[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[INTERIM] ACCEPT 38 candidates from MS (Final 1/3/2000)



I have made an Interim Decision to ACCEPT the following candidates
from the MS cluster.  I will make a Final Decision on January 3, 2000.

Voters:
  Wall ACCEPT(36) MODIFY(2)
  Frech ACCEPT(7) MODIFY(31)
  Ozancin ACCEPT(34) NOOP(4)
  Christey NOOP(7)
  Cole ACCEPT(27) MODIFY(9) NOOP(1) REJECT(1)
  Prosser ACCEPT(36) MODIFY(2)
  Stracener ACCEPT(25) MODIFY(13)

- Steve


=================================
Candidate: CAN-1999-0668
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: BID:598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The scriptlet.typelib ActiveX control is marked as "safe for
scripting" for Internet Explorer, which allows a remote attacker to
execute arbitrary commands as demonstrated by Bubbleboy.

Modifications:
  ADDREF XF:ms-scriptlet-eyedog-unsafe
  ADDREF MSKB:Q240308

INFERRED VOTE: CAN-1999-0668 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Wall> Note:  Was this not CVE 199-0376?
 Stracener> Add Ref: MSKB Q240308


=================================
Candidate: CAN-1999-0669
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

The Eyedog ActiveX control is marked as "safe for scripting" for
Internet Explorer, which allows a remote attacker to execute arbitrary
commands as demonstrated by Bubbleboy.

Modifications:
  XF:ms-scriptlet-eyedog-unsafe
  MSKB:Q240308

INFERRED VOTE: CAN-1999-0669 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:ms-scriptlet-eyedog-unsafe
 Stracener> Add Ref: MSKB Q240308


=================================
Candidate: CAN-1999-0680
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-028
Reference: MSKB:Q238600
Reference: CIAC:J-057
Reference: BID:571
Reference: XF:nt-terminal-dos

Windows NT Terminal Server performs extra work when a client opens a
new connection but before it is authenticated, allowing for a denial
of service.

Modifications:
  DESC add "new connection" phrase

INFERRED VOTE: CAN-1999-0680 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Frech, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> This happens not whenever a client authenticates but when they open
 Cole> up a new connection.
 Cole> It should be changed to
 Cole> Windows NT Terminal Server performs extra work before a client is
 Cole> authenticated,
 Cole> when a new connection is open, allowing for a denial of service
 Cole> attack.


=================================
Candidate: CAN-1999-0682
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-027
Reference: MSKB:Q237927
Reference: BID:567
Reference: CIAC:J-056
Reference: XF:exchange-relay

Microsoft Exchange 5.5 allows a remote attacker to relay email
(i.e. spam) using encapsulated SMTP addresses, even if the
anti-relaying features are enabled.

Modifications:
  ADDREF CIAC:J-056

INFERRED VOTE: CAN-1999-0682 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Frech, Cole, Wall, Prosser, Ozancin
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: CIAC: J-056


=================================
Candidate: CAN-1999-0700
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MSKB:Q237185
Reference: MS:MS99-026
Reference: XF:nt-malformed-dialer

Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed
dialer entry in the dialer.ini file.

Modifications:
  ADDREF XF:nt-malformed-dialer
  DESC add dialer.ini phrase

INFERRED VOTE: CAN-1999-0700 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(2) Frech, Cole

COMMENTS:
 Frech> XF:nt-malformed-dialer
 Cole> This is not clear, I would change it to
 Cole> Buffer overflow in Microsoft NT Phone dialer program, dialer.exe,
 Cole> when it calls the dialer.ini file.


=================================
Candidate: CAN-1999-0701
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-036
Reference: MSKB:Q17039
Reference: BID:626
Reference: XF:nt-install-unattend-file

After an unattended installation of Windows NT 4.0, an installation
file could include sensitive information such as the local
Administrator password.

Modifications:
  ADDREF XF:nt-install-unattend-file
  ADDREF MSKB:Q17039

INFERRED VOTE: CAN-1999-0701 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:nt-install-unattend-file
 Stracener> Add Ref: MSKB Q17039


=================================
Candidate: CAN-1999-0702
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990909 IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs
Reference: MS:MS99-037
Reference: MSKB:Q241631
Reference: XF:ie5-import-export-favorites
Reference: BID:627

Internet Explorer 5.0 and 5.01 allows remote attackers to modify or
execute files via the Import/Export Favorites feature, aka the
"ImportExportFavorites" vulnerability.

