Computer Security


Microsoft Windows multiple security vulnerabilities
Published: 11.02.2014
Source:
SecurityVulns ID: 13567
Type: library
Threat Level: 8/10
Description: XML services information leakage, IPv6 DoS, Direct2D memory corruption, .NET privilege escalation, VBScript code execution.
Affected: MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
 MICROSOFT : Windows 8
 MICROSOFT : Windows 2012 Server
 MICROSOFT : Windows 8.1
CVE: CVE-2014-0295 (VsaVb7rt.dll in Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in February 2014, aka "VSAVB7RT ASLR Vulnerability.")
 CVE-2014-0271 (The VBScript engine in Microsoft Internet Explorer 6 through 11, and VBScript 5.6 through 5.8, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability.")
 CVE-2014-0266 (The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability.")
 CVE-2014-0263 (The Direct2D implementation in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a large 2D geometric figure that is encountered with Internet Explorer, aka "Microsoft Graphics Component Memory Corruption Vulnerability.")
 CVE-2014-0257 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine whether it is safe to execute a method, which allows remote attackers to execute arbitrary code via (1) a crafted web site or (2) a crafted .NET Framework application that exposes a COM server endpoint, aka "Type Traversal Vulnerability.")
 CVE-2014-0254 (The IPv6 implementation in Microsoft Windows 8, Windows Server 2012, and Windows RT does not properly validate packets, which allows remote attackers to cause a denial of service (system hang) via crafted ICMPv6 Router Advertisement packets, aka "TCP/IP Version 6 (IPv6) Denial of Service Vulnerability.")
 CVE-2014-0253 (Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine TCP connection states, which allows remote attackers to cause a denial of service (ASP.NET daemon hang) via crafted HTTP requests that trigger persistent resource consumption for a (1) stale or (2) closed connection, as exploited in the wild in February 2014, aka "POST Request DoS Vulnerability.")
Files: Microsoft Security Bulletin MS14-005 - Important: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036)
 Microsoft Security Bulletin MS14-006 - Important: Vulnerability in IPv6 Could Allow Denial of Service (2904659)
 Microsoft Security Bulletin MS14-007 - Critical: Vulnerability in Direct2D Could Allow Remote Code Execution (2912390)
 Microsoft Security Bulletin MS14-009 - Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607)
 Microsoft Security Bulletin MS14-011 - Critical: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod