
90
execution
Image Viewer that allows for
remote code execution when
viewing a crafted file. (CVE
2007-2217)
Windows RPC Authentication denial Fixes vulnerability in Windows RPC
of service
for Windows that allows for a denial
of service to be caused in the RPC
authentication. (CVE 2007-2228)
SharePoint Services site privilege SharePoint Services 3.0 and Office
elevation
SharePoint Server 2007 have an
elevation of privilege vulnerability
within the SharePoint site. (CVE
2007-2581)
Microsoft SharePoint Server 2007
Shell32.dll Windows URI handling
Remote Code Execution
Jet Database Engine vulnerable
version
Windows Vista SMBv2 Remote
Code Execution
DirectX Parsing Remote Code
Execution
Microsoft Video ActiveX Control
Stack Buffer Overflow
Message Queuing validation
vulnerability
XP: 923810
2003: 923810
2000: 933729
XP: 933729
2003: 933729
Vista: 933729
2003
SharePoint
Services 3.0:
934525
Office
SharePoint
Server 2007:
934525 and
937832
Microsoft SharePoint Server 2007 Microsoft
has an elevation of privilege
SharePoint
vulnerability within the SharePoint Server 2007:
site. (CVE 2008-3006)
KB953397
Fixes vulnerability in Windows URI XP: 943460
handling that can lead to remote
2003: 943460
code execution. (CVE 2007-3896)
2000: 950749
XP: 950749
arbitrary code by enticing a target 2003 SP1:
user to open a crafted MDB file.
950749
(CVE 2007-6026 CVE 2008-1092 )
Fixes a vulnerability that could allow Vista: 942624
an attacker to tamper with data
transferred in SMBv2 leading to
2007-5351)
Fixed vulnerabilities that could allow 2000 (7.0):
remote code execution parsing
941568 2000
SAMI, WAV or AVI files. (CVE
(8.0): 941568
2007-3895 CVE 2007-3901)
2000 (9.0c):
941568 XP:
941568
2003: 941568
Vista: 941568
A buffer overflow vulnerability exists Video ActiveX
in Microsoft DirectShow. The flaw Control: 972890
is due to the way Microsoft Video
ActiveX Control parses image files.
An attacker can persuade the
target user to open a malicious web
page to exploit this vulnerability.
(CVE 2008-0015)
Fixes a buffer overflow in Message 2000: 937894
Queuing which could allow remote XP: 937894
command execution for Windows
2000 and privilege elevation for
91
07-058
07-059
08-043
07-061
08-028
VU#936529
07-063
07-064
09-032
07-065
Windows XP. (CVE 2007-3039)
Vulnerability in Message Queuing Fixes a memory corruption
2000: 971032
Could Allow Elevation of Privilege vulnerability in Message Queuing. XP: 971032
The vulnerability is caused by a
2003: 971032
failure to validate messages
Vista: 971032
containing user-defined memory
address. Remote unauthenticated
attackers can exploit this
vulnerability by sending specially
crafted messages to the affected
interface. A successful exploitation
can lead to arbitrary code execution
with System level privileges. (CVE
2008-3479)
Fixes a vulnerability in the Windows
Message Queuing Service
(MSMQ). The vulnerability could
allow elevation of privilege if a user
received a specially crafted request
to an affected MSMQ service.
(CVE 2009-1922)
Windows Kernel privilege elevation Fixes a vulnerability that allows an Vista: 943078
vulnerability
control of a host running Vista.
(CVE 2007-5350)
Windows Media Format ASF file
Windows Media
command execution when Windows Format: 941569
Media Player or Media Services
Windows Media
processes malformed content. (CVE Services:
2007-0064)
944275
Multiple Windows TCP/IP
Fixes two vulnerabilities: (1) an
2000: 941644
vulnerabilities
IGMPv3 and MLDv2 vulnerability
XP: 941644
that could allow remote code
2003: 941644
execution; and (2) an ICMP
Vista: 941644
vulnerability that could result in
denial of service. (CVE 2007-0069,
CVE 2007-0066)
Windows LSASS vulnerability
Fixes a vulnerability that could allow 2000: 943485
an attacker to gain elevated
XP: 943485
privileges. (CVE 2007-5352)
2003: 943485
Vista DHCP response denial of
Fixes a TCP/IP vulnerability
Vista: 946456
service
allowing a denial of service by a
response from a DHCP server.
(CVE 2008-0084)
Windows WebDAV Mini-Redirector Fixes a vulnerability that could allow XP: 946026
a remote attacker to take complete 2003: 946026
control of an affected system.
Vista: 946026
(CVE 2008-0080)
Windows OLE Automation Heap
Fixes a heap-based buffer overflow 2000: 943055
Overrun
in Object Linking and Embedding
XP: 943055
(OLE) automation that could allow 2003: 943055
remote attackers to execute
Vista: 943055
arbitrary code via a crafted request.
92
09-040
08-065
07-066
07-068
08-001
08-002
08-004
08-007
08-008
(CVE 2007-0065)
Windows DNS Spoofing Attack
vulnerability
DNS client that leads to a lack of
entropy in the randomness of the
choice of transaction IDs which
could allow an attacker to send
malicious responses to DNS
requests. (CVE 2008-0087)
Windows GDI remote code
Fixes several vulnerabilities: (1)
execution
stack overflow vulnerability in the
way Graphics Device Interface
(GDI) handles filename parameters
in EMF image files; (CVE
2008-1087) (2) heap overflow
vulnerability in the way GDI
handles integer calculations; (CVE
2008-1083) (3) remote code
execution vulnerability in the way
that GDI handles integer
calculations; (CVE 2008-2249) (4)
remote code execution vulnerability
in the way that GDI handles file
size parameters in WMF files.
(CVE 2008-3465)
Windows kernel user mode callback Fixes a privilege elevation
vulnerability
vulnerability caused by insufficient
validation of input passed from user
mode to the kernel. (CVE
2008-1084)
DirectX SAMI-MJPEG Parsing
Fixed vulnerabilities that could allow
remote code execution parsing
MJPEG and SAMI files. (CVE
2008-0011 CVE 2008-1444)
Windows PGM denial of service
Snapshot Viewer for Microsoft
Access file download vulnerability
Windows DNS Client Spoofing
vulnerability
Fixes two vulnerabilities which allow
a malformed Pragmatic General
Multicast (PGM) message to cause
a denial of service through the
MSMQ service. (CVE 2008-1440
CVE 2008-1441)
allow files to be downloaded to
arbitrary locations. (CVE
2008-2463)
DNS client. This vulnerability could
allow a remote unauthenticated
93
2000: 945553
XP: 945553
2003: 945553
Vista: 945553
08-020
2000: 956802
XP: 956802
2003: 956802
Vista: 956802
2008: 956802
08-071
08-021
2000: 941693
XP: 941693
2003: 941693
Vista: 941693
2008: 941693
2000: 951698
XP: 951698
2003: 951698
Vista: 951698
2008: 951698
2000: not
affected
XP: 950762
2003: 950762
Vista: 950762
2008: 950762
Set kill bits (see
08-041)
Snapshot
Viewer 2000:
955441
Snapshot
Viewer 2002:
955440
Snapshot
Viewer 2003:
955439
2000: 951748
XP: 951748
2003: 951748
08-025
08-033
08-036
08-041
08-037
attacker to quickly and reliably spoof
responses and insert records into
the client cache, thereby redirecting
Internet traffic. (CVE 2008-1447)
Windows DNS Server Spoofing
2000: 951746
vulnerability
Windows DNS Server. The
2003: 951746
vulnerabilities could allow spoofing 2008: 951746
by poisoning the DNS cache.
(CVE 2008-1447 CVE 2008-1454)
Windows Explorer Remote Code
Fixes several vulnerabilities: (1)
Vista: 958623,
Execution
remote code execution vulnerability 958624
when a specially crafted
2008: 958623,
saved-search file is opened and
958624
saved; (CVE 2008-1435) (2) remote
code execution vulnerability when
saving a specially crafted search file
within Windows Explorer; (CVE
2008-4268) (3) remote code
execution vulnerability in Windows
Explorer that allows an attacker to
construct a malicious web page that
includes a call to the search-ms
protocol handler. (CVE 2008-4269)
Microsoft Image Color Management Fixes a vulnerability which could
2000: 952954
System vulnerable version
allow remote command execution XP: 952954
on Windows 2000, Windows XP
2003: 952954
and Windows Server 2003. (CVE
2008-2245)
Windows Messenger UIAutomation Fixes an information disclosure
XP: 946648
ActiveX vulnerability
vulnerability caused by an ActiveX 2003: 954723
control which is incorrectly marked
safe. (CVE 2008-0082)
Event System vulnerabilities
Fixes two vulnerabilities which allow 2000: 950974
authenticated users to execute
XP: 950974
arbitrary code on Windows 2000,
XP
Windows XP, Windows Server
Professional
2003, Windows Vista, and Windows x64: 950974
Server 2008. (CVE 2008-1456
2003: 950974
CVE 2008-1457)
2003 x64
950974
Vista: 950974
Vista x64:
950974
2008: 950974
2008 x64:
950974
Active Directory Federation
Fixes two vulnerabilities which allow 2003 SP2:
Services vulnerable version
remote authenticated code execution971726
and spoofing on Windows Server
2003 SP2 x64:
2003 SP2, and Windows Server
971726
2008. (CVE 2009-2508 CVE
2008 & SP2:
2009-2509)
971726
2008 x64 &
SP2: 971726
94
08-037
08-075
08-038
08-046
08-050
08-049
09-070
Windows kernel vulnerable version Fixes multiple vulnerabilities which 2000: 977165
allow authenticated users to elevate XP: 977165
privileges on Windows 2000,
2003: 977165
Vista: 977165
2003, Windows Vista, Windows
2008: 977165
Server 2008, and Windows 7.
Windows 7:
(CVE 2009-2515 CVE 2009-2516 977165
CVE 2009-2517 CVE 2010-0232
CVE 2010-0233 )
Windows GDI+ vulnerabilities
Fixes vulnerabilities in the gdiplus.dll XP: 958869
of Microsoft Windows GDI+
XP
subsystem which could allow remote Professional
code execution if a user viewed a
x64: 958869
specially crafted file. (CVE
2003: 958869
2009-2500 CVE 2009-2501 CVE
2003 X64:
2009-2502 CVE 2009-2503 CVE
958869
2009-2504 CVE 2009-3126 CVE
2003 Itanium:
2009-2528 CVE 2009-2518)
958869
Vista: 958869
Vista X64:
958869
2008: 958869
2008 X64:
958869
Windows GDI+ vulnerabilities
Fixes vulnerabilities in the gdiplus.dll XP: 938464
of Microsoft Windows GDI+
XP
subsystem which could allow remote Professional
x64: 938464
specially crafted file. (CVE
2003: 938464
2007-5348 CVE 2008-3012 CVE
2003 X64:
2008-3013 CVE 2008-3014 CVE
938464
2008-3015)
Vista: 938464
Vista X64:
938464
2008: 938464
2008 X64:
938464
Windows Media Player sampling
Fixes a command execution
XP: 954154
rate vulnerability
vulnerability when streaming audio Vista: 954154
files from a Windows Media Server 2008: 954154
in a server-side playlist. (CVE
2008-2253)
Windows Media Encoder wmex.dll Fixes a command execution
2000: 954156
ActiveX vulnerability
vulnerability in an ActiveX control
XP: 954156
which was incorrectly marked
2003: 954156
safe-for-scripting. (CVE 2008-3008) Vista: 954156
2008: 954156
Windows kernel validation
Fixes vulnerabilities by validating
2000: 958690
input passed from user mode
XP: 958690
through the kernel component of
2003: 958690
GDI, correcting the way that the
Vista: 958690
kernel validates handles, and
2008: 958690
changing the way that the Windows
95
09-058
10-015
09-062
(superseded by
11-029)
08-052
08-054
08-053
09-006
08-061
kernel handles specially crafted
invalid pointers. (CVE 2009-0081
CVE 2009-0082 CVE 2009-0083)
Fixes vulnerabilities by correcting
window property validation passed
during the new window creation
process, calls from multiple threads
are handled, and validation of
parameters passed to the Windows
Kernel from user mode. (CVE
2008-2250 CVE 2008-2251 CVE
2008-2252)
AFD Kernel Overwrite vulnerability Fixes a privilege elevation
vulnerability in the Ancillary
Function Driver which occurs when
passing data from user to kernel
mode. (CVE 2008-3464)
Elevation of Privilege Vulnerabilities Fixes multiple privilege elevation
in Windows
vulnerabilities. (CVE 2008-4036
CVE 2008-1436 CVE 2009-0078
CVE 2009-0079 CVE 2009-0080 )
Windows Server Service MS08-067 Fixes a buffer overflow in the
buffer overflow
Windows Server service which
could allow remote attackers to take
complete control of the computer.
(CVE 2008-4250)
Windows SMB credential reflection Fixes validation of NTLM
vulnerability
authentication replies to ensure that
a user's credentials are not
reflected back to an attacker. (CVE
2008-4037)
Windows Media components SPN Fixes a vulnerability which allows
credential reflection vulnerability
unauthorized access by forwarding
a client's credentials and a
credential disclosure vulnerability in
ISATAP. (CVE 2008-3009 CVE
2008-3010)
SharePoint Services site privilege
elevation
Microsoft Office SharePoint Server
2007 and Microsoft Search Server
2008 have an elevation of privilege
vulnerability within the SharePoint
site. (CVE 2008-4032)
Multiple Windows SMB
vulnerabilities
Fixes multiple SMB buffer overflow
vulnerabilities that could give an
attacker administrative rights to the
system. (CVE 2008-4114 CVE
96
XP: 956803
2003: 956803
08-066
2000: 952004
08-064
XP: 952004
09-012
2003: 952004
Vista: 952004
2008: 952004
2000: 958644
08-067
XP: 958644
2003: 958644
Vista: 958644
2008: 958644
2000: 957097
08-068
XP: 957097
2003: 957097
Vista: 957097
2008: 957097
Media Player:
08-076
954600
Media Format:
952069
Media
Services:
952068
Office
08-077
SharePoint
Server 2007:
956716 (32 Bit)
or 956716 (64
Bit)
Office Search
Server 2008:
956716 (32 Bit)
or 956716 (64
Bit)
2000: 958687
09-001
(32 bit)
XP: 958687 (32
bit) or 958687 (64
2008-4834 CVE 2008-4835)
Windows Schannel spoofing
vulnerability
Vulnerabilities in SChannel could
allow Remote Code Execution
WordPad and Text converters
DirectX MJPEG decompression
bit)
2003: 958687
(32 bit), 958687
(64 bit), or
958687 Itanium
Vista: 958687
(32 bit) or 958687
(64 bit)
2008: 958687
(32 bit), 958687
(64 bit), or
958687 Itanium
Fixes a spoofing vulnerability in
2000: 960225
09-007
windows 2000, 2003, XP, Vista,
XP: 960225 (32
and 2008. The vulnerability is only bit), or 960225
harmful if the attacker gains access (64 bit)
to the certificate after having
2003: 960225
obtained the public key component (32 bit), 960225
through other means. (CVE
(64 bit), or
2009-0085)
960225 Itanium
Vista: 960225
(32 bit), or
960225 (64 bit)
2008: 960225
(32 bit), 960225
(64 bit), or
960225 Itanium
XP: 980436,
10-049
Secure Channel (SChannel) security 2003: 980436,
package in Windows. The more
Vista: 980436,
severe of these vulnerabilities could 2008: 980436,
allow remote code execution if a
Windows 7:
user visits a specially crafted Web 980436,
site that is designed to exploit these 2008 R2:
vulnerabilities through an Internet
980436.
Web browser. In all cases,
however, an attacker would have
no way to force users to visit these
Web sites. Instead, an attacker
would have to convince users to
visit the Web site, typically by
getting them to click a link in an
e-mail message or in an Instant
Messenger message that takes
users to the attacker's Web site.
(CVE 2009-3555 CVE 2010-2566)
Fixes Microsoft WordPad and
2000: 973904
09-010
Microsoft Office text converters
XP: 973904
09-073
memory corruption. (CVE
2003: 973904
2008-4841 CVE 2009-0087 CVE
2009-0235 CVE 2009-2506)
Corrects the way the DirectShow
2000 (8.1):
09-011
component of DirectX
961373
decompresses media files. CVE
2000
97
2009-0084)
Windows HTTP Services integer
underflow
Blended threat privilege elevation
vulnerability
Microsoft Office Web Apps 2010
(9.0->9.0c):
961373
XP: 32-bit:
961373
64-bit: 96173
2003: 32-bit:
961373
64-bit: 961373
Itanium: 961373
Fixes integer underflow, certificate 2000: 960803
name mismatch, and credential
XP: 960803
reflection vulnerabilities in Windows 2003: 960803
HTTP Services. (CVE 2009-0086
Vista: 960803
CVE 2009-0089 CVE 2009-0550) 2008: 960803
2000: 959426
vulnerability in Windows 2000,
XP: 959426 (32
2003, XP, Vista, and 2008. The
bit), or 959426
vulnerability exists due to a faulty
(64 bit)
SearchPath function used for
2003: 959426
locating and opening files on
(32 bit), 959426
windows. An attacker could exploit (64 bit), or
the vulnerability by enticing a user 959426 Itanium
to download a crafted file to a
Vista: 959426
specific location and then have them (32 bit), or
open an application that uses the
959426 (64 bit)
file. (CVE 2008-2540)
2008: 959426
(32 bit), 959426
(64 bit), or
959426 Itanium
has a remote code execution
SharePoint
vulnerability. (CVE 2009-0549
Server 2007
CVE 2009-0557 CVE 2009-0558
SP1:KB969737
CVE 2009-0559 CVE 2009-0560
(32 bit), or
CVE 2009-0561 CVE 2009-1134
KB969737 (64
CVE 2011-1989 CVE 2011-1990) bit)
Microsoft
SharePoint
Server 2007
SP2:KB2553093
(32 bit), or
KB2553093 (64
bit)
SharePoint
vulnerability. (CVE 2011-1989)
Server 2010
SP1:KB2553094
(32 bit), or
KB2553094 (64
bit)
Microsoft Office Web Apps 2010
Microsoft Office
Web Apps
vulnerability. (CVE 2011-1989)
2010
SP1:KB2553095
98
09-013
09-015
09-021
11-072
11-072
11-072
(32 bit), or
KB2553095 (64
bit)
Windows Search Contains
Windows 2003 and XP contain an 2003 SP2:
Information Disclosure Vulnerability information disclosure vulnerability inKB963093 (32
Windows search due to the way file bit), or
previews are generated.
KB963093 (64
Exploitation requires user interaction bit)
and upon a successful attack,
XP SP2, SP3:
information will be presented to the KB963093, or
attacker. (CVE 2009-0239)
KB963093
Windows kernel desktop validation Fixes four vulnerabilities by
2000: 968537
vulnerabilities
correcting the methods used in
XP: 968537
validating a change in kernel object, 2003: 968537
the input passed from user mode to Vista: 968537
the kernel and the argument passed 2008: 968537
to the system call. (CVE
2009-1123 CVE 2009-1124 CVE
2009-1125 CVE 2009-1126)
Windows RPC Marshalling Engine Fixes an elevation of privilege
2000: 970238
vulnerability
vulnerability by correcting the way XP: 970238
RPC Marshalling Engine updates
2003: 970238
its internal state. (CVE 2009-0568) Vista: 970238
2008: 970238
Windows print spooler vulnerabilities Fixes two privilege elevation
2000: 961501
vulnerabilities in the Windows print XP: 961501
spooler, and one remote command 2003: 961501
execution vulnerability on Windows Vista: 961501
2000. (CVE 2009-0228 CVE
2008: 961501
2009-0229 CVE 2009-0230)
Microsoft DirectShow QuickTime
Fixes three vulnerabilities which
2000: 971633
Movie Parsing Code Execution
could allow code execution when
XP: 971633
DirectShow parses Quicktime media 2003: 971633
files, validates pointer values and
size fields. (CVE 2009-1537 CVE
2009-1538 CVE 2009-1539)
Windows Embedded OpenType
2000: 961371
Font Engine vulnerabilities
XP: 961371
opens a file or web page containing 2003: 961371
Embedded OpenType fonts. (CVE Vista: 961371
2009-0231 CVE 2009-0232)
2008: 961371
Vulnerability in the OpenType
Fixes a vulnerability in the Windows 2000: 980218
Compact Font Format Driver
OpenType Compact Font Format
(Note: Windows
Could Allow Elevation of Privilege (CFF) driver. The vulnerability
2000 is past its
could allow elevation of privilege if a maintenance
user views content rendered in a
window)
specially crafted CFF font. An
XP: 2279986
attacker must have valid logon
(32-bit), 2279986
credentials and be able to log on
(64-bit)
locally to exploit this vulnerability.
2003: 2279986
The vulnerability could not be
(32-bit), 2279986
exploited remotely or by
(64-bit), 2279986
anonymous users. (CVE 2010-0819 (Itanium)
CVE 2010-2740 CVE 2010-2741) Vista: 980218
99
09-023
09-025
09-026
09-022
09-028
09-029
10-037
10-078
(supersedes
10-037 on XP
and 2003)
Windows media file processing
vulnerable
Fixes a vulnerability that allows
remote code execution due to
improper handling of specially
crafted AVI format files. (CVE
2009-1545 CVE 2009-1546)
Windows Remote Desktop
Connection vulnerabilities
Fixes two heap overflow
vulnerabilities which could allow
command execution when the client
receives a specially crafted
response from a RDP server or
web site. (CVE 2009-1133 CVE
2009-1929)
Multiple Windows ATL vulnerability Fixes multiple vulnerabilities in
Windows Active Template Library
that could allow an attacker to
execute arbitrary code. (CVE
2008-0015 CVE 2008-0020 CVE
2009-0901 CVE 2009-2493 CVE
2009-2494)
2008: 980218
Windows 7:
980218
2000: 971557
XP: 971557
(32-bit), 971557
(64 bit)
2003: 971557
(32-bit), 971557
(64 bit), 971557
(Itanium)
Vista: 971557
(32-bit), 971557
(64-bit)
2008: 971557
(32-bit), 971557
(64-bit), 971557
(Itanium)
970927
Outlook:973354
Media
Player:973540
ATL
Component:973
507
DHTML
Component:973
869
ActiveX:
973525
DHTML Editing Component
2000: 956844
ActiveX Control Vulnerability
vulnerability in the DHTML Editing XP: 956844
Component ActiveX Control
(32-bit), 956844
brought on by users visiting a
(64-bit)
specially crafted web page. (CVE
2003: 956844
2009-2519)
(32-bit), 956844
(64-bit), 956844
(Itanium)
Windows Media header parsing and Fixes code execution vulnerabilities 2000: 968816
playback memory corruption
in the handling of ASF format files XP SP2:
vulnerabilities
and MP3 media files. (CVE
968816
2009-2498 CVE 2009-2499)
XP SP3:
968816
2003: 968816
Vista: 968816
2008: 968816
Microsoft Windows TCP/IP remote Fixes several vulnerabilities in
2003: 967723
code execution vulnerability
Transmission Control Protocol
Vista: 967723
100
09-038
09-044
09-037
09-055
09-046
09-047
09-048
Wireless LAN AutoConfig Service
frame parsing remote code
Windows Media Player ASF file
heap overflow
Windows LSASS denial of service
vulnerability
SMBv2 remote code execution
vulnerability
Windows WMA Voice codec
vulnerability
Windows ASN1 spoofing
vulnerability
/Internet Protocol (TCP/IP)
2008: 967723
processing. The vulnerabilities could
allow remote code execution if an
attacker sent specially crafted TCP
/IP packets over the network to a
computer with a listening service.
(CVE 2008-4609, CVE 2009-1925,
CVE 2009-1926)
Vista: 970710
vulnerability in the Wireless LAN
(32-bit), 970710
AutoConfig Service (wlansvc)
(64-bit)
triggered when the service receives 2008: 970710
a specially crafted wireless frame. (32-bit), 970710
(CVE 2009-1132)
(64-bit)
2000: 974112
allow command execution when a XP: 974112
user opens a malformed file in
2003: 974112
Windows Media Player 6.4. (CVE
2009-2527)
XP: 975467
allow a remote attacker to crash the 2003: 975467
computer. (CVE 2009-2524)
Vista: 975467
2008: 975467
7: 975467
Vista: 975517
vulnerability that could allow a
(32-bit), 975517
remote attacker to take control of or (64-bit)
crash the system. (CVE 2009-2526 2008: 975517
CVE 2009-2532 CVE 2009-3103) (32-bit), 975517
(64-bit), 975517
(Itanium)
2000, XP and
Media Runtime that could allow
2003 (Voice
remote code execution (CVE
codec): 969878
2009-0555 CVE 2009-2525)
2000 WMF 9:
954155
2000 WMP 9:
975025
2000, XP and
2003 (Decoder):
969878
XP SP2 WMF
9, 9.5 and 11:
954155
XP
(Compression
Manager):
975025
2000 WMP 9:
975925
2000: 974571
CryptoAPI component when
XP: 974571
parsing ASN.1. (CVE 2009-2510
XP (64-bit):
CVE 2009-2511)
974571
101
09-049
09-052
09-059
09-050
09-051
09-056
Windows Indexing Service memory Fixes a remote code execution
corruption vulnerability
remote attacker to execute arbitrary
code with the permissions of the
user loading a specially crafted web
page. (CVE 2009-2507)
2003: 974571
2003 (64-bit):
974571
Vista: 974571
2000: 969059
XP: 969059
(32-bit), 969059
(64-bit)
2003: 969059
(32-bit), 969059
(64-bit), 969059
(Itanium)
2000: 969947
XP: 969947
(32-bit), 969947
(64-bit)
2003: 969947
(32-bit), 969947
(64-bit), 969947
(Itanium)
Vista: 969947
(32-bit), 969947
(64-bit)
2008: 969947
(32-bit), 969947
(64-bit), 969947
(Itanium)
Vista: 973565
2008: 973565
Windows kernel embedded font
vulnerabilities
remote attacker to execute arbitrary
code with the permissions of the
user loading a specially crafted
Embedded OpenType (EOT) font.
