[INTERIM] ACCEPT 38 candidates from MS (Final 1/3/2000)
I have made an Interim Decision to ACCEPT the following candidates
from the MS cluster. I will make a Final Decision on January 3, 2000.
Voters:
Wall ACCEPT(36) MODIFY(2)
Frech ACCEPT(7) MODIFY(31)
Ozancin ACCEPT(34) NOOP(4)
Christey NOOP(7)
Cole ACCEPT(27) MODIFY(9) NOOP(1) REJECT(1)
Prosser ACCEPT(36) MODIFY(2)
Stracener ACCEPT(25) MODIFY(13)
- Steve
=================================
Candidate: CAN-1999-0668
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: BID:598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308
The scriptlet.typelib ActiveX control is marked as "safe for
scripting" for Internet Explorer, which allows a remote attacker to
execute arbitrary commands as demonstrated by Bubbleboy.
Modifications:
ADDREF XF:ms-scriptlet-eyedog-unsafe
ADDREF MSKB:Q240308
INFERRED VOTE: CAN-1999-0668 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
COMMENTS:
Frech> XF:ms-scriptlet-eyedog-unsafe
Wall> Note: Was this not CVE 199-0376?
Stracener> Add Ref: MSKB Q240308
=================================
Candidate: CAN-1999-0669
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308
The Eyedog ActiveX control is marked as "safe for scripting" for
Internet Explorer, which allows a remote attacker to execute arbitrary
commands as demonstrated by Bubbleboy.
Modifications:
XF:ms-scriptlet-eyedog-unsafe
MSKB:Q240308
INFERRED VOTE: CAN-1999-0669 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
COMMENTS:
Frech> XF:ms-scriptlet-eyedog-unsafe
Stracener> Add Ref: MSKB Q240308
=================================
Candidate: CAN-1999-0680
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-028
Reference: MSKB:Q238600
Reference: CIAC:J-057
Reference: BID:571
Reference: XF:nt-terminal-dos
Windows NT Terminal Server performs extra work when a client opens a
new connection but before it is authenticated, allowing for a denial
of service.
Modifications:
DESC add "new connection" phrase
INFERRED VOTE: CAN-1999-0680 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Frech, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Cole
COMMENTS:
Cole> This happens not whenever a client authenticates but when they open
Cole> up a new connection.
Cole> It should be changed to
Cole> Windows NT Terminal Server performs extra work before a client is
Cole> authenticated,
Cole> when a new connection is open, allowing for a denial of service
Cole> attack.
=================================
Candidate: CAN-1999-0682
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-027
Reference: MSKB:Q237927
Reference: BID:567
Reference: CIAC:J-056
Reference: XF:exchange-relay
Microsoft Exchange 5.5 allows a remote attacker to relay email
(i.e. spam) using encapsulated SMTP addresses, even if the
anti-relaying features are enabled.
Modifications:
ADDREF CIAC:J-056
INFERRED VOTE: CAN-1999-0682 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Frech, Cole, Wall, Prosser, Ozancin
MODIFY(1) Stracener
COMMENTS:
Stracener> Add Ref: CIAC: J-056
=================================
Candidate: CAN-1999-0700
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MSKB:Q237185
Reference: MS:MS99-026
Reference: XF:nt-malformed-dialer
Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed
dialer entry in the dialer.ini file.
Modifications:
ADDREF XF:nt-malformed-dialer
DESC add dialer.ini phrase
INFERRED VOTE: CAN-1999-0700 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Wall, Prosser, Ozancin, Stracener
MODIFY(2) Frech, Cole
COMMENTS:
Frech> XF:nt-malformed-dialer
Cole> This is not clear, I would change it to
Cole> Buffer overflow in Microsoft NT Phone dialer program, dialer.exe,
Cole> when it calls the dialer.ini file.
=================================
Candidate: CAN-1999-0701
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-036
Reference: MSKB:Q17039
Reference: BID:626
Reference: XF:nt-install-unattend-file
After an unattended installation of Windows NT 4.0, an installation
file could include sensitive information such as the local
Administrator password.
Modifications:
ADDREF XF:nt-install-unattend-file
ADDREF MSKB:Q17039
INFERRED VOTE: CAN-1999-0701 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
COMMENTS:
Frech> XF:nt-install-unattend-file
Stracener> Add Ref: MSKB Q17039
=================================
Candidate: CAN-1999-0702
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs
Reference: MS:MS99-037
Reference: MSKB:Q241631
Reference: XF:ie5-import-export-favorites
Reference: BID:627
Internet Explorer 5.0 and 5.01 allows remote attackers to modify or
execute files via the Import/Export Favorites feature, aka the
"ImportExportFavorites" vulnerability.
Modifications:
DESC add "execute files"
ADDREF XF:ie5-import-export-favorites
INFERRED VOTE: CAN-1999-0702 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Prosser, Ozancin, Stracener
MODIFY(3) Frech, Cole, Wall
COMMENTS:
Frech> XF:ie5-import-export-favorites
Cole> The key exploit is to modify files but to cause system commands to
Cole> be executed.
Cole> Should be changed to:
Cole> Internet Explorer 5.0 allows remote attackers to modify and/or
Cole> execute files via the
Cole> Import/Export Favorites feature, aka the "ImportExportFavorites"
Cole> vulnerability.
Wall> This now applies to IE 5 and 5.01, so replace 5.0 with 5/5.01.
=================================
Candidate: CAN-1999-0715
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990519 Buffer Overruns in RAS allows execution of arbitary code as system
Reference: MS:MS99-016
Reference: MSKB:Q230667
Reference: XF:nt-ras-bo
Buffer overflow in Remote Access Service (RAS) client allows an
attacker to execute commands or cause a denial of service via a
malformed phonebook entry.
Modifications:
DESC add DoS/exec
CHANGEREF BUGTRAQ [add date]
INFERRED VOTE: CAN-1999-0715 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Frech, Wall, Ozancin, Stracener
MODIFY(2) Cole, Prosser
NOOP(1) Christey
COMMENTS:
Cole> This attack can also cause arbitrary code to be executed. It should
Cole> be changed to:
Cole> An exploit in the Remote Access Service (RAS) client via a
Cole> malformed
Cole> phonebook entry can cause either a denial of service or arbitrary
Cole> code to be
Cole> executed, all caused by a buffer overflow.
Prosser> This vulnerability can cause a DoS or under certain circumstances allow
Prosser> arbitrary code to run. Believe this should be split into two vulnerabilities,
Prosser> though both are the result of the buffer overflow.
Christey> Since there is a single buffer overflow which can allow
Christey> either to occur, the SF-LOC (Same Line-of-Code) content
Christey> decision says we should keep this as a single item, although
Christey> there are multiple effects.
=================================
Candidate: CAN-1999-0716
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:nt-helpfile-bo
Reference: MSKB:Q231605
Reference: MS:MS99-015
Buffer overflow in Windows NT 4.0 help file utility via a malformed
help file.
INFERRED VOTE: CAN-1999-0716 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener
=================================
Candidate: CAN-1999-0717
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-014
Reference: MSKB:Q231304
Reference: XF:excel-virus-warning
A remote attacker can disable the virus warning mechanism in Microsoft
Excel 97.
Modifications:
ADDREF XF:excel-virus-warning
ADDREF MSKB:Q231304
INFERRED VOTE: CAN-1999-0717 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
COMMENTS:
Frech> XF:excel-virus-warning
Stracener> Add Ref: MSKB Q231304
=================================
Candidate: CAN-1999-0721
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BINDVIEW:Phantom Technical Advisory
Reference: MSKB:Q231457
Reference: MS:MS99-020
Reference: CIAC:J-049
Reference: XF:msrpc-lsa-lookupnames-dos
Denial of service in Windows NT Local Security Authority (LSA) through
a malformed LSA request.
Modifications:
ADDREF XF:msrpc-lsa-lookupnames-dos
INFERRED VOTE: CAN-1999-0721 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:msrpc-lsa-lookupnames-dos
=================================
Candidate: CAN-1999-0723
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-021
Reference: CIAC:J-049
Reference: XF:nt-csrss-dos
Reference: MSKB:Q233323
The Windows NT Client Server Runtime Subsystem (CSRSS) can be
subjected to a denial of service when all worker threads are waiting
for user input.
Modifications:
CHANGEREF MSKB:Q231323 Q233323
INFERRED VOTE: CAN-1999-0723 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Prosser, Ozancin, Stracener
MODIFY(2) Frech, Wall
COMMENTS:
Frech> MODREF MSKB: change Q231323 to Q233323.
Wall> The MSKB should be Q233323, not Q231323.
=================================
Candidate: CAN-1999-0725
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MSKB:Q233335
Reference: MS:MS99-022
Reference: XF:iis-double-byte-code-page
When IIS is run with a default language of Chinese, Korean, or
Japanese, it allows a remote attacker to view the source code of
certain files, a.k.a. "Double Byte Code Page".
INFERRED VOTE: CAN-1999-0725 ACCEPT (5 accept, 0 review)
VOTES:
ACCEPT(5) Frech, Cole, Wall, Prosser, Stracener
NOOP(1) Ozancin
=================================
Candidate: CAN-1999-0726
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-023
Reference: MSKB:Q234557
Reference: XF:nt-malformed-image-header
An attacker can conduct a denial of service in Windows NT by executing
a program with a malformed file image header.
Modifications:
ADDREF XF:nt-malformed-image-header
INFERRED VOTE: CAN-1999-0726 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-malformed-image-header
=================================
Candidate: CAN-1999-0728
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-024
Reference: MSKB:Q236359
Reference: XF:nt-ioctl-dos
A Windows NT user can disable the keyboard or mouse by directly
calling the IOCTLs which control them.
Modifications:
ADDREF XF:nt-ioctl-dos
INFERRED VOTE: CAN-1999-0728 ACCEPT (5 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Stracener
MODIFY(1) Frech
NOOP(1) Ozancin
COMMENTS:
Frech> XF:nt-ioctl-dos
=================================
Candidate: CAN-1999-0749
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990815 telnet.exe heap overflow - remotely exploitable
Reference: MS:MS99-033
Reference: XF:win-ie5-telnet-heap-overflow
Reference: BID:586
Buffer overflow in Microsoft Telnet client in Windows 95 and Windows
98 via a malformed Telnet argument.
INFERRED VOTE: CAN-1999-0749 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener
=================================
Candidate: CAN-1999-0755
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:nt-ras-pwcache
Reference: MSKB:Q230681
Reference: MS:MS99-017
Windows NT RRAS and RAS clients cache a user's password even if the
user has not selected the "Save password" option.
INFERRED VOTE: CAN-1999-0755 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener
=================================
Candidate: CAN-1999-0766
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-031
Reference: MSKB:Q240346
Reference: BID:600
Reference: XF:msvm-verifier-java
The Microsoft Java Virtual Machine allows a malicious Java applet to
execute arbitrary commands outside of the sandbox environment.
Modifications:
ADDREF XF:msvm-verifier-java
INFERRED VOTE: CAN-1999-0766 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:msvm-verifier-java
=================================
Candidate: CAN-1999-0777
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-039
Reference: MSKB:Q241407
Reference: MSKB:Q242559
Reference: XF:iis-ftp-no-access-files
Reference: BID:658
IIS FTP servers may allow a remote attacker to read or delete files on
the server, even if they have "No Access" permissions.
Modifications:
ADDREF MSKB:Q241407
ADDREF MSKB:Q242559
ADDREF XF:iis-ftp-no-access-files
INFERRED VOTE: CAN-1999-0777 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Wall, Prosser, Ozancin
MODIFY(3) Frech, Cole, Stracener
NOOP(1) Christey
COMMENTS:
Frech> XF:iis-ftp-no-access-files
Cole> This attack only works if you access a ftp site via a web browser.
Cole> If you go through an ftp client
Cole> it will not work.
Stracener> Add Ref: MSKB Q241407
Stracener> Add Ref: MSKB Q242559
Christey> Saying the attack only works through a web browser provides
Christey> too much detail for a CVE description.
=================================
Candidate: CAN-1999-0793
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-043
Reference: XF:ie-java-redirect
Internet Explorer allows remote attackers to read files by redirecting
data to a Javascript applet.
Modifications:
ADDREF XF:ie-java-redirect
INFERRED VOTE: CAN-1999-0793 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-java-redirect
=================================
Candidate: CAN-1999-0794
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-044
Reference: XF:excel-sylk
Reference: MSKB:Q241900
Reference: MSKB:Q241901
Reference: MSKB:Q241902
Microsoft Excel does not warn a user when a macro is present in a
Symbolic Link (SYLK) format file.
Modifications:
ADDREF XF:excel-sylk
ADDREF MSKB:Q241900
ADDREF MSKB:Q241901
ADDREF MSKB:Q241902
INFERRED VOTE: CAN-1999-0794 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
COMMENTS:
Frech> XF:excel-sylk
Stracener> Add Ref: MSKB Q241900
Stracener> Add Ref: MSKB Q241901
Stracener> Add Ref: MSKB Q241902
=================================
Candidate: CAN-1999-0802
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990503 MSIE 5 FAVICON BUG
Reference: MS:MS99-018
Reference: MSKB:Q231450
Reference: XF:ie-favicon
Buffer overflow in Internet Explorer 5 allows remote attackers to
execute commands via a malformed Favorites icon.
Modifications:
ADDREF XF:ie-favicon
ADDREF BUGTRAQ:19990503 MSIE 5 FAVICON BUG
DESC reword
INFERRED VOTE: CAN-1999-0802 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Wall, Prosser, Ozancin
MODIFY(3) Frech, Cole, Stracener
COMMENTS:
Frech> XF:ie-favicon
Cole> This attack also allows code to be executed on the machine.
Stracener> Add Ref: BUGTRAQ:19990503 MSIE 5 FAVICON BUG
=================================
Candidate: CAN-1999-0839
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation
Reference: MS:MS99-051
Reference: MSKB:Q246972
Reference: XF:ie-task-scheduler-privs
Reference: BID:828
Windows NT Task Scheduler installed with Internet Explorer 5 allows a
user to gain privileges by modifying the job after it has been
scheduled.
Modifications:
ADDREF XF:ie-task-scheduler-privs
ADDREF MSKB:Q246972
INFERRED VOTE: CAN-1999-0839 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
COMMENTS:
Frech> XF:ie-task-scheduler-privs
Stracener> Add Ref: MSKB Q246972
=================================
Candidate: CAN-1999-0858
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: MS:MS99-054
Reference: MSKB:Q247333
Reference: BID:846
Reference: XF:ie-wpad-proxy-settings
Internet Explorer 5 allows a remote attacker to modify the IE client's
proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD)
server.
Modifications:
ADDREF XF:ie-wpad-proxy-settings
INFERRED VOTE: CAN-1999-0858 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-wpad-proxy-settings
=================================
Candidate: CAN-1999-0861
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: MS:MS99-053
Reference: MSKB:Q244613
Reference: XF:iis-ssl-isapi-filter
Race condition in the SSL ISAPI filter in IIS and other servers may
leak information in plaintext.
Modifications:
ADDREF XF:iis-ssl-isapi-filter
ADDREF MSKB:Q244613
INFERRED VOTE: CAN-1999-0861 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
COMMENTS:
Frech> XF:iis-ssl-isapi-filter
Stracener> Add Ref: MSKB Q244613
=================================
Candidate: CAN-1999-0867
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-029
Reference: MSKB:Q238349
Reference: CIAC:J-058
Reference: XF:http-iis-malformed-header
Reference: BID:579
Denial of service in IIS 4.0 via a flood of HTTP requests with
malformed headers.
Modifications:
ADDREF XF:http-iis-malformed-header
INFERRED VOTE: CAN-1999-0867 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:http-iis-malformed-header
=================================
Candidate: CAN-1999-0869
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-020
Reference: MSKB:167614
Reference: XF:http-frame-spoof
Internet Explorer 3.x to 4.01 allows a remote attacker to insert
malicious content into a frame of another web site, aka frame
spoofing.
Modifications:
ADDREF XF:http-frame-spoof
INFERRED VOTE: CAN-1999-0869 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:http-frame-spoof
Cole> A lot of these are older attacks but I guess it is good to include
Cole> them.
=================================
Candidate: CAN-1999-0870
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-015
Reference: MSKB:169245
Reference: XF:ie-usp-cuartango
Internet Explorer 4.01 allows remote attackers to read arbitrary files
by pasting a file name into the file upload control, aka untrusted
scripted paste.
Modifications:
ADDREF XF:ie-usp-cuartango
INFERRED VOTE: CAN-1999-0870 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-usp-cuartango
=================================
Candidate: CAN-1999-0871
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-013
Reference: XF:ie-crossframe-file-read
Internet Explorer 4.0 and 4.01 allow a remote attacker to read files
via IE's cross frame security, aka the "Cross Frame Navigate"
vulnerability.
Modifications:
ADDREF XF:ie-crossframe-file-read
INFERRED VOTE: CAN-1999-0871 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-crossframe-file-read
=================================
Candidate: CAN-1999-0877
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MSKB:Q243638
Reference: MS:MS99-042
Reference: XF:ie-iframe-exec
Internet Explorer 5 allows remote attackers to read files via an
ExecCommand method called on an IFRAME.
Modifications:
ADDREF XF:ie-iframe-exec
INFERRED VOTE: CAN-1999-0877 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Wall, Prosser, Ozancin, Stracener
MODIFY(2) Frech, Cole
NOOP(1) Christey
COMMENTS:
Frech> XF:ie-iframe-exec
Cole> This attack is written up wrong. This attack allows a web site to
Cole> read files from a user that is
Cole> connecting to the site. This attack compromises a remote user's
Cole> machine.
Christey> While the description could be misinterpreted, it remains
Christey> in the style of other CVE descriptions. The attack is still
Christey> done remotely, although in the opposite direction of
Christey> "typical" problems.
=================================
Candidate: CAN-1999-0886
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: unknown
Reference: MSKB:Q242294
Reference: MS:MS99-041
Reference: BID:645
Reference: XF:nt-rasman-pathname
The security descriptor for RASMAN allows users to point to an
alternate location via the Windows NT Service Control Manager.
Modifications:
ADDREF XF:nt-rasman-pathname
INFERRED VOTE: CAN-1999-0886 ACCEPT (5 accept, 0 review)
VOTES:
ACCEPT(3) Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
NOOP(2) Cole, Christey
COMMENTS:
Frech> XF:nt-rasman-pathname
Cole> This one is pretty weak.
Stracener> Recommend: Category:CF
Christey> The category for this could be SF or CF, depending on your
Christey> point of view. Since categories are not the focus of CVE, we
Christey> can leave this as "unknown"
=================================
Candidate: CAN-1999-0891
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-040
Reference: MSKB:Q242542
Reference: XF:ie-download-behavior
The "download behavior" in Internet Explorer 5 allows remote attackers
to read arbitrary files via a server-side redirect.
Modifications:
ADDREF XF:ie-download-behavior
INFERRED VOTE: CAN-1999-0891 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> XF:ie-download-behavior
=================================
Candidate: CAN-1999-0898
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo
Buffer overflows in Windows NT 4.0 print spooler allow remote
attackers to gain privileges or cause a denial of service via a
malformed spooler request.
Modifications:
ADDREF XF:nt-printer-spooler-bo
INFERRED VOTE: CAN-1999-0898 ACCEPT (5 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Stracener
MODIFY(1) Frech
NOOP(2) Ozancin, Christey
COMMENTS:
Frech> XF:nt-printer-spooler-bo
Prosser> (Modify)
Prosser> This maybe should be separated into two entries. One for the DoS which is
Prosser> just done with random data and one for the more experienced attack of
Prosser> gaining privileges on the host.
Christey> While the advisory is not entirely explicit, the difference
Christey> between the DoS and the command execution is only in effect,
Christey> and appears to be in the same line of code, so the SF-LOC
Christey> content decision applies here.
=================================
Candidate: CAN-1999-0899
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo
The Windows NT 4.0 print spooler allows a local user to execute
arbitrary commands due to inappropriate permissions that allow the
user to specify an alternate print provider.
Modifications:
ADDREF XF:nt-printer-spooler-bo
INFERRED VOTE: CAN-1999-0899 REJECT (1 reject, 4 accept, 0 review)
VOTES:
ACCEPT(3) Wall, Prosser, Stracener
MODIFY(1) Frech
NOOP(2) Ozancin, Christey
REJECT(1) Cole
COMMENTS:
Frech> XF:nt-printer-spooler-bo
Cole> This should be combined with the previous one to state it can cause
Cole> a denial of service
Cole> or allow commands to be executed. Just because a vulnerability can
Cole> be exploited in different ways
Cole> does not mean there should be separate entries since the underlying
Cole> exploit is the same.
Christey> This is different than CAN-1999-0898 because 898 is a buffer
Christey> overflow, while this one is incorrect permissions. They
Christey> are different bugs, so should have separate entries. Note
Christey> that MS99-047 also discriminates between these two candidates,
Christey> i.e. it contains the phrase "A second vulnerability exists..."
Christey> and goes on to describe CAN-1999-0899.
=================================
Candidate: CAN-1999-0909
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: NAI:Windows IP Source Routing Vulnerability
Reference: MS:MS99-038
Reference: MSKB:Q238453
Reference: BID:646
Reference: XF:nt-ip-source-route
Multihomed Windows systems allow a remote attacker to bypass IP
source routing restrictions via a malformed packet with IP options,
aka the "Spoofed Route Pointer" vulnerability.
Modifications:
DESC add "multihomed"
ADDREF XF:nt-ip-source-route
ADDREF MSKB:Q238453
INFERRED VOTE: CAN-1999-0909 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Wall, Prosser, Ozancin
MODIFY(3) Frech, Cole, Stracener
NOOP(1) Christey
COMMENTS:
Frech> XF:nt-ip-source-route
Cole> This only works on NT machines that are multihomed and set up as
Cole> routers. I think
Cole> that should be added for clarification.
Stracener> Add Ref: MSKB Q238453
Christey> The MS advisory states that this problem affects Windows 95/98
Christey> as well as Windows NT.
=================================
Candidate: CAN-1999-0917
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-018
Reference: MSKB:Q231452
Reference: XF:legacy-activex-local-drive
The Preloader ActiveX control used by Internet Explorer allows remote
attackers to read arbitrary files.
Modifications:
ADDREF XF:legacy-activex-local-drive
INFERRED VOTE: CAN-1999-0917 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
COMMENTS:
Frech> In description, 'atrbitrary' should be spelled 'arbitrary'.
Frech> XF:legacy-activex-local-drive
=================================
Candidate: CAN-1999-0918
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990703 IGMP fragmentation bug in Windows 98/2000
Reference: MSKB:Q238329
Reference: MS:MS99-034
Reference: XF:igmp-dos
Reference: BID:514
Denial of service in various Windows systems via malformed, fragmented
IGMP packets.
Modifications:
ADDREF XF:igmp-dos
DESC remove specific Windows types
INFERRED VOTE: CAN-1999-0918 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(3) Wall, Ozancin, Stracener
MODIFY(3) Frech, Cole, Prosser
COMMENTS:
Frech> XF:igmp-dos
Cole> I would add fragmented after the word IGMP
Prosser> Affected components include Microsoft Windows NT 4.0 (workstation and
Prosser> various server versions), Win98, and Win95, all service releases and
Prosser> editions, not just 98/2000. Also Windows 2000 is still in Beta so do we
Prosser> want to include it before it is final operational build.
=================================
Candidate: CAN-1999-0969
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: ISS:19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service
Reference: NTBUGTRAQ:19980929 ISS Security Advisory: Snork
Reference: MS:MS98-014
Reference: MSKB:Q193233
Reference: XF:snork-dos
The Windows NT RPC service allows remote attackers to conduct a denial
of service using spoofed malformed RPC packets which generate an
error message that is sent to the spoofed host, potentially setting up
a loop, aka Snork.
Modifications:
ADDREF XF:snork-dos
ADDREF MSKB:Q193233
INFERRED VOTE: CAN-1999-0969 ACCEPT (6 accept, 0 review)
VOTES:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
COMMENTS:
Frech> XF:snork-dos
Stracener> Add Ref: MSKB Q193233