NIPC CyberNotes #2002-12 Page 10 of 33 06/17/2002
Vendor
Operating
System
Software
Name
Vulnerability/
Impact
Patches/Workarounds/
Alerts
Common
Name
Risk*
Attacks/
Scripts
Microsoft
52
Windows
95/98/ME/
NT
4.0/2000
Internet
Explorer
5.0.1,
5.0.1SP1&
2, 5.5,
5.5SP1&2,
6.0;
Proxy
Server 2.0;
ISA Server
2000
A buffer overflow
vulnerability exists in the
component that parses gopher
replies, which could let a
remote malicious user execute
arbitrary code.
Frequently asked
questions regarding this
vulnerability and the
patch can be found at:
http://www.microsoft.com/t
echnet/treeview/default.asp?
url=/technet/security/bulleti
n/MS02-027.asp
Multiple
Microsoft
Product
Gopher Client
Buffer
Overflows
CVE Name:
CAN-2002-
0371
High
Bug discussed
in newsgroups
and websites.
Vulnerability
has appeared in
the press and
other public
media.
Microsoft
53
Windows
95/98/ME/
NT
4.0/2000
Internet
Explorer
5.5, 5.5
SP1&2. 6.0
A Cross-Site Scripting
vulnerability exists if both the
"Enable folder view for FTP
sites" and the "Enable Web
content in folders" options are
enabled, which could let a
malicious user execute
arbitrary JavaScript code.
No workaround or patch
available at time of
publishing.
Internet
Explorer
Cross-Site
Scripting
High
Bug discussed
in newsgroups
and websites.
Exploit has
been published.
Microsoft
54
Microsoft
updates
bulletin
55
Multiple MSN Chat
Control
A buffer overflow
vulnerability exists in the
ActiveX control, which
could let a remote malicious
user execute arbitrary code
on the system with the
privileges of the current
user.
Bulletin updated to advise
customers that the
ixes
released on May 08, 2002 did
not fully protect systems
against the
reintroduction of the older,
vulnerable control and to
announce the availability of
updated fixes.
Frequently asked
questions regarding this
vulnerability and the
patch can be found at:
http://www.microsoft.com/
technet/treeview/default.as
p?url=/technet/security/bu
lletin/MS02-022.asp
Updates fixes available
at:
http://www.microsoft.com/t
echnet/treeview/default.asp?
url=/technet/security/bulleti
n/MS02-022.asp
MSN Chat
Control
Remote
Buffer
Overflow
CVE Name:
CAN-2002-
0155
High Bug discussed
in newsgroups
and websites.
Vulnerability
has appeared
in the press
and other
public media.
Microsoft
56
Windows
NT
4.0/2000
SQL Server
2000, 2000
SP1&2
Two vulnerabilities exist: a
buffer overflow vulnerability
exists in the SQLXML ISAPI
extension that handles data
queries over HTTP(SQLXML
HTTP) when malformed data
is received, which could let a
malicious user execute
arbitrary code; and a
vulnerability exists because it
is possible to inject arbitrary
script code via XML tags,
which could let a malicious
user execute arbitrary script
code.
Frequently asked
questions regarding this
vulnerability and the
patch can be found at:
http://www.microsoft.com/t
echnet/treeview/default.asp?
url=/technet/security/bulleti
n/MS02-030.asp
Microsoft SQL
Server
Vulnerabilities
CVE Name:
CAN-2002-
0186,
CAN-2002-
0187
High
Bug discussed
in newsgroups
and websites.
Proof of
Concept
exploit has
been published.
Vulnerability
has appeared in
the press and
other public
media.
52
Microsoft Security Bulletin, MS02-027 V2.0, June 14, 2002.
53
Bugtraq, June 7, 2002.
54
Microsoft Security Bulletin, MS02-022, May 8, 2002.
55
Microsoft Security Bulletin, MS02-022 V2.0, June 11, 2002.
56
Microsoft Security Bulletin, MS02-030, June 12, 2002.
(51 paginas)
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comentarios a estos manuales