(CVE 2009-1127) (CVE 2009-2513)
(CVE 2009-2514)
Windows WSDAPI remote code
remote attacker to send specially
crafted message to a computer
using the Web Services on Devices
API (WSDAPI) on Windows
systems. The service is enabled by
default on Windows Vista and
Windows Server 2008. (CVE
2009-2512)
Fixes vulnerabilities in the Windows 2000: 974318
PEAP and MS-CHAPv2 protocol
XP: 974318
implementations, which could lead to2003: 974318
remote code execution in Windows Vista: 974318
2008, privilege elevation in other
2008: 974318
server operating systems, and
potential vulnerabilities in
workstations. (CVE 2009-2505
CVE 2009-3677)
Fixes a vulnerability in the Local
2000: 974392
Security Authority Subsystem
2003: 974392
Service (LSASS) which could allow (32-bit), 974392
a denial of service. (CVE
(64-bit), 974392
2009-3675)
(Itanium)
XP: 974392
(32-bit), 974392
(64-bit)
Windows Internet Authentication
Service vulnerabilities
Windows LSASS IPSEC
Denial-of-Service Vulnerability
102
09-057
09-065
09-063
09-071
09-069
Windows Embedded OpenType
Font Engine Vulnerability
vulnerability in Windows 2000,
2003, XP, Vista, 7, and Server
2008. The vulnerability exists due
to the way Windows Embedded
OpenType (EOT) Font Engine
decompresses specially crafted
EOT fonts. (CVE 2010-0018)
2000: 972270
2003: 972270
(32-bit), 972270
(64-bit)
XP: 972270
(32-bit), 972270
(64-bit)
Vista: 972270
(32-bit), 972270
(64-bit)
Windows 7:
972270
2008: 972270
(32-bit), 972270
(64-bit)
Microsoft Paint Integer Overflow
2000: 978706
vulnerability
vulnerability if a user viewed a
XP: 978706
specially crafted JPEG image file
(32-bit), 978706
using Microsoft Paint in Windows
(64-bit)
2000, XP and Server 2003. An
2003: 978706
attacker who successfully exploited (32-bit), 978706
this vulnerability could take complete (64-bit), 978706
control of an affected system and
(Itanium)
could then install programs; view,
change, or delete data; or create
new accounts. (CVE 2010-0028)
DirectShow AVI buffer overflow
Fixes vulnerabilities in DirectShow 977914 and
975560
when a user opens a crafted AVI
file. (CVE 2010-0250)
Windows Shell Handler vulnerability Fixes a remote code execution
2000: 975713
vulnerability in Windows 2000, XP XP: 975713
and Server 2003; if an application (32-bit), 975713
such as a Web browser passes
(64-bit)
specially crafted data to the
2003: 975713
ShellExecute API function through (32-bit), 975713
the Windows Shell Handler. An
(64-bit), 975713
attacker who successfully exploited (Itanium)
this vulnerability could take complete
(CVE 2010-0027)
Microsoft Hyper-V Server Denial of Fixes a remote denial of service
2008: 977894
Service Vulnerability
vulnerability in Windows Server
(64-bit)
2008 Hyper-V and Windows
2008 R2:
Server 2008 R2 Hyper-V. The
977894 (64-bit)
vulnerability could allow denial of
service if a malformed sequence of
machine instructions is run by an
authenticated user in one of the
guest virtual machines hosted by
the Hyper-V server. (CVE
2010-0026)
103
10-001
10-005
10-013
10-007
10-010
Multiple vulnerabilities (MS10-012) Fixes 4 vulnerabilities announced in
Microsoft bulletin MS10-012, the
remote code execution. The
vulnerabilities are due to weak
entropy used in encryption, bounds
checking on path names, and null
pointers. (CVE 2010-0020 CVE
2010-0021 CVE 2010-0022 CVE
2010-0231)
2000 (all
10-012
versions):
971468
XP: 971468
2003 (all
versions):
971468
Vista (all
versions):
971468
Windows 7 (all
versions):
971468
2008 (all
versions):
971468
Multiple vulnerabilities (MS10-009) Fixes 4 vulnerabilities announced in Vista (all
10-009
versions):
971468
2008 (all
2010-0239 CVE 2010-0240 CVE
versions):
2010-0241 CVE 2010-0242)
971468
Multiple Data Analyzer ActiveX
Fixes multiple vulnerabilities in
ActiveX:978262 10-008
Control vulnerabilities
Windows Data Analyzer ActiveX
Control that could allow an attacker
to execute arbitrary code. (CVE
2010-0252)
Windows SMB Client vulnerabilities Fixes vulnerabilities which could
2000: 978251
10-006
allow remote code execution when XP: 978251,
a user initiates an SMB connection 978251 (64-bit)
with a malicious server. (CVE
2003: 978251,
2010-0016 CVE 2010-0017)
978251 (64-bit)
Vista: 978251,
978251 (64-bit)
Windows 7:
978251, 978251
(64-bit)
2008: 978251,
978251 (64-bit)
CSRSS Local Privilege Elevation
Fixes a vulnerability in Client
2000: 978037
10-011
/Server Run-time Subsystem
XP: 978037,
(CSRSS). (CVE 2010-0023)
978037 (64-bit)
2003: 978037,
978037 (64-bit)
Vulnerability in Windows CSRSS
XP:2476687
11-010
could Allow Elevation of Privilege. XP:2476687
(CVE 2011-0030)
(64-bit)
2003:2476687
2003:2476687
(64-bit)
XP:2620712
11-097
(CVE 2011-3408)
(64-bit)
2003:2620712
104
Movie Maker and Producer Buffer
Overflow vulnerability
Vulnerability in Windows Movie
Maker Could Allow Remote Code
Execution
2003:2620712
(64-bit)
Vista:2620712
Vista:2620712
(64-bit)
2008:2620712
2008:2620712
(64-bit)
Windows
7:2620712
Windows
7:2620712 (64-bit)
2008
R2:2620712
(64-bit)
XP:2507938
11-056
(CVE 2011-1281 CVE 2011-1282 (64-bit)
CVE 2011-1283 CVE 2011-1284
2003:2507938
CVE 2011-1870)
2003:2507938
(64-bit)
Vista:2507938
Vista:2507938
(64-bit)
2008:2507938
2008:2507938
(64-bit)
Windows
7:2507938
Windows
7:2507938 (64-bit)
2008
R2:2507938
(64-bit)
XP: 975561
10-016
allow remote code execution when (32-bit), 975561
a user opens a specially crafted
(64-bit)
Movie Maker or Microsoft Producer Vista: 975561
project file. An attacker could exploit (32-bit)(MM 2.6),
this vulnerability to take complete
975561
control of the affected system.
(32-bit)(MM 6.0),
(CVE 2010-0265)
975561
(64-bit)(MM 2.6)
975561
(64-bit)(MM 6.0)
Windows 7:
975561 (32-bit),
975561 (64-bit)
XP: 981997,
10-050
Movie Maker. The vulnerability
Vista:
could allow remote code execution if 981997(MM 2.6),
an attacker sent a specially crafted 981997(MM 6.0).
Movie Maker project file and
convinced the user to open the
105
specially crafted file. Users whose
accounts are configured to have
fewer user rights on the system
could be less impacted than users
who operate with administrative
user rights. (CVE 2010-2564)
Windows Media Unicast Service
transport information buffer overflow vulnerability in handling transport
information packets. (CVE
2010-0478)
Windows MPEG layer 3 codec
Fixes remote code execution
vulnerable
vulnerability in MPEG Layer-3
codecs. (CVE 2010-0480)
allow remote code execution when
a user initiates an SMB connection
with a malicious server. (CVE
2009-3676 CVE 2010-0269 CVE
2010-0270 CVE 2010-0476 CVE
2010-0477)
Windows ISATAP Component
Fixes a spoofing vulnerability which
exists in the Microsoft Windows
IPv6 stack due to the way that
Windows checks the inner packet's
IPv6 source address in a tunneled
ISATAP packet. (CVE 2010-0812)
Windows VB script vulnerable
vulnerability which exists due to the
way VB Script interacts with help
files in Internet Explorer. (CVE
106
2000: 980858
10-025
2000: 977816,
XP: 977816
(32-bit), 977816
(64-bit),
2003: 977816
(32-bit), 977816
(64-bit),
Vista: 977816
(32-bit), 977816
(64-bit),
2008: 977816
(32-bit), 977816
(64-bit)
2000: 980232
XP: 980232,
980232 (64-bit)
2003: 980232,
980232 (64-bit),
980232 (Itanium)
Vista: 980232,
980232 (64-bit)
2008: 980232,
980232 (64-bit),
980232 (Itanium)
Windows 7:
980232, 980232
(64-bit)
2008 R2:
980232 (64-bit),
980232 (Itanium)
XP: 978338,
978338 (64-bit)
2003: 978338,
978338 (64-bit),
978338 (Itanium)
Vista: 978338,
978338 (64-bit)
2008: 978338,
978338 (64-bit),
978338 (Itanium)
Apply the
appropriate patch
10-026
10-020
10-029
10-022
2010-0483)
Windows Authenticode Verification Fixes vulnerabilities which could
allow remote code execution when
a user modifies an existing signed
executable file. (CVE 2010-0486
CVE 2010-0487 )
Windows Media Player ActiveX
vulnerability
Windows kernel multiple privilege
For
Authenticode
Signature
Verification:
2000 978601
XP 978601
XP x64 978601
2003 978601
2003 x64
978601
Vista 978601
Vista x64
978601
2008 978601
2008 x64
978601
Windows 7
978601
Windows 7 x64
978601
2008 R2 x64
978601
For Cabinet
File Viewer:
2000 979309
XP 979309
XP x64 979309
2003 979309
2003 x64
979309
Vista 979309
Vista x64
979309
2008 979309
2008 x64
979309
Windows 7
979309
Windows 7 x64
979309
2008 R2 x64
979309
2000 979402
Media Player 9 series which could XP SP2
allow remote code execution. (CVE 979402
2010-0268 )
XP SP3
979402
Fixes multiple vulnerabilities which 2000 SP 4
allow authenticated users to elevate 979559
XP SP 2 &
SP 3 979559
XP x64 SP 2
979559
107
10-019
10-027
(superseded by
10-082 on XP
SP3)
10-032
(CVE 2010-0484 CVE 2010-0485
CVE 2010-1255)
Multiple ActiveX Control
vulnerabilities
2003 SP 2
979559
2003 x64 SP 2
979559
2003 SP2
Itanium 979559
Vista SP 1 &
SP 2 979559
Vista x64 SP
1 & SP 2
979559
2008 32 SP 2
979559
2008 x64 SP 2
979559
2008 Itanium
SP 2 979559
Windows 7
32-bit 979559
Windows 7
x64-based
979559
2008 R2 x64
979559
2008 R2
Itanium 979559
ActiveX:980195 10-034
Windows Data Analyzer ActiveX
Control and Internet Explorer 8
Development Tools ActiveX
2010-0252 CVE 2010-0811)
Windows Media decompression
10-033
10-033
vulnerabilities
DirectX, Windows Media Format
(KB975562
and Encoder, and Asycfilt.dll
superseded by
allowing command execution when MS13-011 on
invalid compression data in media Windows XP and
files is processed. (CVE 2010-1879 Windows Server
CVE 2010-1880)
2003)
MS10-039 fixes toStaticHTML
InfoPath 2003, 2007, and
InfoPath 2003: 10-039
Information Disclosure Vulnerability SharePoint Server 2007 have a
KB980923
vulnerability in the way
InfoPath 2007:
toStaticHTML sanitizes HTML
KB979441
content in Microsoft SharePoint.
(CVE 2010-1257)
Windows Help and Support Center The MPC:HexToNum function in
XP: KB2229593 10-042
trusted document whitelist bypass helpctr.exe in Windows Help
XP Pro x64:
and Support Center on Windows
KB2229593
XP and Windows Server 2003
2003:
does not properly handle malformed KB2229593
escape sequences, thereby allowing 2003 x64:
a remote attacker to bypass the
KB2229593
trusted documents whitelist and
2003 Itanium:
108
execute arbitrary commands if a
KB2229593
user is enticed to open a specially
crafted hcp:// URL. (CVE
2010-1885)
Canonical Display Driver vulnerable Windows 7 and Windows Server
Windows
10-043
version
2008 R2 contain an integer
7:KB2032276
overflow vulnerability in the
2008
canonical display driver that could R2:KB2032276
allow an attacker to cause a denial
of service or take complete control
of the system. (CVE 2009-3678)
Microsoft Windows Shell Remote
XP: 2286198
10-046
Code Execution Vulnerability
vulnerability exists in Windows
2003: 2286198
Shell, a component of Microsoft
Vista: 2286198
Windows. The vulnerability exists
2008: 2286198
because Windows incorrectly parses 7: 2286198
shortcuts in such a way that
2008 R2:
malicious code may be executed
2286198
when the icon of a specially crafted
shortcut is displayed. This
vulnerability is most likely to be
exploited through removable drives.
(CVE 2010-2568)
Microsoft Windows Shell Remote
XP: 2691442
12-048
vulnerability exists in Windows
2003: 2691442
Shell, a component of Microsoft
Vista: 2691442
Windows. The vulnerability exists
2008: 2691442
because Windows incorrectly
7: 2691442
handles files and directories with
2008 R2:
specially crafted names. Attackers 2691442
can use this vulnerability to gain
complete control of the system if a
user is logged on with administrative
user rights. (CVE 2012-0175)
Over-the-network SMB packet
Fixes 3 vulnerabilities announced in XP: 982214
10-054
vulnerabilities in Windows
2003: 982214
Vista: 982214
2008: 982214
2010-2550 CVE 2010-2551 CVE
7: 982214
2010-2552)
2008 R2:
982214
Windows cinepak codec
Fixes a vulnerability in windows
XP: 982665
10-055
decompression vulnerability
cinepak codec triggered by a user (32-bit) 982665
opening a malformed media file.
(64-bit)
(CVE 2010-2553)
Vista: 982665
(32-bit) 982665
(64-bit)
7: 982665 (32-bit)
982665 (64-bit)
TCP/IP authenticated user
Fixes 2 vulnerabilities announced in Vista: 978886
10-058
privilege escalation or
Microsoft bulletin MS10-058. (CVE 2008: 978886
unauthenticated denial of service
2010-1892 CVE 2010-1893)
7: 978886
2008 R2:
978886
109
Windows MPEG Layer-3 Audio
Decoder Buffer Overflow
Vulnerability
XP: 2115168
vulnerability exists in the way that (32-bit), 2115168
Microsoft DirectShow MP3 filter
(64-bit)
handles supported format files. An 2003: 2115168
this vulnerability could gain the
(64-bit)
same user rights as the local user.
Users whose accounts are
configured to have fewer user rights
on the system could be less
impacted than users who operate
with administrative user rights.
(CVE 2010-1882)
Windows Tracing Feature for
Fixes a vulnerability in the Windows Vista: 982799
Services
Tracing Feature for Services
2008: 982799
feature which allowed for local code 7: 982799
execution. A local user account is 2008 R2:
required. (CVE 2010-2554, CVE
982799
2010-2555)
Windows kernel vulnerable version Fixes multiple vulnerabilities which XP: KB2393802
allow authenticated users to elevate 2003:
KB2393802
Vista:
KB2393802
2008:
(CVE 2010-0232 CVE 2010-0233 KB2393802
CVE 2010-0234 CVE 2010-0235
Windows 7:
CVE 2010-0236 CVE 2010-0237
KB2393802
CVE 2010-0238 CVE 2010-0481
CVE 2010-0481 CVE 2010-0482
CVE 2010-0810)
Fixes three vulnerabilities in the
Windows kernel. A data initialization
bug may be exploited when
creating new threads. A double free
error may be exploited during error
handling. These two vulnerabilities
may allow a local attacker to
execute arbitrary code in kernel
mode. A kernel object ACL
validation routine lacks sufficient
sanity checking, which may allow a
local attacker to cause the system
to reboot or become unresponsive.
(CVE 2010-1888 CVE 2010-1889
CVE 2010-1890)
Also fixes vulnerabilities which could
allow elevation of privilege if an
attacker logged on locally and ran a
specially crafted application. An
locally to exploit these vulnerabilities.
110
10-052
10-059
10-021
10-047
11-011
(CVE 2010-4398 CVE 2011-0045)
Fixes multiple vulnerabilities which
allow authenticated users to elevate
privileges on Windows XP,
Windows Server 2003, Windows
Vista, Windows Server 2008,
Windows Server 2008 R2, and
Windows 7. (CVE 2010-1887
CVE 2010-1894 CVE 2010-1895
CVE 2010-1896 CVE 2010-1897)
XP 2160329
10-048
XP x64
2160329
2003 2160329
2003 x64
2160329
2003 Itanium
2160329
Vista 2160329
Vista x64
2160329
2008 2160329
2008 x64
2160329
2008 Itanium
2160329
Windows 7
2160329
Windows 7 x64
2160329
2008 R2 x64
2160329
2008 R2
Itanium 2160329
TAPI 982316
2264072
Microsoft Windows Service Isolation Fixed a vulnerability which
Bypass Local Privilege Escalation leverages the Windows Service
Isolation feature to gain elevation of
privilege. (CVE 2010-1886)
Microsoft Windows Insecure Library A remote attacker could execute
Disable loading of 2269637
Loading vulnerability
DLL preloading attacks through an libraries from
SMB share or WebDAV.
WebDAV and
remote network
shares as
described in
Microsoft KB
2264107.
WordPad Word 97 Text Converter Fixes a vulnerability in
XP 2259922
10-067
Memory Corruption Vulnerability
mswrd8.wpc which could allow
XP x64
2259922
2010-2563)
2003 2259922
2003 x64
2259922
Print Spooler Service remote code Fixes a remote code execution
XP 975558
10-061
vulnerability that exists due to the
XP x64 975558
way the Print Spooler Service
2003 975558
handles data sent over RPC calls. 2003 x64
(CVE 2010-2729)
975558
Vista 975558
Vista x64
975558
2008 975558
2008 x64
975558
111
MPEG 4 remote code execution
vulnerability
Active Directory LDAP LSASS
privilege elevation vulnerability
Windows RPC Memory Corruption
vulnerability
Uniscribe Font Parsing Engine
Memory Corruption
7 975558
7 x64 975558
2008 R2
975558
XP 975558
vulnerability that exists due to the
XP x64 975558
way the MPEG-4 codec handles
2003 975558
supported format files. (CVE
2003 x64
2010-0818)
975558
Vista 975558
Vista x64
975558
2008 975558
2008 x64
975558
Fixes a remote authenticated
ADAM Client
privilege elevation vulnerability that Patches
exists due to a heap overflow in
XP 982000
the handling of LDAP messages in 2003 982000
the LSASS service. (CVE
2003 x64
2010-0820)
982000
Active
Directory
Patches
2003 981550
2003 x64
981550
2003 Itanium
981550
Vista 981550
Vista x64
981550
2008 981550
2008 x64
981550
7 981550
7 x64 981550
2008 R2 x64
981550
An unauthenticated remote code
XP: 982802
execution vulnerability exists in the (32-bit), 982802
way that the Remote Procedure
(64-bit)
Call (RPC) client implementation
2003: 982802
allocates memory when parsing
(32-bit), 982802
specially crafted RPC responses.
(64-bit), 982802
An attacker who successfully
(Itanium)
exploited this vulnerability could
execute arbitrary code and take
complete control of an affected
system. (CVE 2010-2567)
Fixes a memory corruption
XP: 981322
vulnerability that exists because
(32-bit), 981322
Windows and Office incorrectly
(64-bit)
parse specific font types. The
2003: 981322
112
10-062
10-068
10-066
10-063
vulnerability could allow remote
specially crafted document or Web
page with an application that
supports embedded OpenType
fonts. (CVE 2010-2738)
(32-bit), 981322
(64-bit), 981322
(Itanium)
Vista: 981322
(32-bit), 981322
(64-bit)
2008: 981322
(32-bit), 981322
(64-bit), 981322
(Itanium)
Office XP:
2288608
Office 2003:
2288613
2007 Office
Suite: 2288621
Windows MFC Document Title
Fixes a vulnerability in the Windows XP: 2387149
10-074
Update vulnerability
MFC libraries which could allow
(32-bit), 2387149
remote code execution if an
(64-bit)
attacker is able to control the title of 2003: 2387149
an application written using the
(32-bit), 2387149
Microsoft Foundation Class (MFC) (64-bit)
Library. (CVE 2010-3227)
Vista: 2387149
(32-bit), 2387149
(64-bit)
2008: 2387149
(32-bit), 2387149
(64-bit)
7: 2387149
(32-bit), 2387149
(64-bit)
2008 R2:
2387149 (64-bit)
Windows Media Player Network
Vista 2281679, 10-075
Sharing Service vulnerability
Media Player Network Sharing
2281679 (64-bit)
Service which could allow remote
Windows 7
code execution if an attacker sends 2281679,
a specially crafted RTSP packet to 2281679 (64-bit)
an affected system. (CVE
2010-3225)
Embedded OpenType Font Engine Fixes a vulnerability in Windows
XP: 982132
10-076
vulnerability
(32-bit), 982132
execution if an attacker gets a user (64-bit)
to open a document containing a
2003: 982132
malicious embedded open-type font. (32-bit), 982132
(CVE 2010-1883)
(64-bit)
Vista: 982132
(32-bit), 982132
(64-bit)
2008: 982132
(32-bit), 982132
(64-bit)
7: 982132
(32-bit), 982132
113
Windows Common Control Library
SVG vulnerability
Windows LPC Elevation of
Privilege vulnerability
Microsoft Windows JIT remote
code execution vulnerability
Windows SChannel Denial of
Service vulnerability
Vulnerability in windows shared
cluster disks
Elevation of Privilege Vulnerability
in SharePoint Foundation 2010
(64-bit)
2008 R2:
982132 (64-bit)
XP: 2296011
10-081
(32-bit), 2296011
execution if an attacker gets a user (64-bit)
to open a document containing a
2003: 2296011
malicious Scalable Vector Graphic (32-bit), 2296011
image using a variety of third-party (64-bit)
image viewers or editors. (CVE
Vista: 2296011
2010-2746)
(32-bit), 2296011
(64-bit)
2008: 2296011
(32-bit), 2296011
(64-bit)
7: 2296011
(32-bit), 2296011
(64-bit)
2008 R2:
2296011 (64-bit)
Fixes a vulnerability that could allow XP: 2360937,
10-084
elevation of privilege if an attacker 2360937 (64-bit)
logs on to an affected system and 2003: 2360937,
runs specially crafted code that
2360937 (64-bit),
sends an LPC message to the
2360937 (Itanium)
local LRPC Server. (CVE
2010-3222)
All: KB 2160841 10-077
Windows x64 .NET 4 framework
that could allow arbitrary code
Fixes a vulnerability in the Secure Vista: 2207566, 10-085
Channel (SChannel) security
2207566 (64-bit)
package in Windows which could
2008: 2207566,
allow denial of service if an affected 2207566 (64-bit),
Internet Information Services (IIS) 2207566 (Itanium)
server hosting a Secure Sockets
Windows 7:
Layer (SSL)-enabled web site
2207566,
receives a specially crafted packet 2207566 (64-bit)
message. (CVE 2010-3229)
2008 R2:
2207566 (64-bit),
2207566 (Itanium)
Fixes a vulnerability in windows
2008 R2:
10-086
shared cluster disks due to incorrect 2294255 (64-bit),
permission handling that could allow 2294255 (Itanium)
unauthorized users to read, write,
and delete administrative shares on
a failover cluster disk. (CVE
2010-3223)
Fixes multiple elevation of privilege SharePoint
13-024
vulnerabilities caused due to an
Foundation
error in the way the user input is
2010: 2687418
parsed. (CVE 2013-0080, CVE
2013-0084, CVE 2013-0085)
114
SharePoint, Groove and Sharepoint This update resolves multiple
Microsoft
10-072
Services multiple Vulnerabilities
Information Disclosure vulnerabilities Windows
in Microsoft SharePoint and
SharePoint
Windows SharePoint Services. The Services 3.0
vulnerability can be triggered if an SP2:
attacker submits a specially crafted 2345304 (32 Bit)
script to a target site that uses
or 2345304 (64
SafeHTML. (CVE 2010-3243,
Bit)
CVE 2010-3324)
Microsoft Office
SharePoint
Server 2007
SP2:
2345212 (32 Bit)
or 2345212 (64
Bit)
Microsoft
SharePoint
Foundation
2010:
2345322
Microsoft
Groove Server
2010:
2346298
Microsoft Office
Web Apps:
2346411
Fixes multiple vulnerabilities which XP: 981957
10-073
allow authenticated users to elevate (32-bit), 981957
privileges on Windows XP,
(64-bit)
Windows Server 2003, Windows
2003: 981957
Vista, Windows Server 2008,
(32-bit), 981957
Windows Server 2008 R2, and
(64-bit), 981957
Windows 7. (CVE 2010-2549
(Itanium)
CVE 2010-2743 CVE 2010-2744) Vista: 981957
(32-bit), 981957
(64-bit)
2008: 981957
(32-bit), 981957
(64-bit), 981957
(Itanium)
Win 7: 981957
(32-bit), 981957
(64-bit)
2008 R2:
981957 (64-bit),
981957 (Itanium)
Windows Shell validation
Fixes a vulnerability in a way
Vista: 979688
10-083
vulnerability
Windows Shell validate COM object (32-bit), 979688
instantiation. (CVE 2010-1263)
(64-bit)
2008: 979688
(32-bit), 979688
(64-bit), 979688
115
Windows Wordpad COM validation Fixes a vulnerability in a way
vulnerability
WordPad validate COM object
instantiation. (CVE 2010-1263)
Memory Corruption Vulnerability in Fixes a memory corruption
Windows Media Player 9.x, 10.x,
vulnerability in Windows Media
11.x
Player (WMP). The vulnerability can
be triggered if an attacker is able to
entice their victim into opening
specially crafted media content from
a malicious web site. A successful
attack would result in the attacker
executing code in the context of the
logged in user. (CVE 2010-2745)
116
(Itanium)
Win 7: 979688
(32-bit, 979688
(64-bit)
2008 R2:
979688 (64-bit),
979688 (Itanium))
XP: 979687
10-083
(32-bit), 979687
(64-bit)
2003: 979687
(32-bit), 979687
(64-bit), 979687
(Itanium)
Vista: 979687
(32-bit), 979687
(64-bit)
2008: 979687
(32-bit), 979687
(64-bit), 979687
(Itanium)
Win 7: 979687
(32-bit), 979687
(64-bit)
2008 R2:
979687 (64-bit),
979687 (Itanium)
XP: 2378111
10-082
(WMP 9, 10 or
11)
XP 64-bit:
2378111 (WMP
10) or 2378111
(WMP 11)
2003 SP2:
2346411 (WMP
10)
2003 SP2
64-bit: 2346411
(WMP 10)
Vista SP1 and
SP2: 2346411
(WMP 11)
Vista SP1 and
SP2 64-bit:
2346411 (WMP
11)
2008 and SP2:
2346411 (WMP
11)
2008 and SP2
64-bit: 2346411
(WMP 11)
7: 2346411
(WMP 12)
7 64-bit:
2346411 (WMP
12)
2008 R2 64-bit:
2346411 (WMP
12)
Forefront Unified Access Gateway Fixes several cross-site scripting
UAG 2010:
Cross-Site Scripting
vulnerabilities and one redirection KB2433585
spoofing vulnerability in Forefront
UAG 2010
Unified Access Gateway (UAG).
Update 1:
The vulnerability may be triggered KB2433584
if an attacker is able to entice their UAG 2010
victim into clicking a specially crafted Update 2:
link. A successful attack would result KB2418933
in the attacker making requests to
the UAG server in the context of
the victim's logged in session.
(CVE 2010-2732) (CVE 2010-2733)
(CVE 2010-2734) (CVE 2010-3936)
Windows kernel NDProxy privilege Fixes a buffer overflow vulnerability XP: 2440591
which could allow privilege elevation 2003: 2440591
when a local user runs a specially
crafted application. (CVE
2010-3963)
Fixes multiple vulnerabilities which XP:KB2567053
elevation vulnerabilities fixed by
could allow privilege elevation and 2003:KB256705
MS11-077
this vulnerability could allow an
3
attacker to run arbitrary code in
Vista:KB256705
kernel mode, then install programs; 3
2008:KB256705
create new accounts with full
3
administrative rights. (CVE
Win
2011-1874, CVE 2011-1875, CVE 7:KB2567053
2011-1876, CVE 2011-1877, CVE
2011-1878, CVE 2011-1879, CVE
2011-1880, CVE 2011-1881, CVE
2011-1882, CVE 2011-1883, CVE
2011-1884, CVE 2011-1885, CVE
2011-1886, CVE 2011-1887, CVE
2011-1888, CVE 2011-1985, CVE
2011-2002, CVE 2011-2003, CVE
2011-2011.)
Fixes multiple vulnerabilities which XP: 2436673
elevation vulnerabilities fixed by
could allow privilege elevation when 2003: 2436673
MS10-098
a local user runs a specially crafted Vista: 2436673
application. (CVE 2010-3939, CVE 2008: 2436673
2010-3940, CVE 2010-3941, CVE 7: 2436673
2010-3942, CVE 2010-3943, CVE 2008 R2:
2010-3944)
2436673
Windows Movie Maker insecure
Vista: 2424434
library loading vulnerability
user loads a document from an
untrusted remote location. (CVE
117
10-089
10-099
11-054
11-077
10-098
10-093
2010-3967)
Windows Live DLL Injection
Fixes a local DLL injection
Vulnerability
vulnerability in the Webio.dll that is
used by many Windows Live
applications, as well as other
Microsoft applications. This
vulnerability may be exploited to
allow a remote attacker to trick a
user into opening a file opened by
the vulnerable applications. If the
file is located on a Windows file
share or a WebDAV HTTP file
share, the attacker can overwrite
libraries that the application
dynamically loads at run time with a
payload of their choosing. (CVE
2010-3966)
Windows Consent UI Impersonation Fixes a privilege elevation
vulnerability
vulnerability which allows an
authenticated user with
SeImpersonatePrivilege to execute
code with LocalSystem privilege.
(CVE 2010-3961)
Windows Task Scheduler Privilege Windows Task Scheduler does not
Elevation Vulnerability
validate whether or not scheduled
tasks run within the intended
security context properly. An
attacker could run arbitrary code
with system privileges. (CVE
2010-3338)
Windows Media Encoder insecure
library loading vulnerability
user loads a .prx file located in the
same network directory as a
specially crafted DLL. (CVE
2010-3965)
Insecure Library Loading in
Fixes a vulnerability that could allow
Internet Connection Signup Wizard remote code execution if a user
Could Allow Remote Code
opens an .ins or .isp file
Execution
located in the same network folder
as a specially crafted library file.
For an attack to be successful, a
user must visit an untrusted remote
file system location or WebDAV
share and open a document from
this location that is then loaded by
a vulnerable application. (CVE
2010-3144)
Hyper-V Authenticated DOS
Multiple denial of service
Vulnerabilities
vulnerabilities exist in the Hyper-V
118
7: KB2385678
2008 R2 64-bit
KB2385678
10-095
Vista: 2442962
2008: 2442962
7: 2442962
2008R2:
2442962
10-100
Vista: 2305420
Vista 64-bit:
2305420
2008: 2305420
2008 64-bit:
2305420
2008 R2:
2305420
7: 2305420
7 64-bit:
2305420
XP: 2447961
2003: 2447961
Vista: 2447961
2008: 2447961
10-092
10-094
XP: KB2443105 10-097
2003:
KB2443105
2008 64-bit:
2525835
10-102
11-047
Netlogon RPC Denial of Service
OpenType Font format driver
Microsoft Graphics Rendering
Engine Thumbnail Image Stack
Buffer Overflow
Backup Manager Insecure Library
Loading Vulnerability
server that can be exploited by
R2: 2525835
sending a crafted packet to the
VMBus. Sending such a packet
requires the attacker to already be
authenticated to a guest virtual
machine. (CVE 2010-3960) (CVE
2011-1872)
A remote authenticated denial of
2003: 2207559
service vulnerability exists in
(32-bit), 2207559
implementations of the Netlogon
(64-bit), 2207559
RPC Service on affected versions (Itanium)
of Windows Server. An attacker
2008: 2207559
who successfully exploited this
(32-bit), 2207559
vulnerability could cause affected
(64-bit)
versions of the Windows Server to 2008 R2:
restart. Only Windows Servers that 2207559 (64-bit)
are configured as domain controllers
and host the Netlogon service are
affected by this vulnerability. (CVE
2010-2742)
Fixes three vulnerabilities which
XP: KB2485376
could allow remote command
2003:
execution on Windows Vista, 2008, KB2485376
and 7, and privilege elevation on
Vista:
earlier operating systems. (CVE
KB2485376
2010-3956 CVE 2010-3957 CVE
2008:
2010-3959)
KB2485376
Also fixes a vulnerability in the
Windows 7:
Windows OpenType Compact Font KB2485376
Format (CFF) driver. The
code execution if a user views
content rendered in a specially
crafted CFF font. (CVE 2011-0033)
Fixes a vulnerability in the Windows XP: 2483185
Graphics Rendering Engine. An
(32-bit), 2483185
attacker who successfully exploited (64-bit)
this vulnerability could run arbitrary 2003: 2483185
code in the security context of the (32-bit), 2483185
logged-on user. (CVE 2010-3970) (64-bit), 2483185
(Itanium)
Vista: 2483185
(32-bit), 2483185
(64-bit)
2008: 2483185
(32-bit), 2483185
(64-bit), 2483185
(Itanium)
Vista: 2478935
vulnerability in the Microsoft
(32 bit), 2478935
Windows Backup Manager. An
(64 bit)
attacker who successfully exploited
control of an affected system and
119
10-101
10-091
11-007
11-006
11-001
Vulnerabilities in Windows
Kernel-Mode Drivers Could Allow
Windows SMB Server Transaction
Vulnerability
could then install programs; view,
new accounts with full user rights.
(CVE 2010-3145)
XP: KB2506223 11-034
2003:
11-012
attacker logged on locally and ran a KB2506223
Vista:
KB2506223
2008:
locally to exploit these vulnerabilities.KB2506223
(CVE 2011-0662 CVE 2011-0665 Windows 7:
CVE 2011-0666 CVE 2011-0667
KB2506223
CVE 2011-0670 CVE 2011-0671
CVE 2011-0672 CVE 2011-0673
CVE 2011-0674 CVE 2011-0675
CVE 2011-0676 CVE 2011-0677
CVE 2011-1225 CVE 2011-1226
CVE 2011-1227 CVE 2011-1228
CVE 2011-1229 CVE 2011-1230
CVE 2011-1231 CVE 2011-1232
CVE 2011-1233 CVE 2011-1234
CVE 2011-1235 CVE 2011-1236
CVE 2011-1237 CVE 2011-1238
CVE 2011-1239 CVE 2011-1240
CVE 2011-1241 CVE 2011-1242)
Also fixes five vulnerabilities which
could allow elevation of privileges if
an attacker logged on locally and
was able to execute a specially
crafted program. (CVE 2011-0086
CVE 2011-0087 CVE 2011-0088
CVE 2011-0089 CVE 2011-0090)
Fixes multiple vulnerabilities in SMB XP: 2508429
11-020
server and SMB client which could (32-bit), 2508429
allow remote code execution. (CVE (64-bit)
2011-0661)
2003: 2508429
(32-bit), 2508429
(64-bit),
Vista: 2508429
(32-bit), 2508429
(64-bit),
2008: 2508429
(32-bit), 2508429
(64-bit),
Windows 7:
2508429 (32-bit),
2508429 (64-bit),
Windows 7
SP1: 2508429
(32-bit), 2508429
(64-bit),
2008 R2:
2508429 (64-bit),
120
2008 R2 SP1:
2508429 (64-bit)
Microsoft Data Access Component Fixes two vulnerabilities which could XP: 2419632
remote code execution (MS11-002) allow remote execution in the way it (32-bit), 2419632
validates third-party API usage and (64-bit)
memory allocation. (CVE
2003: 2419635
2011-0026 CVE 2011-0027)
(32-bit), 2419635
(64-bit),
Vista: 2419640
(32-bit), 2419640
(64-bit),
2008: 2419640
(32-bit), 2419640
(64-bit),
Windows 7:
2419640 (32-bit),
2419640 (64-bit),
2008 R2:
2419640 (64-bit)
Windows DNS Resolution
Fixes a vulnerability in the DNS
XP: 2509553
Vulnerability
client which could allow remote code (32-bit), 2509553
execution if an attacker is able to
(64-bit)
deliver specially crafted LLMNR
2003: 2509553
broadcast packets to the target
(32-bit), 2509553
system. (CVE 2011-0657)
(64-bit),
Vista: 2509553
(32-bit), 2509553
(64-bit),
2008: 2509553
(32-bit), 2509553
(64-bit),
Windows 7:
2509553 (32-bit),
2509553 (64-bit),
2008 R2 SP1:
2509553 (64-bit)
Windows Active Directory SPN
2003: 2478953
validation denial of service
allow an administrator on a
computer in the domain to
downgrade the target from
Kerberos to NTLM, possibly
leading to a denial of service.
(CVE 2011-0040)
Windows LSASS length validation Fixes a privilege elevation
XP: 2478960
vulnerability
2003: 2478960
authenticated user to take complete
2011-0039)
Vulnerabilities in DirectShow and
XP: 2502898
vulnerabilities in DirectShow and
(Windows XP
Windows Media Player. (CVE
Media Center
2011-0032 CVE 2011-0042)
Edition 2005),
2479943 (32-bit),
2479943 (Pro
121
11-002
11-030
11-005
11-014
11-015
Vulnerabilities in Windows Media
Center TV Pack
JScript and VBScript information
disclosure vulnerability
vulnerabilities in Windows Media
Center TV Pack. (CVE 2011-0032
CVE 2011-0042)
Fixes an information disclosure
vulnerability due to a memory
corruption error. (CVE 2011-0031)
Windows Remote Desktop Insecure Fixes a vulnerability which could
Library Loading Vulnerability
user opens a legitimate Remote
Desktop configuration (.rdp) file
located in the same network folder
as a specially crafted library file.
(CVE 2011-0029)
Windows MHTML Script Injection
Vulnerability
allow an attacker to run
MIME-formated MHTML requests
in the wrong security context. This
may result in an information
disclosure, similar to a cross-site
scripting attack. (CVE 2011-0096)
122
64-bit)
Vista: 2479943
(32-bit), 2479943
(64-bit)
Win 7: 2479943
(32-bit), 2479943
(64-bit)
2008 R2:
2479943 (64-bit)
Vista: 2494132 11-015
(32-bit), 2494132
(64-bit)
Win 7: 2475792 11-009
(32-bit) 2475792
(64-bit)
2008 R2:
2475792
XP: 2483618
970927
(32-bit 5.2),
2481109 (32-bit
6.1), 2481109
(64-bit 6.0),
2483614 (32-bit
7.0)
2003: 2481109
(32-bit) 6.0,
2481109 (64-bit)
6.0
Vista: 2481109
(32-bit) 6.1,
2481109 (64-bit)
6.1, 2483614
(32-bit) 7.0,
2483614 (64-bit)
7.0
2008: 2481109
(32-bit) 6.1,
2481109 (64-bit)
6.1
Win 7: 2483614
(32-bit) 7.0,
2483614 (64-bit)
7.0
2008 R2:
2483614 (64-bit)
7.0
XP:2503658
11-026
(32-bit), 2503658
(64-bit)
2003:2503658
(32-bit), 2503658
(64-bit)
Vista:2503658
(32-bit), 2503658
(64-bit)
2008:2503658
(32-bit), 2503658
(64-bit)
Win 7:2503658
(32-bit), 2503658
(64-bit)
2008
R2:2503658
(64-bit)
ActiveX:KB250 11-027
8272
vulnerabilities
WMITools ActiveX Control,
Internet Explorer 8 Development
Tools ActiveX Control, and
Windows Messenger ActiveX
2010-0811 CVE 2010-3973 CVE
2011-1243)
Windows Fax Cover Page Remote Fixes a vulnerability in Windows
XP
11-024
Fax Cover Page Editor which
32-bit:2491683
(MS11-024)
improperly parses malformed cover and 2506212
pages. Successful exploitation could XP
give the attacker the same
64-bit:2491683
privileges as the logged on user.
