Computer Security


Multiple Cisco Clean Access vulnerabilities
updated since 04.01.2007
Published:09.01.2007
Source:
SecurityVulns ID:6997
Type:remote
Threat Level:7/10
Description:The shared secret for client access is the same on all devices and cannot be changed. The location of the database backup (snapshot) can be brute-forced and the backup downloaded without authentication.
Affected:CISCO : Cisco Clean Access 3.5
 CISCO : Cisco Clean Access 3.6
 CISCO : Cisco Clean Access 4.0
CVE:CVE-2007-0058 (Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file.)
 CVE-2007-0057 (Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared secret and allows remote attackers to gain unauthorized access.)
Original document:Damir Rajnovic, Re: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access (09.01.2007)
 CISCO, Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access (04.01.2007)

Opera browser multiple security vulnerabilities
updated since 06.01.2007
Published:09.01.2007
Source:
SecurityVulns ID:7006
Type:remote
Threat Level:7/10
Description:Memory corruption during JPEG parsing; virtual function call through a user-controlled pointer in SVG handling.
Affected:OPERA : Opera 9.02
CVE:CVE-2007-0127 (The Javascript SVG support in Opera before 9.10 does not properly validate object types in a createSVGTransformFromMatrix request, which allows remote attackers to execute arbitrary code via JavaScript code that uses an invalid object in this request that causes a controlled pointer to be referenced during the virtual function call.)
 CVE-2007-0126 (Heap-based buffer overflow in Opera 9.02 allows remote attackers to execute arbitrary code via a JPEG file with an invalid number of index bytes in the Define Huffman Table (DHT) marker.)
Original document:posidron, Opera JPEG processing - Heap corruption vulnerabilities (09.01.2007)
 IDEFENSE, iDefense Security Advisory 01.05.07: Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting Vulnerability (06.01.2007)
 IDEFENSE, iDefense Security Advisory 01.05.07: Opera Software Opera Web Browser JPG Image DHT Marker Heap Corruption Vulnerability (06.01.2007)
Files:Exploits Opera ntdll.RtlAllocateHeap() DHT vulnerability
 Exploits Opera ntdll.RtlAllocateHeap() SOS vulnerability

