[PROPOSAL] Cluster 42 - MS (45 candidates)



The following cluster contains 45 candidates, all of which are
associated with a Microsoft Security Advisory.


Proposed: 12/8
Scheduled Proposed: 12/6
Scheduled Interim Decision: 12/20
Scheduled Final Decision: 12/24


Summary of votes to use (in ascending order of "severity"):

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

=================================
Candidate: CAN-1999-0668
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: BID:598

The scriptlet.typelib ActiveX control is marked as "safe for
scripting" for Internet Explorer, which allows a remote attacker to
execute arbitrary commands as demonstrated by Bubbleboy.

VOTE:

=================================
Candidate: CAN-1999-0669
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064

The Eyedog ActiveX control is marked as "safe for scripting" for
Internet Explorer, which allows a remote attacker to execute arbitrary
commands as demonstrated by Bubbleboy.

VOTE:

=================================
Candidate: CAN-1999-0670
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064

Buffer overflow in the Eyedog ActiveX control allows a remote attacker
to execute arbitrary commands.

VOTE:

=================================
Candidate: CAN-1999-0680
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-028
Reference: MSKB:Q238600
Reference: CIAC:J-057
Reference: BID:571
Reference: XF:nt-terminal-dos

Windows NT Terminal Server performs extra work before a client is
authenticated, allowing for a denial of service.

VOTE:

=================================
Candidate: CAN-1999-0682
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:exchange-relay
Reference: MS:MS99-027
Reference: MSKB:Q237927
Reference: BID:567

Microsoft Exchange 5.5 allows a remote attacker to relay email
(i.e. spam) using encapsulated SMTP addresses, even if the
anti-relaying features are enabled.

VOTE:

=================================
Candidate: CAN-1999-0700
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MSKB:Q237185
Reference: MS:MS99-026

Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed
dialer entry.

VOTE:

=================================
Candidate: CAN-1999-0701
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-036
Reference: BID:626

After an unattended installation of Windows NT 4.0, an installation
file could include sensitive information such as the local
Administrator password.

VOTE:

=================================
Candidate: CAN-1999-0702
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs
Reference: MS:MS99-037
Reference: MSKB:Q241631
Reference: BID:627

Internet Explorer 5.0 allows remote attackers to modify files via the
Import/Export Favorites feature, aka the "ImportExportFavorites"
vulnerability.

VOTE:

=================================
Candidate: CAN-1999-0715
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:Buffer Overruns in RAS allows execution of arbitary code as system
Reference: MS:MS99-016
Reference: MSKB:Q230667
Reference: XF:nt-ras-bo

Buffer overflow in Remote Access Service (RAS) client via a malformed
phonebook entry.

VOTE:

=================================
Candidate: CAN-1999-0716
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:nt-helpfile-bo
Reference: MSKB:Q231605
Reference: MS:MS99-015

Buffer overflow in Windows NT 4.0 help file utility via a malformed
help file.

VOTE:

=================================
Candidate: CAN-1999-0717
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-014

A remote attacker can disable the virus warning mechanism in Microsoft
Excel 97.

VOTE:

=================================
Candidate: CAN-1999-0721
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BINDVIEW:Phantom Technical Advisory
Reference: MSKB:Q231457
Reference: MS:MS99-020
Reference: CIAC:J-049

Denial of service in Windows NT Local Security Authority (LSA) through
a malformed LSA request.

VOTE:

=================================
Candidate: CAN-1999-0723
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-021
Reference: CIAC:J-049
Reference: XF:nt-csrss-dos
Reference: MSKB:Q231323

The Windows NT Client Server Runtime Subsystem (CSRSS) can be
subjected to a denial of service when all worker threads are waiting
for user input.

VOTE:

=================================
Candidate: CAN-1999-0725
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MSKB:Q233335
Reference: MS:MS99-022
Reference: XF:iis-double-byte-code-page

When IIS is run with a default language of Chinese, Korean, or
Japanese, it allows a remote attacker to view the source code of
certain files, a.k.a. "Double Byte Code Page".

VOTE:

=================================
Candidate: CAN-1999-0726
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-023
Reference: MSKB:Q234557

An attacker can conduct a denial of service in Windows NT by executing
a program with a malformed file image header.

VOTE:

=================================
Candidate: CAN-1999-0728
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-024
Reference: MSKB:Q236359

A Windows NT user can disable the keyboard or mouse by directly
calling the IOCTLs which control them.

VOTE:

=================================
Candidate: CAN-1999-0736
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368

The showcode.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.

VOTE:

=================================
Candidate: CAN-1999-0737
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q231656

The viewcode.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.

VOTE:

=================================
Candidate: CAN-1999-0738
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368

The code.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.

VOTE:

=================================
Candidate: CAN-1999-0739
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368

The codebrws.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.

VOTE:

=================================
Candidate: CAN-1999-0749
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990815 telnet.exe heap overflow - remotely exploitable
Reference: MS:MS99-033
Reference: XF:win-ie5-telnet-heap-overflow
Reference: BID:586

Buffer overflow in Microsoft Telnet client in Windows 95 and Windows
98 via a malformed Telnet argument.

VOTE:

=================================
Candidate: CAN-1999-0755
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:nt-ras-pwcache
Reference: MSKB:Q230681
Reference: MS:MS99-017

Windows NT RRAS and RAS clients cache a user's password even if the
user has not selected the "Save password" option.