and 2506212
(CVE 2010-3974 CVE 2010-4701) 2003
32-bit:2491683
and 2506212
2003
64-bit:2491683
and 2506212
Vista
32-bit:2491683
and 2506212
Vista
64-bit:2491683
and 2506212
2008
32-bit:2491683
and 2506212
2008
64-bit:2491683
and 2506212
Windows 7
32-bit:2491683
and 2506212
Windows 7
64-bit:2491683
and 2506212
2008
R2:2491683 and
2506212
123
Windows GDI+ Integer Overflow
allow remote code execution if the
user opens a specially crafted
Windows Enhanced Metafile (EMF)
image file. (CVE 2011-0041)
XP: 2412687,
11-029
2412687 (64-bit)
2003: 2412687,
2412687 (64-bit)
Vista: 2412687,
2412687 (64-bit)
2008: 2412687,
2412687 (64-bit)
XP: 2511455,
11-019
allow remote code execution if an 2511455 (64-bit)
attacker sent a specially crafted
2003: 2511455,
SMB response to a client-initiated 2511455 (64-bit)
SMB request. To exploit these
Vista: 2511455,
vulnerabilities, an attacker must
2511455 (64-bit)
convince the user to initiate an
2008: 2511455,
SMB connection to a specially
2511455 (64-bit)
crafted SMB server. (CVE
Windows 7:
2011-0654 CVE 2011-0660)
2511455,
2511455 (64-bit)
2008 R2:
2511455 (64-bit)
WordPad Text Converter
XP 2485663,
11-033
Vulnerability
2485663 (64-bit)
user opens a specially crafted Word 2003 2485663,
file that includes a malformed
2485663 (64-bit)
structure. An attacker could then
install programs; view, change, or
delete data; or create new accounts
with full user rights. (CVE
2011-0028)
Windows OpenType CFF
XP 2507618,
11-032
vulnerability
allow remote code execution in the 2507618 (64-bit)
way that the OpenType Font
2003 2507618,
(OTF) driver improperly parses
2507618 (64-bit)
specially crafted OpenType fonts. Vista: 2507618,
An attacker could then install
2507618 (64-bit)
programs; view, change, or delete 2008: 2507618,
data; or create new accounts with 2507618 (64-bit)
full user rights. (CVE 2011-0034)
Windows 7:
2507618,
2507618 (64-bit)
2008 R2:
2507618 (64-bit)
Ancillary Function Driver
Fixes a vulnerability in the Microsoft XP 2503665,
11-046
Windows Ancillary Function Driver 2503665 (64-bit)
(AFD). A local user with valid login 2003 2503665,
credentials could exploit this
2503665 (64-bit)
vulnerability to elevate privileges by Vista 2503665,
executing a specially crafted
2503665 (64-bit)
application. (CVE 2011-1249)
2008 2503665,
2503665 (64-bit)
Windows 7:
2503665,
2503665 (64-bit)
124
2008 R2:
2503665 (64-bit)
Fixes a vulnerability in the Microsoft XP 2592799,
11-080
Windows Ancillary Function Driver 2592799 (64-bit)
(AFD). A local user with valid login 2003 2592799,
credentials could exploit this
2592799 (64-bit)
vulnerability to elevate privileges by
executing a specially crafted
Fixes two vulnerabilities in Microsoft XP x64
12-009
Windows. The vulnerabilities could Edition:KB2645
640
attacker logs on to a user's system 2003:KB264564
and runs a specially crafted
0
application. An attacker must have 2003 x64
valid logon credentials and be able Edition:KB2645
to log on locally to exploit the
640
Vista x64
CVE 2012-0149)
Edition:KB2645
640
2008:KB264564
0
Windows
7:KB2645640
2008
R2:KB2645640
Windows SMB Server vulnerability Fixes a vulnerability which could
Vista 2536275, 11-048
allow remote denial of service
2536275 (64-bit)
attacks from an unauthenticated
2008 2536275,
user. (CVE 2011-1267)
2536275 (64-bit)
Windows 7:
2536275,
2536275 (64-bit)
2008 R2:
2536275 (64-bit)
Windows Distributed File System
XP: (32-bit),
11-042
vulnerabilities
allow remote denial of service and (64-bit)
remote code execution attacks from 2003: (32-bit),
an unauthenticated user. (CVE
(64-bit)
2011-1868 CVE 2011-1869)
Vista: (32-bit),
(64-bit)
2008: (32-bit),
(64-bit)
Windows 7:
(32-bit), (64-bit)
2008 R2:
(64-bit)
Active Directory Certificate Services A reflective cross-site scripting
2003: 2518295 11-051
Web Enrollment Vulnerability
vulnerability may allow an attacker 2008: 2518295
to execute scripts under the context 2008 R2:
of a user's Internet Explorer client. 2518295
This may allow an attacker to steal
session data or perform a phishing
attack. (CVE 2011-1264)
125
Windows Kernel-Mode drivers
XP: (64-bit),
11-041
remote code execution vulnerability allow remote code execution attacks 2003: (64-bit),
by enticing a user to visit a
Vista: (64-bit),
specially crafted web page. (CVE
2008: (64-bit),
2011-1873)
Windows 7:
(64-bit),
2008 R2: (64-bit)
Forefront Threat Management
Forefront
11-040
Gateway Vulnerability
allow remote code execution if an TMG:
attacker leveraged a client computer KB2520426
to make specific requests on a
system where the Threat
Management Gateway (TMG) firewall
client is used. (CVE 2011-1889)
XP: 2536276,
11-043
allow remote code execution if an 2536276 (64-bit)
attacker sent a specially crafted
2003: 2536276,
SMB response to a client-initiated 2536276 (64-bit)
SMB request. To exploit these
2536276 (Itanium)
vulnerabilities, an attacker must
Vista: 2536276,
convince the user to initiate an
2536276 (64-bit)
SMB connection to a specially
2008: 2536276,
crafted SMB server. (CVE
2536276 (64-bit)
2011-1268)
2536276 (Itanium)
Windows 7:
2536276,
2536276 (64-bit)
2008 R2:
2536276 (64-bit)
2008 R2:
2536276 (Itanium)
MHTML Mime-formatted
Fixes an information disclosure
XP 2544893,
11-037
information disclosure (MS11-037) vulnerability in the way that
2544893 (64-bit)
MHTML protocol handler interprets 2003 2544893,
MIME-formatted requests. (CVE
2544893 (64-bit)
2011-1894)
Vista 2544893,
2544893 (64-bit)
2008 2544893,
2544893 (64-bit)
Windows 7
2544893,
2544893 (64-bit)
2008 R2
2544893 (64-bit)
Windows OLE Automation
XP 2476490,
11-038
Underflow vulnerability (MS11-038) vulnerability in OLE Automation.
2476490 (64-bit)
(CVE 2011-0658)
2003 2476490,
2476490 (64-bit)
Vista 2476490,
2476490 (64-bit)
2008 2476490,
2476490 (64-bit)
Windows 7
126
2476490,
2476490 (64-bit)
2008 R2
2476490 (64-bit)
Windows CSRSS Privilege
Fixes a local privilege escalation
XP 2567680,
Escalation Vulnerability
vulnerability in the Windows Client 2567680 (64-bit)
2003 2567680,
(CSRSS). Authenticated users may 2567680 (64-bit)
be able to execute code under the Vista 2567680,
context of other users. (CVE
2567680 (64-bit)
2011-1967)
2008 2567680,
2567680 (64-bit)
Windows 7
2567680,
2567680 (64-bit)
2008 R2
2567680 (64-bit)
Elevation of Privilege Vulnerabilities Fixes a vulnerability in Remote
XP 2566454,
in Windows (MS11-062)
Access Service NDISTAPI driver.
2566454 (64-bit)
(CVE 2011-1974)
2003 2566454,
2566454 (64-bit)
Microsoft Remote Desktop Protocol If the Remote Desktop Protocol is XP 32-bit SP3
Denial of Service Vulnerability
enabled but not patched, a
2570222
(MS11-065)
maliciously-crafted sequence of
XP 64-bit SP2
RDP packets sent by a remote,
2570222
unauthenticated attacker could cause2003 32-bit
a denial of service and possibly
SP2 2570222
restart the target system. (CVE
2003 64-bit
2011-1968)
SP2 2570222
2003 Itanium
SP2 2570222
Microsoft Active Accessibility
XP: 2564958
Insecure Library Loading
Vulnerability
the Microsoft Active Accessibility
(64-bit)
component handles the loading of 2003: 2564958
DLL files. An attacker who
(32-bit), 2564958
(64-bit)
vulnerability could take complete
Vista: 2564958
(32-bit), 2564958
(CVE 2011-1247)
(64-bit)
2008: 2564958
(32-bit), 2564958
(64-bit)
Win 7: 2564958
(32-bit), 2564958
(64-bit)
2008 R2:
2564958 (64-bit)
Windows Media Center Remote
Vista: 2579692
Windows Media Center handles the (64-bit)
loading of DLL files. An attacker
127
11-063
11-062
11-065
11-075
11-076
control of an affected system. An
attacker could then install programs;
create new accounts with full user
rights. Users whose accounts are
configured to have fewer user rights
on the system could be less
impacted than users who operate
with administrative user rights.
(CVE 2011-2009)
Microsoft Data Access Component A remote code execution
Windows 7:
vulnerability exists in the way that 2560656 (32-bit),
Vulnerability
the Windows Data Access Tracing 2560656 (64-bit)
component handles the loading of 2008 R2:
DLL files. An attacker who
2560656 (64-bit)
(CVE 2011-1975)
Windows Kernel Metadata Parsing A denial of service vulnerability
Vista: 2556532
DOS Vulnerability
exists in Windows due to the way
(32-bit), 2556532
the kernel parses file meta-data
(64-bit)
when browsing to a folder. An
2008: 2556532
this vulnerability could cause the
(64-bit)
affected system to crash. (CVE
Windows 7:
2011-1971)
2556532 (32-bit),
2556532 (64-bit)
2008 R2:
2556532 (64-bit)
Windows Kernel Exception Handler A privilege elevation vulnerability
XP: 2633171
Vulnerability
exists in Windows due to the
(32-bit)
kernel's failure to initialize some
2003: 2633171
objects in memory. An attacker
(32-bit)
would have to log on locally to an
Vista: 2633171
affected system and run a specially (32-bit)
crafted application designed to
2008: 2633171
exploit the vulnerability. The
(32-bit)
vulnerability could not be exploited Windows 7:
remotely or by anonymous users.
2633171 (32-bit)
(CVE 2011-2018)
Windows IME Library Injection
An insecure library loading
XP: 2570947
Vulnerability
vulnerability exists in several
(32-bit), 2570947
Windows components. An attacker (64-bit)
may exploit this vulnerability by
2003: 2570947
placing a malicious library file (DLL) (32-bit), 2570947
in the same folder as documents
(64-bit)
with the following extensions: .txt, Vista: 2570947
.rft, .doc. (CVE 2011-1991)
(32-bit), 2570947
(64-bit)
2008: 2570947
(32-bit), 2570947
(64-bit)
Windows 7:
128
11-059
11-068
(superseded by
11-098 on 32-bit
versions of
Windows Vista,
Windows Server
2008, and
Windows 7)
11-098
11-071
Forefront Unified Access Gateway
Cross-Site Scripting and Java
Applet
Windows Active Directory LDAPS
Authentication Bypass
Vulnerability in Windows
Kernel-Mode Drivers Could cause
a Denial of Service
Windows TCP/IP Elevation of
Privilege and Firewall Bypass
Vulnerabilities (MS12-032)
2570947 (32-bit),
2570947 (64-bit)
2008 R2:
2570947 (64-bit)
Fixes several cross-site scripting
UAG 2010:
11-079
vulnerabilities and one client
2522482,
browser JAVA applet vulnerability 2522483
in Forefront Unified Access
(Update1),
Gateway (UAG). The XSS
2522484
vulnerabilities may be triggered if an (Update2),
attacker is able to entice their victim 2522485 (SP1)
into clicking a specially crafted link.
A successful attack would result in
the attacker making requests to the
UAG server in the context of the
victim's logged in session. The
JAVA applet vulnerability may
allow an attacker to compromise an
end-user's work station if they can
convince the user view a page
containing malicious content. (CVE
2011-1895) (CVE 2011-1896)
(CVE 2011-1897) (CVE 2011-1969)
(CVE 2011-2012)
XP: ADAM:
11-086
Active Directory, Active Directory
2616310,
Application Mode (ADAM), and
2616310 (64-bit)
Active Directory Lightweight
2003: AD:
Directory Service (AD LDS) that
2601626,
could allow privilege elevation if (a) 2601626 (64-bit);
Active Directory is configured to
ADAM:
use LDAP over SSL (LDAPS)
2616310,
and (b) an attacker acquires a
2616310 (64-bit)
revoked certificate that is associated Vista: AD LDS:
with a valid domain account and
2601626,
then uses that revoked certificate to 2601626 (64-bit)
authenticate to the Active Directory 2008: AD &
domain. By default, Active
AD LDS:
Directory is not configured to use
2601626,
LDAP over SSL. (CVE
2601626 (64-bit)
2011-2014)
7: AD LDS:
2601626,
2601626 (64-bit)
2008 R2: AD
& AD LDS:
2601626
KB2617657
11-084
Kernel-Mode Drivers that could
Win 7: 32-bit,
cause a denial of service when
64-bit
opening specially crafted true types 2008 R2: 64-bit,
fonts. (CVE 2011-2004)
Itanium
Fixes two vulnerabilities in Microsoft Vista:KB268833 11-064
Windows. The more severe of
8
11-083
these vulnerabilities could allow
Vista x64:
12-032
129
Microsoft Windows Mail Insecure
Library Loading Vulnerability
vulnerabilities
Windows TrueType font parsing
vulnerability
Active Directory and ADAM buffer
overflow
elevation of privilege if an attacker
logs on to a system and runs a
specially crafted application. (CVE
2012-0174 CVE 2012-0179)
Also fixes two denial of service
vulnerabilities in windows TCP/IP
stack. (CVE 2011-1871 CVE
2011-1965)
Also fixes a remote code execution
vulnerability in Windows TCP/IP
stack. (CVE 2011-2013 )
A vulnerability in Microsoft Windows
Mail and Windows Meeting Space
could permit remote code execution
using a malicious DLL library.
(CVE 2011-2016)
KB2688338
2008:KB268833
8
2008
x64:KB2688338
Windows
7:KB2688338
Windows 7
x64: KB2688338
2008 R2 x64:
KB2688338
KB2620704
Vista SP2:
32-bit, 64-bit
2008 SP2:
32-bit, 64-bit,
Itanium
Windows 7 &
SP1: 32-bit,
64-bit
2008 R2 &
SP1: 64-bit,
Itanium
Fixes multiple vulnerabilities in the KB2618451
Microsoft Time ActiveX Control
XP: 32-bit,
that could allow an attacker to gain 64-bit
the same privileges as the logged 2003: 32-bit,
on user. (CVE 2011-3397)
64-bit, Itanium
Vista: 32-bit,
64-bit
2008: 32-bit,
64-bit, Itanium
Win 7: 32-bit,
64-bit
2008 R2: 64-bit,
Itanium
KB2639417
Kernel-Mode Drivers that could
XP: 32-bit,
allow privilege elevation and this
64-bit
vulnerability could allow an attacker 2003: 32-bit,
to run arbitrary code in kernel
64-bit
mode, then install programs; view, Vista: 32-bit,
64-bit
new accounts with full administrative 2008: 32-bit,
rights. (CVE 2011-3402)
64-bit
Win 7: 32-bit,
64-bit
2008 R2: 64-bit
XP: 2626416
vulnerability which could allow
2003: 2621146
command execution by an attacker (Active Directory)
who has credentials to an Active
2003: 2626416
Directory domain. (CVE 2011-3406) (ADAM)
Vista: 2621146
130
11-085
11-090
11-087
11-095
Windows Media Player DVR-MS
File Parsing Vulnerability
Object Linking and Embedding
(OLE) Vulnerability
Windows Kernel Security Feature
Bypass Vulnerability
Microsoft Office ClickOnce
Vulnerability
Fixes an error in the DirectShow
library of Windows Media Center
and Media Player where DVR-MS
files (with the dvr-ms extension)
are improperly parsed. An attacker
could leverage this bug to corrupt
memory and gain control of
execution over the target system.
(CVE 2011-3401)
Fixes an error in the handling of
OLE objects in compound
documents. An attacker could
leverage this bug to corrupt
memory and gain control of
execution over the target system.
(CVE 2011-3400)
Windows. The vulnerability could
allow an attacker to bypass the
SafeSEH security feature in a
software application. An attacker
could then use other vulnerabilities
to leverage the structured exception
handler to run arbitrary code.
(CVE 2012-0001)
vulnerability exists in the Microsoft
Office ClickOnce embedded
application feature due to the way
Windows validates package
contents. (CVE 2012-0013)
2008: 2621146
7: 2621146
2008 R2:
2621146
XP 2619339
Vista 2619339
7 2619339
XP 2624667
2003 2624667
11-092
11-093
2003:KB264461 12-001
5
Vista:KB264461
5
2008:KB264461
5
Win
7:KB2644615
XP: 2584146
12-005
(32-bit), 2584146
(64-bit)
2003: 2584146
(32-bit), 2584146
(64-bit)
Vista: 2584146
(32-bit), 2584146
(64-bit)
2008: 2584146
(32-bit), 2584146
(64-bit)
Windows 7:
2584146 (32-bit),
2584146 (64-bit)
2008 R2:
2584146 (64-bit)
Fixes a local privilege escalation
XP 2646524
12-003
vulnerability in the Windows Client 2003 2646524
Vista 2646524
(CSRSS). Authenticated users may 2008 2646524
be able to execute code under the
context of other users. (CVE
2012-0005)
131
Windows Object Packager Insecure Fixes a vulnerability in the way that XP: KB2598479
Executable Launching Vulnerability Windows registers and uses the
(32-bit), 2603381
Windows Object Packager that
(64-bit)
could allow remote code execution if 2003: 2603381
a user opens a legitimate file with
(32-bit), 2603381
an embedded packaged object that (64-bit)
is located in the same network
directory as a specially crafted
executable file. An attacker who
(CVE 2012-0009)
Windows Multimedia Library MIDI Fixes a vulnerability in the way that XP: 2628259
Vulnerability
Windows Multimedia Library parses (Windows XP
MIDI files. Windows Multimedia
Media Center
Library is used by applications such Edition 2005),
as Windows Media Player to work 2598479 (32-bit),
with audio and video. An attacker
2598479 (64-bit)
who convinces a user to open a
2003: 2598479
specially crafted MIDI file could run (32-bit), 2598479
arbitrary code in the context of the (64-bit)
current user. (CVE 2012-0003)
Vista: 2598479
(32-bit), 2598479
(64-bit)
2008: 2598479
(32-bit), 2598479
(64-bit)
Windows DirectShow media file
Fixes a vulnerability in the way that XP: 2631813
Windows DirectShow (a component (32-bit), 2631813
of Windows DirectX) handles media (64-bit)
files. An attacker who convinces a 2003: 2631813
user to open a specially crafted
(32-bit), 2631813
media file could run arbitrary code (64-bit)
in the context of the current user.
Vista: 2631813
(CVE 2012-0004)
(32-bit), 2631813
(64-bit), 2628642
(32-bit), 2628642
(64-bit)
2008: 263183
(32-bit), 2603381
(64-bit)
7: 263183
(32-bit), 263183
(64-bit)
2008R2: 263183
SSL and TLS Protocols
A vulnerability exists within the
XP 32-bit SP3
Vulnerable Implementation
SSL 3.0 and TLS 1.0 protocols
2585542
through which an attacker who has XP 64-bit SP2
access to an active (encrypted)
2585542,
SSL connection — a
2638806
“man-in-the-middle” attack — may 2003 32-bit
be able to break the encryption and SP2 2585542,
read the content being transmitted. 2638806
132
12-002
12-004
12-004
12-006
No actual exploit was known until
2011, when an exploit tool named
“BEAST” demonstrated a
block-wise chosen-plaintext attack
using vulnerable Web browsers and
a crafted Web site.
SSL 3.0 and TLS 1.0, using CBC
mode, are vulnerable. TLS 1.1 and
1.2, and all encryption methods
which do not use CBC mode, are
unaffected by this vulnerability.
(CVE 2011-3389)
2003 64-bit
SP2 2585542,
2638806
2003 Itanium
SP2 2585542,
2638806
Vista 32-bit
SP2 2585542
Vista 64-bit
SP2 2585542
2008 32-bit
SP2 2585542
2008 64-bit
SP2 2585542
2008 Itanium
SP2 2585542
W7 32-bit to
SP1 2585542
W7 64-bit to
SP1 2585542
2008 R2 64-bit
to SP1 2585542
2008 R2
Itanium to SP1
2585542
MS Windows Kernel-Mode Drivers Two vulnerabilities exist in
KB2660465
12-008
kernel-mode drivers which, if
XP: 32-bit,
Vulnerability
exploited, could give an attacker the 64-bit
ability to execute arbitrary program 2003: 32-bit,
code on the vulnerable computer. 64-bit, Itanium
(CVE 2011-5046, CVE
Vista: 32-bit,
2012-0154)
64-bit
2008: 32-bit,
64-bit, Itanium
Win 7: 32-bit,
64-bit
2008 R2: 64-bit,
Itanium
Windows Kernel-Mode Drivers
Three privately reported
XP
13-027
Elevation of Privilege vulnerabilities vulnerabilities in Microsoft Windows 32-bit:KB280798
kernel-mode drivers could allow
6
elevation of privilege if an attacker XP
logs on to the system and runs a
64-bit:KB280798
6
2003
32-bit:KB280798
locally to exploit this vulnerability.
6
(CVE 2013-1285 CVE 2013-1286 2003
CVE 2013-1287)
64-bit:KB280798
6
Vista
32-bit:KB280798
6
Vista
133
64-bit:KB280798
6
2008
32-bit:KB280798
6
2008
64-bit:KB280798
6
W7
32-bit:KB280798
6
W7
64-bit:KB280798
6
2008
R2:KB2807986
W8
32-bit:KB280798
6
W8
64-bit:KB280798
6
2012:KB280798
6
MS Windows Kernel-Mode Drivers One publicly disclosed and one
XP
12-018
Elevation of Privilege vulnerabilities privately reported vulnerability exist 32-bit:KB271852 12-041
in Microsoft Windows kernel-mode 3
12-047
drivers which could allow elevation XP
of privilege if an attacker logs on to 64-bit:KB271852
the system and runs a specially
3
crafted application. An attacker must 2003
have valid logon credentials and be 32-bit:KB271852
able to log on locally to exploit this 3
vulnerability.
2003
(CVE 2012-1890 CVE 2012-1893) 64-bit:KB271852
The vulnerabilities could allow
3
elevation of privilege if an attacker Vista
logs on to a system and runs a
32-bit:KB271852
3
Vista
64-bit:KB271852
locally to exploit any of these
3
2008
CVE 2012-1865 CVE 2012-1866
32-bit:KB271852
CVE 2012-1867 CVE 2012-1868) 3
A vulnerability exists in kernel-mode 2008
drivers which, if exploited, could
64-bit:KB271852
give an attacker the ability to
3
execute arbitrary program code on W7
the vulnerable computer.
32-bit:KB271852
(CVE 2012-0157)
3
W7
64-bit:KB271852
3
134
2008
R2:KB2718523
MS Remote Desktop Could Allow
Fixed Remote Code Execution
KB2621440 and 12-020
Vulnerabilities in the Remote
KB2621402
Vulnerabilities
Desktop Protocol. If exploited, an
XP: 32-bit,
attacker could run arbitrary code on 64-bit
the target system, then install
2003: 32-bit,
programs; view, change, or delete 64-bit, Itanium
data; or create new accounts with Vista: 32-bit,
full user rights.
64-bit
(CVE 2012-0002, CVE
2008: 32-bit,
2012-0152)
64-bit, Itanium
2008 R2:
64-bit(1), 64-bit(2),
Itanium(1),
Itanium(2)
Win 7: 32-bit(1),
32-bit(2), 64-bit(1),
64-bit(2)
Windows Kernel Elevation of
Fixes a vulnerability that could allow XP SP3:
12-042
Privilege Vulnerability
elevation of privilege if an attacker 2707511 (32-bit)
logs on to an affected system and 2003 SP2:
runs a specially crafted application 2707511 (32-bit)
that exploits the vulnerability. This Window 7:
vulnerability affects all 32-bit editions 2709715 (64-bit)
of Windows XP and Windows
2008 R2:
Server 2003: (CVE 2012-0217),
2709715 (64-bit)
and it also affects Windows 7 for
x64-based Systems, and Windows
Server 2008 R2 for x64-based
Systems: (CVE 2012-1515)
Windows C Run-Time Library
Fixes a remote code vulnerability in Vista: 2654428 12-013
remote code execution vulnerability the way that the msvcrt.dll
(32-bit), 2654428
calculates the size of a buffer in
(64-bit)
memory, allowing data to be copied 2008: 2654428
into memory that has not been
(32-bit), 2654428
properly allocated. This vulnerability (64-bit)
could allow remote code execution if Windows 7:
a user opens a specially crafted
2654428 (32-bit),
media file that is hosted on a
2654428 (64-bit)
website or sent as an email
2008 R2:
attachment. An attacker who
2654428 (64-bit)
successfully exploits the vulnerability
could gain the same user rights as
the local user. (CVE 2012-0150)
Windows Color Control Panel
2008: 2643719, 12-012
Server 2008 and 2008 R2 that
2643719 (64-bit)
vulnerability
could allow remote code execution. 2008R2:
The vulnerability is caused in the
2643719
way that the Color Control Panel
handles the loading of DLL files
when a user opens a legitimate file
(example, .icm or .icc) which is in
the same directory as the specially
135
Vulnerability in Indeo Codec
Microsoft Windows DirectWrite
Denial of Service Vulnerability
MS Forefront Unified Access
Gateway 2010 information
disclosure vulnerability
Windows Authenticode Signature
Verification function bypass
Privilege Vulnerability fixed by
MS12-033
crafted dll file. An attacker could
run arbitrary code in the context of
the current user. (CVE 2010-5082)
A vulnerability exists in the Indeo
XP 32-bit SP3
codec for Windows XP SP3. The
2661637
code execution if a user opens a
legitimate file from a directory which
also contains a specially-crafted dll
file. If successful, the attacker could
then run arbitrary code as the
logged-on user. The higher the
privilege level of the logged-on
user, the more damage could be
done.
(CVE 2010-3138)
Vista:KB266536
DirectWrite. In an Instant
4
Messenger-based attack scenario, 2008:KB266536
the vulnerability could allow denial 4
of service if an attacker sends a
Win
specially crafted sequence of
7:KB2665364
Unicode characters directly to an
Instant Messenger client. (CVE
2012-0156)
Two information disclosure
UAG 2010
vulnerabilities exist in Unified
SP1:
Access Gateway (UAG) 2010 SP1: KB2649261
A spoofing vulnerability could allow SP1 Update 1:
an outside attacker to acquire
KB2649262
authentication cookies and
credentials for an internal UAG
user, and an access vulnerability
could allow an unauthenticated
attacker on the (external) Internet to
acquire confidential content from a
UAG server's (internal) default Web
page.
(CVE 2012-0146, CVE
2012-0147)
The WinVerifyTrust function
XP:KB2653956
improperly validates the signature of 2003:KB265395
an executable file, allowing for the 6
potential execution of untrusted
Vista:KB265395
code. (CVE 2012-0151)
6
Win
7:KB2653956
2008:KB265395
6
2008
R2:KB2653956
MS12-033 fixed a Plug and Play
Vista 32 bit
(PnP) Configuration Manager
SP2:KB2690533
Vulnerability in Windows. The
,
136
12-014
12-019
(superseded by
12-034 on all
vulnerable
platforms)
12-026
12-024
12-033
vulnerability could allow elevation of
privilege if an attacker logs on to a
system and runs a specially crafted
Multiple vulnerabilities fixed by
MS12-034
MS12-034 fixed multiple
vulnerabilities in Windows, Office,
GDI+, .NET, and Silverlight. (CVE
2011-3402 CVE 2012-0159 CVE
2012-0165 CVE 2012-0167 CVE
2012-0180 CVE 2012-0181 CVE
2012-1848)
Windows RDP Remote Code
MS12-036 fixed a vulnerability in
Execution Vulnerability (MS12-036) the Remote Desktop Protocol which
allowed for potential remote code
137
Vista 64 bit
SP2:KB2690533
W7 32
bit:KB2690533,
W7 32 bit
SP1:KB2690533
,
W7 64
bit:KB2690533,
W7 64 bit
SP1:KB2690533
,
2008 32 bit
SP2:KB2690533
,
2008 64 bit
SP2:KB2690533
,
2008 Itanium
SP2:KB2690533
,
2008 R2 64
bit:KB2690533,
2008 R2 64 bit
SP1:KB2690533
,
2008 R2
Itanium:KB2690
533,
2008 R2
Itanium
SP1:KB2690533
MS12-034
12-034
XP SP3
12-036
(32-bit):KB26859
39
XP SP2
(64-bit)KB268593
9
Vista SP2
(32-bit)KB268593
9
Vista SP2
(64-bit)KB268593
9
7
(32-bit)KB268593
9
Microsoft Lync Multiple
Vulnerabilities (MS12-039)
MDAC ADO cachesize heap
overflow
Four vulnerabilities have been
patched in the following Microsoft
Lync applications: Communicator
2007 R2, Lync 2010, Lync 2010
Attendee, and Lync 2010
Attendant. The vulnerabilities
include two TrueType font parsing
vulnerabilities, a DLL injection
vulnerability, and an HTML
sanitization vulnerability. (CVE
2011-3402) (CVE 2012-0159)
(CVE 2012-1849) (CVE 2012-1858)
Microsoft Data Access Components
(MDAC) ActiveX Data Objects
(ADO) could allow command
execution when parsing specially
crafted XML code due to an
attempt to access an uninitialized
138
7 SP1
(32-bit)KB268593
9
7
(64-bit)KB268593
9
7 SP1
(64-bit)KB268593
9
2003 SP2
(32-bit)KB268593
9
2003 SP2
(64-bit)KB268593
9
2003 SP2
(Itanium)KB2685
939
2008 SP2
(32-bit)KB268593
9
2008 SP2
(64-bit)KB268593
9
2008 SP2
(Itanium)KB2685
939
2008 R2
(64-bit)KB268593
9
2008 R2 SP1
(64-bit)KB268593
9
2008 R2
(Itanium)KB2685
939
Communicator 12-039
2007
R2:KB2708980
Lync
2010:KB2693282
Lync 2010
Attendee:KB26
96031
Lync 2010
Attendant:KB27
02444
XP: 2698365
2003: 2698365
Vista: 2698365
2008: 2698365
7: 2698365
2008 R2:
12-045
Remote Desktop Protocol Use
After Free Vulnerability
Vulnerabilities in Windows
Kernel-Mode Drivers Could Allow
VBScript and JScript Engines
JavaScript integer overflow
object. (CVE 2012-1891)
The Windows XP implementation of
the Remote Desktop Protocol
(RDP) contains a use-after-free
vulnerability. An unauthenticated
remote attacker may be able to
trigger the vulnerability by sending
a sequence of specially crafted
messages to the RDP service. This
may result in heap corruption that
could lead to arbitrary code
Fixes three vulnerabilities in
Microsoft Windows. The most
severe of these vulnerabilities could
document or visits a malicious
webpage that embeds TrueType
font files. (CVE 2012-2530 CVE
2012-2553 CVE 2012-2897 )
Also fixes a “use after free” coding
error. The error could allow an
authenticated local user to raise his
privileges to administrator (or
potentially even kernel) levels.
