
[PROPOSAL] Cluster MS-99 - 7 legacy candidates



The following cluster contains 7 legacy candidates, all related to Microsoft advisories that were published in 1999. With this cluster, we now have candidates (or entries) for all issues described in Microsoft advisories. All of the candidates have a "Priority 1."

I encourage the Board to vote on these rapidly, within the minimum 2-week time frame before they are moved to Interim Decision. The schedule for this cluster is:

Scheduled Interim Decision: May 30
Scheduled Final Decision: June 5

Other legacy candidates related to 1999 advisories will be posted next week.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.

=================================
Candidate: CAN-1999-1011
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 19991221
Category: SF
Reference: MS:MS98-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
Reference: MS:MS99-025
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
Reference: CIAC:J-054
Reference: URL:http://www.ciac.org/ciac/bulletins/j-054.shtml

The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.

ED_PRI CAN-1999-1011 1

VOTE:

=================================
Candidate: CAN-2000-0323
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19990728 Alert: MS Office 97 Vulnerability
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=19990729195531.25108.qmail@underground.org
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=D1A11CCE78ADD111A35500805FD43F58019792A3@RED-MSG-04
Reference: MS:MS99-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
Reference: BID:595
Reference: URL:http://www.securityfocus.com/level2/?go=vulnerabilities&id=595

The Microsoft Jet database engine allows an attacker to modify text files via a database query, aka the "Text I-ISAM" vulnerability.

ED_PRI CAN-2000-0323 1

VOTE:

=================================
Candidate: CAN-2000-0325
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-030
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp

The Microsoft Jet database engine allows an attacker to execute commands via a database query, aka the "VBA Shell" vulnerability.

ED_PRI CAN-2000-0325 1

VOTE:

=================================
Candidate: CAN-2000-0327
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19991014 Another Microsoft Java Flaw Disovered
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93993545118416&w=2
Reference: MS:MS99-045
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-045.asp

Microsoft Virtual Machine (VM) allows remote attackers to escape the Java sandbox and execute commands via an applet that contains an illegal operation, aka the "Virtual Machine Verifier" vulnerability.

ED_PRI CAN-2000-0327 1

VOTE:

=================================
Candidate: CAN-2000-0328
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: BUGTRAQ:19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.19990824165629.00abcb40@192.168.124.1
Reference: MS:MS99-046
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
Reference: BID:604
Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=604

Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking.

ED_PRI CAN-2000-0328 1

VOTE:

=================================
Candidate: CAN-2000-0329
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-048
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-048.asp

A Microsoft ActiveX control allows remote attackers to execute a malicious cabinet file via an attachment and an embedded script in an HTML mail, aka the "Active Setup Control" vulnerability.

ED_PRI CAN-2000-0329 1

VOTE:

=================================
Candidate: CAN-2000-0330
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000518
Assigned: 20000511
Category: SF
Reference: MS:MS99-049
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-049.asp

The networking software in Windows 95 and Windows 98 allows remote attackers to execute commands via a long file name string, aka the "File Access URL" vulnerability.

ED_PRI CAN-2000-0330 1

VOTE:

Page Last Updated or Reviewed: May 22, 2007