Modifications:
  DESC add "execute files"
  ADDREF XF:ie5-import-export-favorites

INFERRED VOTE: CAN-1999-0702 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Prosser, Ozancin, Stracener
   MODIFY(3) Frech, Cole, Wall

COMMENTS:
 Frech> XF:ie5-import-export-favorites
 Cole> The key exploit is to modify files but to cause system commands to
 Cole> be executed.
 Cole> Should be changed to:
 Cole> Internet Explorer 5.0 allows remote attackers to modify and/or
 Cole> execute files via the
 Cole> Import/Export Favorites feature, aka the "ImportExportFavorites"
 Cole> vulnerability.
 Wall> This now applies to IE 5 and 5.01, so replace 5.0 with 5/5.01.


=================================
Candidate: CAN-1999-0715
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990519 Buffer Overruns in RAS allows execution of arbitary code as system
Reference: MS:MS99-016
Reference: MSKB:Q230667
Reference: XF:nt-ras-bo

Buffer overflow in Remote Access Service (RAS) client allows an
attacker to execute commands or cause a denial of service via a
malformed phonebook entry.

Modifications:
  DESC add DoS/exec
  CHANGEREF BUGTRAQ [add date]

INFERRED VOTE: CAN-1999-0715 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Frech, Wall, Ozancin, Stracener
   MODIFY(2) Cole, Prosser
   NOOP(1) Christey

COMMENTS:
 Cole> This attack can also cause abtrary code to be executed.  It should
 Cole> be changed to:
 Cole> An exploit in the in Remote Access Service (RAS) client via a
 Cole> malformed
 Cole> phonebook entry can cause either a denial of service or arbitrary
 Cole> code to be
 Cole> executed, all caused by a buffer overflow..
 Prosser> This vulnerability can cause a DoS or under certain circumstances allow
 Prosser> arbitrary code to run.  Believe this should be split into two vulnerabities,
 Prosser> though both are the result of the buffer overflow.
 Christey> Since there is a single buffer overflow which can allow
 Christey> either to occur, the SF-LOC (Same Line-of-Code) content
 Christey> decision says we should keep this as a single item, although
 Christey> there are multiple effects.


=================================
Candidate: CAN-1999-0716
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:nt-helpfile-bo
Reference: MSKB:Q231605
Reference: MS:MS99-015

Buffer overflow in Windows NT 4.0 help file utility via a malformed
help file.

INFERRED VOTE: CAN-1999-0716 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener


=================================
Candidate: CAN-1999-0717
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-014
Reference: MSKB:Q231304
Reference: XF:excel-virus-warning

A remote attacker can disable the virus warning mechanism in Microsoft
Excel 97.

Modifications:
  ADDREF XF:excel-virus-warning
  ADDREF MSKB:Q231304

INFERRED VOTE: CAN-1999-0717 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:excel-virus-warning
 Stracener> Add Ref: MSKB Q231304


=================================
Candidate: CAN-1999-0721
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BINDVIEW:Phantom Technical Advisory
Reference: MSKB:Q231457
Reference: MS:MS99-020
Reference: CIAC:J-049
Reference: XF:msrpc-lsa-lookupnames-dos

Denial of service in Windows NT Local Security Authority (LSA) through
a malformed LSA request.

Modifications:
  ADDREF XF:msrpc-lsa-lookupnames-dos

INFERRED VOTE: CAN-1999-0721 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:msrpc-lsa-lookupnames-dos


=================================
Candidate: CAN-1999-0723
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-021
Reference: CIAC:J-049
Reference: XF:nt-csrss-dos
Reference: MSKB:Q233323

The Windows NT Client Server Runtime Subsystem (CSRSS) can be
subjected to a denial of service when all worker threads are waiting
for user input.

