Microsoft Windows Nt

The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which

CVE-2010-0232 7.8 - High - January 21, 2010

The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability."

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors

CVE-2008-4609 - October 20, 2008

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.

Configuration

The HxTocCtrl ActiveX control (hxvz.dll), as used in Microsoft Internet Explorer 5.01 SP4 and 6 SP1, in Windows XP SP2, Server 2003 SP1 and SP2, Vista SP1, and Server 2008

CVE-2008-1086 - April 08, 2008

The HxTocCtrl ActiveX control (hxvz.dll), as used in Microsoft Internet Explorer 5.01 SP4 and 6 SP1, in Windows XP SP2, Server 2003 SP1 and SP2, Vista SP1, and Server 2008, allows remote attackers to execute arbitrary code via malformed arguments, which triggers memory corruption.

Code Injection

Microsoft Internet Explorer 6.0 on Windows NT 4.0 SP6a, Windows 2000 SP4, Windows XP SP1, Windows XP SP2, and Windows Server 2003 SP1 allows remote attackers to cause a denial of service (client crash) via a certain combination of a malformed HTML file and a CSS file

CVE-2005-4717 - December 31, 2005

Microsoft Internet Explorer 6.0 on Windows NT 4.0 SP6a, Windows 2000 SP4, Windows XP SP1, Windows XP SP2, and Windows Server 2003 SP1 allows remote attackers to cause a denial of service (client crash) via a certain combination of a malformed HTML file and a CSS file that triggers a null dereference, probably related to rendering of a DIV element that contains a malformed IMG tag, as demonstrated by IEcrash.htm and IEcrash.rar.

The POSIX component of Microsoft Windows NT and Windows 2000

CVE-2004-0210 7.8 - High - August 06, 2004

The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.

Classic Buffer Overflow

Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x

CVE-2003-1048 7.8 - High - July 27, 2004

Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image.

Double-free

A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed

CVE-2003-0813 - November 17, 2003

A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.

TOCTTOU

The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which

CVE-2002-0862 - October 04, 2002

The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.

Improper Certificate Validation

NTFS file system in Windows NT 4.0 and Windows 2000 SP2

CVE-2002-0725 5.5 - Medium - September 05, 2002

NTFS file system in Windows NT 4.0 and Windows 2000 SP2 allows local attackers to hide file usage activities via a hard link to the target file, which causes the link to be recorded in the audit trail instead of the target file.

insecure temporary file

Integer overflow in xdr_array function in RPC servers for operating systems

CVE-2002-0391 9.8 - Critical - August 12, 2002

Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.

Integer Overflow or Wraparound

smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs

CVE-2002-0367 7.8 - High - June 25, 2002

smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.

By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cache glue records received from non-delegated name servers, which

CVE-2001-1452 7.5 - High - August 31, 2001

By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cache glue records received from non-delegated name servers, which allows remote attackers to poison the DNS cache via spoofed DNS responses.

Origin Validation Error

The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which

CVE-2001-0006 7.1 - High - February 12, 2001

The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which allows local users to modify the permissions to "No Access" and disable Winsock network connectivity to cause a denial of service, aka the "Winsock Mutex" vulnerability.

Incorrect Permission Assignment for Critical Resource

A Windows NT administrator account has the default name of Administrator.

CVE-1999-0585 - July 01, 2000

A Windows NT administrator account has the default name of Administrator.

A system does not present an appropriate legal message or warning to a user who is accessing it.

CVE-1999-0590 - June 01, 2000

A system does not present an appropriate legal message or warning to a user who is accessing it.

The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts

CVE-2000-1218 9.8 - Critical - April 14, 2000

The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache.

Origin Validation Error

Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server

CVE-2000-0129 - February 04, 2000

Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP server allows attackers to cause a denial of service by performing a LIST command on a malformed .lnk file.

A Windows NT system does not clear the system page file during shutdown, which might

CVE-1999-0595 - January 20, 2000

A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.

Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which

CVE-1999-1127 7.5 - High - December 31, 1999

Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability.

Missing Release of Resource after Effective Lifetime

Denial of service in Windows NT messenger service through a long username.

CVE-1999-0224 - July 23, 1999

Denial of service in Windows NT messenger service through a long username.

Denial of service in RAS/PPTP on NT systems.

CVE-1999-0140 - June 30, 1999

Denial of service in RAS/PPTP on NT systems.

Remote attackers can perform a denial of service in Windows machines using malicious ARP packets

CVE-1999-0444 - April 12, 1999

Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

Windows NT 4.0 beta

CVE-1999-0119 - January 19, 1999

Windows NT 4.0 beta allows users to read and delete shares.

The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused

CVE-1999-0391 - January 05, 1999

The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and impersonate a user.

Windows NT TCP/IP processes fragmented IP packets improperly

CVE-1999-0226 - January 01, 1999

Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Data Processing Errors

Denial of service in telnet

CVE-1999-0285 - January 01, 1999

Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.

Windows NT automatically logs in an administrator upon rebooting.

CVE-1999-0549 - January 01, 1999

Windows NT automatically logs in an administrator upon rebooting.

A system-critical Windows NT file or directory has inappropriate permissions.

CVE-1999-0560 - January 01, 1999

A system-critical Windows NT file or directory has inappropriate permissions.

Windows NT is not using a password filter utility, e.g

CVE-1999-0570 - January 01, 1999

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

CVE-1999-0577 - January 01, 1999

A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.

CVE-1999-0578 - January 01, 1999

A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.

A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.

CVE-1999-0579 - January 01, 1999

A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate

CVE-1999-0581 - January 01, 1999

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.

The Windows NT guest account is enabled.

CVE-1999-0546 - October 01, 1998

The Windows NT guest account is enabled.

A Windows NT domain user or administrator account has a guessable password.

CVE-1999-0505 - October 01, 1998

A Windows NT domain user or administrator account has a guessable password.

A Windows NT domain user or administrator account has a default

CVE-1999-0506 - October 01, 1998

A Windows NT domain user or administrator account has a default, null, blank, or missing password.

Bonk variation of teardrop IP fragmentation denial of service.

CVE-1999-0258 - February 13, 1998

Bonk variation of teardrop IP fragmentation denial of service.

Listening TCP ports are sequentially allocated

CVE-1999-0074 - July 01, 1997

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.

CVE-1999-0275 - June 10, 1997

Denial of service in Windows NT DNS servers by flooding port 53 with too many characters.

Denial of service through Winpopup using large user names.

CVE-1999-0292 - April 01, 1997

Denial of service through Winpopup using large user names.

A version of finger is running

CVE-1999-0612 - March 01, 1997

A version of finger is running that exposes valid user information to any entity on the network.

A Windows NT local user or administrator account has a default

CVE-1999-0504 - January 01, 1997

A Windows NT local user or administrator account has a default, null, blank, or missing password.

Windows NT RSHSVC program

CVE-1999-0249 - January 01, 1997

Windows NT RSHSVC program allows remote users to execute arbitrary commands.

Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query

CVE-1999-0274 - January 01, 1997

Denial of service in Windows NT DNS servers through malicious packet which contains a response to a query that wasn't made.

NETBIOS share information may be published through SNMP registry keys in NT.

CVE-1999-0499 - January 01, 1997

NETBIOS share information may be published through SNMP registry keys in NT.

A Windows NT local user or administrator account has a guessable password.

CVE-1999-0503 - January 01, 1997

A Windows NT local user or administrator account has a guessable password.

A Windows NT user has inappropriate rights or privileges, e.g

CVE-1999-0534 - January 01, 1997

A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.

IP forwarding is enabled on a machine

CVE-1999-0511 - January 01, 1997

IP forwarding is enabled on a machine which is not a router or firewall.

A NETBIOS/SMB share password is the default

CVE-1999-0519 - January 01, 1997

A NETBIOS/SMB share password is the default, null, or missing.

A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g

CVE-1999-0582 - January 01, 1997

A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.

A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.

CVE-1999-0576 - January 01, 1997

A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.

A Windows NT system's user audit policy does not log an event success or failure, e.g

CVE-1999-0575 - January 01, 1997

A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.

.reg files are associated with the Windows NT registry editor (regedit)

CVE-1999-0572 - January 01, 1997

.reg files are associated with the Windows NT registry editor (regedit), making the registry susceptible to Trojan Horse attacks.

A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g

CVE-1999-0535 - January 01, 1997

A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.