[Winvulns-announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Vulnerabilities to Windows Systems'

Notification of New Vulnerabilities to Windows Systems Fixlet Messages winvulns-announcements at bigmail.bigfix.com
Fri Mar 4 05:20:08 PST 2011


Fixlet Site - 'Vulnerabilities to Windows Systems'
Current Version: 243	Published: Thu, 03 Mar 2011 18:43:31 GMT

New Fixlets:
============

***************************************************************
Title: ASP.NET Padding Oracle Vulnerability
Severity: Medium
Fixlet ID: 1236501
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12365.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3332
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

***************************************************************
Title: Microsoft Windows Human Interface Device (HID) driver is prone to security bypass vulnerability.
Severity: High
Fixlet ID: 1256601
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval12566.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0638
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Microsoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer.


