| 7! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 12.04.2013
|
 | | Use-after-free vulnerabilities. |
| | Microsoft Internet Explorer DoS
|
| | Crash on recursive CSS inclusion. |
| | Microsoft Active Directory DoS
|
| | Memory exhaustion. |
| 7! | Microsoft Windows multiple security vulnerabilities
|
| | Multiple privilege escalations in kernel, CSRSS and drivers. |
| 7! | Microsoft Remote Desktop Connection Client ActiveX code execution
|
| | Use-after-free in ActiveX |
| 7! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 13.03.2013
|
| | Multiple use-after-free vulnerabilities. |
| | Microsoft Windows USB devices privilege escalation
updated since 13.03.2013
|
| | Few different vulnerabilities on USB device plugging with ability of code execution. |
| 8! | Microsoft Windows multiple security vulnerabilities
updated since 14.02.2013
|
| | Quartz.dll memory corruption, .Net privilege escalation, multiple kernel race conditions, CSRSS privilege escalation, TCP/IP DoS. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Information leakage, multiple use-after-free vulnerabilities, VML memory corruption. |
| 8! | Microsoft Internet Explorer use-after-free vulnerabilities
|
| | Use-after-free vulnerability in CButton is actively used in-the-wild. |
| 8! | Microsoft Windows multiple security vulnerabilities
|
| | Print spooler service code execution, XML library integer overflow and memory corruption, multiple .Net vulnerabilities, Win32K privilege escalation SSL/TLS library protection bypass, Open Data Protocol DoS. |
| 9! | Microsoft Windows multiple security vulnerabilities
|
| | Buffer overflow on OpenType and TrueType fonts parsing, memory corruption on filname handling, DirectPlay buffer overflow, DirectAccess IP-HTTPS insufficient certificate check. |
| 7! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Few use-after-free vulnerabilities. |
| | Internet Explorer information leakage
|
| | Page can track any mouse movements, even behind the page. |
| 6! | Microsoft Internet Explorer 7 memory corruption
|
| | Memory corruption on redirection to data: uri containing some tags. |
| 8! | Microsoft Windows security vulnerabilities
|
| | Windows Briefacese integer overflows, .Net protection bypass, information leakage and code execution, kernel drivers privilege escalations. |
| 9! | Microsoft Internet Explorer memory corruption
updated since 19.09.2012
|
| | Use-after-free vulnereability is actively used in-the-wild to install malware. |
| 7! | Microsoft Windows kernel integer overflow
|
| | Kernel integer overflow leads to privilege escalation. |
| 9! | Microsoft Windows multiple security vulnerabilities
updated since 11.07.2012
|
| | Microsoft XML Services memory corruption, ADO memory corruption, kernel drivers vulnerabilities, Window Shell command injection, TLS vulnerabilities |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Memory corruptions, integer overflow, function pointer corruption. |
| 9! | Microsoft Windows multiple security vulnerabilities
updated since 09.05.2012
|
| | TCP/IP privilege escalation, partition manager privilege escalation, multiple security vulnerabililities in .Net, Silverlight, font management, GDI+, window components, etc. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 13.06.2012
|
| | Multiple memory corruptions, code executions, information leakage. |
| 6! | Microsoft IIS protection bypass
|
| | Password protection bypass, script files content access. |
| 8! | Microsoft Remote Desktop memory corruption
|
| | Memory corruption on RDP packets processing. |
| | Opera / Mozilla / Internet Explorer DoS
updated since 12.02.2010
|
| | Large number of nested tags leads to buffer overflow. |
| 7! | Microsoft Windows multiple security vulnerabilities
updated since 11.04.2012
|
| | MSCOMCTL.ocx code execution, .Net code execution, WinVerifyTrust digital signature validation vulnerability |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 11.04.2012
|
| | Multple vulnerabilities allow remote code execution. |
| 9! | Microsoft .Net multiple security vulnerabilities
updated since 02.01.2012
|
| | DoS, multiple vulnerabilities in forms authentication. |
| 8! | Microsoft Windows multiple security vulnerabilities
|
| | Kernel drivers privileges escalation, DirectWrite API DoS, RDP memory corruption and DoS. |
| 9! | Microsoft Windows multiple security vulnerabilities
updated since 15.02.2012
|
| | GDI code execution, drivers privilege escalation, unsafe DLL loading, C Runtime code execution, .Net framework and Silverlight vulnerabilities. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 15.02.2012
|
| | Code execution, information leakage. |
| 7! | Microsoft Windows multiple security vulnerabilities
updated since 11.01.2012
|
| | SafeSEH protection bypass, Windows Object Packager code execution, CSRSS privilege escalation, DirectShow / Windows Media memory corruption, Windows Packager code execution, SSL/TLS information leakage. |
| 6! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 15.12.2011
|
| | Information leakage, insecure library loading. |
| 9! | Microsoft Windows multiple security vulnerabilities
updated since 15.12.2011
|
| | Buffer overflow on TTF fonts parsing, OLE objects memory corruption, CSRSS and kernel privilege escalations, ActiveX code execution. |
| 6! | Microsoft Windows multiple applications DLL hijacking
updated since 26.08.2010
|
| | If application is launched via file type association, current path is set to the path file is located, making it's possible to place DLLs application tries to load dynamically into same directory. |
| | Microsoft Windows Media memory corruption
|
| | Memory corruption on .dvr-ms files parsing. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 12.10.2011
|
| | Multiple memory corruptions with code execution. |
| 6! | Microsoft .Net / Silverlight code execution
|
| | It's possible to escape from sandbox. |
| 7! | Microsoft Windows multiple security vulnerabilities
|
| | Active Accessibility and Media Center insecure DLL loading |
| 6! | DigiNotar fraudulent certificates
updated since 01.09.2011
|
| | Well known domain names certificates were issued to untrusted party. |
| 8! | Microsoft Windows multiple security vulnerabilities
|
| | NDISTAPI service and CSRSS privilege escalations, kernel DoS, TCP/IP DoS, RDP DoS, .Net information disclosure. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Multiple memory corruptions, crossite data access, code execution. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 15.06.2011
|
| | mhtml handler cross application scripting, VML processor memory corruption, multiple internet explorer memory corruptions, information leakage. |
| 7! | Microsoft Windows multiple security vulnerabilities
|
| | Uninitialized memory reference in Bluetooth stack, multiple memory handling vulnerabilities in Windows kernel, multiple privilege escalations in CSRSS. |
| 8! | Microsoft Windows multiple security vulnerabilities
updated since 15.06.2011
|
| | Buffer overflow on WMF files parsing. Uninitialized pointers on OTF parsing. DFS memory corruptions. SMB client and server memory corruptions. afd.sys privilege escalation. |
| 8! | Microsoft .Net Framework multiple security vulnerabilities
|
| | Array index overflow, JIT compiler code execution. |
| | Microsoft fixed SMB NTLM relay attacks
updated since 12.11.2008
|
| | Microsoft fixed NTLM proxing vulnerability: credentials used for one services could be forwardedto different one. Attack is known for many years as NTLM weakness. |
| 9! | Microsoft Windows multiple security vulnerabilities
updated since 13.04.2011
|
| | SMB client and server memory corruption, Fax Cover Page Editor memory corruption, MFC library unsafe DLL loading, MHTML library information leak, GDI+ library integer overflow, DNS client memory corruption, memory corruption in .Net Framework, memory corruption in JScript / VBScript engines, stack overflow in OpenType fonts parsing, multiple drivers vulnerabilities. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 13.04.2011
|
| | Multiple memory corruptions and information leaks. |
| | Multiple systems ICMPv6 flood DoS
|
| | router announcement packets flood resourceds exhaustion |
| | Windows help system buffer overflow
|
| | Buffer overflow on CHM files parsing. |
| 6! | Multiple ActiveX components security vulnerabilities
|
| | kill bit update for multiple components of different vendors. |
| 6! | Microsoft Windows multiple security vulnerabilities
|
| | Unsafe library loading, code execution with .dvr-ms files. |
| 6! | Microsoft Windows application policy bypass
|
| | It's possible to bypass application restriction policy by directly loading code into suspended process' memory via e.g. Microsoft Word macro. |
| 8! | Microsoft Windows multiple security vulnerabilities
updated since 08.02.2011
|
| | Buffer overflow in shell on thumbnail parsing, memory corruption on OpenType Compact Font Format parsing, privilege escalation via CSRSS, LSA, kernel and different drivers, Kerberos server spoofing, JScript/VBScript memory content leak. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 08.02.2011
|
| | Multiple memory corruptions, unsafe DLL loading. |
| | Microsoft IIS code execution
|
| | Files placed inside folder with lodername ending with .asp are treated as ASP files regardless of extension. |
| | Microsoft Fax Cover Page Editor double free vulnerability
|
| | Double free vulnerability on .cov files parsing. |
| | Microsoft ADO security vulnerabilities
|
| | Buffer overflow, memory corruption. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 15.12.2010
|
| | Crossite data access, multiple memory corruptions. |
| 9! | Microsoft Windows multiple security vulnerabilities
|
| | OpenType Font parsing memory corruption, task scheduler privilege escalation, usafe DLL loading, multiple kernel vulnerabilities, Consent User Interface privilege escalation, Netlogon DoS. |
| | Microsoft Windows hidden administrative group membership
|
| | It's possible to include user's account into administrative group without direct group membership. |
| 6! | Microsoft Windows Wordpad / Windows Shell code execution
|
| | Code execution via embedded COM object. |
| | Windows Media Player memory corruption
|
| | Memory corruption if page with WMP ActiveX is reloaded. |
| 6! | Microsoft Sharepoint SafeHTML crossite scripting
|
| | Few crossite scripting possibilities. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Multiple memory corruptions, cross domain information disclosure. |
| 9! | Microsoft Windows multiple security vulnerabilities
|
| | Multiple privilege escalation with different drivers. MFC buffer overflow. EOT and OTF fonts memory corruptions and integer overflow. comctl32 buffer overflow. LPC buffer overflow. SChannel DoS. |
| 9! | Microsoft Office multiple security vulnerabilities
updated since 15.09.2010
|
| | Buffer overflow in Microsoft Outlook message parsing, memory corruption on fonts parsing. |
| 9! | Microsoft Internet Information Services multiple security vulnerabilities
|
| | Authentication bypass, buffer overflow, DoS. |
| 9! | Microsoft Windows multiple security vulnerabilities
updated since 15.09.2010
|
| | Privilege escalation and code execution in spooler services,memory corruption in MPEG-4 codec, memroy corruption in RPC, privilege escalation in LSA, privilege escalation in CSRSS subsystem, WordPad memory corruption. |
| | Multiple browsers certificates validation weakness
|
| | Wildmasks in certificates issued to IP address are enabled. |
| 6! | Microsoft Windows Kerberos tickets spoofing
|
| | It's possible to logon with any account by manipulating network traffic. |
| 7! | Microsoft .Net and Silverlight security vulnerabilities
|
| | Memory corruption, code execution. |
| 7! | Microsoft Windows DirectShow memory corruption
|
| | Memory corruption on MP3 file parsing. |
| | Microsoft Windows Cinepak codec memory corruption
|
| | Memory corruption on data decompression. |
| 7! | Microsoft Windows SMB/CIFS service multiple security vulnerabilities
|
| | Buffer overflow, privilege escalation, DoS. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Multiple memory corruptions, crossite access. |
| 8! | Microsoft XML Core Services memory corruption
|
| | Memory corruption on server's response pasrsing in XMLHTTP. |
| | Microsoft Windows MovieMaker memory corruption
|
| | Memory corruption on project file parsing. |
| 6! | Microsoft Windows kernel multiple security vulnerabilities
updated since 10.08.2010
|
| | Memory corruptions, privilege escalations, DoS. |
| 6! | Microsoft Windows shortcuts code execution
|
| | Code execution on shortcut icon displaying. |
| | Microsoft ClickOnce technology insufficient security
|
| | Installation of unsigned elements is allowed. |
| 7! | Microsoft Windows Help and Support Center code execution
|
| | Code injection via URL. |
| | Microsoft Windows CHM files protection bypass
|
| | It's possible to bypass CHM file locking protection for file downloaded from Internet. |
| 6! | Microsoft Windows win32k privilege escalation
updated since 08.06.2010
|
| | Multiple memory corruptions. |
| 8! | Microsoft Internet Explorer code execution
|
| | It's possible to execute code via hcp:// handler. |
| 6! | Microsoft .Net XML signing protection bypass
|
| | Only part of signature is compared in case of incomplete HMAC. |
| 6! | Microsoft Windows OpenType Compact Font Format driver memory corruption
|
| | Memory corruption on IOCTL processing. |
| 7! | Code execution with multiple ActiveX components in Microsoft Windows
updated since 08.06.2010 |
| | | |
| 7! | Microsoft Windows media files parsing memroy corruption
|
| | Memory corruption on JPEG / MJPEG parsing. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Crossite scripting, information leakage, multiple memory corruptions. |
| | Multiple browsers DoS
updated since 20.05.2010
|
| | Mail program compose message window is created for avery frame with mailto:, news:, nntp:, etc URI. |
| | Microsoft Internet Explorer information leak
|
| | It's possible to access external UNC location via ICMFilter option, leaking authentication information. |
| | Microsoft Windows Mail / Outlook Express integer overflow
|
| | Integer overflow on POP3 or IMAP server reply parsing. |
| | Microsoft Internet Explorer, Google Chrome, Opera and Mozilla Firefox DoS
|
| | Large buffer within <marquee> tag causes browser to crash. |
| | Microsoft Windows DoS
|
| | SfnLOGONNOTIFY and SfnINSTRING functions DoS. |
| | Microsoft Windows Media Player ActiveX memory corruption
|
| | Memory corruption on media file parsing. |
| | Microsoft Windows ISATAP IPv6 address spoofing
|
| | Insufficient check for tunneling address. |
| 7! | Microsoft Windows MP3 codec buffer overflow
|
| | Buffer overflow on AVI files with MP3 audio stream. |
| 7! | Microsoft SMB client multiple security vulnerabilities
updated since 10.02.2010
|
| | Memory corruptions, race conditions. |
| | Microsoft VBS code execution
|
| | If F1 is pressed in dialog window, help file controlled by attacker |
| 6! | Microsoft Windows kernel multiple privilege escalations
|
| | Multiple DoS conditions, race conditions, memory corruptions. |
| 8! | Microsoft Windows file signature spoofing
|
| | Signature spoofing in PE and CAB files. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 31.03.2010
|
| | Multiple security vulnerability are used in-the-wild for hiddden malware installation. |
| 8! | Microsoft Internet Explorer memory corruption
|
| | Memory corruption on XML/HTML processing. |
| | Microsoft Movie Maker buffer overflow
|
| | Buffer overflow on .MSWMM files parsing. |
| 7! | Microsoft Windows code execution
updated since 10.02.2010
|
| | URL code injection. |
| 6! | Microsoft Windows kernel privilege escalation
|
| | Double free() vulnerability, exception handler vulnerability. |
| | Microsoft Paint integer overflow
|
| | Integer overflow on JPEG parsing. |
| 6! | Microsoft DirectShow buffer overflow
|
| | Buffer overflow on AVI parsing. |
| 7! | Microsoft Windows SMB server multiple security vulnerabilities
|
| | Memory corruptions, buffer overflow, DoS conditions, cryptography weakness. |
| 6! | Microsoft Windows Client/Server Run-time Subsystem
|
| | Invalid process termination on user's logout. |
| 7! | Microsoft Data Analyzer ActiveX Control memory corruption |
| | | |
| 8! | Microsoft Internet Explorer information leak
|
| | It's possible to retrieve any file from client computer via URLMON and Dynamic OBJECT tag. |
| 9! | Internet Explorer memory corruption
updated since 22.11.2009
|
| | Memory corruption then setting outerHTML from body style. |
| 8! | Microsoft Internet Explorer Multiple security vulnerabilities
updated since 19.01.2010
|
| | 0-day use-after-free vulnerability on createEventObject processing: <body onload="for(var i=0; i!=10000; i++) ev.srcElement">
<img src=. onerror="ev=createEventObject(event); outerHTML++">,
Multiple memory corruptions.
|
| 6! | Adobe Flash Player memory corruption
|
| | Memory corruption (use-after-free). |
| 8! | Microsoft Windows Embedded OpenType (EOT) Fonts multiple security vulnerabilities
updated since 14.07.2009
|
| | Integer overflows, heap buffer overflows. |
| 6! | Microsoft IIS protection bypass
|
| | It's possible to bypass 3rd party upload protection by file extension, because part of filename after semicolon is ingored then detecting file type. E.g. script.asp;.jpg is treated by web server as ASP file. |
| 6! | Microsoft Wordpad / Office Text Converters memory corruption
updated since 09.12.2009
|
| | Memory corruption on Office 97 documents parsing. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 09.12.2009
|
| | Multiple memory corruptions, code execution. |
| 8! | Microsoft Windows Intel Indeo codecs multiple
updated since 09.12.2009
|
| | Multiple vulnerabilities on video files parsing. |
| 7! | Microsoft Windows DoS
|
| | LSASS DoS on ISAKMP IPSec messages parsing. |
| 7! | Microsoft Internet Authentication Service multiple security vulnerabilities
|
| | MS-CHAP authentication bypass, memory corruption. |
| 9! | Multiple TCP implementations different security vulnerabilities
updated since 09.09.2009
|
| | Multiple security vulnerabilities in different operation sustems caused by resource exhaustions on maintaining TCP states table. |
| 8! | Microsoft Windows GDI code execution
|
| | Memory corruption on EOT (Embedded Open Type) font parsing, privilege escalation, DoS. |
| | Microsoft Active Directory DoS
|
| | LSASS stack overflow (stack memory exhaustion). |
| | Microsoft Internet Explorer DoS
|
| | Unremovable dialog with cycled setHomePage. |
| | Microsoft Windows Media Player information leak
|
| | Windows Media Player plugin allows to detect local file existance. |
| 6! | Microsoft Windows kernel multiple security vulnerabilities
updated since 13.10.2009
|
| | Integer overflow, NULL pointer dereference, exception handler vulnerability. |
| 7! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 13.10.2009
|
| | Multiple memory corruptions. |
| 6! | Microsoft Windows Media Runtime multiple security vulnerabilities
updated since 13.10.2009
|
| | Buffer overflows, memory corruptions. |
| 8! | Microsoft .Net multiple security vulnerabilities
|
| | Multiple vulnerabilities allow escape from sandbox environment. |
| 8! | Microsoft GDI+ multiple security vulnerabilities
|
| | Multiple vulnerabilities on WMF, PNG, TIFF, BMP parsing. |
| 9! | Microsoft Active Template Library (ATL) multiple security vulnerabilities
updated since 29.07.2009
|
| | Memory corruptions, information leak, initialization problem, leading to killbit protection bypass. |
| 8! | Microsoft Windows IIS FTP server buffer overflow
updated since 31.08.2009
|
| | Buffer overflow in NLST command. Same vulnerability may be used for stack overflow (stack memory exhaustion) without need fo write access. |
| 6! | Microsoft CryptoAPI certificate spoofing
|
| | Certificate name spoofing with NULL byte. |
| 7! | Microsoft Windows Indexing Service ActiveX memory corruption |
| | | |
| 6! | Microsoft Windows LSA DoS
|
| | Crash on NTLM authentication parsing. |
| 6! | Microsoft Windows Media Player buffer overflow
|
| | Buffer overflow on .ASF files parsing. |
| 7! | Microsoft DHTML ActiveX code execution |
| | | |
| 8! | Microsoft Windows JavaScript engine memory corruption
|
| | Memory corruption on "arguments" keyword parsing. |
| | DoS in multiple browsers
|
| | Hang or crash on oversized location.hash |
| 6! | Microsoft Windows MSMQ (message queuing) privilege escalation
updated since 11.08.2009
|
| | DoS conditions in the service lead to named channel spoofing possibility. |
| 7! | Microsoft RDP client multiple security vulnerabilities
updated since 11.08.2009
|
| | Memory corruption in ActiveX control, memory corruption on server reply processing. |
| 6! | Microsoft Windows Workstation service memory corruption
updated since 11.08.2009
|
| | Memory corruption on RPC message parsing. |
| 8! | Microsoft Windows media files processing memory corruption
|
| | Memory corruptions and integer overflows on AVI processing. |
| | Microsoft telnet NTLM relaying
|
| | NTLM relaying attack against telnet client authentication is possible. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 29.07.2009
|
| | Multiple memory corruptions, workaround for ATL vulnerability added. |
| | Multiple browsers DoS
updated since 16.07.2009
|
| | select() method doesn't limie the number of selected elements, leading to resources exhaustion. |
| | Multiple browsers DoS
|
| | Crash or resources exhaustion on oversized unicode string operations via Javascript. |
| 9! | Microsoft Video ActiveX code execution
updated since 07.07.2009
|
| | ActiveX vulnerability is actively for hidden malware installation. |
| 7! | Microsoft DirectShow multiple security vulnerabilities
|
| | Multiple DoS conditions and memory corruptions on Apple QuickTime formats processing. |
| | Mozilla Firefox / Microsoft Internet Explorer / Opera /Google Chrome DoS
updated since 26.05.2009
|
| | Hang on circle with large radius value in SVG tags. Hang and memory leak on reload with keygen tag. |
| 7! | Microsoft Active Directory multiple security vulnerabilities
updated since 09.06.2009
|
| | Double free() vulnerability, memory leaks. |
| 8! | Windows print spooler multiple security vulnerabilities
updated since 10.06.2009
|
| | Buffer overflow, unauthorized files access, privilege escalation with dynamic library loading. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 09.06.2009
|
| | Crossite data access, multiple memory corruptions. |
| 6! | Microsoft Wordpad / Microsoft Works multiple security vulnerabilities
updated since 14.04.2009
|
| | Buffer overflows and memory corruptions on different file formats conversions. |
| 6! | Microsoft Windows kernel multiple privilege escalation
|
| | Multiple vulnerabilities in different subsystems. |
| | Microsoft Windows Search information leak
|
| | Crossite scripting on search results. |
| 6! | Microsoft IIS WevDAV authentication bypass
|
| | It's possible to access resources? requireing authentication anonymously. |
| | Browsers and search systems URL spoofing
updated since 27.04.2009
|
| | By using %xx in host name it's possible to spoof URL origin. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 15.04.2009
|
| | Code exexuction, multiple memory corruptions, NTLM relaying. |
| 6! | Microsoft Windows WinHTTP servive multiple security vulnerabilities
|
| | Integer overflow, certificate spoofing, NTLM relaying. |
| 6! | Microsoft Windows privilege escalation
|
| | Privilege escalation with MSDTC, WMI, RPCSS, Windows Thread Pool services. |
| 7! | Microsoft DirectShow memory corruption
|
| | Memory corruption on Motion JPEG files decompression. |
| | Microsoft Internet Explorer DoS
|
| | Browser hangs while trying to determine charset of the text document with large number of random characters. |
| | Windows ZIP folders buffer overflow
updated since 13.10.2004
|
| | Integer overflow in DynaZip (DUNZIP32.DLL) library on oversized filename in archive. |
| 10! | Microsoft Windows kernel multiple security vulnerabilities
|
| | Multiple security vulnerabilities allow code execution via EMF/WMF files. |
| | Multiple browsers inherited charset crossite scripting
updated since 25.02.2007
|
| | If [age with undefined charset is displayed in frame, codepage of parent page is used. It makes it possible to conduct crossite scripting attack with e.g. UTF-7, EUC-JP (SHIFT_JIS) charset. |
| | Google Chrome, Mozilla Firefox, Opera, Internet Explorer browsers DoS
updated since 30.09.2008
|
| | Calling window.print() function in loop causes browser to hang. Uncontrollable memory allocation. Script can close window without user approval. |
| 6! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Few memory corruptions. |
| | Microsoft Windows fails to disable autorun
|
| | None of documented methods to disable autorun does it completely. This way of distribution is actively used by malware. CERT advises to add next record into registry (@ means default value for key).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
|
| 9! | Microsoft Windows SMB multiple security vulnerabilities
updated since 13.01.2009
|
| | Buffer overflows and DoS conditions. |
| | Microsoft Internet Explorer DoS
|
| | Crash on recursive script creation with createElement(). |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 10.12.2008
|
| | Multiple memory corruptions. |
| 9! | Microsoft Windows Media Player buffer overflow
|
| | Buffer overflow on WAV parsing |
| | Mozilla Firefox, Microsoft Internet Explorer, Opera and Google Chrome DoS
|
| | Printing <irame> in endless loop from javascript causes resources exhaustion and leads to browser hang. |
| 9! | Microsoft Windows Media Player integer overflow
|
| | Integer overflow on WAV parsing. |
| 6! | Microsoft Outlook Express / Outlook / Internet Explorer DoS
updated since 17.12.2008
|
| | <dt><h1 style=width:1px><li></h1> in HTML part causes application to crash. |
| 10! | Microsoft Internet Explorer memory corruption
|
| | Memory corruption leads to code execution. Vulnerability is used in-the-wild for hidden malware installation. |
| | Microsoft Windows Media Player multiple security vulnerabilities
|
| | NTLM credentials leak and relaying. |
| 8! | Microsoft Windows GDI library multiple security vulnerabilities
|
| | Buffer overflow and integer overflow on WMF parsing. |
| 8! | Microsoft Windows Search multiple security vulnerabilities
|
| | Code execution with saved search results and with search-ms: URI. |
| 6! | DoS against multiple e-mail applications and anti-viruses
|
| | MIME messages with large recursion level may cause application to hang or crash. |
| | Microsoft Internet Explorer saved pages crossite scripting
updated since 21.08.2007
|
| | Crossite scripting in context of local machine is possible on saving URL with address like
http://site/--><script>alert("XSS")</script> |
| | Internet Explorer, Opera, Google Chrome, Mozilla browsers DoS
updated since 03.10.2008
|
| | window.close() в цикле на событие OnLoad() приводит к зависанию браузера. Multiple resource exhaustion attacks with Javascript. |
| 7! | Microsoft XML multiple security vulnerabilities
|
| | Memory corruption, crossite scripting, information leak. |
| | Microsoft Windows Explorer buffer overflow
updated since 01.06.2006
|
| | Buffer overflow during right-click on .url file with oversized mhtml://mid: URL. Vulnerability can be used for hidden malware installation. |
| 10! | Microsoft Windows code execution
updated since 24.10.2008
|
| | It's possible toexecute code without authentication with RPC request UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 to browser service via SERVER (LanmanServer) service, TCP/139, TCP/445.
Reccomendation is to disable browser service. |
| | Microsoft Internet Explorer address bar spoofing
|
| | There are few methods of address bar spoofing. |
| 7! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 14.10.2008
|
| | Memory corruptions, information hijack, crossite scripting. |
| 7! | Microsoft Windows AFD driver privilege escalation
updated since 15.10.2008
|
| | Kernel memory access is possible. |
| 7! | Microsoft Windows Virtual Address Descriptor manipulation privilege escalation
|
| | Integer overflow leads to memory corruption. |
| 8! | Microsoft Windows SMB buffer overflow
|
| | Buffer overflow on SMB protocol parsing. |
| | Microsoft Windows Internet Printing Service integer overflow
|
| | Integer overflow after authentication. |
| | Microsoft Windows kernel multiple security vulnerabilities
|
| | Double free() vulnerability and memory corruptions. |
| | Windows kernel integer overflow
|
| | Integer overflow in IopfCompleteRequest function. |
| | Microsoft Internet Explorer DoS
|
| | Browser hangs on malcrafted PNG image. |
| | Mozilla Firefox / Opera / Microsoft Internet Explorer browsers DoS
|
| | window.sidebar.addPanel() in the loop causes browser to hang. |
| 6! | Microsoft Outlook Express / Microsoft Outlook DoS
|
| | Crash on
<style>*{position:relative}</style>
<table>DoS</table>
in HTML content. |
| | Microsoft Windows DoS
|
| | Uninitialized memory reference on WRITE_ANDX SMB request handling. |
| 7! | Microsoft Windows Media Encoder ActiveX code execution
|
| | Control supports unsafe methods. |
| 6! | Microsoft Windows Media Player memory corruption
|
| | Server-Side playlists parsing memory corruption. |
| 8! | Microsoft Windows GDI library multiple security vulnerabilities
|
| | Multiple vulnerabilities on different graphics format parsing. |
| 7! | Microsoft .Net framework multiple security vulnerabilities
updated since 10.07.2007
|
| | Buffer overflow on PE .Net format parsing, buffer overflow in KIT compiler, remote information leak in ASP.NET with poisoned NULL byte. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 12.08.2008
|
| | Multiple memory corruptions, MHTML crossite scripting. |
| 7! | Microsoft Windows color management system memory corruption
updated since 12.08.2008
|
| | Memory corruption on ICCM management. |
| 6! | Microsoft Windows privilege escalation
|
| | Invalid event handling allows code execution in system context. |
| 6! | Microsoft Windows DNS server and DNS client DNS reply spoofing
updated since 14.11.2007
|
| | Weak pseudo-random generator is used to generate DNS request ID. |
| 6! | Microsoft Windows PGM DoS
|
| | Infinite loop on PGM packet parsing. |
| 6! | Microsoft Wndows Bluetooth stack code execution
|
| | The Windows Bluetooth Stack does not correctly handle a large number of SDP requests. |
| 7! | Microsoft DirectX code execution
|
| | MJPEG format AVI and ASF files parsing vulnerability, SAMI files parsing vulnerability. |
| 6! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Crossite scripting, information leak. |
| | Microsoft Windows I2O driver privilege escalation
|
| | \\.\I2OExc device weak permissions, IOCTL data insufficient validation. |
| 7! | Microsoft Jet engine buffer overflow
|
| | Buffer overflow on MDB files request handling. |
| 6! | Microsoft Windows Realtek HD Audio privilege escalation
|
| | Multiple security vulnerabilities on IOCTL processing. |
| | Microsoft Windows privilege escalation
|
| | By using RPCSS service it's possible to elevate privileges from NetworkService to SYSTEM. |
| 6! | Microsoft Internet Explorer memory corruption
updated since 08.04.2008
|
| | Memory corruption on datasream processing. |
| 8! | Microsoft Windows multiple ActiveX elements security update
updated since 08.04.2008
|
| | Code execution in hxvz.dll. |
| 9! | Microsoft Windows GDI multiple security vulnerabilities
updated since 08.04.2008
|
| | Multiple buffer overflows on EMF and WMF files parsing. |
| 6! | Microsoft Windows privilege escalation
|
| | Code execution in kernel context. |
| 9! | Microsoft Windows VBScript / JScript buffer overflow
|
| | Buffer overflow on scripts parsing. |
| | Microsoft Internet Explorer / mozilla Firefox address spoofing |
| | | |
| 6! | Microsoft Internet Explorer 7 request modification
|
| | Headers manipulation and invalid chunked encoding processing allow response splitting. |
| | Microsoft Internet Explorer 7.0 DoS
|
| | Crash on createtextrange method. |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 12.02.2008
|
| | Multiple memory corruptions. |
| 7! | Microsoft Windows OLE buffer overflow
|
| | Heap buffer overflow |
| 6! | Microsoft Internet Information Services privilege escalation
|
| | Privilege escalation through file change notification. ASP files processing privilege escalation. |
| 7! | Microsoft Windows Web Client service buffer overflow
|
| | Buffer overflow on WebDAV server response parsing. |
| 6! | Microsoft Windows Active Directory DoS
|
| | Crash on LDAP request handling. |
| 6! | Microsoft Windows LSASS LPC requests privilege escalation
|
| | It's possible to execute code with LocalSystem privileges. |
| 10! | Microsoft Windows TCP/IP stack multiple security vulnerabilities
|
| | Memory corruption on IGMP/MLD processing, DoS on fragmented ICMP router discovery. |
| 6! | Microsoft Windows Vista / XP / 2000 audio drivers privilege escalation
|
| | Ensoniq PCI 1371 WDM audio driver privilege escalation. |
| 7! | Microsoft Windows Message Queuing buffer overflow
updated since 12.12.2007
|
| | Buffer overflow in RPC interface (TCP/2103). |
| 8! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 12.12.2007
|
| | Multiple memory corruptions. |
| 8! | Microsoft Windows DirectX multiple security vulnerabilities
updated since 12.12.2007
|
| | Synchronized Accessible Media Interchange (SAMI), WAV and AVI. |
| 7! | Microsoft Windows SafeDisk driver buffer overflow
updated since 20.10.2007
|
| | Buffer overflow in secdrv.sys driver allows code execution in syste, context. |
| 6! | 3ivx MP4 codec buffer overflow
|
| | Buffer overflow on MP4 tags parsing. |
| | Microsoft Jet Engine MDB files parsing buffer overflow
|
| | Buffer overflow on MDB file access. |
| 7! | Microsoft Windows URL code execution
|
| | Invalid handling of %xx sequences on external URL handlers in Windows XP with Internet Explorer 7 installed allows to execute applications. |
| 6! | Microsoft Windows TCP/IP stack IGMP DoS
updated since 15.02.2006
|
| | System hangs on malformed IGMPv3 packet. |
| | Microsoft Internet Explorer executable files download filter protection bypass
|
| | It's possible to upload file to temporary internet files folder by adding GET parameters to filename, e.g. http://example.com/program.exe?1.cda/ |
| 6! | Microsoft Windows RPC DoS
updated since 10.10.2007
|
| | Denial of Service during authentication in RPC-based services. |
| 6! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Memory corruption, address bar spoofing. |
| 8! | Microsoft Outlook Express / Windows Mail NNTP buffer overflow
|
| | Heap memory overflow on NNTP server reply parsing. |
| | Microsoft Windows Explorer PNG DoS
|
| | Infinite loop on invalid PNG file parsing. |
| 9! | Microsoft Windows XML core services memory corruption
updated since 14.08.2007
|
| | Memory corruption on XML parsing. |
| 10! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 14.08.2007
|
| | Memory corruption on ActiveX parsing, unsafe Visual Basic ActiveX execution, Visual Basic ActiveX memory corruption. |
| 10! | Microsoft Windows VML parsing buffer overflow
|
| | Heap buffer overflow on compressed VML content. |
| 6! | Microsoft Windows Media Player multiple security vulnerabilities
|
| | Multiple vulnerabilities on skin files parsing. |
| 6! | Microsoft Windows OLE Automation memory corruption
updated since 14.08.2007
|
| | Memory corruption on embedded objects processing. |
| 10! | Microsoft Windows GDI code execution
updated since 14.08.2007
|
| | Heap buffer overflow on Windows metafiles parsing. |
| | Microsoft Internet Explorer DoS
|
| | Line <style>*{position:relative}</style><table><input></table> causes brower to crash. |
| | Microsoft Windows ARP DoS
|
| | Flood with packets with different MACs causes CPU exaustion. |
| | Microsoft DirectX buffer overflow
|
| | Buffer overflow on compressed TGA images parsing. |
| 6! | Microsoft Internet Explorer 0-day vulnerability
updated since 10.07.2007
|
| | Unfiltered shell characters on executed URL: protocol application handler. |
| | Microsoft Internet Explorer content spoofing
|
