Vulnerability CVE-2006-0010 - CERT Civis.Net

Vulnerability Name:

CVE-2006-0010 (CCN-23922)

Assigned:

2005-11-09

Published:

2006-01-10

Updated:

2019-04-30

Summary:

Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.

CVSS v3 Severity:

10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2006-0010

Source: FULLDISC
Type: UNKNOWN
20060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability

Source: CCN
Type: SA18311
Nortel Centrex IP Client Manager Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
18311

Source: CCN
Type: SA18365
Microsoft Windows Embedded Web Fonts Code Execution Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
18365

Source: CCN
Type: SA18391
Avaya Products Microsoft Windows Embedded Web Fonts Code Execution

Source: SECUNIA
Type: Vendor Advisory
18391

Source: CCN
Type: SECTRACK ID: 1015459
Microsoft Windows Embedded Web Fonts Buffer Overflow Lets Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1015459

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm

Source: CCN
Type: ASA-2006-004
Windows Security Updates for January 2006 - (MS06-002 MS06-003)

Source: CCN
Type: eEye Digital Security Advisory AD20060110
Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability

Source: EEYE
Type: UNKNOWN
EEYEB20050801

Source: CCN
Type: US-CERT VU#915930
Microsoft embedded web font buffer overflow

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#915930

Source: CCN
Type: Microsoft Security Bulletin MS06-002
Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

Source: CCN
Type: Microsoft Security Bulletin MS09-029
Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)

Source: CCN
Type: Microsoft Security Bulletin MS10-001
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)

Source: OSVDB
Type: UNKNOWN
18829

Source: CCN
Type: OSVDB ID: 18829
Microsoft Windows Open Type (EOT) Font Handling Remote Overflow

Source: BUGTRAQ
Type: UNKNOWN
20060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability

Source: BID
Type: Patch
16194

Source: CCN
Type: BID-16194
Microsoft Windows Embedded Web Font Buffer Overflow Vulnerability

Source: CERT
Type: US Government Resource
TA06-010A

Source: VUPEN
Type: UNKNOWN
ADV-2006-0118

Source: MISC
Type: UNKNOWN
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375525

Source: MS
Type: UNKNOWN
MS06-002

Source: XF
Type: UNKNOWN
win-embedded-fonts-bo(23922)

Source: XF
Type: UNKNOWN
win-embedded-fonts-bo(23922)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1126

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1185

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1462

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1491

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:698

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:714

Vulnerable Configuration:

Configuration 1:

cpe:/o:microsoft:windows_2000:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:datacenter_64-bit:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:enterprise:*:64-bit:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:enterprise:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:enterprise_64-bit:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:enterprise_64-bit:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:r2:*:64-bit:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:r2:*:datacenter_64-bit:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:r2:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:standard:*:64-bit:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:standard:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:standard_64-bit:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:web:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:web:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_98:*:gold:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_98se:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_me:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:3.5.1:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:3.5.1:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:3.5.1:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:3.5.1:sp3:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:3.5.1:sp4:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:3.5.1:sp5:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:3.5.1:sp5:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:*:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:*:enterprise_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:*:server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:*:terminal_server_alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:*:workstation:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp1:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp1:enterprise_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp1:*:*:server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp1:*:*:terminal_server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp1:*:*:workstation:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp2:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp2:enterprise_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp2:*:*:server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp2:*:*:terminal_server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp2:*:*:workstation:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp3:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp3:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp3:enterprise_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp3:*:*:server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp3:*:*:terminal_server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp3:*:*:workstation:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp4:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp4:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp4:enterprise_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp4:*:*:server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp4:*:*:terminal_server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp4:*:*:workstation:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp5:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp5:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp5:enterprise_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp5:*:*:server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp5:*:*:terminal_server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp5:*:*:workstation:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6:enterprise_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6:*:*:server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6:*:*:terminal_server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6:*:*:workstation:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6a:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6a:alpha:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6a:enterprise_server:*:*:*:*:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6a:*:*:server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6a:*:*:terminal_server:*:x86:*

OR cpe:/o:microsoft:windows_nt:4.0:sp6a:*:*:workstation:*:x86:*

OR cpe:/o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:*:home:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp1:media_center:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp2:home:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp2:media_center:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*

Configuration CCN 1:

cpe:/o:microsoft:windows_98:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_98se:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_me:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:-:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*

OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:-::~~~~itanium~:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*

OR cpe:/a:microsoft:windows_2003:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:698	V	WinXP,SP2 Embedded Web Font Vulnerability	2011-05-16
oval:org.mitre.oval:def:1462	V	WinXP (64-bit) Embedded Web Font Vulnerability	2011-05-16
oval:org.mitre.oval:def:714	V	Win2k Embedded Web Font Vulnerability	2011-05-16
oval:org.mitre.oval:def:1491	V	WinXP,SP1 Embedded Web Font Vulnerability	2011-05-16
oval:org.mitre.oval:def:1126	V	Server 2003 Embedded Web Font Vulnerability	2011-05-16
oval:org.mitre.oval:def:1185	V	Server 2003,SP1 Embedded Web Font Vulnerability	2011-05-16