Re: [PROPOSAL] Cluster MS-99 - 7 legacy candidates
* Steven M. Christey (coley@LINUS.MITRE.ORG) [000518 00:45]:
> The following cluster contains 7 legacy candidates, all of which are
> related to Microsoft advisories that were published in 1999.
> With this cluster, we now have candidates (or entries) for all problems
> described in Microsoft advisories from that year.
>
> All candidates have a "priority 1." I encourage the Board to vote on
> these rapidly, within the minimum 2-week time frame before they are
> moved to Interim Decision. The schedule for this cluster is:
>
> Scheduled Interim Decision: May 30
> Scheduled Final Decision: June 5
>
> Other legacy candidates related to 1999 advisories will be posted next
> week.
>
> - Steve
>
>
>
> Summary of votes to use (in ascending order of "severity")
> ----------------------------------------------------------
>
> ACCEPT - voter accepts the candidate as proposed
> NOOP - voter has no opinion on the candidate
> MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
> REVIEWING - voter is reviewing/researching the candidate, or needs more info
> RECAST - candidate must be significantly modified, e.g. split or merged
> REJECT - candidate is "not a vulnerability", or a duplicate, etc.
>
> 1) Please write your vote on the line that starts with "VOTE: ". If
> you want to add comments or details, add them to lines after the
> VOTE: line.
>
> 2) If you see any missing references, please mention them so that they
> can be included. References help greatly during mapping.
>
> 3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
> So if you don't have sufficient information for a candidate but you
> don't want to NOOP, use a REVIEWING.
>
> ********** NOTE ********** NOTE ********** NOTE ********** NOTE **********
>
> Please keep in mind that your vote and comments will be recorded and
> publicly viewable in the mailing list archives or in other formats.
>
> =================================
> Candidate: CAN-1999-1011
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000518
> Assigned: 19991221
> Category: SF
> Reference: MS:MS98-004
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
> Reference: MS:MS99-025
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
> Reference: CIAC:J-054
> Reference: URL:http://www.ciac.org/ciac/bulletins/j-054.shtml
>
> The Remote Data Service (RDS) DataFactory component of Microsoft Data
> Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods,
> which allows remote attackers to execute arbitrary commands.
>
>
> ED_PRI CAN-1999-1011 1
>
>
> VOTE: MODIFY

It's a configuration problem. I think we are distinguishing the software
flaw category from configuration problems.
Reference: BID 529

> =================================
> Candidate: CAN-2000-0323
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000518
> Assigned: 20000511
> Category: SF
> Reference: BUGTRAQ:19990728 Alert: MS Office 97 Vulnerability
> Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=19990729195531.25108.qmail@underground.org
> Reference: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=D1A11CCE78ADD111A35500805FD43F58019792A3@RED-MSG-04
> Reference: MS:MS99-030
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
> Reference: BID:595
> Reference: URL:http://www.securityfocus.com/level2/?go=vulnerabilities&id=595
>
> Microsoft Jet database engine allows an attacker to modify text
> files via a database query, aka the "Text I-ISAM" vulnerability.
>
>
> ED_PRI CAN-2000-0323 1
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-2000-0325
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000518
> Assigned: 20000511
> Category: SF
> Reference: MS:MS99-030
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
>
> Microsoft Jet database engine allows an attacker to execute
> commands via a database query, aka the "VBA Shell" vulnerability.
>
>
> ED_PRI CAN-2000-0325 1
>
>
> VOTE: MODIFY

This is not a software flaw. It's a design flaw (or a design decision if
you like ;-). The flaw can then be used through a configuration error
(e.g. CAN-1999-1011) or an input validation error.

> =================================
> Candidate: CAN-2000-0327
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000518
> Assigned: 20000511
> Category: SF
> Reference: BUGTRAQ:19991014 Another Microsoft Java Flaw Disovered
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93993545118416&w=2
> Reference: MS:MS99-045
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-045.asp
>
> Microsoft Virtual Machine (VM) allows remote attackers to escape the
> Java sandbox and execute commands via an applet containing an illegal
> operation, aka the "Virtual Machine Verifier" vulnerability.
>
>
> ED_PRI CAN-2000-0327 1
>
>
> VOTE: MODIFY

Reference: BID 740

> =================================
> Candidate: CAN-2000-0328
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000518
> Assigned: 20000511
> Category: SF
> Reference: BUGTRAQ:19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4
> Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.19990824165629.00abcb40@192.168.124.1
> Reference: MS:MS99-046
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
> Reference: BID:604
> Reference: URL:http://www.securityfocus.com/vdb/bottom.html?vid=604
>
> Windows NT 4.0 generates predictable random TCP initial sequence
> numbers (ISN), which allows remote attackers to perform spoofing and
> session hijacking.
>
>
> ED_PRI CAN-2000-0328 1
>
>
> VOTE: ACCEPT
>
> =================================
> Candidate: CAN-2000-0329
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000518
> Assigned: 20000511
> Category: SF
> Reference: MS:MS99-048
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-048.asp
>
> A Microsoft ActiveX control allows a remote attacker to execute a
> malicious cabinet file via an attachment and an embedded script in an
> HTML mail, aka the "Active Setup Control" vulnerability.
>
>
> ED_PRI CAN-2000-0329 1
>
>
> VOTE: MODIFY

Reference: BID 775

> =================================
> Candidate: CAN-2000-0330
> Published:
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000518
> Assigned: 20000511
> Category: SF
> Reference: MS:MS99-049
> Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-049.asp
>
> The networking software in Windows 95 and Windows 98 allows remote
> attackers to execute commands via a long file name string, aka the
> "File Access URL" vulnerability.
>
>
> ED_PRI CAN-2000-0330 1
>
>
> VOTE: MODIFY

Reference: BID 779

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum