Computer Security


Microsoft Windows multiple security vulnerabilities
Published: 27.05.2013
Source:
SecurityVulns ID: 13083
Type: library
Threat Level: 7/10
Description: HTTP.sys DoS, multiple kernel privilege escalations, .NET signature spoofing and authorization bypass.
Affected: MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
 MICROSOFT : Windows 8
 MICROSOFT : Windows 2012 Server
CVE: CVE-2013-1337 (Microsoft .NET Framework 4.5 does not properly create policy requirements for custom Windows Communication Foundation (WCF) endpoint authentication in certain situations involving passwords over HTTPS, which allows remote attackers to bypass authentication by sending queries to an endpoint, aka "Authentication Bypass Vulnerability.")
 CVE-2013-1336 (The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly check signatures, which allows remote attackers to make undetected changes to signed XML documents via unspecified vectors that preserve signature validity, aka "XML Digital Signature Spoofing Vulnerability.")
 CVE-2013-1334 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "Win32k Window Handle Vulnerability.")
 CVE-2013-1333 (Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 allows local users to gain privileges via a crafted application that leverages improper handling of objects in memory, aka "Win32k Buffer Overflow Vulnerability.")
 CVE-2013-1332 (dxgkrnl.sys (aka the DirectX graphics kernel subsystem) in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "DirectX Graphics Kernel Subsystem Double Fetch Vulnerability.")
 CVE-2013-1305 (HTTP.sys in Microsoft Windows 8, Windows Server 2012, and Windows RT allows remote attackers to cause a denial of service (infinite loop) via a crafted HTTP header, aka "HTTP.sys Denial of Service Vulnerability.")
Files: Microsoft Security Bulletin MS13-039 - Important Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)
 Microsoft Security Bulletin MS13-046 - Important Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)
 Microsoft Security Bulletin MS13-040 - Important Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod