[Winvulns-announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Vulnerabilities to Windows Systems'
Notification of New Vulnerabilties to Windows Systems Fixlet Messages
winvulns-announcements at bigmail.bigfix.com
Tue Apr 15 05:20:16 PDT 2014
Fixlet Site - 'Vulnerabilities to Windows Systems'
Current Version: 357 Published: Tue, 15 Apr 2014 01:12:39 GMT
New Fixlets:
============
***************************************************************
Title: Word RTF memory corruption vulnerability (CVE-2014-1761) - MS14-017
Severity: High
Fixlet ID: 2398301
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval23983.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, as exploited in the wild in March 2014.
***************************************************************
Title: Apache HTTP vulnerability before 2.2.27 or before 2.4.8 in VisualSVN Server (CVE-2014-0098)
Severity: Medium
Fixlet ID: 2410101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24101.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0098
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
***************************************************************
Title: Internet Explorer memory corruption vulnerability (CVE-2014-1751) - MS14-018
Severity: High
Fixlet ID: 2421801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24218.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1751
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0235 and CVE-2014-1755.
***************************************************************
Title: The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read
Severity: Medium
Fixlet ID: 2424101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24241.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
***************************************************************
Title: Microsoft Office file format converter vulnerability (CVE-2014-1757) - MS14-017
Severity: High
Fixlet ID: 2431801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24318.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1757
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Word 2007 SP3 and 2010 SP1 and SP2, and Office Compatibility Pack SP3, allocates memory incorrectly for file conversions from a binary (aka .doc) format to a newer format, which allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office File Format Converter Vulnerability."
***************************************************************
Title: Microsoft Word stack overflow vulnerability (CVE-2014-1758) - MS14-017
Severity: High
Fixlet ID: 2435801
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24358.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1758
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Stack-based buffer overflow in Microsoft Word 2003 SP3 allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Word Stack Overflow Vulnerability."
***************************************************************
Title: Internet Explorer memory corruption vulnerability (CVE-2014-1753) - MS14-018
Severity: High
Fixlet ID: 2438101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24381.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1753
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
***************************************************************
Title: Windows file handling vulnerability - CVE-2014-0315 (MS14-019)
Severity: High
Fixlet ID: 2444201
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24442.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0315
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Untrusted search path vulnerability in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse cmd.exe file in the current working directory, as demonstrated by a directory that contains a .bat or .cmd file, aka "Windows File Handling Vulnerability."
***************************************************************
Title: Arbitrary pointer dereference vulnerability - CVE-2014-1759 (MS14-020)
Severity: High
Fixlet ID: 2452401
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24524.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1759
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: pubconv.dll in Microsoft Publisher 2003 SP3 and 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via a crafted .pub file, aka "Arbitrary Pointer Dereference Vulnerability."
***************************************************************
Title: Internet Explorer memory corruption vulnerability (CVE-2014-1760) - MS14-018
Severity: High
Fixlet ID: 2453101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24531.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1760
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
***************************************************************
Title: Internet Explorer memory corruption vulnerability (CVE-2014-1752) - MS14-018
Severity: High
Fixlet ID: 2455101
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24551.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1752
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
***************************************************************
Title: Internet Explorer memory corruption vulnerability (CVE-2014-1755) - MS14-018
Severity: High
Fixlet ID: 2459001
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24590.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1755
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0235 and CVE-2014-1751.
***************************************************************
Title: Internet Explorer memory corruption vulnerability (CVE-2014-0235) - MS14-018
Severity: High
Fixlet ID: 2462901
Fixlet Link: http://oval.mitre.org/oval/definitions/data/oval24629.html
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0235
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1751 and CVE-2014-1755.
More information about the WinVulns-Announcements
mailing list