Renguang Yuan

**Name of the Vulnerable Software and Affected Versions** Internet Explorer (affected versions not specified) **Description** The issue is related to a use-after-free error when handling CFormElement and CInput objects, allowing remote attackers to execute arbitrary code via a specially crafted website. This could corrupt memory, enabling an attacker to execute code in the context of the current user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 8 through 10 **Description** A memory corruption issue allows remote attackers to execute arbitrary code or cause a denial of service via a crafted web site. This is due to improper access to objects in memory, which could corrupt memory and allow an attacker to execute arbitrary code in the context of the current user. **Recommendations** For Microsoft Internet Explorer versions 8 through 10, update to a newer version to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to potentially malicious websites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows XP versions SP2 through SP3 Microsoft Windows Server 2003 version SP2 **Description** The issue allows local users to gain privileges by operating an LRPC server that sends a crafted LPC port message. An elevation of privilege vulnerability exists in Microsoft Local Remote Procedure Call (LRPC) where an attacker spoofs an LRPC Server and uses a specially crafted LPC port message to cause a stack-based buffer overflow condition on the LRPC client. This could allow an attacker to install programs, view, change, or delete data, or create new accounts with full administrator rights. **Recommendations** For Microsoft Windows XP versions SP2 through SP3, update to a version that includes the fix for this issue. For Microsoft Windows Server 2003 version SP2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the LRPC client to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Windows XP versions SP2 through SP3 Windows Server 2003 version SP2 **Description** The issue is related to the Win32k.sys kernel-mode driver, which does not properly validate addresses in memory. This allows a local user to potentially gain privileges via a crafted application. An attacker who successfully exploits this issue could execute arbitrary code with elevated privileges. **Recommendations** For Windows XP versions SP2 through SP3, update to a version that includes the fix for this issue. For Windows Server 2003 version SP2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Win32k.sys kernel-mode driver to minimize the risk of exploitation.