Avahi DNS response DoS
Published:09.01.2007
Source:
SecurityVulns ID:7018
Type:client
Threat Level:5/10
Description:A crafted DNS response causes an endless loop.
Affected:AVAHI : Avahi 0.6
CVE:CVE-2006-6870 (The consume_labels function in avahi-core/dns.c in Avahi before 0.6.16 allows remote attackers to cause a denial of service (infinite loop) via a crafted compressed DNS response with a label that points to itself.)
Original document:MANDRIVA, [ MDKSA-2007:003 ] - Updated avahi packages fix DoS vulnerability (09.01.2007)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:09.01.2007
Source:
SecurityVulns ID:7020
Type:remote
Threat Level:5/10
Description:PHP file inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:GFORGE : gforge 4.5
 MKPORTAL : MKPortal 1.1
 ALEXGUESTBOOK : @lex Guestbook 4.0
 GEOIP : geoip 1.4
 AJLOGIN : AJLogin 3.5
 EMEMBERSPRO : EMembersPro 1.0
 HARIKAONLINE : HarikaOnline 2.0
 UGUESTBOOK : Uguestbook 1.0
 NUNE : nune 2.0
CVE:CVE-2007-0205 (Multiple directory traversal vulnerabilities in @lex Guestbook 4.0.2 and earlier allow remote attackers to (1) include and execute arbitrary local files via a relative pathname in the lang parameter to index.php, which is handled in livre_include.php, and (2) possibly access arbitrary directories via the aj_skin and skin_edit parameters to admin/skins.php.)
 CVE-2007-0202 (SQL injection vulnerability in index.php in @lex Guestbook 4.0.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lang parameter.)
 CVE-2007-0194 (admin.php in MKPortal M1.1 RC1 allows remote attackers to obtain sensitive information via a direct request with an MK_PATH=1 query string, which reveals the path in an error message.)
 CVE-2007-0192 (Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack.)
 CVE-2007-0191 (Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section.)
 CVE-2007-0189 (** DISPUTED ** PHP remote file inclusion vulnerability in index.php in GeoBB Georgian Bulletin Board allows remote attackers to execute arbitrary PHP code via a URL in the action parameter. NOTE: CVE disputes this issue, since GeoBB 1.0 sets $action to a whitelisted value.)
 CVE-2007-0182 (Multiple PHP remote file inclusion vulnerabilities in magic photo storage website allow remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter to (1) admin_password.php, (2) add_welcome_text.php, (3) admin_email.php, (4) add_templates.php, (5) admin_paypal_email.php, (6) approve_member.php, (7) delete_member.php, (8) index.php, (9) list_members.php, (10) membership_pricing.php, or (11) send_email.php in admin/; (12) config.php or (13) db_config.php in include/; or (14) add_category.php, (15) add_news.php, (16) change_catalog_template.php, (17) couple_milestone.php, (18) couple_profile.php, (19) delete_category.php, (20) index.php, (21) login.php, (22) logout.php, (23) register.php, (24) upload_photo.php, (25) user_catelog_password.php, (26) user_email.php, (27) user_extend.php, or (28) user_membership_password.php in user/. NOTE: the include/common_function.php vector is already covered by another candidate from the same date.)
 CVE-2007-0181 (PHP remote file inclusion vulnerability in include/common_function.php in magic photo storage website allows remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter.)
 CVE-2007-0176 (Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter.)
 CVE-2007-0167 (Multiple PHP file inclusion vulnerabilities in WGS-PPC (aka PPC Search Engine), as distributed with other aliases, allow remote attackers to execute arbitrary PHP code via a URL in the INC parameter in (1) config_admin.php, (2) config_main.php, (3) config_member.php, and (4) mysql_config.php in config/; (5) admin.php and (6) index.php in admini/; (7) paypalipn/ipnprocess.php; (8) index.php and (9) registration.php in members/; and (10) ppcbannerclick.php and (11) ppcclick.php in main/.)
 CVE-2007-0159 (Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename.)
 CVE-2007-0156 (M-Core stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to db/uyelik.mdb.)
 CVE-2007-0155 (HarikaOnline 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for harikaonline.mdb.)
 CVE-2007-0154 (Webulas stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/db.mdb.)
 CVE-2007-0153 (AJLogin 3.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for ajlogin.mdb.)
 CVE-2007-0151 (MitiSoft stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for access_MS/MitiSoft.mdb.)
 CVE-2007-0150 (Multiple PHP remote file inclusion vulnerabilities in index.php in Dayfox Blog allow remote attackers to execute arbitrary PHP code via a URL in the (1) page, (2) subject, and (3) q parameters.)
 CVE-2007-0149 (EMembersPro 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for users.mdb.)
 CVE-2007-0143 (Multiple PHP remote file inclusion vulnerabilities in NUNE News Script 2.0pre2 allow remote attackers to execute arbitrary PHP code via a URL in the custom_admin_path parameter to (1) index.php or (2) archives.php.)
 CVE-2007-0112 (SQL injection vulnerability in cats.asp in createauction allows remote attackers to execute arbitrary SQL commands via the catid parameter.)
Original document:IbnuSina, magic photo storage website Multiple Remote File Inclusion (09.01.2007)
 jose.palanco_(at)_eazel.es, GForge Cross Site Scripting vulnerability (09.01.2007)
 IbnuSina, ppc engine Multiple file inclusion (09.01.2007)
 IbnuSina, createauction (cats.asp) Remote SQL Injection Vulnerability (09.01.2007)
 k1tk4t_(at)_newhack.org, magic photo storage website Remote File Inclusion (09.01.2007)
 info_(at)_burnhead.it, MKPortal Full Path Disclosure (09.01.2007)
 ShaFuq31_(at)_HoTMaiL.CoM, GeoBB Georgian Bulletin Board Remote File Include Vuln. (09.01.2007)
 ShaFuq31_(at)_HoTMaiL.CoM, Dayfox Blog Remote File Include Vuln. (09.01.2007)
 XORON, NUNE News Script (custom_admin_path) Remote File Include Vulnerability (09.01.2007)
 beks, Uguestbook Remote Password Disclosure Vulnerability (09.01.2007)
 beks, Webulas Remote Password Disclosure Vulnerability (09.01.2007)
 beks, HarikaOnline v2.0 Remote Password Disclosure Vulnerability (09.01.2007)
 beks, M-Core Remote Password Disclosure Vulnerability (09.01.2007)
 beks, MitiSoft Remote Password Disclosure Vulnerability (09.01.2007)
 beks, EMembersPro 1.0 Remote Password Disclosure Vulnerability (09.01.2007)
 beks, AJLogin v3.5 Remote Password Disclosure Vulnerability (09.01.2007)
 MANDRIVA, [ MDKSA-2007:004 ] - Updated geoip packages fix geoipupdate vulnerability (09.01.2007)
Files:@lex Guestbook <= 4.0.2 Remote Command Execution Exploit

ksirc client DoS
Published:09.01.2007
Source:
SecurityVulns ID:7021
Type:remote
Threat Level:4/10
Description:NULL pointer dereference on malformed server reply.
Affected:KDE : KDE 3.5
 KDE : ksirc 3.5
CVE:CVE-2006-6811 (KsIRC 1.3.12 allows remote attackers to cause a denial of service (crash) via a long PRIVMSG string when connecting to an Internet Relay Chat (IRC) server, which causes an assertion failure and results in a NULL pointer dereference. NOTE: this issue was originally reported as a buffer overflow.)
Original document:KDE, [KDE Security Advisory] ksirc Denial of Service vulnerability (09.01.2007)

Hewlett Packard multiple printers privilege escalation
Published:09.01.2007
Source:
SecurityVulns ID:7022
Type:local
Threat Level:7/10
Description:Local users have full access to the printer service "PML Driver HPZ12" through the service manager, making it possible to configure any executable to be run with local system privileges.
Affected:HP : HP PSC 700
 HP : HP PSC 900
 HP : HP PSC 1100
 HP : HP PSC 1200
 HP : HP PSC 1300
 HP : HP PSC 2100
 HP : HP PSC 2200
 HP : HP PSC 2400
 HP : HP PSC 2500
 HP : HP Officejet D
 HP : HP Officejet G
 HP : HP Officejet K
 HP : HP Officejet 4100
 HP : HP Officejet 5100
 HP : HP Officejet 5500
 HP : HP Officejet 6100
 HP : Officejet 7100
 HP : LaserJet 4650
CVE:CVE-2007-0161 (The PML Driver HPZ12 (HPZipm12.exe) in the HP all-in-one drivers, as used by multiple HP products, uses insecure SERVICE_CHANGE_CONFIG DACL permissions, which allows local users to gain privileges and execute arbitrary programs, as demonstrated by modifying the binpath argument, a related issue to CVE-2006-0023.)
Original document:Sowhat ., HP Multiple Products PML Driver Local Privilege Escalation (09.01.2007)

Packeteer PacketShaper multiple buffer overflow
Published:09.01.2007
Source:
SecurityVulns ID:7023
Type:remote
Threat Level:5/10
Description:Buffer overflows in the Web and command line interfaces.
Affected:PACKETEER : PacketShaper 9500
CVE:CVE-2007-0113 (Buffer overflow in Packeteer PacketShaper PacketWise 8.x allows remote authenticated users to cause a denial of service (reset or reboot) via (1) a long traffic class argument to the "class show" command or (2) a long POLICY parameter value in clastree.htm.)
Original document:kian.mohageri_(at)_gmail.com, Packeteer PacketWise CLI overflow DoS (09.01.2007)

RPC library / MIT Kerberos kadmind uninitialized function pointer
Published:09.01.2007
Source:
SecurityVulns ID:7025
Type:remote
Threat Level:9/10
Description:A function call through an uninitialized pointer in the RPC server code allows code execution.
Affected:MIT : krb5 1.4
 MIT : krb5 1.5
CVE:CVE-2006-6143 (The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.)
Original document:MIT, MITKRB5-SA-2006-002: kadmind (via RPC lib) calls uninitialized function pointer (09.01.2007)

