[INTERIM] ACCEPT 38 candidates from MS (Final 1/3/2000)

I have made an Interim Decision to ACCEPT the following candidates from the MS cluster. I will make a Final Decision on January 3, 2000.

Voters:
  Wall ACCEPT(36) MODIFY(2)
  Frech ACCEPT(7) MODIFY(31)
  Ozancin ACCEPT(34) NOOP(4)
  Christey NOOP(7)
  Cole ACCEPT(27) MODIFY(9) NOOP(1) REJECT(1)
  Prosser ACCEPT(36) MODIFY(2)
  Stracener ACCEPT(25) MODIFY(13)

- Steve

=================================
Candidate: CAN-1999-0668
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: BID:598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Modifications:
  ADDREF XF:ms-scriptlet-eyedog-unsafe
  ADDREF MSKB:Q240308

INFERRED VOTE: CAN-1999-0668 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Wall> Note: Was this not CVE 199-0376?
 Stracener> Add Ref: MSKB Q240308

=================================
Candidate: CAN-1999-0669
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Modifications:
  XF:ms-scriptlet-eyedog-unsafe
  MSKB:Q240308

INFERRED VOTE: CAN-1999-0669 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Stracener> Add Ref: MSKB Q240308

=================================
Candidate: CAN-1999-0680
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-028
Reference: MSKB:Q238600
Reference: CIAC:J-057
Reference: BID:571
Reference: XF:nt-terminal-dos

Windows NT Terminal Server performs extra work when a client opens a new connection but before it is authenticated, allowing for a denial of service.

Modifications:
  DESC add "new connection" phrase

INFERRED VOTE: CAN-1999-0680 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Frech, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> This happens not whenever a client authenticates but when they open
 Cole> up a new connection.
 Cole> It should be changed to
 Cole> Windows NT Terminal Server performs extra work before a client is
 Cole> authenticated,
 Cole> when a new connection is open, allowing for a denial of service
 Cole> attack.

=================================
Candidate: CAN-1999-0682
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-027
Reference: MSKB:Q237927
Reference: BID:567
Reference: CIAC:J-056
Reference: XF:exchange-relay

Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. spam) using encapsulated SMTP addresses, even if the anti-relaying features are enabled.

Modifications:
  ADDREF CIAC:J-056

INFERRED VOTE: CAN-1999-0682 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Frech, Cole, Wall, Prosser, Ozancin
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: CIAC: J-056

=================================
Candidate: CAN-1999-0700
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MSKB:Q237185
Reference: MS:MS99-026
Reference: XF:nt-malformed-dialer

Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.

Modifications:
  ADDREF XF:nt-malformed-dialer
  DESC add dialer.ini phrase

INFERRED VOTE: CAN-1999-0700 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(2) Frech, Cole

COMMENTS:
 Frech> XF:nt-malformed-dialer
 Cole> This is not clear, I would change it to
 Cole> Buffer overflow in Microsoft NT Phone dialer program, dialer.exe,
 Cole> when it calls the dialer.ini file.

=================================
Candidate: CAN-1999-0701
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-036
Reference: MSKB:Q17039
Reference: BID:626
Reference: XF:nt-install-unattend-file

After an unattended installation of Windows NT 4.0, an installation file could include sensitive information such as the local Administrator password.

Modifications:
  ADDREF XF:nt-install-unattend-file
  ADDREF MSKB:Q17039

INFERRED VOTE: CAN-1999-0701 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:nt-install-unattend-file
 Stracener> Add Ref: MSKB Q17039

=================================
Candidate: CAN-1999-0702
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs
Reference: MS:MS99-037
Reference: MSKB:Q241631
Reference: XF:ie5-import-export-favorites
Reference: BID:627

Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability.

Modifications:
  DESC add "execute files"
  ADDREF XF:ie5-import-export-favorites

INFERRED VOTE: CAN-1999-0702 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Prosser, Ozancin, Stracener
   MODIFY(3) Frech, Cole, Wall

COMMENTS:
 Frech> XF:ie5-import-export-favorites
 Cole> The key exploit is to modify files but to cause system commands to
 Cole> be executed.
 Cole> Should be changed to:
 Cole> Internet Explorer 5.0 allows remote attackers to modify and/or
 Cole> execute files via the
 Cole> Import/Export Favorites feature, aka the "ImportExportFavorites"
 Cole> vulnerability.
 Wall> This now applies to IE 5 and 5.01, so replace 5.0 with 5/5.01.

=================================
Candidate: CAN-1999-0715
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990519 Buffer Overruns in RAS allows execution of arbitary code as system
Reference: MS:MS99-016
Reference: MSKB:Q230667
Reference: XF:nt-ras-bo

Buffer overflow in Remote Access Service (RAS) client allows an attacker to execute commands or cause a denial of service via a malformed phonebook entry.

Modifications:
  DESC add DoS/exec
  CHANGEREF BUGTRAQ [add date]

INFERRED VOTE: CAN-1999-0715 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Frech, Wall, Ozancin, Stracener
   MODIFY(2) Cole, Prosser
   NOOP(1) Christey

COMMENTS:
 Cole> This attack can also cause arbitrary code to be executed. It should
 Cole> be changed to:
 Cole> An exploit in the Remote Access Service (RAS) client via a
 Cole> malformed
 Cole> phonebook entry can cause either a denial of service or arbitrary
 Cole> code to be
 Cole> executed, all caused by a buffer overflow.
 Prosser> This vulnerability can cause a DoS or under certain circumstances allow
 Prosser> arbitrary code to run. Believe this should be split into two vulnerabilities,
 Prosser> though both are the result of the buffer overflow.
 Christey> Since there is a single buffer overflow which can allow
 Christey> either to occur, the SF-LOC (Same Line-of-Code) content
 Christey> decision says we should keep this as a single item, although
 Christey> there are multiple effects.

=================================
Candidate: CAN-1999-0716
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:nt-helpfile-bo
Reference: MSKB:Q231605
Reference: MS:MS99-015

Buffer overflow in Windows NT 4.0 help file utility via a malformed help file.

INFERRED VOTE: CAN-1999-0716 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener

=================================
Candidate: CAN-1999-0717
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-014
Reference: MSKB:Q231304
Reference: XF:excel-virus-warning

A remote attacker can disable the virus warning mechanism in Microsoft Excel 97.

Modifications:
  ADDREF XF:excel-virus-warning
  ADDREF MSKB:Q231304

INFERRED VOTE: CAN-1999-0717 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:excel-virus-warning
 Stracener> Add Ref: MSKB Q231304

=================================
Candidate: CAN-1999-0721
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BINDVIEW:Phantom Technical Advisory
Reference: MSKB:Q231457
Reference: MS:MS99-020
Reference: CIAC:J-049
Reference: XF:msrpc-lsa-lookupnames-dos

Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request.

Modifications:
  ADDREF XF:msrpc-lsa-lookupnames-dos

INFERRED VOTE: CAN-1999-0721 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:msrpc-lsa-lookupnames-dos

=================================
Candidate: CAN-1999-0723
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-021
Reference: CIAC:J-049
Reference: XF:nt-csrss-dos
Reference: MSKB:Q233323

The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input.

Modifications:
  CHANGEREF MSKB:Q231323 Q233323

INFERRED VOTE: CAN-1999-0723 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Prosser, Ozancin, Stracener
   MODIFY(2) Frech, Wall

COMMENTS:
 Frech> MODREF MSKB: change Q231323 to Q233323.
 Wall> The MSKB should be Q233323, not Q231323.

=================================
Candidate: CAN-1999-0725
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MSKB:Q233335
Reference: MS:MS99-022
Reference: XF:iis-double-byte-code-page

When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page".

INFERRED VOTE: CAN-1999-0725 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(5) Frech, Cole, Wall, Prosser, Stracener
   NOOP(1) Ozancin

=================================
Candidate: CAN-1999-0726
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-023
Reference: MSKB:Q234557
Reference: XF:nt-malformed-image-header

An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header.

Modifications:
  ADDREF XF:nt-malformed-image-header

INFERRED VOTE: CAN-1999-0726 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:nt-malformed-image-header

=================================
Candidate: CAN-1999-0728
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-024
Reference: MSKB:Q236359
Reference: XF:nt-ioctl-dos

A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them.

Modifications:
  ADDREF XF:nt-ioctl-dos

INFERRED VOTE: CAN-1999-0728 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(1) Ozancin

COMMENTS:
 Frech> XF:nt-ioctl-dos

=================================
Candidate: CAN-1999-0749
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990815 telnet.exe heap overflow - remotely exploitable
Reference: MS:MS99-033
Reference: XF:win-ie5-telnet-heap-overflow
Reference: BID:586

Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 98 via a malformed Telnet argument.

INFERRED VOTE: CAN-1999-0749 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener

=================================
Candidate: CAN-1999-0755
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:nt-ras-pwcache
Reference: MSKB:Q230681
Reference: MS:MS99-017

Windows NT RRAS and RAS clients cache a user's password even if the user has not selected the "Save password" option.

INFERRED VOTE: CAN-1999-0755 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener

=================================
Candidate: CAN-1999-0766
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-031
Reference: MSKB:Q240346
Reference: BID:600
Reference: XF:msvm-verifier-java

The Microsoft Java Virtual Machine allows a malicious Java applet to execute arbitrary commands outside of the sandbox environment.

Modifications:
  ADDREF XF:msvm-verifier-java

INFERRED VOTE: CAN-1999-0766 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:msvm-verifier-java

=================================
Candidate: CAN-1999-0777
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-039
Reference: MSKB:Q241407
Reference: MSKB:Q242559
Reference: XF:iis-ftp-no-access-files
Reference: BID:658

IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions.

Modifications:
  ADDREF MSKB:Q241407
  ADDREF MSKB:Q242559
  ADDREF XF:iis-ftp-no-access-files

INFERRED VOTE: CAN-1999-0777 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(3) Frech, Cole, Stracener
   NOOP(1) Christey

COMMENTS:
 Frech> XF:iis-ftp-no-access-files
 Cole> This attack only works if you access a ftp site via a web browser.
 Cole> If you go through an ftp client
 Cole> it will not work.
 Stracener> Add Ref: MSKB Q241407
 Stracener> Add Ref: MSKB Q242559
 Christey> Saying the attack only works through a web browser provides
 Christey> too much detail for a CVE description.

=================================
Candidate: CAN-1999-0793
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-043
Reference: XF:ie-java-redirect

Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet.

Modifications:
  ADDREF XF:ie-java-redirect

INFERRED VOTE: CAN-1999-0793 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-java-redirect

=================================
Candidate: CAN-1999-0794
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-044
Reference: XF:excel-sylk
Reference: MSKB:Q241900
Reference: MSKB:Q241901
Reference: MSKB:Q241902

Microsoft Excel does not warn a user when a macro is present in a Symbolic Link (SYLK) format file.

Modifications:
  ADDREF XF:excel-sylk
  ADDREF MSKB:Q241900
  ADDREF MSKB:Q241901
  ADDREF MSKB:Q241902

INFERRED VOTE: CAN-1999-0794 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:excel-sylk
 Stracener> Add Ref: MSKB Q241900
 Stracener> Add Ref: MSKB Q241901
 Stracener> Add Ref: MSKB Q241902

=================================
Candidate: CAN-1999-0802
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990503 MSIE 5 FAVICON BUG
Reference: MS:MS99-018
Reference: MSKB:Q231450
Reference: XF:ie-favicon

Buffer overflow in Internet Explorer 5 allows remote attackers to execute commands via a malformed Favorites icon.

Modifications:
  ADDREF XF:ie-favicon
  ADDREF BUGTRAQ:19990503 MSIE 5 FAVICON BUG
  DESC reword

INFERRED VOTE: CAN-1999-0802 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(3) Frech, Cole, Stracener

COMMENTS:
 Frech> XF:ie-favicon
 Cole> This attack also allows code to be executed on the machine.
 Stracener> Add Ref: BUGTRAQ:19990503 MSIE 5 FAVICON BUG

=================================
Candidate: CAN-1999-0839
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation
Reference: MS:MS99-051
Reference: MSKB:Q246972
Reference: XF:ie-task-scheduler-privs
Reference: BID:828

Windows NT Task Scheduler installed with Internet Explorer 5 allows a user to gain privileges by modifying the job after it has been scheduled.

Modifications:
  ADDREF XF:ie-task-scheduler-privs
  ADDREF MSKB:Q246972

INFERRED VOTE: CAN-1999-0839 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:ie-task-scheduler-privs
 Stracener> Add Ref: MSKB Q246972

=================================
Candidate: CAN-1999-0858
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: MS:MS99-054
Reference: MSKB:Q247333
Reference: BID:846
Reference: XF:ie-wpad-proxy-settings

Internet Explorer 5 allows a remote attacker to modify the IE client's proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD) server.

