OSS Index
An open index of open source

 Welcome to the MSWin Start Page

Posted by OSS-Index on May 15, 2016

This page is dedicated to Microsoft Windows applications and their vulnerabilities. The page provides quick access to Microsoft Windows auditing tools, search, and recent MS Win package activity.

 Recent news...


MSI package vulnerability: jquery

Exceeding Stack Call Limit DoS
Sat Jul 29 22:35:15 EDT 2017

> In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0. Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.
>
> – nodesecurity.io




MSI package vulnerability: Wireshark

[CVE-2017-11409] Resource Management Errors
Thu Jul 20 21:29:01 EDT 2017

In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a large loop. This was addressed in epan/dissectors/packet-gprs-llc.c by using a different integer data type.




MSI package vulnerability: Wireshark

[CVE-2017-11411] Resource Management Errors
Thu Jul 20 13:59:29 EDT 2017

In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-opensafety.c by adding length validation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-9350.




MSI package vulnerability: Wireshark

[CVE-2017-11410] Resource Management Errors
Thu Jul 20 13:59:19 EDT 2017

In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding validation of the relationships between indexes and lengths. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-7702.




MSI Notes: Open Live Writer

Installer may be vulnerable to DLL Hijacking Attack
Wed Jun 15 02:08:37 EDT 2016

Description of attack: http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/

> Note that our installer does not run as admin, we only run as user. Will still look into mitigating this.

> Another note, we already made sure Writer itself is not vulnerable to DLL hijacking (though this specific bug is around the installer).




MSI Notes: Microsoft Money

Discontinued
Wed Jun 15 01:38:26 EDT 2016

"In August 2008, Microsoft announced that it would stop releasing a new version of Money each year and had no version planned for 2009. The company also announced that it would no longer ship boxed versions of Microsoft Money to retail stores and would instead sell the product only as online downloads.

On June 10, 2009, Microsoft announced that it would stop developing Money, would stop selling it by June 30 that year, and would continue supporting it until January 31, 2011. The company cited the changing needs of the marketplace as the reason for Money's demise, stating that 'demand for a comprehensive personal finance toolset has declined.' Product-activation servers used for Money 2007 and beyond were also to be deactivated after January 31, 2011, preventing these versions from being reinstalled after that date."




MSI Notes: KeePass Password Safe

KeePass security issues
Wed Jun 15 01:30:09 EDT 2016

This page lists various security issues that have been reported and their status (whether the claims are valid, whether an issue is fixed, etc.).




MSI Notes: Telegram Desktop

Desktop Telegram does not use Security API (no secret chat)
Tue Jun 07 14:48:27 EDT 2016

Telegram Desktop does not support secret chats and the developer does not plan to implement encryption.





MSI Notes: Java 8

Package versioning mismatch
Tue Jun 07 14:37:00 EDT 2016

Due to confusion and complexity in Java version and update numbers, and in how they are represented across CVEs, installers, and products, vulnerability data for Java is not yet available. Custom code is being written to resolve these complexities.