VOTE:

=================================
Candidate: CAN-1999-0766
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-031
Reference: MSKB:Q240346
Reference: BID:600

The Microsoft Java Virtual Machine allows a malicious Java applet to
execute arbitrary commands outside of the sandbox environment.

VOTE:

=================================
Candidate: CAN-1999-0777
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-039
Reference: BID:658

IIS FTP servers may allow a remote attacker to read or delete files on
the server, even if they have "No Access" permissions.

VOTE:

=================================
Candidate: CAN-1999-0793
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-043

Internet Explorer allows remote attackers to read files by redirecting
data to a Javascript applet.

VOTE:

=================================
Candidate: CAN-1999-0794
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-044

Microsoft Excel does not warn a user when a macro is present in a
Symbolic Link (SYLK) format file.

VOTE:

=================================
Candidate: CAN-1999-0802
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-018
Reference: MSKB:Q231450

Internet Explorer 5 has a buffer overflow that allows remote attackers
to crash the browser by providing a malformed Favorites icon.

VOTE:

=================================
Candidate: CAN-1999-0839
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation
Reference: MS:MS99-051
Reference: BID:828

Windows NT Task Scheduler installed with Internet Explorer 5 allows a
user to gain privileges by modifying the job after it has been
scheduled.

VOTE:

=================================
Candidate: CAN-1999-0858
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: MS:MS99-054
Reference: MSKB:Q247333
Reference: BID:846

Internet Explorer 5 allows a remote attacker to modify the IE client's
proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD)
server.

VOTE:

=================================
Candidate: CAN-1999-0861
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: MS:MS99-053

Race condition in the SSL ISAPI filter in IIS and other servers may
leak information in plaintext.

VOTE:

=================================
Candidate: CAN-1999-0867
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-029
Reference: MSKB:Q238349
Reference: CIAC:J-058
Reference: BID:579

Denial of service in IIS 4.0 via a flood of HTTP requests with
malformed headers.

VOTE:

=================================
Candidate: CAN-1999-0869
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-020
Reference: MSKB:167614

Internet Explorer 3.x to 4.01 allows a remote attacker to insert
malicious content into a frame of another web site, aka frame
spoofing.

VOTE:

=================================
Candidate: CAN-1999-0870
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-015
Reference: MSKB:169245

Internet Explorer 4.01 allows remote attackers to read arbitrary files
by pasting a file name into the file upload control, aka untrusted
scripted paste.

VOTE:

=================================
Candidate: CAN-1999-0871
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-013

Internet Explorer 4.0 and 4.01 allow a remote attacker to read files
via IE's cross frame security, aka the "Cross Frame Navigate"
vulnerability.

VOTE:

=================================
Candidate: CAN-1999-0874
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-019
Reference: MSKB:Q234905
Reference: EEYE:AD06081999
Reference: CERT:CA-99-07
Reference: CIAC:J-048

Buffer overflow in IIS via a malformed request for files with .HTR,
.IDC, or .STM extensions.

VOTE:

=================================
Candidate: CAN-1999-0877
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MSKB:Q243638
Reference: MS:MS99-042

Internet Explorer 5 allows remote attackers to read files via an
ExecCommand method called on an IFRAME.

VOTE:

=================================
Candidate: CAN-1999-0886
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: unknown
Reference: MSKB:Q242294
Reference: MS:MS99-041
Reference: BID:645

The security descriptor for RASMAN allows users to point to an
alternate location via the Windows NT Service Control Manager.

VOTE:

=================================
Candidate: CAN-1999-0891
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-040
Reference: MSKB:Q242542

The "download behavior" in Internet Explorer 5 allows remote attackers
to read arbitrary files via a server-side redirect.

VOTE:

=================================
Candidate: CAN-1999-0898
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649

Buffer overflows in Windows NT 4.0 print spooler allow remote
attackers to gain privileges or cause a denial of service via a
malformed spooler request.

VOTE:

=================================
Candidate: CAN-1999-0899
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649

The Windows NT 4.0 print spooler allows a local user to execute
arbitrary commands due to inappropriate permissions that allow the
user to specify an alternate print provider.

VOTE:

=================================
Candidate: CAN-1999-0909
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: NAI:Windows IP Source Routing Vulnerability
Reference: BID:646
Reference: MS:MS99-038

Windows systems allow a remote attacker to bypass IP source
routing restrictions via a malformed packet with IP options.

VOTE:

=================================
Candidate: CAN-1999-0910
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-035
Reference: BID:625

Microsoft Site Server and Commercial Internet System (MCIS) do not set
an expiration for a cookie, which could then be cached by a proxy and
inadvertently used by a different user.

VOTE:

=================================
Candidate: CAN-1999-0917
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-018
Reference: MSKB:Q231452

The Preloader ActiveX control used by Internet Explorer allows remote
attackers to read arbitrary files.

VOTE:

=================================
Candidate: CAN-1999-0918
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990703 IGMP fragmentation bug in Windows 98/2000
Reference: MSKB:Q238329
Reference: MS:MS99-034
Reference: BID:514

Denial of service in Windows 98 and Windows 2000 systems via
malformed IGMP packets.

VOTE:

=================================
Candidate: CAN-1999-0969
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: ISS:19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service
Reference: NTBUGTRAQ:19980929 ISS Security Advisory: Snork
Reference: MS:MS98-014

The Windows NT RPC service allows remote attackers to conduct a denial
of service using spoofed malformed RPC packets which generate an
error message that is sent to the spoofed host, potentially setting up
a loop, aka Snork.

VOTE:

Page Last Updated or Reviewed: May 22, 2007