Modifications:
  ADDREF XF:ie-wpad-proxy-settings

INFERRED VOTE: CAN-1999-0858 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-wpad-proxy-settings

=================================
Candidate: CAN-1999-0861
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: MS:MS99-053
Reference: MSKB:Q244613
Reference: XF:iis-ssl-isapi-filter

Race condition in the SSL ISAPI filter in IIS and other servers may leak information in plaintext.

Modifications:
  ADDREF XF:iis-ssl-isapi-filter
  ADDREF MSKB:Q244613

INFERRED VOTE: CAN-1999-0861 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:iis-ssl-isapi-filter
 Stracener> Add Ref: MSKB Q244613

=================================
Candidate: CAN-1999-0867
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-029
Reference: MSKB:Q238349
Reference: CIAC:J-058
Reference: XF:http-iis-malformed-header
Reference: BID:579

Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers.

Modifications:
  ADDREF XF:http-iis-malformed-header

INFERRED VOTE: CAN-1999-0867 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:http-iis-malformed-header

=================================
Candidate: CAN-1999-0869
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-020
Reference: MSKB:167614
Reference: XF:http-frame-spoof

Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing.

Modifications:
  ADDREF XF:http-frame-spoof

INFERRED VOTE: CAN-1999-0869 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:http-frame-spoof
 Cole> A lot of these are older attacks but I guess it is good to include
 Cole> them.

=================================
Candidate: CAN-1999-0870
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-015
Reference: MSKB:169245
Reference: XF:ie-usp-cuartango

Internet Explorer 4.01 allows remote attackers to read arbitrary files by pasting a file name into the file upload control, aka untrusted scripted paste.

Modifications:
  ADDREF XF:ie-usp-cuartango

INFERRED VOTE: CAN-1999-0870 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-usp-cuartango

=================================
Candidate: CAN-1999-0871
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-013
Reference: XF:ie-crossframe-file-read

Internet Explorer 4.0 and 4.01 allow a remote attacker to read files via IE's cross frame security, aka the "Cross Frame Navigate" vulnerability.

Modifications:
  ADDREF XF:ie-crossframe-file-read

INFERRED VOTE: CAN-1999-0871 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-crossframe-file-read

=================================
Candidate: CAN-1999-0877
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MSKB:Q243638
Reference: MS:MS99-042
Reference: XF:ie-iframe-exec

Internet Explorer 5 allows remote attackers to read files via an ExecCommand method called on an IFRAME.

Modifications:
  ADDREF XF:ie-iframe-exec

INFERRED VOTE: CAN-1999-0877 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(2) Frech, Cole
   NOOP(1) Christey

COMMENTS:
 Frech> XF:ie-iframe-exec
 Cole> This attack is written up wrong. This attack allows a web site to
 Cole> read files from a user that is
 Cole> connecting to the site. This attack compromises a remote user's
 Cole> machine.
 Christey> While the description could be misinterpreted, it remains
 Christey> in the style of other CVE descriptions. The attack is still
 Christey> done remotely, although in the opposite direction of
 Christey> "typical" problems.

=================================
Candidate: CAN-1999-0886
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: unknown
Reference: MSKB:Q242294
Reference: MS:MS99-041
Reference: BID:645
Reference: XF:nt-rasman-pathname

The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager.

Modifications:
  ADDREF XF:nt-rasman-pathname

INFERRED VOTE: CAN-1999-0886 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener
   NOOP(2) Cole, Christey

COMMENTS:
 Frech> XF:nt-rasman-pathname
 Cole> This one is pretty weak.
 Stracener> Recommend: Category:CF
 Christey> The category for this could be SF or CF, depending on your
 Christey> point of view. Since categories are not the focus of CVE, we
 Christey> can leave this as "unknown"

=================================
Candidate: CAN-1999-0891
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-040
Reference: MSKB:Q242542
Reference: XF:ie-download-behavior

The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect.

Modifications:
  ADDREF XF:ie-download-behavior

INFERRED VOTE: CAN-1999-0891 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-download-behavior

=================================
Candidate: CAN-1999-0898
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo

Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request.

Modifications:
  ADDREF XF:nt-printer-spooler-bo

INFERRED VOTE: CAN-1999-0898 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey

COMMENTS:
 Frech> XF:nt-printer-spooler-bo
 Prosser> (Modify)
 Prosser> This maybe should be separated into two entries. One for the DoS which is
 Prosser> just done with random data and one for the more experienced attack of
 Prosser> gaining privileges on the host.
 Christey> While the advisory is not entirely explicit, the difference
 Christey> between the DoS and the command execution is only in effect,
 Christey> and appears to be in the same line of code, so the SF-LOC
 Christey> content decision applies here.

=================================
Candidate: CAN-1999-0899
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo

The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider.

Modifications:
  ADDREF XF:nt-printer-spooler-bo

INFERRED VOTE: CAN-1999-0899 REJECT (1 reject, 4 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey
   REJECT(1) Cole

COMMENTS:
 Frech> XF:nt-printer-spooler-bo
 Cole> This should be combined with the previous one to state it can cause
 Cole> a denial of service
 Cole> or allow commands to be executed. Just because a vulnerability can
 Cole> be exploited in different ways
 Cole> does not mean there should be separate entries since the underlying
 Cole> exploit is the same.
 Christey> This is different than CAN-1999-0898 because 898 is a buffer
 Christey> overflow, while this one is incorrect permissions. They
 Christey> are different bugs, so should have separate entries. Note
 Christey> that MS99-047 also discriminates between these two candidates,
 Christey> i.e. it contains the phrase "A second vulnerability exists..."
 Christey> and goes on to describe CAN-1999-0899.

=================================
Candidate: CAN-1999-0909
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: NAI:Windows IP Source Routing Vulnerability
Reference: MS:MS99-038
Reference: MSKB:Q238453
Reference: BID:646
Reference: XF:nt-ip-source-route

Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability.

Modifications:
  DESC add "multihomed"
  ADDREF XF:nt-ip-source-route
  ADDREF MSKB:Q238453

INFERRED VOTE: CAN-1999-0909 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(3) Frech, Cole, Stracener
   NOOP(1) Christey

COMMENTS:
 Frech> XF:nt-ip-source-route
 Cole> This only works on NT machines that are multihomed and setup as
 Cole> routers. I think
 Cole> that should be added for clarification.
 Stracener> Add Ref: MSKB Q238453
 Christey> The MS advisory states that this problem affects Windows 95/98
 Christey> as well as Windows NT.

=================================
Candidate: CAN-1999-0917
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-018
Reference: MSKB:Q231452
Reference: XF:legacy-activex-local-drive

The Preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files.

Modifications:
  ADDREF XF:legacy-activex-local-drive

INFERRED VOTE: CAN-1999-0917 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> In description, 'atrbitrary' should be spelled 'arbitrary'.
 Frech> XF:legacy-activex-local-drive

=================================
Candidate: CAN-1999-0918
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990703 IGMP fragmentation bug in Windows 98/2000
Reference: MSKB:Q238329
Reference: MS:MS99-034
Reference: XF:igmp-dos
Reference: BID:514

Denial of service in various Windows systems via malformed, fragmented IGMP packets.

Modifications:
  ADDREF XF:igmp-dos
  DESC remove specific Windows types

INFERRED VOTE: CAN-1999-0918 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Ozancin, Stracener
   MODIFY(3) Frech, Cole, Prosser

COMMENTS:
 Frech> XF:igmp-dos
 Cole> I would add fragmented after the word IGMP
 Prosser> Affected components include Microsoft Windows NT 4.0 (workstation and
 Prosser> various server versions, Win98, and Win95, all service releases and
 Prosser> editions, not just 98/2000. Also Windows 2000 is still in Beta so do we
 Prosser> want to include it before it is final operational build.

=================================
Candidate: CAN-1999-0969
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: ISS:19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service
Reference: NTBUGTRAQ:19980929 ISS Security Advisory: Snork
Reference: MS:MS98-014
Reference: MSKB:Q193233
Reference: XF:snork-dos

The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork.

Modifications:
  ADDREF XF:snork-dos
  ADDREF MSKB:Q193233

INFERRED VOTE: CAN-1999-0969 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:snork-dos
 Stracener> Add Ref: MSKB Q193233