| | It's possiblt to emulate navigation to different site by using document.open(), actually stayin in context of previous page. |
| 7! | Microsoft Internet Information Server DoS
updated since 18.12.2005
|
| | Request like http://www.example.com/_vti_bin/.dll/*\~0 for virtual folders with CGI execution enabled causes server to crash and potentially leads to code execution. |
| | Microsoft Internet Explorer DoS
|
| | Browser DoS on the page in domain with special characters. |
| 8! | Microsoft Outlook Express / Windows Mail multiple security vulnerabilities
updated since 12.06.2007
|
| | Multiple vulnerabilities on MHTML parsing. Code execution with UNC URLs. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 12.06.2007
|
| | Multiple memory corruptions, content spoofing. |
| 9! | Microsoft Windows APi code execution
|
| | Insufficient validation of function arguments. |
| | Microsoft Windows GDI+ library DoS
updated since 11.06.2007
|
| | Division by zero on .ICO files parsing. |
| | Microsoft Html Popup / Outlook Express Address Book ActiveX DoS
|
| | Crash on element displaying. |
| 7! | Microsoft Internet Explorer and Mozilla Firefox multiple security vulnerabilities
|
| | Internet Explorer race conditions allow cross domain access. Mozilla Firefox IFRAME cross domain access. Mozilla file download dialogs delay protection bypass. MSIE address bar spoofing. |
| 9! | Microsoft Internet Explorer multiple security vulnerabilities
updated since 08.05.2007
|
| | Multiple memory corruption on COM objects and HTML parsing, files rewrite. |
| | Multiple browsers digest authentication request splitting
|
| | It's possible to inject new line characters to HTTP request headers thorugh username. |
| 7! | Microsoft Windows memory corruption
updated since 16.12.2006
|
| | CSRSS memory corruption on MessageBox with MB_SERVICE_NOTIFICATION beginning with "\??\". |
| | Microsoft Windows Virtual DOS machine privilege escalation
|
| | Race conditions allow to overwrite VDM memory zero page. |
| 6! | Microsoft Windows Universal PnP memory corruption
|
| | Memory corruption during TCP/2869 and UDP/1900 request processing. |
| 7! | Microsoft Agent ActiveX memory corruption
|
| | Buffer overflow on URL parsing. |
| | Microsoft Windows DoS with WMF files
|
| | Uninitialized memory reference in system kernel. |
| 10! | Microsoft Windows animated cursors buffer overflow
updated since 30.03.2007
|
| | Stack buffer overflow (stack overrun) is actively used for hidden malware installation. |
| 9! | Microsoft Windows multiple GDI vulnerabilities |
| | | |
| 7! | Microsoft Data Access Components code execution
updated since 13.02.2007
|
| | ADODB.Connection NextRecordset() / Execute() double free() vulnerability. Can be used for hidden malware installation. |
| | Microsoft Internet Explorer DoS
|
| | Memory exhaustion with appendChild method. |
| | Microsoft Windows NDISTAPI DoS
|
| | During exceptions handling on \Device\NdisTapi device request handling URQL is not returned from DISPATCH level on switching to user mode, leading to crash (BSOD) with IRQL_LESS_THAN_NOT_EQUAL on accessing paged memory. |
| 7! | Microsoft MFC memory corruption
updated since 13.02.2007
|
| | Memory corruption on RTF files parsing. Can be used for hidden malware installation. |
| | Microsoft Windows mmioRead () multimedia function integer overflow
|
| | Integer overflow on negative parameter values. |
| | Microsoft Internet Explorer page content spoofing
|
| | Crossite scripting in res://ieframe.dll/navcancl.htm#http://www.site.com page allows to inject HTML code into page. |
| 6! | Microsoft Windows files and folders management problems
updated since 07.03.2007
|
| | During file operations conditions exist for attacker to gain access to content of protected or locked files. It's also possible to create unmanageble file. |
| | Microsoft Windows OLE files DoS
|
| | Crash on OLE file (.DOC) preview. |
| | Multiple browsers information leaks
|
| | Server can find pages visited by user by using, e.g., different background pages for "visited" elements. |
| 6! | Multiple browsers OnUnload event handler different vulnerabilities
updated since 23.02.2007
|
| | Different memory corruptions because of race conditions in OnUnload handler. In addition address bar spoofing and creation of pages can not be left is possible. |
| 6! | Mozilla libnss multiple security vulnerabilities
updated since 25.02.2007
|
| | Buffer overflows and integer overflows in SSL2 client and server code implementation. |
| | Microsoft Windows Explorer DoS
updated since 25.02.2007
|
| | Application (explorer.exe) crashes on browsing folder with corrupted WMF file (no need to click file itself). |
| 6! | Microsoft Windows ReadDirectoryChangesW information leak
|
| | ReadDirectoryChangesW() API function doesn't check user's privileges for subtree folders, making it's possible for unprivileged user to gather information about sensitive files. |
| | Microsoft Step-by-Step Interactive Training buffer overflow
updated since 13.02.2007
|
| | Buffer overflow on bokmarks files handling (.cbl, .cbm, .cbo). |
| 7! | Microsoft Internet Explorer multiple security vulnerabilities
|
| | Memory corruptions on COM objects instantiation and FTP server response parsing can be used for hidden malware installation. |
| 6! | Microsoft Windows Shell Hardware Detection privilege escalation
|
| | Parameter of function executed during hardware detection is not validated. |
| 7! | Microsoft Windows RiсhEdit control memory corruption
|
| | Memory corruption in RF-enbedded OLE object can be used for hidden malware installation. |
| 7! | Microsoft Windows OLE dialog memory corruption
|
| | Memory corruption on RTF-embedded OLE object. Can be used for hideen malware installation. |
| 7! | Microsoft Windows HTML Help ActiveX code execution
|
| | It's possible to access unsafe functions from web page. Vulnerability can be used for hidden malware installation. |
| 6! | Microsoft Windows Image Acquisition Service buffer overflow |
| | | |
| | Microsoft Internet Explorer / Mozilla Firefox user input hijacking
|
| | It's possible to hijack input focus by using OnKeyDown / OnKeyPress events. |
| 6! | Microsoft Windows XMLHTTP proxy problem
|
| | Because of insufficient request validation Msxml2.XMLHTTP ActiveX object can be used to proxy HTTML request via client browser. |
| | Microsoft Internet Explorer multiple ActiveX different paramters DoS
|
| | NULL pointer dereference. |
| 7! | Microsoft Agent memory corruption
updated since 14.11.2006
|
| | Memory corruption on parsing .ACF files. |
| | Microsoft Windows WMF invalid pointer dereference
|
| | Invalid pointer dereference in GDI on CreateBrushIndirect function. |
| 8! | Microsoft VML buffer overflow
|
| | Buffer overflow and integer overflows on Vector Markup Language parsing. May be used for hidden malware installation. |
| 6! | Multiple browsers race conditions
updated since 18.08.2006
|
| | There are different race condition with threading synchronization on different concurrent events. |
| | Microsoft Windows Client for Microsoft Network DoS
|
| | Argument of NetrWkstaUserEnum() memory is not checked and used to allocate memory, creating condition for memory exhaustion. |
| 6! | Multiple browsers DNS pinning protection bypass
|
| | By emulatin Web server failure it's possible to bypass DNS pinning protection (protection against changing IP address resolution by DNS name for crossite access) |
| | Microsoft Windows quartz.dll DoS
|
| | Division by zero on malformed MIDI file or WMV file. |
| 7! | Microsoft Internet Explorer / Outlook Express multiple security vulnerabilities
updated since 12.12.2006
|
| | Memory corruption on Javascript errors processing and Javascript normalize() function. Temporary Internet Files crossite access. Buffer overflow on Windows Address Book (WAB) parsing. |
| 6! | Microsoft Windows SNMP service buffer overflow |
| | | |
| 6! | Microsoft Windows CSRSS privilege escalation
|
| | It's possible to elevate privileges with manifest file. |
| 7! | Microsoft Windows Media Format Runtime buffer overflow
|
| | Buffer oveflows on parsing ASF (.ASF, .WMV, .WMA) and ASX files. |
| 7! | Microsoft Windows Workstation service buffer overflow
updated since 14.11.2006
|
| | Buffer overflow in RPC based service. |
| | Microsoft Windows Client Service for Netware multiple vulnerabilities
updated since 14.11.2006
|
| | Memory corruption, DoS. |
| 9! | Microsoft Windows daxctle.ocx and HTML parsing buffer overflows
updated since 13.09.2006
|
| | DirectAnimation.PathControl ActiveX control KeyFrame method heap overflow. Buffer overflow in CSS Floatproperty.
May be used for hidden malware installation. |
| 8! | Macromedia Flash Player buffer overflow
updated since 13.09.2006
|
| | Buffer overflow on .swf files playing. Vulnerability can be used for hidden malware installation through browser. |
| 9! | Microsoft Windows XMLHTTP ActiveX code execution
updated since 05.11.2006
|
| | ActiveX vulenrability is used for silent malware installation. |
| 6! | Windows kernel GDI structures privilege escalation
|
| | It's possible to remap read-only share memory section in write mode. |
| | Microsoft Windows connection sharing DoS
|
| | NULL-pointer dereference on DNS request proxying in Microsoft Windows NAT Helper. |
| 6! | Microsoft Windows Object Packager dialog spoofing
updated since 11.10.2006
|
| | Code execution with .RTF or .WRI file embedded object. |
| 7! | Microsoft Windows Server service multiple security vulnerabilities
|
| | Denial of service and code execution vulnerabilities. |
| | Multiple Microsoft Windows IPv6 security vulnerabilities
|
| | TCP connection reset with ICMP or TCP packet, CPU exhaustion. |
| 10! | Microsoft Windows WebViewFolderIcon ActiveX (integer overflow)
updated since 28.09.2006
|
| | Integer overflow can be used for hidden malware installation. |
| 7! | Microsoft Windows drmstor.dll buffer overflow
|
| | Buffer overflow in ActiveX element. |
| 7! | Multiple Microsoft XML service security vulnerabilities
|
| | Crossdomain data access, buffer overflow. |
| | Microsoft Indexing Service crossite scripting
updated since 12.09.2006
|
| | Crossite scripting with UTF-7 characters in URL is possible. |
| 10! | Microsoft Windows / Internet Explorer 0-day vulnerability
updated since 20.09.2006
|
| | Microsoft Vector Graphics Rendering Library vulnerability is used for hidden malware installation. |
| 8! | Multiple Windows kernel security vulnerabilities
updated since 09.08.2006
|
| | Buffer overflow vulnerability allows privilege escalation, WinLogon user profile DLL privilege escalation, unhandled exception code execution vulnerability. |
| 9! | Multiple Microsoft Internet Explorer security vulnerabilities
updated since 08.08.2006
|
| | Crossite scripting, crossite information access, FTP commands injection. Vulnerabilities can be used for hidden malware installation. |
| | Microsoft Windows XP Pragmatic General Multicast memory corruption
|
| | Memory corruption on parsing multicast PGM message if Microsoft Message Queuing Services (MSMQ) service is installed. |
| 7! | Microsoft Windows DHCP client buffer overflow
updated since 11.07.2006
|
| | Buffer overflow on DHCP server response parsing. |
| 8! | Multiple Microsoft Windows Server service security vulnerabilities
updated since 11.07.2006
|
| | Kernel mode heap overflow on mailslots processing. Information leak from SMB buffers. |
| 7! | Microsoft Windows crossite MMC access
updated since 08.08.2006
|
| | Script from Internet/Intranet zone site can access any Microsoft Management Console's object. |
| 9! | Microsoft Windows DNS client buffer overflows
updated since 08.08.2006
|
| | Buffer overflows in Winsock API and DNS client code. |
| 7! | Multiple Microsoft Internet Explorer and Windows security vulnerabilities
updated since 28.06.2006
|
| | Cross-domain page content access, MSHTA code execution. |
| 6! | Microsoft Windows GDI32 library integer overflow
|
| | CreateBrushInderect integer overflow on WMF files parsing. |
| 6! | Microsoft Windows graphics subsystem DoS
|
| | Gdiplus.dll division by zero on .ICO files parsing. |
| 6! | Microsoft Internet Information services buffer overflow
updated since 11.07.2006
|
| | Buffer overflow in ASP files processing leads to privilege escalation. |
| 9! | Microsoft Windows XP/2003 Picture and Fax Viewer / Wine / ME code execution
updated since 28.12.2005
|
| | Buffer overflow on parsing WMF metafiles. It may be used for silent Spyware/Trojan installation with Internet Explorer or another browser and also with Lotus Notes. There are vulnerabilities not covered by MS06-001. |
| 6! | ASP.NET source code disclosure
|
| | It's possible to retrieve source codes for scripts and executable, except protected file extensions. |
| 6! | Microsoft Windows SMB/CIFS privilege escalation
updated since 13.06.2006
|
| | MRxSmbCscIoctlOpenForCopyChunk buffer overflow. In additions, there are DoS vulnerabilities not covered by MS06-30. |
| 9! | Windows ICMP DoS (potential code execution)
updated since 09.02.2006
|
| | Buffer overflow on ICMP packets with Loose Source and Record Route IP options.
Short message translation:
There are DoS conditions in Windows 2000 built-in NAT server. Tested configuration: Windows 2000 English Standard/Advanced Service Pack 4 + Update Rollup 1 for Service Pack 4 with NAT server enabled. While routing packets with options "Loose Source and Record Route" defined by RFC 791 through server, Windows crashes to BSOD with error in tcpip.sys or ntoskrnl.exe, or system hangs or system began instable work. It doesn't metter if packets are from internal or external networks. Use attached script to test vulnerability. On Windows 2003 problem doesn't present. It's also likely same problem to present in Windows 2000 + ISA 2000. Code execution is potentially possible. |
| 9! | Microsoft Windows RRAS Service buffer overflow
updated since 13.06.2006
|
| | Buffer overflows in service RPC interface. May be used by network worm. |
| 7! | Windows Media Player PNG files buffer overflow
updated since 13.06.2006
|
| | Buffer overflow on PNG files processing. |
| 8! | Microsoft JScript (Internet Explorer) memory corruption
|
| | Memory corruption on objects release. May be used for hidden malware installation. |
| | Microsoft Windows software restriction policy protection bypass
|
| | By using RunAs function it's possible to launch any application. |
| | Windows limited service account privilege escalation
|
| | By using security tokens located in process memory it's possible to escalate privileges from limited service account, such as Network Service or Microsoft SQL Service account. |
| | Microsoft Distributed Transaction Coordinator DoS
updated since 09.05.2006
|
| | Two different buffer overflows causing service to crash. |
| 8! | Microsoft Windows shell code execution
updated since 11.04.2006
|
| | COM object can execute code. Can be used for hidden malware installation with Internet Explorer. |
| 6! | Microsoft Outlook Express buffer overflow
updated since 11.04.2006
|
| | Buffer overflow on parsing WAB address book. |
| 8! | Microsoft Windows MDAC code execution
updated since 11.04.2006
|
| | RDS.Dataspace ActiveX object is marked as safe. Can be used for hidden malware installation with Internet Explorer. |
| 8! | Microsoft Windows system services privilege escalation
updated since 01.02.2006
|
| | There are several local services SSDP Discovery service, Universal Plug and Play Host service) allow any authenticated user to configure service. It makes it possible to specify executable file and elevate privilege to Local System.
Also vulnerable:
HP Software: "Pml Driver HPZ12" (HP Printer Laserjet 4200L PCL 6)
Audodesk: "Autodesk Licensing Service"
Dell Power Managment Software for network cards: "NICCONFIGSVC"
Macromedia: "Macromedia Licensing Service"
Zonelabs.com TrueVector Device Driver: "vsdatant"
C-Dilla Software: "C-DillaCdaC11BA"
Macrovision SECURITY Driver (Security Windows NT): "CdaC15BA"
Macrovision SECURITY Driver (Security Windows NT): "SecDrv" |
| 8! | Multiple Microsoft Windows Media Player vulnerabilities
updated since 15.02.2006
|
| | Buffer overflow on BMP files playing. Buffer overflow on oversized SRC for HTML page with EMBED'ded WMP. May be used for client machine trojaning. |
| | Microsoft Windows Korean IME privilege escalation
updated since 15.02.2006
|
| | Help subsystem is executed with LocalSystem privileges. |
| 6! | Microsoft Windows WebClient service buffer overflow
|
| | Buffer overflow on RPC based service allows code execution with LocalSystem privileges. |
| | Microsoft Windows MS-DOS applications uninitilized memory access information leak
|
| | Memory is not initialized then allocated for MS-DOS virtual machine. It allows to read data from physical memory. |
| | Multiple Windows wireless adapters WEP protection bypass
|
| | Atacker can force client to downgradte to unencrypted cleartext mode operations. |
| 8! | Microsoft Windows embedded web fonts memory corruption
updated since 10.01.2006
|
| | Memory corruption on parsing web fonts embedded to HTML page. May be used to install trojans, backdoors or another malware to client computer. |
| | Microsoft Windows RunAs GPO restrictions protection bypass
|
| | It's possible to use RunAs with restricted application. |
| 7! | LAND attack DoS against Microsoft Windows 2003 and Microsoft Windows XP
updated since 05.03.2005
|
| | LAND attack (ICMP or TCP SYN packet with equal SRC and DST IPs and ports) causes target host to freeze. |
| 7! | Microsoft Windows Plug and Play Service UMPNPMGR buffer overflow
updated since 12.10.2005
|
| | Buffer overflow on PNP_GetDeviceList and PNP_GetDeviceListSize calls for anonymous user on Windows 2000 and authenticated user on Windows 2003 / XP. There is another one similar vulnerability, leading to memory leak with DoS conditions. |
| 8! | Microsoft Windows WMF / EMF buffer overflow
|
| | Multiple buffer overflows in GDI on WMF and WMF windows metafile formats. |
| | Multiple firewalls protection bypass
updated since 28.10.2004
|
| | The number of different way to break protection against client application attacks is almost unlimited. |
| 7! | Microsoft Distributed Transaction Coordinator service memory corruption
updated since 12.10.2005
|
| | Memory corruption as a result of integer overflow with anonymous remote access (Windows 2000) and authenticated access under Windows XP/2003. |
| 7! | Microsoft Windows Microsoft Collaboration Data Objects buffer overflow
updated since 12.10.2005
|
| | Buffer overflow on parsing mail messages with Microsoft SMTP service. |
| | Multiple Microsoft Distributed Transaction Controller DoS conditions
updated since 12.10.2005
|
| | Problems with TIP protocols handling, bounce attack is possible. |
| 6! | Microsoft Windows Network Connection Manager service buffer overflow
|
| | Buffer overflow in RPC service. |
| 6! | Microsoft FTP client directory traversal
|
| | It's possible to place downloaded file in any directory from server side. |
| 6! | Microsoft Windows Client Service for NetWare buffer overflow
|
| | Buffer overflow in network file srevice. |
| 6! | Microsoft Windows Shell multiple vulnerabilities
|
| | Problems with .lnk files processing, HTML files preview. |
| | Windows XP Wireless Zero Configuration service information leak
|
| | WPA PMKs and WEP keys are available with WZCQueryInterface() of Wzcsapi.dll. |
| | Microsoft Windows win32k.sys DoS
|
| | WM_CLOSE event for active drop-down menu causes system to crash. |
| | Microsoft Windows keyboard events design flow
|
| | Application with diferent user's credentials may send keyboard events to applications running in the same desktop emulating user input. |
| 6! | ICMP and TCP timestamp attacks to reset TCP connections
updated since 13.04.2005
|
| | By using different ICMP packet types and TCP timestamps values it's possible to cause TCP connection resets or performance decrease. |
| 6! | Microsoft Windows Plug and Play service buffer overflow
updated since 09.08.2005
|
| | Stack overflow on named pipes request processig. |
| 6! | Microsoft Windows RDP protocol DoS
updated since 09.08.2005
|
| | Bug in RDP protocol parsing causes system to crash and restart. |
| 6! | Microsoft Windows print Spooler service buffer overflow
|
| | Buffer overflow on named pipes request processing. |
| 6! | Microsoft Windows Telephony service privilege escalation |
| | | |
| | Microsoft Windows USB drivers buffer overflow
|
| | Buffer overflow on USB device response parsing. |
| 9! | Microsoft Windows Color Management module buffer overflow
updated since 13.07.2005
|
| | Buffer overflow during ICC tags processing in different graphics formats, including JPEG. |
| 6! | Remote Windows XP DoS
|
| | Access behind allocated memory on network packets handling. |
| | Windows XP / 2000 / 2003 / NT named pipes usernames information leak
updated since 09.02.2005
|
| | It's possible to retrieve usernames of the users accessing network resources. |
| 6! | Windows XP memory information leak
|
| | If WMI is used a part of RPC cache memory is not cleaned, making sensitive information leakage. |
| | Windows XP Service Manager race conditions
updated since 22.04.2003
|
| | On some race conditions confidential information may appear in the files open by system services during system shutdown. |
| 7! | Microsoft Message Queuing buffer overflow
updated since 13.04.2005
|
| | Buffer overflow in RPC-based protocol. |
| | Microsoft Agent content spoofing
|
| | Microsoft Agent ActiveX allows to spoof trusted site content. |
| | Multiple system telnet client information leak
|
| | Telnet server can request client's environment variables. |
| 8! | Microsoft Internet Explorer PNG images buffer overflow
|
| | Heap overflow on large specific PNG chunk. |
| 6! | Microsoft Windows Web Client service (WebDav client) buffer overflow
|
| | Buffer overflow on client request parsing. |
| 8! | Microsoft Windows HTML Help files parsing buffer overflow
|
| | Heap overflow on HTML help (.chm) files structure parsing. |
| 8! | Microsoft Windows SMB file system client buffer overflow
updated since 09.02.2005
|
| | Buffer overflow on nework protocol parsing. |
| 7! | Windows 2000/XP/2003 kernel multiple vulnerabilities
|
| | Buffer overflow during font files parsing, buffer overflow in CSRSS (Win32 execution subsystem), privilege escalation. |
| 6! | Microsoft Windows MSHTA code execution
|
| | Content type of the file is determined based on CLSID in file content, not by it's extention. |
| 9! | Microsoft Windows TCP/IP stack multiple vulnerabilities
|
| | Memory corruption on IP packets handling, TCP connection reset with spoofed TCP and ICMP packets, a varinat of LAND attack. |
| 10! | Windows multiple bugs
updated since 14.04.2004
|
| | LSASSS buffer overflow, LDAP DoS, PCT buffer overflow, WinLogon buffer overflow, WMF/EMF parsing buffer overflow, HCP:// code execution, Utility Manager privilege escalation, WMI privilege escalation, LDT privilege escalation, H.323 buffer overflow, NTVDM privilege escalation, ASM.1 double free memory coruuption. |
| | Microsoft Windows msjet database multipl vulnerabilities
|
| | Microsoft Windows msjet databases multiple vulnerabilities. |
| | Microsoft VBScript Engine memory leak
|
| | Regular expression functions memory leaks. |
| 7! | Microsoft Windows Hyperlink Object Library buffer overflow |
| | | |
| 7! | Microsoft Windows COM/OLE multiple bugs
|
| | Privilege escalation during parsing files with COM structure (e.g. MS Office), buffer overflow on OLE objects, including MS Exchange MS-TNEF data format. |
| 7! | Microsoft Windows Drag-and-Drop vulnerability
|
| | It's possible to trick user to drag-n-drop malicious file into special (for example autostart) folder. |
| 6! | Microsoft Windows XP SP2 non-executable memory (DEP) protection bypass
|
| | By using small memory regisouns it's possible to place executable code into non-executable memory regions. |
| 7! | Microsoft Windows NetDDE buffer overflow
updated since 13.10.2004 |
| | | |
| 6! | Microsoft Indexing Service buffer overflow
|
| | Buffer overflow on search request processing. |
| 8! | Microsoft Windows .ANI (animated cursor) files buffer overflow
|
| | USER32.DLL buffer overflow allows code to be executed. This vulnerability can potentially be used for silent spyware/adware installation. |
| 8! | Multiple Microsoft Windows bugs
updated since 15.12.2004
|
| | Kernel buffer overflow LSASS privilege escalation. |
| 6! | Windows LoadImage integer overflow
|
| | Integer overflow on bitmap size calculation. |
| | Windows ANI files DoS
|
| | Installing ANI file with incorrect parameters causes syste, to freeze or crash. |
| | Windows XP SP2 protection bypass
|
| | For dialup connection whole network of dynamic IP class is treated as local segment. |
| | HyperTerminal buffer overflow
|
| | Buffer overflow on .ht files parsing. |
| 6! | Microsoft WordPad buffer overflow
|
| | Buffer overflow during Word 95/6.0 documents conversion. |
| 8! | Microsoft Windows multiple bugs
updated since 13.10.2004
|
| | Windows management API privilege escalation with SetWindowLong()/SetWindowLongPtr() shatter attack, Virtual DOS Machine privilege escalation, EMF/WMF files code execution, DoS. |
| 6! | Windows Shell buffer overflow |
| | | |
| 8! | Windows GDI+ libraries JPEG buffer overflow
updated since 15.09.2004
|
| | Buffer overflow in JPEG parsing routines. |
| | Windows XP SP2 dangerous content filtering protection bypass
|
| | Comment in predefined format causes content to bypass protection. |
| | Windows XP/Windows 2003 DoS
|
| | Flood with WinKey+U from consoles or via RDP before logon causes memory exhaustion. |
| 8! | Microsoft HTML Help buffer overflow
|
| | Buffer overflow on CHM format parsing. |
| | Windows Shell file type spoofing
|
| | By using class id in content-disposition it's possible ti spoof file type.
Content-Disposition: attachment; filename=malware.{3050f4d8-98B5-
11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg"
|
| 6! | Microsoft Windows Task Scheduler buffer overflow
|
| | Buffer overflow during .job files parsing. |
| | Microsoft DirectPlay DoS
|
| | Invalid network packets parsing. |
| 6! | Windows Help Center Dvdupgrade code execution
|
| | It's possible to execute any code via local zone scripting. |
| | Explorer / Internet Explorer buffer overflow
|
| | Buffer overflow on connection to network folder with oversized share name. |
| 6! | Microsoft Jet Database Engine buffer overflow
|
| | Request to database can cause buffer overflow. |
| 10! | Windows NT/2000/XP/2003 RPC buffer overflow
updated since 17.07.2003
|
| | Multiple buffer overflows during RPC request parsing via TCP/135 and another RPC ports. |
| 10! | Multiple Windows ASN.1 bugs
updated since 11.02.2004
|
| | Heap corruptions, heap buffer overflows open possibilities for attack via different protocols and applications. |
| 6! | Windows XP EMF buffer overflow
|
| | Heap overflow on image preview. |
| | Windows XP/2003 server service memory leak
|
| | Memory leak on directory cration/deletion. |
| | Windows XP .folder files code execution
|
| | It's possible to create .folder file launching executable fail on open. |
| | HTML help privilege escalation
updated since 24.10.2003
|
| | HtmlHelp() call doesn't drop system privileges. |
| 9! | Lanman workstation buffer overflow
|
| | Buffer overflow during service network messages processing. |
| 7! | Win32 'Shatter' attacks
updated since 22.08.2002
|
| | Is priveleged application doesn't check system messages data it may be possible to execute code in application context by setting callback functions or excluding limits causing buffer overflws. |
| 10! | Windows Messenger service buffer overflow
updated since 16.10.2003
|
| | Buffer overflow on message receiving. |
| 7! | Buffer Overflow in Tshoot.ocx Windows Troubleshooter ActiveX
updated since 16.10.2003 |
| | | |
| | Windows ListBox/ComboBox buffer overflow
|
| | Buffer overflow in Windows components makes it possible to launch shatter attack. |
| 7! | Microsoft Windows Help and Support Center buffer overflow
|
| | Buffer overflow on hcp:// protocol handling. |
| 8! | Microsoft Windows Authenticode protection bypass
|
| | There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog. |
| | Microsoft Windows NetBIOS information leak
|
| | Uninitialized memory structure during reply to NetBIOS name request allows attacker to read few bytes from remote host's memory. |
| 7! | Windows DirectX MIDI integer overflow
updated since 24.07.2003
|
| | Integer overflow during MIDI processing leads to heap corruption allowing code execution. |
| 6! | Multiple SNMP problems
updated since 13.02.2002
|
| | Multiple problems in different SNMP implementation can lead to DoS, remote code execution, etc. |
| | Buffer overflow in explorer.exe
updated since 18.05.2003
|
| | Buffer overflow on desktop.ini parsing. |
| 6! | Windows 2003/XP gethostbyaddr() NULL pointer bug
|
| | If invalid CNAME in reverse lookup zone is specified, gethostbyaddr() returns hostent structure with name pointer set to NULL. |
| 7! | Windows NTLM relaying attacks
updated since 14.09.2000
|
| | Some client program use NTLM authentication with user's permission without user request. It may leak to NTLM credentials and perform choosen challenge attack and comprometation of server's with client credentials by relaying NTLM request. |
| 7! | Windows NT/2000/XP kernel buffer overflow
|
| | Stack based overflow during debug message processing. |
| 6! | Microsoft Windows XP redirector service buffer overflow
updated since 07.02.2003
|
| | Buffer overflow on oversized UNC, for example in net use command. |
| | Microsoft RPC DoS
|
| | Malformed request to RPC Endpoint Mapper (TCP/135) may cause RPC services to crash. |
| 7! | Windows Script Engine integer overflow
|
| | Integer overflow on array's sort() function. |
| | WIN32 PostMessage API information leak
|
| | By using PostMessage(hwnd, EM_SETPASSWORDCHAR, 0, 0) it's possible to unmask password in dialog to copy it later via buffer. It alows to bypass WM_GETTEXT protection. |
| | Windows 2000 SMB signing protection bypass
updated since 14.12.2002
|
| | During connectio nsetup it's possible to switch off SMB signing regardless of policy setting. |
| | Multiple Windows 2000 driver signing problems
|
| | It's possible to spoof file with older one, problem in certificate chain validation. |
| | Buffer overflow in Windows XP Shell
|
| | Buffer overflow on audio file processing. |
| | Microsoft Windows XP information leakage |
| | | |
| 6! | Windows 2000/XP PPTP buffer overflow
updated since 01.10.2002
|
| | Malformed PPTP packets causes service to crash. |
| 6! | File deletion via Windows XP Help Center
updated since 16.08.2002
|
| | By usgin hcp:// URL it's possible to remove file sustem objects. |
| | Buffer overflow and directory traversal in Microsoft Windows Compressed Folders feature
updated since 03.10.2002
|
| | Buffer overflow and directory traversal while extracting file from .zip archive. |
| | Microsoft Windows XP weak permissions
|
| | Weak permissions for restore information allow to view and change sensitive data, including SAM. |
| 6! | Microsoft RAS Phonebook buffer overflow
updated since 05.12.2000
|
| | Buffer overflow. |
| 6! | Buffer overflow in Windows NT/2000/XP
updated since 04.04.2002
|
| | Buffer overflow on long request to MUP (Multiple UNC Provider) |
| | DoS против SMTP в Exchange
updated since 28.02.2002 |
| | | |
| | DoS против CIFS в WindowsXP |
| | | |
| | Локальный DoS против Windows XP |
| | | |
| 8! | Переполнение буфера и DoS в SSDP/UpNP в Windows ME
updated since 19.10.2001 |
| | | |
| | |
