| 6! | Internet Explorer drag-n-drop vulnerability updated since 25.08.2004
|
 | | By using JavaScript in conjunction with shell:startup it's possible to place an executable into the startup folder if the user drags an object on the page or scrolls the page. |
| | Microsoft Indexing Service cross-site scripting updated since 12.09.2006
|
 | | Cross-site scripting with UTF-7 characters in URL is possible. |
| 7! | Multiple Microsoft Internet Explorer and Windows security vulnerabilities updated since 28.06.2006
|
 | | Cross-domain page content access, MSHTA code execution. |
| 6! | Microsoft Internet Explorer filtering protection bypass
|
 | | For ASCII codepage 8-bit text is converted to 7-bit. It makes it possible to bypass content filters with 8-bit characters within ASCII encoded text. |
| 8! | Multiple Microsoft Internet Explorer security vulnerabilities updated since 13.06.2006
|
 | | Multiple memory corruptions, address bar spoofing, cross-frame data access. May be used for hidden malware installation. |
| 9! | Multiple Microsoft Internet Explorer security vulnerabilities updated since 22.03.2006
|
 | | Jump to uninitialized function pointer by referencing unsupported object's method (createTextRange() for checkbox). Potentially can be used for code execution and hidden malware installation. Memory corruption on uninitialized event handlers. HTA code execution. HTML parsing memory corruption. COM objects memory corruption. Cross-site scripting. |
| 6! | Microsoft Internet Explorer memory corruption
|
 | | resizeBy() method negative values memory corruption. |
| 6! | Microsoft Internet Explorer XmlHTTPRequest object request and response spoofing
|
 | | It's possible to spoof client application request and, under some conditions, server reply by using Microsoft.XMLHTTP object. |
| 8! | Microsoft Internet Explorer memory corruption updated since 23.04.2006
|
 | | Uninitialized pointer dereference on OBJECT tag processing. Can be used for hidden malware installation. |
| | Microsoft Internet Explorer modal dialogs spoofing
|
 | | It's possible to spoof modal dialog content. This problem is only significant for Windows prior to Windows XP SP2 / Windows 2003 SP1. |
| 7! | Microsoft Internet Explorer cross-site access
|
 | | Script from one site can access content of the page from different site with mhtml: URI handler. |
| 8! | Microsoft Internet Explorer array index overflow
|
 | | Array index overflow for large number of HTML tag's events handlers. Vulnerability can be used for hidden malware installation. |
| | Microsoft Internet Explorer IsComponentInstalled buffer overflow
|
 | | Problem is fixed in Windows 2000 SP4 / Windows XP SP1. |
| | Microsoft Internet Explorer Drag-and-Drop code execution updated since 13.02.2006
|
 | | By spoofing target window in race period it's possible to install malware in special folder. Vulnerability may be exploited for trojaning user's machine, but requires interaction. |
| 7! | Multiple Microsoft Internet Explorer vulnerabilities updated since 14.12.2005
|
 | | Code execution, memory corruption, download dialog manipulation, unencrypted HTTPS proxy data leak. |
| 9! | Microsoft Internet Explorer code execution
|
 | | Uninitialized memory call on Window() function within OnLoad handler of BODY tag allows code execution. |
| 7! | Macromedia Flash Player array index overflow updated since 05.11.2005
|
 | | User controlled value is used as function pointers array index without boundary control. |
| | Microsoft Internet Explorer URL spoofing
|
 | | It's possible to spoof URL with document.write within OnClick method for <a> tag. |
| 7! | Microsoft Design Tools COM object uninitialized memory reference updated since 12.10.2005
|
 | | CPolyCtrl class destructor attempts to call a function by the pointer from uninitialized dynamic memory region. |
| 6! | Microsoft FTP client directory traversal
|
 | | It's possible to place downloaded file in any directory from server side. |
| 9! | Multiple Microsoft Internet Explorer vulnerabilities updated since 09.08.2005
|
 | | Memory corruption on JPEG files parsing, memory corruption on COM object installation, cross-site scripting with Web folders. |
| 7! | Multiple Internet Explorer JPEG parsing problems
|
 | | Multiple problems including memory corruption on JPEG parsing. |
| 8! | Microsoft Internet Explorer buffer overflow updated since 29.06.2005
|
 | | Buffer overflow while parsing document with embedded non-ActiveX <object> elements. |
| | Multiple browsers dialog content spoofing
|
 | | It's possible to spoof dialog window origin. |
| | Microsoft Outlook Express NNTP client buffer overflow
|
 | | Buffer overflow on NNTP server reply parsing. |
| 6! | Multiple Microsoft Internet Explorer memory corruptions updated since 13.04.2005
|
 | | Memory corruptions of different types, including buffer overflows. |
| | Buffer overflow in multiple IMAP clients updated since 15.05.2003
|
 | | Buffer overflows on long replies, large message sizes, etc. |
| 8! | Multiple Microsoft Internet Explorer browser security vulnerabilities updated since 09.02.2005
|
 | | Drag-n-Drop vulnerability, URL Decoding Zone Spoofing Vulnerability, DHTML Method Heap Memory Corruption Vulnerability, Channel Definition Format (CDF) Cross Domain Vulnerability. This vulnerability can potentially be used for silent spyware or adware installation. |
| 9! | Microsoft Internet Explorer DHTML Edit and Help ActiveX cross-site scripting updated since 15.12.2004
|
 | | DHTML ActiveX and Help allows code injection into context of different server. By combining this vulnerability it's possible to execute code in local machine zone. This vulnerability can potentially be used for silent spyware/adware installation. |
| 9! | Multiple Internet Explorer bugs updated since 13.10.2004
|
 | | CSS buffer overflow, local zone scripting, buffer overflow in Install Engine, writing file to any location with drag and drop or scripting in <img> tag, address bar spoofing, SSL cross-site scripting. |
| | Microsoft Internet Explorer directory traversal
|
 | | ..\ in filename is not checked. |
| | Microsoft Internet Explorer sysimage: information leak
|
 | | By using sysimage: URL it's possible to check local file existence. |
| 7! | Microsoft Internet Explorer buffer overflow updated since 03.11.2004
|
 | | Buffer overflow in FRAME and IFRAME tags parameters. |
| | Microsoft Internet Explorer information leak
|
 | | It's possible to check file existence in the standard folder. |
| 7! | Internet Explorer HTML Help Control ActiveX cross-site scripting
|
 | | By clicking control element, it's possible to activate script in context of different site or local system. |
| 6! | Multiple bugs in Internet Explorer updated since 23.08.2002
|
 | | New cumulative patch released by Microsoft. |
| 8! | Windows GDI+ libraries JPEG buffer overflow updated since 15.09.2004
|
 | | Buffer overflow in JPEG parsing routines. |
| 6! | Local file access and code execution in Microsoft Internet Explorer and Netscape/Mozilla XML component updated since 17.12.2001
|
 | | Microsoft's Microsoft.XMLHTTP and Mozilla XMLHttpRequest incorrectly handle redirection allowing to access local files. |
| | multiple browsers cookie spoofing updated since 25.08.2004
|
 | | It's possible to spoof cookies for few 3rd level domains. |
| 8! | Multiple Microsoft Internet Explorer cross-site scripting bugs updated since 13.07.2004
|
 | | Same name function redirection cross-site scripting, ADODB.Stream vulnerability variant (Shell.Application), mouse click hijacking with Popup.show(), Media Preview cross-site scripting, drag-n-drop files to shell:Startup. |
| 7! | Multiple Internet Explorer vulnerabilities
|
 | | Integer overflow on .BMP parsing, double free() on GIF parsing, new ms-its: vulnerability variant. |
| | Outlook/Outlook Express NULL character DoS
|
 | | Client hangs on POP3 receiving if message contains NULL character. |
| 8! | MS Internet Explorer CHM files and ms-its handler code execution updated since 09.04.2004
|
 | | HTTP redirection to ms-its (and few others) protocol exploiting directory traversal bug cause CHM file to be saved to known location. With another directory traversal bug HTML from CHM file can be executed in local zone. |
| | Directory traversal in multiple browsers cookie path
|
 | | It's possible to access cookie from the document with different path |
| | Internet Explorer cross-domain keystrokes leak
|
 | | Script from one site can access keystrokes sent to another site. |
| 10! | Multiple Windows ASN.1 bugs updated since 11.02.2004
|
 | | Heap corruptions, heap buffer overflows open possibilities for attack via different protocols and applications. |
| 6! | Multiple Internet Explorer bugs updated since 03.02.2004
|
 | | Cross-site scripting in Travel Log, URL spoofing. |
| 6! | CHM files execution in Internet Explorer updated since 19.05.2000
|
 | | CHM file (HTML-help) may contain unsafe ActiveX elements and could lead to code execution. CHM execution may be triggered by calling CHM file as a HTML or via ActiveX elements. |
| 7! | Multiple bugs in Internet Explorer updated since 11.09.2003
|
 | | Cross-site scripting via Find dialog, location/refresh, NavigateAndFind, file:javascript:, click to drag-n-drop spoofing, src URL spoofing, BaseRef spoofing, etc. |
| | Internet Explorer (and others) CA certificate attack updated since 15.08.2002
|
 | | For intermediate CA only the signature is checked; the missing check for the basic constraint allows any valid certificate to be used as a CA certificate. |
| 7! | Microsoft Internet Explorer cross-site scripting
|
 | | Few vulnerabilities allow scripting in local zone. |
| 8! | Internet Explorer HTML embedded .exe file code execution updated since 26.02.2003
|
 | | By combining Content-Location: file:///xxx.exe with codebase property of <object> tag it's possible to execute .exe file embedded into HTML. |
| 6! | Microsoft Internet Explorer local files access updated since 27.10.2003
|
 | | Redirection with Location: file:/// allows to open local file in known location. Macromedia flash allows to store HTML text in known file. |
| | Internet Explorer Shell Folders local files access
|
 | | It's possible to address local files by URL shell: with relative paths. |
| 10! | Microsoft Internet Explorer multiple bugs updated since 21.08.2003
|
 | | New rollup fix released: cross-site scripting, buffer overflow during <OBJECT> tag parsing, temporary internet files path disclosure, code execution via OBJECT tag. |
| 6! | Microsoft Internet Explorer showHelp cross-site scripting updated since 07.02.2003
|
 | | Subsequent calls to showHelp cause content to be displayed in the same security zone. |
| 7! | Multiple bugs in ActiveX components updated since 20.08.2002
|
 | | Local files access in applet com.ms.xml.dso.XMLDSO.class and XMLHTTPConnection ActiveX, buffer overflow in xweb.ocx ActiveX (Microsoft DirectX Files Viewer), TSAC and File Transfer Manager (FTM) ActiveX. |
| | Outlook Express plaintext HTML injection
|
 | | Message content type is determined automatically, bypassing MIME settings. |
| 6! | Internet Explorer buffer overflow updated since 24.06.2003
|
 | | Buffer overflow on copying HR tag with oversized align to clipboard. |
| 7! | Multiple bugs in Internet Explorer/Outlook Express updated since 25.04.2003
|
 | | New cumulative patch announced. |
| 7! | Multiple Internet Explorer bugs updated since 05.06.2003
|
 | | New cumulative update fixes buffer overflow and code execution. |
| 7! | Microsoft Internet Explorer code execution updated since 09.05.2003
|
 | | If page contains large number of elements like <FRAME SRC="C:\winnt\regedit.exe"></FRAME> application will be executed without user's intervention. |
| 6! | Microsoft Internet Explorer code execution updated since 03.05.2003
|
 | | Web Folders feature allows a file to be stored in a known location. In conjunction with other weaknesses this makes it possible to save and execute code. |
| | Internet Explorer .mht DoS
|
 | | If executable with MZP signature but without actual data is included, NULL pointer reference occurs. |
| 7! | Launching programs via OBJECT tag and scripting via cookies in Microsoft Internet Explorer updated since 17.01.2002
|
 | | It's possible to launch any installed application using OBJECT tag |
| | Internet Explorer Macromedia Flash cross-site scripting
|
 | | It's possible to inject script into flash object URL. |
| 6! | Multiple bugs in Microsoft Virtual Java Machine updated since 09.09.2002
|
 | | Among others there are bugs allowing file access on client computer. |
| 6! | Microsoft Internet Explorer PNG integer overflow
|
 | | Integer overflow during PNG deflate unpacking. |
| 7! | Multiple Microsoft Internet Explorer bugs updated since 21.11.2002
|
 | | New cumulative patch fixes multiple bugs. |
| | Internet Explorer modal dialog style cross-site scripting
|
 | | By using <IMG width="0" height="0" style="width: expression(alert());">
script may be executed in local zone. |
| 6! | Microsoft Internet Explorer saved references and identifiers cross-site scripting updated since 02.10.2002
|
 | | By saving location.assign method of parent window it's possible to access its content any time. It's also possible to reference frame by its identifier. |
| 6! | Outlook Express S/MIME buffer overflow
|
 | | Buffer overflow on certificate warning window. |
| | Internet Explorer and Konqueror frames cross-site scripting updated since 10.09.2002
|
 | | For sites with frames it's possible to execute script by spoofing location of one of the frames. |
| 6! | Buffer overflows in multiple browsers x.509 certificates parsing |
| | | |
| 6! | Cross-site scripting in Internet Explorer and Konqueror updated since 04.09.2002
|
 | | It's possible to spoof domain by using %2F in URL's username:
http://secretcookie.com%2F@hacker.com/ |
| | Internet Explorer/Mozilla/Opera local zone script execution via FTP folders updated since 07.06.2002
|
 | | It's possible to script in local security zone if FTP folder presentation is enabled. |
| | Unauthorized file upload via Internet Explorer
|
 | | It's possible to download file in known location or to determine location of cache by using htm files download or Web folders. |
| | Microsoft Internet Explorer cache path leakage via XML
|
 | | It's possible to obtain path of loaded document by using XML exception handlers. |
| | Cross-site scripting in Microsoft Internet Explorer
|
 | | It's possible to get full access to OBJECT's elements. |
| 8! | Microsoft Internet Explorer, Microsoft Proxy & Microsoft ISA server gopher buffer overflow updated since 04.06.2002 |
| | | |
| 7! | Six new bugs in Internet Explorer updated since 16.05.2002
|
 | | Cross-site scripting, local files disclosure, security zone spoofing, etc. |
| 7! | Unauthorized access to special devices and NetBIOS connections in Microsoft Internet Explorer updated since 14.05.2002
|
 | | With <IFRAME> and <BGSOUND> tags it's possible to cause DoS against Outlook Express or to send data to special device. It's also possible to cause IE to establish NetBIOS connection with any untrusted host. |
| 6! | Special DOS-device access in Microsoft Outlook Express
|
 | | It's possible to hang Outlook Express by using prn: device as a name for bgsound or iframe. It's also possible to send data to special device. |
| 6! | Cookie access via res:\\ and about:\\ in Microsoft Internet Explorer updated since 20.10.2001
|
 | | It's possible to use about:\\ and res:\\ URL to execute javascript in context of any page and local machine. |
| | HTML injection via mailto: URL in Internet Explorer
|
 | | It's possible to inject HTML text into mailto: reference. |
| | Partial access to local files via CSS in Internet Explorer
|
 | | Via .oFile.cssText property of Link object it's possible to get partial content of any file with structure close to CSS. |
| | File existence checking in Microsoft Internet Explorer updated since 05.11.2001
|
 | | It's possible to check file existence with dynsrc property or with file:// URL in conjunction with javascript. |
| 6! | Executable launch via Windows Media Player from Microsoft Outlook/Outlook Express
|
 | | Via Windows Media file (wma) it's possible to open an HTML file in local security zone; from the HTML file a CHM file is opened, and from the CHM file an executable. |
| 8! | Buffer overflow in mshtml.dll updated since 13.02.2002
|
 | | Stack overflow on long filename or extension in <EMBED> tag. |
| 7! | Unauthorized access via GetObject() in Microsoft Internet Explorer (unauthorized access) updated since 03.01.2002 |
| | | |
| | Problems with MDB files in Internet Explorer (code execution) |
| | | |
| 6! | Certificate problem in Internet Explorer (certificates spoofing) |
| | | |
| 7! | File access via htmlfile_FullWindowEmbed ActiveX in Internet Explorer (code execution) updated since 22.11.2001 |
| | | |
| 6! | Problems with Secure Password Authentication in Outlook Express (weak encryption) |
| | | |
| | Problems with "dotless" addresses in Internet Explorer (protection bypass) updated since 11.10.2001 |
| | | |
| | |