Derek Soeder

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 6 through 9 **Description** A remote code execution issue exists due to improper handling of objects in memory. This allows attackers to execute arbitrary code by accessing a deleted object, potentially corrupting memory. The issue may enable attackers to execute code in the context of the current user. **Recommendations** For Microsoft Internet Explorer versions 6 through 9, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intuit QuickBooks versions 2009 through 2012 **Description** The issue allows remote attackers to cause a denial of service, resulting in an application crash, via a long URI when Internet Explorer is used. **Recommendations** For Intuit QuickBooks versions 2009 through 2012, consider updating to a version that is not affected by this issue to prevent potential crashes when using Internet Explorer.

**Name of the Vulnerable Software and Affected Versions** Intuit QuickBooks versions 2009 through 2012 **Description** The issue concerns the intu-help-qb handlers in HelpAsyncPluggableProtocol.dll. When Internet Explorer is used, remote attackers can cause a denial of service, leading to a NULL pointer dereference and application crash, via a URI that lacks a required delimiter. **Recommendations** For Intuit QuickBooks versions 2009 through 2012, consider restricting the use of Internet Explorer or avoiding URIs that lack required delimiters until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intuit QuickBooks versions 2009 through 2012 **Description** The issue concerns the intu-help-qb handlers in HelpAsyncPluggableProtocol.dll. When Internet Explorer is used, these handlers provide different responses to remote requests based on the validity of a ZIP pathname. This allows remote attackers to potentially obtain sensitive information about the installation path and product version by making a series of requests involving the `Msxml2.XMLHTTP` object. **Recommendations** For Intuit QuickBooks versions 2009 through 2012, consider restricting access to the HelpAsyncPluggableProtocol.dll handlers as a temporary mitigation measure until a patch is available. Avoid using the `Msxml2.XMLHTTP` object in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intuit QuickBooks versions 2009 through 2012 **Description** The issue allows remote attackers to obtain pathname information. This is achieved via the "qbwc://docontrol/GetCompanyFile" functionality. **Recommendations** For versions 2009 through 2012, consider restricting access to the qbwc://docontrol/GetCompanyFile functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Intuit QuickBooks versions 2009 through 2012 **Description** The issue is related to an absolute path traversal vulnerability in the intu-help-qb handlers. This might allow remote attackers to read arbitrary files in ZIP archives via a full pathname in the URI when Internet Explorer is used. **Recommendations** For Intuit QuickBooks versions 2009 through 2012, consider restricting access to the HelpAsyncPluggableProtocol.dll handlers as a temporary workaround until a patch is available. Avoid using Internet Explorer with these versions of Intuit QuickBooks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Intuit QuickBooks versions 2009 through 2012 **Description** The issue concerns the intu-help-qb handlers in HelpAsyncPluggableProtocol.dll. It might allow remote attackers to obtain sensitive information via a URI with a % (percent) character as its last or second-to-last character. This can happen when Internet Explorer is used and a certain "post-URL data" buffer contains a 0x0000 character but a buffer overflow does not occur. **Recommendations** For Intuit QuickBooks versions 2009 through 2012, consider avoiding the use of Internet Explorer or restricting access to the HelpAsyncPluggableProtocol.dll handlers until a fix is available. As a temporary workaround, avoid using URIs with a % (percent) character as the last or second-to-last character.

**Name of the Vulnerable Software and Affected Versions** Intuit QuickBooks versions 2009 through 2012 **Description** A memory leak issue exists in the intu-help-qb handlers within HelpAsyncPluggableProtocol.dll. This occurs when Internet Explorer is used and a URI contains multiple references to the same name-value pair, allowing remote attackers to cause a denial of service due to memory consumption. **Recommendations** For Intuit QuickBooks versions 2009 through 2012, consider restricting the use of Internet Explorer or avoiding URIs with multiple references to the same name-value pair until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intuit QuickBooks versions 2009 through 2012 **Description** The issue is related to a heap-based buffer overflow in the intu-help-qb handlers in HelpAsyncPluggableProtocol.dll. This occurs when Internet Explorer is used and a URI with a % (percent) character as its last or second-to-last character is accessed. The result can be a denial of service due to memory corruption or possibly the execution of arbitrary code. **Recommendations** For Intuit QuickBooks versions 2009 through 2012, consider avoiding the use of Internet Explorer or restricting access to URIs that contain a % (percent) character as their last or second-to-last character until a fix is available. As a temporary workaround, disabling the intu-help-qb handlers in HelpAsyncPluggableProtocol.dll may help minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: VMware Workstation versions 6.0.x through 6.0.4 VMware Workstation versions 5.x through 5.5.7 VMware Player versions 2.0.x through 2.0.4 VMware Player versions 1.x through 1.0.7 VMware Server versions 1.x through 1.0.6 VMware ESX versions 2.5.4 through 3.5 Description: The issue allows authenticated guest OS users to gain additional guest OS privileges by triggering an exception that causes the virtual CPU to perform an indirect jump to a non-canonical address. This is related to the CPU hardware emulation for 64-bit guest operating systems. Recommendations: For VMware Workstation versions 6.0.x, update to version 6.0.5 build 109488 or later. For VMware Workstation versions 5.x, update to version 5.5.8 build 108000 or later. For VMware Player versions 2.0.x, update to version 2.0.5 build 109488 or later. For VMware Player versions 1.x, update to version 1.0.8 or later. For VMware Server versions 1.x, update to version 1.0.7 build 108231 or later. For VMware ESX versions 2.5.4 through 3.5, update to a version later than 3.5.

Name of the Vulnerable Software and Affected Versions: Internet Explorer versions 5.01 through 7 Description: The issue is related to an integer underflow in the CDownloadSink class code within the Vector Markup Language (VML) component. This allows remote attackers to execute arbitrary code via compressed content with an invalid buffer size, triggering a heap-based buffer overflow. A remote code execution vulnerability exists in the VML implementation in Microsoft Windows, which could be exploited by constructing a specially crafted Web page or HTML e-mail, allowing remote code execution when a user views the Web page or the message. Recommendations: For Internet Explorer versions 5.01 through 7, consider disabling the VML component until a patch is available. Restrict access to specially crafted Web pages or HTML e-mails to minimize the risk of exploitation. Avoid using compressed content with invalid buffer sizes in the affected VML implementation until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows NT 4.0 **Description** A race condition exists in the Virtual DOS Machine (VDM) of the Windows Kernel, allowing local users to modify memory and gain privileges. This issue is related to the handling of the temporary DevicePhysicalMemory section handle. **Recommendations** For Microsoft Windows NT 4.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows Vista **Description** A use-after-free issue in the Client/Server Run-time Subsystem (CSRSS) does not properly handle connection resources when starting and stopping processes. This allows local users to gain privileges by opening and closing multiple ApiPort connections, which leaves a "dangling pointer" to a process data structure. The vulnerability exists in the way that the Windows 32 Client/Server Run-time Subsystem (CSRSS) handles its connections during the startup and stopping of processes. **Recommendations** For Microsoft Windows Vista, apply the recommended patch or update to fix the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer 6 SP1 versions prior to MS06-042 patch 20060912 **Description** A remote code execution issue exists in the way Internet Explorer handles long URLs in websites using HTTP 1.1 protocol and compression. This could allow an attacker to cause a denial of service or execute arbitrary code via a specially crafted Web page, potentially giving the attacker complete control of an affected system. **Recommendations** For Microsoft Internet Explorer 6 SP1 versions prior to MS06-042 patch 20060912, apply the MS06-042 patch released after 20060912 to resolve the issue. As a temporary workaround, consider avoiding the use of long URLs in GZIP-encoded websites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Windows NT versions 4.0 through 2000 **Description** The issue allows local users to modify kernel memory and execution flow. This is achieved through a series of steps involving a terminating thread that causes Asynchronous Procedure Call (APC) entries to free the wrong data. **Recommendations** For Windows NT versions 4.0 through 2000, at the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Microsoft Windows versions prior to the fixed version, specifically including Windows 2000 SP4, and Windows XP SP1 and SP2 Description: The issue is a stack-based buffer overflow in the Plug and Play (PnP) service, located in the UMPNPMGR.DLL module. This occurs when a large number of "" (backslash) characters are present in a registry key name, triggering the overflow in a `wsprintfW` function call. This allows remote or local authenticated attackers to execute arbitrary code. Recommendations: For Windows 2000 SP4 and Windows XP SP1 and SP2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Plug and Play (PnP) service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Windows NT 4.0 Windows 2000 Windows XP Windows Server 2003 **Description** The issue arises from the improper validation of certain SMB packets in the Server Message Block implementation. This allows remote attackers to execute arbitrary code via Transaction responses containing Trans or Trans2 commands. Specifically, it can be exploited using Trans2 FIND FIRST2 responses with large file name length fields. **Recommendations** For Windows NT 4.0, consider disabling SMB services until a fix is available. For Windows 2000, restrict access to the Trans and Trans2 commands to minimize the risk of exploitation. For Windows XP, avoid using the Trans2 FIND FIRST2 response with large file name length fields in SMB packets until the issue is resolved. For Windows Server 2003, as a temporary workaround, consider limiting the file name length fields in Trans2 responses to prevent arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** Apple QuickTime version 6.5 and earlier **Description** The issue is related to an integer overflow in the sample-to-chunk table data for a .mov movie file. This occurs when a large "number of entries" field is encountered, leading to a heap-based buffer overflow. This can allow attackers to execute arbitrary code. **Recommendations** For Apple QuickTime version 6.5 and earlier, update to version 6.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ISS Protocol Analysis Module (PAM) component versions (affected versions not specified) **Description** The issue is related to multiple stack-based buffer overflows in the ICQ parsing routines. This can be exploited by remote attackers to execute arbitrary code via a SRV MULTI response containing specific packets with long fields, such as `nickname`, `firstname`, `lastname`, or `email address`. The Witty worm is known to have exploited this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows NT 4.0 Windows 2000 Windows XP **Description** The issue is related to multiple integer overflows in the Microsoft ASN.1 library, which can be exploited by remote attackers to execute arbitrary code. This is achieved through ASN.1 BER encodings with very large length fields, causing arbitrary heap data to be overwritten, or through modified bit strings. **Recommendations** For Windows NT 4.0, apply the necessary patch to fix the integer overflows in the Microsoft ASN.1 library. For Windows 2000, apply the necessary patch to fix the integer overflows in the Microsoft ASN.1 library. For Windows XP, apply the necessary patch to fix the integer overflows in the Microsoft ASN.1 library.