Wei Wang

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer (affected versions not specified) **Description** The issue is related to incorrect access to objects in memory, which can cause a memory error and allow an attacker to execute arbitrary code in the context of the current user. This is a remote code execution issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer (affected versions not specified) **Description** The issue is related to incorrect access to objects in memory, which can cause a memory error and allow an attacker to execute arbitrary code in the context of the current user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Pinyin IME 2010 Microsoft Office 2010 SP1 **Description** The issue arises when Microsoft Pinyin IME 2010 is used with Microsoft Office 2010 SP1, as it fails to properly restrict configuration options. This allows local users to gain privileges by starting Internet Explorer from the IME toolbar. **Recommendations** For Microsoft Pinyin IME 2010, avoid starting Internet Explorer from the IME toolbar until a fix is available. For Microsoft Office 2010 SP1, restrict the use of the IME toolbar in conjunction with Internet Explorer to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MIT Kerberos 5 (krb5) versions 1.6.1 and earlier krb5-server-1.5 krb5-libs-1.5 krb5-devel-1.5 krb5-1.5 krb5-workstation-1.5 mit-krb5 versions prior to 1.5.2-r3 Description: The issue is related to multiple vulnerabilities in the krb5 package, which can lead to disruption of confidentiality, integrity, and availability of protected information. Exploitation of these vulnerabilities can be done remotely. Specifically, an integer signedness error in the `gssrpc svcauth unix` function in `svc auth unix.c` in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value. Recommendations: For MIT Kerberos 5 (krb5) versions 1.6.1 and earlier, consider updating to a version later than 1.6.1. For krb5-server-1.5, krb5-libs-1.5, krb5-devel-1.5, krb5-1.5, and krb5-workstation-1.5, update to a version later than 1.5. For mit-krb5 versions prior to 1.5.2-r3, update to version 1.5.2-r3 or later. As a temporary workaround, consider restricting access to the `gssrpc svcauth unix` function in the RPC library until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 2.4.23 through 2.4.33 Linux kernel versions 2.6.x before 2.6.17.10 **Description** The issue affects the Linux kernel, specifically the SCTP implementation, and can be exploited to cause a denial of service or potentially gain root privileges. The `sctp make abort user` function is vulnerable, allowing local users to launch an attack. The estimated number of potentially affected devices is not specified. **Recommendations** For Linux kernel versions 2.4.23 through 2.4.33, consider upgrading to a version outside of this range to mitigate the risk. For Linux kernel versions 2.6.x before 2.6.17.10, upgrade to version 2.6.17.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the `sctp make abort user` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** openSUSE kernel-rt debug-debuginfo versions (affected versions not specified) openSUSE kernel-rt-debugsource versions (affected versions not specified) Linux kernel versions prior to 2.4.36.6 and prior to 2.6.25.5 **Description** The issue concerns multiple vulnerabilities in the kernel packages of the openSUSE operating system, which can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The asn1 implementation in the Linux kernel does not properly validate length values during decoding of ASN.1 BER data, allowing remote attackers to cause a denial of service or execute arbitrary code via various methods, including a length greater than the working buffer, an oid length of zero, or an indefinite length for a primitive encoding. **Recommendations** For openSUSE kernel-rt debug-debuginfo, kernel-rt-debugsource, and kernel-rt debug-debugsource: At the moment, there is no information about a newer version that contains a fix for this vulnerability. For Linux kernel versions prior to 2.4.36.6 and prior to 2.6.25.5: Update to version 2.4.36.6 or 2.6.25.5 or later to resolve the issue.