Sina UC instant messenger ActiveX buffer overflow
Published:09.01.2007
Source:
SecurityVulns ID:7026
Type:client
Threat Level:5/10
Description:Buffer overflow in the SendChatRoomOpt() method.
Affected:SINAUC : Sina UC 2006
CVE:CVE-2007-0174 (Multiple stack-based buffer overflows in the BRWOSSRE2UC.dll ActiveX Control in Sina UC2006 and earlier allow remote attackers to execute arbitrary code via a long string in the (1) astrVerion parameter to the SendChatRoomOpt function or (2) the astrDownDir parameter to the SendDownLoadFile function.)
Original document:Sowhat ., Sina UC ActiveX Multiple Remote Stack Overflow (09.01.2007)

Microsoft VML buffer overflow
Published:09.01.2007
Source:
SecurityVulns ID:7028
Type:client
Threat Level:8/10
Description:Buffer overflow and integer overflows in Vector Markup Language parsing. May be used for hidden malware installation.
Affected:MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
CVE:CVE-2007-0024 (Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability.")
Original document:MICROSOFT, Microsoft Security Bulletin MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969) (09.01.2007)
 IDEFENSE, [Full-disclosure] iDefense Security Advisory 01.09.07: Multiple Microsoft Products VML 'recolorinfo' Element Integer Overflow Vulnerability (09.01.2007)
Files:MS07-004 VML integer overflow exploit
 Microsoft Security Bulletin MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)

GSS-API library / MIT Kerberos kadmind (uninitialized pointer free)
Published:09.01.2007
Source:
SecurityVulns ID:7029
Type:remote
Threat Level:8/10
Description:free() of an uninitialized memory pointer in the mechglue GSS-API layer.
Affected:MIT : krb5 1.5
CVE:CVE-2006-6144 (The "mechglue" abstraction interface of the GSS-API library for Kerberos 5 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, allows remote attackers to cause a denial of service (crash) via unspecified vectors that cause mechglue to free uninitialized pointers.)
Original document:MIT, MITKRB5-SA-2006-003: kadmind (via GSS-API lib) frees uninitialized pointers (09.01.2007)

Microsoft Office 2003 grammar checking memory corruption
Published:09.01.2007
Source:
SecurityVulns ID:7031
Type:client
Threat Level:5/10
Description:Memory corruption in the Brazilian Portuguese grammar checker.
Affected:MICROSOFT : Office 2003
CVE:CVE-2006-5574 (Unspecified vulnerability in the Brazilian Portuguese Grammar Checker in Microsoft Office 2003 and the Multilingual Interface for Office 2003, Project 2003, and Visio 2003 allows user-assisted remote attackers to execute arbitrary code via crafted text that is not properly parsed.)
Original document:MICROSOFT, Microsoft Security Bulletin MS07-001 Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585) (09.01.2007)

X.org / XFree86 multiple integer overflows
updated since 09.01.2007
Published:10.01.2007
Source:
SecurityVulns ID:7024
Type:local
Threat Level:6/10
Description:Integer overflows in the DBE and Render extensions.
Affected:XFREE : XFree86 4.3
 XFREE : XFree86 4.6
 X.ORG : X.org 6.8
 XFREE : XFree86 4.5
 XFREE : XFree86 4.4
CVE:CVE-2006-6103 (Integer overflow in the ProcDbeSwapBuffers function in the DBE extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of unspecified data structures.)
 CVE-2006-6102 (Integer overflow in the ProcDbeGetVisualInfo function in the DBE extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of unspecified data structures.)
 CVE-2006-6101 (Integer overflow in the ProcRenderAddGlyphs function in the Render extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of glyph management data structures.)
Original document:IDEFENSE, iDefense Security Advisory 01.09.07: Multiple Vendor X Server DBE Extension ProcDbeSwapBuffers Memory Corruption Vulnerability (10.01.2007)
 IDEFENSE, iDefense Security Advisory 01.09.07: Multiple Vendor X Server DBE Extension ProcDbeGetVisualInfo Memory Corruption Vulnerability (10.01.2007)
 IDEFENSE, iDefense Security Advisory 01.09.07: Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory Corruption Vulnerability (10.01.2007)
 UBUNTU, [USN-403-1] X.org vulnerabilities (09.01.2007)