Modifications:
  CHANGEREF MSKB:Q231323 Q233323

INFERRED VOTE: CAN-1999-0723 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Prosser, Ozancin, Stracener
   MODIFY(2) Frech, Wall

COMMENTS:
 Frech> MODREF MSKB: change Q231323 to Q233323.
 Wall> The MSKB should be Q233323, not Q231323.


=================================
Candidate: CAN-1999-0725
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MSKB:Q233335
Reference: MS:MS99-022
Reference: XF:iis-double-byte-code-page

When IIS is run with a default language of Chinese, Korean, or
Japanese, it allows a remote attacker to view the source code of
certain files, a.k.a. "Double Byte Code Page".

INFERRED VOTE: CAN-1999-0725 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(5) Frech, Cole, Wall, Prosser, Stracener
   NOOP(1) Ozancin


=================================
Candidate: CAN-1999-0726
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-023
Reference: MSKB:Q234557
Reference: XF:nt-malformed-image-header

An attacker can conduct a denial of service in Windows NT by executing
a program with a malformed file image header.

Modifications:
  ADDREF XF:nt-malformed-image-header

INFERRED VOTE: CAN-1999-0726 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:nt-malformed-image-header


=================================
Candidate: CAN-1999-0728
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-024
Reference: MSKB:Q236359
Reference: XF:nt-ioctl-dos

A Windows NT user can disable the keyboard or mouse by directly
calling the IOCTLs which control them.

Modifications:
  ADDREF XF:nt-ioctl-dos

INFERRED VOTE: CAN-1999-0728 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(1) Ozancin

COMMENTS:
 Frech> XF:nt-ioctl-dos


=================================
Candidate: CAN-1999-0749
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990815 telnet.exe heap overflow - remotely exploitable
Reference: MS:MS99-033
Reference: XF:win-ie5-telnet-heap-overflow
Reference: BID:586

Buffer overflow in Microsoft Telnet client in Windows 95 and Windows
98 via a malformed Telnet argument.

INFERRED VOTE: CAN-1999-0749 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener


=================================
Candidate: CAN-1999-0755
Published:
Final-Decision:
Interim-Decision: 19991229
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: XF:nt-ras-pwcache
Reference: MSKB:Q230681
Reference: MS:MS99-017

Windows NT RRAS and RAS clients cache a user's password even if the
user has not selected the "Save password" option.

INFERRED VOTE: CAN-1999-0755 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(6) Frech, Cole, Wall, Prosser, Ozancin, Stracener


=================================
Candidate: CAN-1999-0766
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-031
Reference: MSKB:Q240346
Reference: BID:600
Reference: XF:msvm-verifier-java

The Microsoft Java Virtual Machine allows a malicious Java applet to
execute arbitrary commands outside of the sandbox environment.

Modifications:
  ADDREF XF:msvm-verifier-java

INFERRED VOTE: CAN-1999-0766 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:msvm-verifier-java


=================================
Candidate: CAN-1999-0777
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-039
Reference: MSKB:Q241407
Reference: MSKB:Q242559
Reference: XF:iis-ftp-no-access-files
Reference: BID:658

IIS FTP servers may allow a remote attacker to read or delete files on
the server, even if they have "No Access" permissions.

Modifications:
  ADDREF MSKB:Q241407
  ADDREF MSKB:Q242559
  ADDREF XF:iis-ftp-no-access-files

INFERRED VOTE: CAN-1999-0777 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(3) Frech, Cole, Stracener
   NOOP(1) Christey

COMMENTS:
 Frech> XF:iis-ftp-no-access-files
 Cole> This attack only works if you access a ftp site via a wbe browser.
 Cole> If you go through an ftp client
 Cole> it will not work.
 Stracener> Add Ref: MSKB Q241407
 Stracener> Add Ref: MSKB Q242559
 Christey> Saying the attack only works through a web browser provides
 Christey> too much detail for a CVE description.


=================================
Candidate: CAN-1999-0793
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-043
Reference: XF:ie-java-redirect

Internet Explorer allows remote attackers to read files by redirecting
data to a Javascript applet.

Modifications:
  ADDREF XF:ie-java-redirect

INFERRED VOTE: CAN-1999-0793 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-java-redirect


=================================
Candidate: CAN-1999-0794
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-044
Reference: XF:excel-sylk
Reference: MSKB:Q241900
Reference: MSKB:Q241901
Reference: MSKB:Q241902

Microsoft Excel does not warn a user when a macro is present in a
Symbolic Link (SYLK) format file.

Modifications:
  ADDREF XF:excel-sylk
  ADDREF MSKB:Q241900
  ADDREF MSKB:Q241901
  ADDREF MSKB:Q241902

INFERRED VOTE: CAN-1999-0794 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:excel-sylk
 Stracener> Add Ref: MSKB Q241900
 Stracener> Add Ref: MSKB Q241901
 Stracener> Add Ref: MSKB Q241902


=================================
Candidate: CAN-1999-0802
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990503 MSIE 5 FAVICON BUG
Reference: MS:MS99-018
Reference: MSKB:Q231450
Reference: XF:ie-favicon

Buffer overflow in Internet Explorer 5 allows remote attackers to
execute commands via a malformed Favorites icon.

Modifications:
  ADDREF XF:ie-favicon
  ADDREF BUGTRAQ:19990503 MSIE 5 FAVICON BUG
  DESC reword

INFERRED VOTE: CAN-1999-0802 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(3) Frech, Cole, Stracener

COMMENTS:
 Frech> XF:ie-favicon
 Cole> This attack also allows code to be executed on the machine.
 Stracener> Add Ref: BUGTRAQ:19990503  MSIE 5 FAVICON BUG


=================================
Candidate: CAN-1999-0839
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: NTBUGTRAQ:19991130 Windows NT Task Scheduler vulnerability allows user to administrator elevation
Reference: MS:MS99-051
Reference: MSKB:Q246972
Reference: XF:ie-task-scheduler-privs
Reference: BID:828

Windows NT Task Scheduler installed with Internet Explorer 5 allows a
user to gain privileges by modifying the job after it has been
scheduled.

Modifications:
  ADDREF XF:ie-task-scheduler-privs
  ADDREF MSKB:Q246972

INFERRED VOTE: CAN-1999-0839 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:ie-task-scheduler-privs
 Stracener> Add Ref: MSKB Q246972


=================================
Candidate: CAN-1999-0858
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: MS:MS99-054
Reference: MSKB:Q247333
Reference: BID:846
Reference: XF:ie-wpad-proxy-settings

Internet Explorer 5 allows a remote attacker to modify the IE client's
proxy configuration via a malicious Web Proxy Auto-Discovery (WPAD)
server.

Modifications:
  ADDREF XF:ie-wpad-proxy-settings

INFERRED VOTE: CAN-1999-0858 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-wpad-proxy-settings


=================================
Candidate: CAN-1999-0861
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991207
Category: SF
Reference: MS:MS99-053
Reference: MSKB:Q244613
Reference: XF:iis-ssl-isapi-filter

Race condition in the SSL ISAPI filter in IIS and other servers may
leak information in plaintext.

Modifications:
  ADDREF XF:iis-ssl-isapi-filter
  ADDREF MSKB:Q244613

INFERRED VOTE: CAN-1999-0861 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:iis-ssl-isapi-filter
 Stracener> Add Ref: MSKB Q244613


=================================
Candidate: CAN-1999-0867
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-029
Reference: MSKB:Q238349
Reference: CIAC:J-058
Reference: XF:http-iis-malformed-header
Reference: BID:579

Denial of service in IIS 4.0 via a flood of HTTP requests with
malformed headers.

Modifications:
  ADDREF XF:http-iis-malformed-header

INFERRED VOTE: CAN-1999-0867 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:http-iis-malformed-header


=================================
Candidate: CAN-1999-0869
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-020
Reference: MSKB:167614
Reference: XF:http-frame-spoof

Internet Explorer 3.x to 4.01 allows a remote attacker to insert
malicious content into a frame of another web site, aka frame
spoofing.

Modifications:
  ADDREF XF:http-frame-spoof

INFERRED VOTE: CAN-1999-0869 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:http-frame-spoof
 Cole> A lot of these are older attacks but I guess it is good to include
 Cole> them.


=================================
Candidate: CAN-1999-0870
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-015
Reference: MSKB:169245
Reference: XF:ie-usp-cuartango

Internet Explorer 4.01 allows remote attackers to read arbitrary files
by pasting a file name into the file upload control, aka untrusted
scripted paste.

Modifications:
  ADDREF XF:ie-usp-cuartango

INFERRED VOTE: CAN-1999-0870 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-usp-cuartango


=================================
Candidate: CAN-1999-0871
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS98-013
Reference: XF:ie-crossframe-file-read

Internet Explorer 4.0 and 4.01 allow a remote attacker to read files
via IE's cross frame security, aka the "Cross Frame Navigate"
vulnerability.

Modifications:
  ADDREF XF:ie-crossframe-file-read

INFERRED VOTE: CAN-1999-0871 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-crossframe-file-read


=================================
Candidate: CAN-1999-0877
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MSKB:Q243638
Reference: MS:MS99-042
Reference: XF:ie-iframe-exec

Internet Explorer 5 allows remote attackers to read files via an
ExecCommand method called on an IFRAME.

Modifications:
  ADDREF XF:ie-iframe-exec

INFERRED VOTE: CAN-1999-0877 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Wall, Prosser, Ozancin, Stracener
   MODIFY(2) Frech, Cole
   NOOP(1) Christey

COMMENTS:
 Frech> XF:ie-iframe-exec
 Cole> This attack is written up wrong.  This attack allows a web site to
 Cole> read files from a user that is
 Cole> connecting to the site.  This attack compromises a remote users
 Cole> machine.
 Christey> While the description could be misinterpreted, it remains
 Christey> in the style of other CVE descriptions.  The attack is still
 Christey> done remotely, although in the opposite direction of
 Christey> "typical" problems.


=================================
Candidate: CAN-1999-0886
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: unknown
Reference: MSKB:Q242294
Reference: MS:MS99-041
Reference: BID:645
Reference: XF:nt-rasman-pathname

The security descriptor for RASMAN allows users to point to an
alternate location via the Windows NT Service Control Manager.

Modifications:
  ADDREF XF:nt-rasman-pathname

INFERRED VOTE: CAN-1999-0886 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener
   NOOP(2) Cole, Christey

COMMENTS:
 Frech> XF:nt-rasman-pathname
 Cole> This one is pretty weak.
 Stracener> Recommend: Category:CF
 Christey> The category for this could be SF or CF, depending on your
 Christey> point of view.  Since categories are not the focus of CVE, we
 Christey> can leave this as "unknown"


=================================
Candidate: CAN-1999-0891
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-040
Reference: MSKB:Q242542
Reference: XF:ie-download-behavior

The "download behavior" in Internet Explorer 5 allows remote attackers
to read arbitrary files via a server-side redirect.

Modifications:
  ADDREF XF:ie-download-behavior

INFERRED VOTE: CAN-1999-0891 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> XF:ie-download-behavior


=================================
Candidate: CAN-1999-0898
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo

Buffer overflows in Windows NT 4.0 print spooler allow remote
attackers to gain privileges or cause a denial of service via a
malformed spooler request.

Modifications:
  ADDREF XF:nt-printer-spooler-bo

INFERRED VOTE: CAN-1999-0898 ACCEPT (5 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey

COMMENTS:
 Frech> XF:nt-printer-spooler-bo
 Prosser> (Modify)
 Prosser> This maybe should be seperated into two entries.  One for the DoS which is
 Prosser> just done with random data and one for the more experienced attack of
 Prosser> gaining privileges on the host.
 Christey> While the advisory is not entirely explicit, the difference
 Christey> between the DoS and the command execution is only in effect,
 Christey> and appears to be in the same line of code, so the SF-LOC
 Christey> content decision applies here.


=================================
Candidate: CAN-1999-0899
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo

The Windows NT 4.0 print spooler allows a local user to execute
arbitrary commands due to inappropriate permissions that allow the
user to specify an alternate print provider.

Modifications:
  ADDREF XF:nt-printer-spooler-bo

INFERRED VOTE: CAN-1999-0899 REJECT (1 reject, 4 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Stracener
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey
   REJECT(1) Cole

COMMENTS:
 Frech> XF:nt-printer-spooler-bo
 Cole> This should be combined with the previous one to state it can cause
 Cole> a denial of service
 Cole> or allow commands to ve executed.  Just because a vulnerability can
 Cole> be exploited in different ways
 Cole> does not mean there should be separate entries since the underlying
 Cole> exploit is the same.
 Christey> This is different than CAN-1999-0898 because 898 is a buffer
 Christey> overflow, while this one is incorrect permissions.  They
 Christey> are different bugs, so should have separate entries.  Note
 Christey> that MS99-047 also discriminates between these two candidates,
 Christey> i.e. it contains the phrase "A second vulnerability exists..."
 Christey> and goes on to describe CAN-1999-0899.


=================================
Candidate: CAN-1999-0909
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: NAI:Windows IP Source Routing Vulnerability
Reference: MS:MS99-038
Reference: MSKB:Q238453
Reference: BID:646
Reference: XF:nt-ip-source-route

Multihomed Windows systems allow a remote attacker to bypass IP
source routing restrictions via a malformed packet with IP options,
aka the "Spoofed Route Pointer" vulnerability.

Modifications:
  DESC add "multihomed"
  ADDREF XF:nt-ip-source-route
  ADDREF MSKB:Q238453

INFERRED VOTE: CAN-1999-0909 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Prosser, Ozancin
   MODIFY(3) Frech, Cole, Stracener
   NOOP(1) Christey

COMMENTS:
 Frech> XF:nt-ip-source-route
 Cole> This only works on NT machines that are multihomed and setup as
 Cole> routers.  I think
 Cole> that should be added for clarification.
 Stracener> Add Ref: MSKB Q238453
 Christey> The MS advisory states that this problem affects Windows 95/98
 Christey> as well as Windows NT.


=================================
Candidate: CAN-1999-0917
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-018
Reference: MSKB:Q231452
Reference: XF:legacy-activex-local-drive

The Preloader ActiveX control used by Internet Explorer allows remote
attackers to read arbitrary files.

Modifications:
  ADDREF XF:legacy-activex-local-drive

INFERRED VOTE: CAN-1999-0917 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(5) Cole, Wall, Prosser, Ozancin, Stracener
   MODIFY(1) Frech

COMMENTS:
 Frech> In description, 'atrbitrary' should be spelled 'arbitrary'.
 Frech> XF:legacy-activex-local-drive


=================================
Candidate: CAN-1999-0918
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990703 IGMP fragmentation bug in Windows 98/2000
Reference: MSKB:Q238329
Reference: MS:MS99-034
Reference: XF:igmp-dos
Reference: BID:514

Denial of service in various Windows systems via malformed, fragmented
IGMP packets.

Modifications:
  ADDREF XF:igmp-dos
  DESC remove specific Windows types

INFERRED VOTE: CAN-1999-0918 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(3) Wall, Ozancin, Stracener
   MODIFY(3) Frech, Cole, Prosser

COMMENTS:
 Frech> XF:igmp-dos
 Cole> I would add fragmented after the word IGMP
 Prosser> Affected components include Microsoft Windows NT 4.0 (workstation and
 Prosser> various server versions, Win98, and Win95, all service releases and
 Prosser> editions, not just 98/2000.  Also Windows 2000 is still in Beta so do we
 Prosser> want to include it before it is final operational build.


=================================
Candidate: CAN-1999-0969
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: ISS:19980929 "Snork" Denial of Service Attack Against Windows NT RPC Service
Reference: NTBUGTRAQ:19980929 ISS Security Advisory: Snork
Reference: MS:MS98-014
Reference: MSKB:Q193233
Reference: XF:snork-dos

The Windows NT RPC service allows remote attackers to conduct a denial
of service using spoofed malformed RPC packets which generate an
error message that is sent to the spoofed host, potentially setting up
a loop, aka Snork.

Modifications:
  ADDREF XF:snork-dos
  ADDREF MSKB:Q193233

INFERRED VOTE: CAN-1999-0969 ACCEPT (6 accept, 0 review)

VOTES:
   ACCEPT(4) Cole, Wall, Prosser, Ozancin
   MODIFY(2) Frech, Stracener

COMMENTS:
 Frech> XF:snork-dos
 Stracener> Add Ref: MSKB Q193233

Page Last Updated or Reviewed: May 22, 2007