[VIM] CVE-2007-0028

Steven M. Christey coley at linus.mitre.org
Mon Mar 5 11:33:52 EST 2007


On Mon, 5 Mar 2007, Steve Tornio wrote:

> http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html
>
> I don't think this reference belongs in the entry, as I don't see any
> link between the Excel vulnerability and the WMF flaw referenced in the
> link.  If I missed it, please correct me.

This is a good example of why I plan to make CVE's analysis field public
at some point.  See below for what happened.

ALSO NOTE - the advisory that's returned on "FG-2006-30" is actually
labeled as FGA-2005-17 and talks about that WMF issue from December 2005.
So there's clearly something wrong with their web site on this, probably
as a result of the advisory name switch.

I filled out the form at http://www.fortiguardcenter.com/sendfeedback.php
under "Report a broken link or network issue".  Maybe someone else could
fill out a similar complaint in a different category to maximize the
chance of success...

- Steve

======================================================
Name: CVE-2006-3432
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3432
Acknowledged:
Announced:
Flaw:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2007-0028.  Reason:
This candidate is a reservation duplicate of CVE-2007-0028.  The
original assigner switched to a new CVE number.  Notes: All CVE users
should reference CVE-2007-0028 instead of this candidate.  All
references and descriptions in this candidate have been removed to
prevent accidental usage.


======================================================
Name: CVE-2007-0028
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0028
Acknowledged: yes advisory
Announced: 20070109
Flaw: unk
Reference: MISC:http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-30.html
Reference: MISC:http://www.fortinet.com/FortiGuardCenter/advisory/FGA-2007-01.html
Reference: HP:HPSBST02184
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded
Reference: HP:SSRT071296
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded
Reference: MS:MS07-002
Reference: URL:http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
Reference: CERT:TA07-009A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA07-009A.html
Reference: CERT-VN:VU#493185
Reference: URL:http://www.kb.cert.org/vuls/id/493185
Reference: BID:21952
Reference: URL:http://www.securityfocus.com/bid/21952
Reference: FRSIRT:ADV-2007-0103
Reference: URL:http://www.frsirt.com/english/advisories/2007/0103
Reference: SECTRACK:1017485
Reference: URL:http://securitytracker.com/id?1017485
Reference: SECUNIA:23676
Reference: URL:http://secunia.com/advisories/23676

Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac,
and Office v.X for Mac does not properly handle certain opcodes, which
allows user-assisted remote attackers to execute arbitrary code via a
crafted XLS file, which results in an "Improper Memory Access
Vulnerability."  NOTE: an early disclosure of this issue used
CVE-2006-3432, but only CVE-2007-0027 should be used.


Analysis:
ACCURACY: FG-2006-30 was originally published and used CVE-2006-3432,
but Microsoft had updated all CVEs to 2007 numbers before disclosure.
After MS07-002 was published, FG-2006-30 was changed to FGA-2007-01,
and used the new CVE-2007-0027 identifier.