Securekit Steganography / Camouflage protection bypass
updated since 09.01.2007
Published:11.01.2007
Source:
SecurityVulns ID:7019
Type:m-i-t-m
Threat Level:5/10
Description:A file with hidden information carries a recognizable signature; password protection is implemented in the interface only.
Affected:SECUREKIT : Steganography 1.8
 SECUREKIT : Steganography 1.7
 TWISTEDPEAR : Camouflage 1.2
CVE:CVE-2007-0164 (Camouflage 1.2.1 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing certain bytes of the JPEG image with alternate password information.)
 CVE-2007-0163 (SecureKit Steganography 1.7.1 and 1.8 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing the last 20 bytes of the JPEG image with alternate password information.)
Original document:thesinoda_(at)_hotmail.com, A Major design Bug in Camouflage 1.2.1 (latest) (11.01.2007)
 thesinoda_(at)_hotmail.com, A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version) (11.01.2007)
 thesinoda_(at)_hotmail.com, Cracking Steganography Application in less than ONE minute (09.01.2007)

Multiple Microsoft Outlook security vulnerabilities
updated since 09.01.2007
Published:11.01.2007
Source:
SecurityVulns ID:7030
Type:client
Threat Level:6/10
Description:DoS. Buffer overflows in .iCal and .oss file parsing.
Affected:MICROSOFT : Office 2000
 MICROSOFT : Office XP
 MICROSOFT : Office 2003
CVE:CVE-2007-0034 (Buffer overflow in the Advanced Search (Finder.exe) feature of Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted Outlook Saved Searches (OSS) file that triggers memory corruption, aka "Microsoft Outlook Advanced Find Vulnerability.")
 CVE-2007-0033 (Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in an .iCal meeting request or ICS file.)
 CVE-2006-1305 (Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to cause a denial of service (memory exhaustion and interrupted mail recovery) via malformed e-mail header information, possibly related to (1) long subject lines or (2) large numbers of recipients in To or CC headers.)
Original document:Computer Terrorism (UK) :: Incident Response Centre, [Full-disclosure] Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook Vulnerability (11.01.2007)
 MICROSOFT, Microsoft Security Bulletin MS07-003 Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938) (09.01.2007)
Files:Microsoft Security Bulletin MS07-003 Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938)

Multiple Microsoft Excel buffer overflows
updated since 09.01.2007
Published:01.02.2007
Source:
SecurityVulns ID:7027
Type:client
Threat Level:7/10
Description:Heap buffer overflow on an out-of-range Column value in BIFF8 records. Heap buffer overflow on an oversized PALETTE record in BIFF8 spreadsheets.
Affected:MICROSOFT : Office 2000
 MICROSOFT : Office XP
 MICROSOFT : Office 2003
CVE:CVE-2007-0031 (Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries.)
 CVE-2007-0030 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via an Excel file with an out-of-range Column field in certain BIFF8 record types, which references arbitrary memory.)
 CVE-2007-0029 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string, aka "Excel Malformed String Vulnerability.")
 CVE-2007-0028 (Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0028 should be used.)
 CVE-2007-0027 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via malformed IMDATA records that trigger memory corruption.)
Original document:LifeAsaGeek_(at)_gmail.com, MS07-002 EXCEL Malformed Palette Record Vulnerability DOS POC (01.02.2007)
 MICROSOFT, Microsoft Security Bulletin MS07-002 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198) (09.01.2007)
 IDEFENSE, [Full-disclosure] iDefense Security Advisory 01.09.07: Microsoft Excel Invalid Column Heap Corruption Vulnerability (09.01.2007)
 IDEFENSE, [Full-disclosure] iDefense Security Advisory 01.09.07: Microsoft Excel Long Palette Heap Overflow Vulnerability (09.01.2007)
Files:Microsoft Security Bulletin MS07-002 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod