Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
Software | From | Fixed in |
---|---|---|
microsoft / windows_2000 | - | - |
microsoft / windows_98 | - | - |
microsoft / windows_xp | - | - |
microsoft / windows_2003_server | 64-bit | 64-bit.x |
microsoft / windows_2003_server | datacenter_64-bit-sp1 | datacenter_64-bit-sp1.x |
microsoft / windows_2003_server | datacenter_64-bit-sp1_beta_1 | datacenter_64-bit-sp1_beta_1.x |
microsoft / windows_2003_server | enterprise | enterprise.x |
microsoft / windows_2003_server | enterprise_64-bit | enterprise_64-bit.x |
microsoft / windows_2003_server | enterprise_64-bit-sp1 | enterprise_64-bit-sp1.x |
microsoft / windows_2003_server | enterprise_64-bit-sp1_beta_1 | enterprise_64-bit-sp1_beta_1.x |
microsoft / windows_2003_server | enterprise-sp1 | enterprise-sp1.x |
microsoft / windows_2003_server | enterprise-sp1_beta_1 | enterprise-sp1_beta_1.x |
microsoft / windows_2003_server | r2 | r2.x |
microsoft / windows_2003_server | r2-sp1 | r2-sp1.x |
microsoft / windows_2003_server | r2-sp1_beta_1 | r2-sp1_beta_1.x |
microsoft / windows_2003_server | standard | standard.x |
microsoft / windows_2003_server | standard_64-bit | standard_64-bit.x |
microsoft / windows_2003_server | standard-sp1 | standard-sp1.x |
microsoft / windows_2003_server | standard-sp1_beta_1 | standard-sp1_beta_1.x |
microsoft / windows_2003_server | web | web.x |
microsoft / windows_2003_server | web-sp1 | web-sp1.x |
microsoft / windows_2003_server | web-sp1_beta_1 | web-sp1_beta_1.x |