(CVE2012-2527)
2698365
XP: 2723135
12-053
XP
12-055
(32-bit):KB27612212-075
6
XP
(64-bit):KB276122
6
2003
(32-bit):KB276122
6
2003
(64-bit):KB276122
6
Vista
(32-bit):KB276122
6
Vista
(64-bit):KB276122
6
2008
(32-bit):KB276122
6
2008
(64-bit):KB276122
6
Win 7
(32-bit):KB276122
6
Win 7
(64-bit):KB276122
6
2008
R2:KB2761226
Win 8
(32-bit):KB276122
6
Win 8
(64-bit):KB276122
6
2012:KB276122
6
An integer overflow vulnerability
XP: 2706045
12-056
allows command execution when a 2003: 2706045
139
user opens a specially crafted web Vista: 2706045
page in Internet Explorer or an
2008: 2706045
application or document which
7: 2706045
embeds a malicious ActiveX control. 2008 R2:
(CVE 2012-2523)
2706045
Windows networking components Multiple vulnerabilities exist in
XP: 2705219
Windows remote administration
2003: 2705219
protocol that can lead to remote
Vista: 2705219
code execution. Attackers that
2008: 2705219
successfully exploit any of these
7: 2705219
vulnerabilities could take complete 2008 R2:
control of the system or cause a
2705219
denial of service. (CVE 2012-1850)
(CVE 2012-1852) (CVE 2012-1853)
Windows print spooler remote code A vulnerability exists in the
XP: 2712808
Windows print spooler service that 2003: 2712808
can lead to remote code execution. Vista: 2712808
Attackers that successfully exploit 2008: 2712808
this vulnerability could take complete 7: 2712808
2008 R2:
2012-1851)
2712808
Windows Kernel integer overflow
XP: 2724197
allow a logged-on user to gain
2003: 2724197
administrative privileges. (CVE
Vista: 2724197
2012-2529)
2008: 2724197
7: 2724197
2008 R2:
2724197
HTML Sanitization Vulnerability in Various products do not properly
Communicator
Various Products
validate user-supplied HTML input, 2007 R2:
which may result in a Cross Site
2726391
Scripting or privilege-escalation
Lync 2010:
vulnerability. An attacker could
2726382
exploit this weakness to steal a
Lync 2010
user's session or other privileged
Attendee:
information. In a web-based attack 2726388
scenario, an attack could be
SharePoint
delivered by directing the user to a Server 2007:
target SharePoint website.
2687405 (32-bit),
Attackers may also target users of 2687405 (64-bit)
Lync 2010 and Communicator 2007 SharePoint
R2 by sending them a specially
Server 2010:
crafted message. (CVE 2012-2520) 2687435,
2589280 on 2010
MS Business
Productivity
Servers
SharePoint
Server
Services 3.0:
2687356 (32-bit),
2687356 (64-bit)
SharePoint
Foundation
140
12-054
12-054
12-068
12-066
2010: 2687434
Microsoft Windows Briefcase
Fixes two privately reported
XP: 2727528 (32 12-072
remote code execution vulnerabilitiesvulnerabilities by modifying the way bit), 2727528 (64
that Microsoft Windows handles a bit)
specially crafted briefcase. (CVE
2003: 2727528
2012-1527 CVE 2012-1528)
(32 bit), 2727528
(64 bit)
Vista: 2727528
(32 bit), 2727528
(64 bit)
2008: 2727528
(32 bit), 2727528
(64 bit)
7: 2727528 (32
bit), 2727528 (64
bit)
2008 R2:
2727528 (64 bit)
8: 2727528 (32
bit), 2727528 (64
bit)
2012: 2727528
(32 bit)
Vulnerability in IP-HTTPS
2008
12-083
Component Could Allow Security
R2:KB2765809
Feature Bypass
allow security feature bypass if an 2012:KB276580
attacker presents a revoked
9
certificate to an IP-HTTPS server
commonly used in Microsoft
DirectAccess deployments.
(CVE 2012-2549)
Vulnerability in DirectPlay Could Fixes a vulnerability in Microsoft
XP:KB2770660 12-082
Allow Remote Code Execution
2003:KB277066
allow remote code execution if an 0
attacker convinces a user to view a Vista:KB277066
specially crafted Office document
0
with embedded content. An attacker 2008:KB277066
who successfully exploits this
0
vulnerability could gain the same
7:KB2770660
user rights as the current user.
2008 R2 (64
(CVE 2012-1537)
bit):KB2770660
Window
8:KB2770660
2012:KB277066
0
Microsoft Windows Kernel-Mode
There are vulnerabilities in the
KB2753842
12-078
Drivers Font Parsing Vulnerabilities handling of both “OpenType” and
(OT),
“TrueType” fonts, such that
KB2779030 (TT)
attempting to render characters
XP: x86 (OT
from a specially-crafted malicious
TT), x64 (OT
font file, even from a remote Web
TT)
page, may give an attacker
2003: x86 (OT
complete control of the victim's
TT), x64 (OT
computer. (CVE 2012-2556, CVE
TT), IA64 (OT
141
2012-4786)
Microsoft Windows File Handling
Component vulnerability
Microsoft Word RTF
listoverridecount
Vulnerability in SharePoint Server
2010 Word Automation Services
Microsoft Exchange Server RSS
feed denial of service
Kernel-Mode Driver Privilege
TT)
Vista: x86 (OT
TT), x64 (OT
TT)
2008: x86 (OT
TT), x64 (OT
TT), IA64 (OT
TT)
W7: x86 (OT
TT), x64 (OT
TT)
2008 R2: x64
(OT TT), IA64
(OT TT)
W8: x86 (OT
TT), x64 (OT
TT)
2012: x64 (OT
TT)
Fixes a vulnerability in Windows file XP: 2758857 (32 12-081
handling component which could
bit), 2758857 (64
bit)
user browses to a folder that
2003: 2758857
contains a file or subfolder with a
(32 bit), 2758857
specially crafted name. An attacker (64 bit)
Vista: 2758857
vulnerability could gain the same
(32 bit), 2758857
user rights as the current user.
(64 bit)
(CVE 2012-4774)
2008: 2758857
(32 bit), 2758857
(64 bit)
7: 2758857 (32
bit), 2758857 (64
bit)
2008 R2:
2758857 (64 bit)
SharePoint
12-079
vulnerability due to an error in the 2010: 2760405
way the /listoverridecount
RTF header is parsed. (CVE
2012-2539)
Fixes a vulnerability in the way
Patch:
12-080
Microsoft Exchange Server 2010
MS12-080
and 2007 handle RSS feeds that
could lead to a denial of service.
Fixes a vulnerability in Oracle
Outside due to a remote code
execution vulnerability in the
WebReady Document Viewing
feature of Microsoft Exchange
Server. (CVE 2012-3214) (CVE
2012-3217) (CVE 2012-4791)
Fixes a vulnerability caused by
Vista: 2778930 13-005
improper handling of windows
(32 bit), 2778930
142
broadcast messages by the
Windows kernel. The vulnerability
could allow an attacker to gain full
control of the effected system.
(CVE 2013-0008)
(64 bit)
Server 2008
2778930 (32 bit),
2778930 (64 bit),
2778930 (IA64)
Windows 7
2778930 (32 bit),
2778930 (64 bit)
Server 2008
R2 2778930 (64
bit), 2778930
(IA64)
Windows 8
2778930 (32 bit),
2778930 (64 bit)
Server 2012
2778930
Windows print spooler remote code A vulnerability exists in the
Windows 7:
13-001
Windows print spooler service that 2769369
can lead to remote code execution. 2008 R2:
Attackers that successfully exploit 2769369
2013-0011)
Windows TCP FIN WAIT
Fixes a vulnerability in the way that Vista SP2:
13-018
Vulnerability
Microsoft Windows handles TCP
2790655
FIN responses when window size Vista (x64)
is equal to zero. (CVE 2013-0075) SP2: 2790655
2008 (x86)
SP2: 2790655
2008 (x64)
SP2: 2790655
Windows 7
(x86) 2790655
Windows 7
(x64) 2790655
Windows 7
SP1 (x86)
2790655
Windows 7
SP1 (x64)
2790655
2008 R2 (x64)
SP2: 2790655
2008 R2 SP1
(x64) SP2:
2790655
Windows 8
(x32) 2790655
Windows 8
(x64) 2790655
2012 (x64)
SP2: 2790655
143
SSL Version 3 and TLS Security
Feature Bypass
Fixes a vulnerability in the way that
Microsoft Windows SSL/TLS
handle the SSL version 3 (SSLv3)
and TLS protocols. The
vulnerability could allow security
feature bypass if an attacker injects
specially crafted content into an
SSL/TLS session. (CVE
2013-0013)
Vista: 2785220
(32 bit), 2785220
(64 bit)
Server 2008:
2785220 (32 bit),
2785220 (64 bit)
Windows 7:
2785220 (32 bit),
2785220 (64 bit)
2008 R2:
2785220
Windows 8:
2785220 (32 bit),
2785220 (64 bit)
2012: 2785220
Windows Kernel integer overflow
XP: 2799494
allow a logged-on user to gain
2003: 2799494
administrative privileges. (CVE
Vista: 2799494
2013-1278) (CVE 2013-1279)
2008: 2799494
(CVE 2013-1280)
7: 2799494
2008 R2:
2799494
8: 2799494
2012: 2799494
Windows DirectShow Media
XP: 2780091
Decompression vulnerability fixed by allow remote code execution if a
(32-bit), 2780091
MS13-011
(64-bit)
media file (such as an .mpg file),
2003: 2780091
opens a Microsoft Office document (32-bit), 2780091
(such as a .ppt file) that contains (64-bit)
a specially crafted embedded media Vista: 2780091
file, or receives specially crafted
(32-bit), 2780091
streaming content. (CVE
(64-bit)
2013-0077)
2008: 2780091
(32-bit), 2780091
(64-bit)
Kernel-Mode Driver Privilege
This security update resolves 30
XP: 2778344 (32
Escalation Vulnerabilities
privately reported vulnerabilities in bit), 2778344 (64
Microsoft Windows. These
bit)
vulnerabilities exist when the
Server 2003:
Windows kernel-mode driver
2778344 (32 bit),
improperly handles objects in
2778344 (64 bit)
memory. An attacker who
Vista: 2778344
successfully exploited these
(32 bit), 2778344
vulnerabilities could gain elevated (64 bit)
privileges and read arbitrary
Server 2008:
amounts of kernel memory. An
2778344 (32 bit),
2778344 (64 bit)
Windows 7:
locally to exploit these vulnerabilities.2778344 (32 bit),
(CVE 2013-1248 CVE 2013-1249 2778344 (64 bit)
CVE 2013-1250 CVE 2013-1251
Server 2008
CVE 2013-1252 CVE 2013-1253
R2: 2778344 (64
CVE 2013-1254 CVE 2013-1255
bit)
144
13-006
13-017
13-011
13-016
Elevation Vulnerability
CVE 2013-1256 CVE 2013-1257
CVE 2013-1258 CVE 2013-1259
CVE 2013-1260 CVE 2013-1261
CVE 2013-1262 CVE 2013-1263
CVE 2013-1264 CVE 2013-1265
CVE 2013-1266 CVE 2013-1267
CVE 2013-1268 CVE 2013-1269
CVE 2013-1270 CVE 2013-1271
CVE 2013-1272 CVE 2013-1273
CVE 2013-1274 CVE 2013-1275
CVE 2013-1276 CVE 2013-1277)
Fixes a vulnerability which might
allow an authenticated user to
execute arbitrary code in the
context of the local system. (CVE
2013-0076)
Windows NFS Server null
dereference vulnerability
Windows 7:
13-019
2790113 (32-bit),
2790113 (64-bit)
Server 2008
R2: 2790113
(64-bit), 2790113
(IA64)
2008 R2:
13-014
2790978
2012: 2790978
Fixes a denial of service
vulnerability in the Windows NFS
server when handling a file
operation on a read-only share.
(CVE 2013-1281)
Windows OLE Automation Remote This update corrects a memory
Windows XP:
corruption vulnerability in the Object 2802968
Linking and Embedding (OLE)
Automation library. (CVE
2013-1313)
13-020
For more information on critical updates, see the Windows critical update pages which are available for
Windows 2000, Windows NT 4.0, Windows XP, Windows Server 2003, Windows Vista, Windows Server
2008, and Windows 7.
Scan Session: autotest2; Scan Policy: heavy; Scan Data Set: 20 March 2013 10:38
Copyright 2001-2013 SAINT Corporation. All rights reserved.
145

Trend Analysis

Transcription

Similar documents

Winter 2010/2011 - USS Natoma Bay CVE-62

The development of a heat wave vulnerability index for

A “resilient”

Where are the Vulnerable Places in Africa?

safeti advanced explosion modelling

Vol. 4, Issue 4 - Cert-Mu

Narrowing the gap Across the line

32-Bit Virus Threats on 64-Bit Windows

Costa Rica Sewage Collection and Treatment System – Final