Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a ms-its: URL in Internet Explorer.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Windows_2000 | Microsoft | * | * |
| Windows_2003_server | Microsoft | 64-bit (including) | 64-bit (including) |
| Windows_2003_server | Microsoft | datacenter_64-bit-sp1 (including) | datacenter_64-bit-sp1 (including) |
| Windows_2003_server | Microsoft | datacenter_64-bit-sp1_beta_1 (including) | datacenter_64-bit-sp1_beta_1 (including) |
| Windows_2003_server | Microsoft | enterprise (including) | enterprise (including) |
| Windows_2003_server | Microsoft | enterprise-sp1 (including) | enterprise-sp1 (including) |
| Windows_2003_server | Microsoft | enterprise-sp1_beta_1 (including) | enterprise-sp1_beta_1 (including) |
| Windows_2003_server | Microsoft | enterprise_64-bit (including) | enterprise_64-bit (including) |
| Windows_2003_server | Microsoft | enterprise_64-bit-sp1 (including) | enterprise_64-bit-sp1 (including) |
| Windows_2003_server | Microsoft | enterprise_64-bit-sp1_beta_1 (including) | enterprise_64-bit-sp1_beta_1 (including) |
| Windows_2003_server | Microsoft | r2 (including) | r2 (including) |
| Windows_2003_server | Microsoft | r2-sp1 (including) | r2-sp1 (including) |
| Windows_2003_server | Microsoft | r2-sp1_beta_1 (including) | r2-sp1_beta_1 (including) |
| Windows_2003_server | Microsoft | standard (including) | standard (including) |
| Windows_2003_server | Microsoft | standard-sp1 (including) | standard-sp1 (including) |
| Windows_2003_server | Microsoft | standard-sp1_beta_1 (including) | standard-sp1_beta_1 (including) |
| Windows_2003_server | Microsoft | standard_64-bit (including) | standard_64-bit (including) |
| Windows_2003_server | Microsoft | web (including) | web (including) |
| Windows_2003_server | Microsoft | web-sp1 (including) | web-sp1 (including) |
| Windows_2003_server | Microsoft | web-sp1_beta_1 (including) | web-sp1_beta_1 (including) |
| Windows_98 | Microsoft | * | * |
| Windows_xp | Microsoft | * | * |
References
- http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0062.html
- http://secunia.com/advisories/15683
- http://www.kb.cert.org/vuls/id/851869
- http://www.securityfocus.com/bid/13953
- http://www.us-cert.gov/cas/techalerts/TA05-165A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-026
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1057
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A381
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A463
- http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0062.html
- http://secunia.com/advisories/15683
- http://www.kb.cert.org/vuls/id/851869
- http://www.securityfocus.com/bid/13953
- http://www.us-cert.gov/cas/techalerts/TA05-165A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-026
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1057
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A381
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A463