Microsoft security exploits

This table summarizes a number of bugs and security concerns found in Microsoft products in 1997 and 1998, particularly in Microsoft Internet Explorer as it interacts with other operating-system features. In most cases the discoverer of a vulnerability posted an exploit site to demonstrate the problem.

I'm no longer updating this page. When I began publishing this compendium, a hacker could get news coverage by vowing to concentrate on Microsoft products and to prove their vulnerability. At that time almost all known security weaknesses in Net computers were to be found in Unix machines.

The NT Security page features useful pointers to background material on these and other potential NT vulnerabilities. Microsoft's authoritative response to its ongoing security problems can be found on this issues page.

Subscribe to the weekly email newsletter in which these exploits appeared when they were news. Rob Malda, aka Cmdr. Taco, has called TBTF "The best nerd news (besides Slashdot) out there."

Bug Exploit by Date TBTF MSIE? W-95? W-NT? Damage Attacks via Fix
#0 (anony-
mous) 1997-01-21 1997-01-29 -- no yes Can consume all available CPU cycles from across the Net telnet to port 135
#1 Paul
Greene 1997-02-27 1997-03-09 3.0,
3.01 yes 4.0 Can run arbitrary program on your PC .url or .lnk file
#2 David
Ross 1997-03-04 1997-03-04 3.0,
3.01,
3.01a no 4.0 w /
SP 1
or 2 Can run program if you double-click, w/no firewall CIFS
#3 Chris
Rioux 1997-03-07 1997-03-09 3.01 yes no Can run arbitrary program on your PC .isp file
#4 Aaron
Spangler 1997-03-14 1997-03-21 any,
or NN no yes Obtains username, hashed password SMB
#5 Paul
Ashton 1997-03-17 1997-03-21 any no yes Obtains username, hashed password, more NTLM
#6 Steve
Birnbaum 1997-03-15 1997-03-21 any no yes Obtains plaintext password SMB
not a bug #7 Tea Vui
Huang 1997-03-14 1997-04-04 any no yes Can disable IE security if you agree .reg file --
not a bug #8 Jeremy
Allison,
Jonathan
Wilkins 1997-03-31 1997-04-04 -- no yes Can be used to obtain plaintext passwords if security policy is lax SAM (PWdump, NTcrack) --
#8a Dan
Gordon 1997-04-18 1997-04-21 -- yes yes Can reveal user names and passwords in plain text from ODBC log ODBC Trace in Office 97
#9 Andrew
Smith 1997-05-07 1997-05-08 3 yes yes Can run arbitrary program on your PC PowerPoint presentation
#10 "_eci" 1997-05-07 1997-05-22 -- yes yes Can crash or freeze any Windows PC from across the Net TCP/IP OOB data to port 139 sp3
sp2
3.51
95
#11 Todd Fast 1997-06-18 1997-06-23 -- -- yes Can crash IIS from across the Net Request a specific, non-deterministic URL intel
alpha
#12 Ben Mesander 1997-08-07 1997-08-11 IE3 (also affects Netscape Navigator & HotJava; Macintosh immune) Can make network connection to arbitrary IP address Java VM bug W3.1 / NT3.51 US
W3.1 / NT3.51 export
W95 / NT4
#13 Tim Macinta 1997-09-08 1997-09-09 IE3 (Macintosh, Win 3.1 immune) Can overwrite files on disk MS extensions to Java W95 / NT4
#14 Ralf Hueskes 1997-10-16 1997-10-20 IE4 (Macintosh immune) Can steal known files from disk Dynamic HTML, Active Scripting intel
#15 dildog 1997-11-10 1997-11-10 IE4 (Windows) Can execute arbitrary code locally res:// scheme
#16 dildog 1998-01-14 1998-01-19 IE4 & 4.01, W95 and NT Can execute arbitrary code locally mk:// scheme
#17 San Diego Source 1998-06-26 1998-07-20 any non-IIS server on NT Shows contents of scripts add "." to URL
#18 Paul Aston 1998-06-30 1998-07-20 any server on NT Shows contents of scripts add ":$$data" to URL
#19 Microsoft 1998-07-15 1998-07-20 IIS 4.0 Allows illicit remote ODBC access Remote Data Service / DataFactory
#20 Dr. Solomon's 1998-06-03 1998-07-20 any Win32 Trojan horse mails encrypted password file Dialup Data Networking

	Bug	Exploit by	Date	TBTF	MSIE?	W-95?	W-NT?	Damage	Attacks via	Fix
	#0	(anony- mous)	1997-01-21	1997-01-29	--	no	yes	Can consume all available CPU cycles from across the Net	telnet to port 135
	#1	Paul Greene	1997-02-27	1997-03-09	3.0, 3.01	yes	4.0	Can run arbitrary program on your PC	.url or .lnk file
	#2	David Ross	1997-03-04	1997-03-04	3.0, 3.01, 3.01a	no	4.0 w / SP 1 or 2	Can run program if you double-click, w/no firewall	CIFS
	#3	Chris Rioux	1997-03-07	1997-03-09	3.01	yes	no	Can run arbitrary program on your PC	.isp file
	#4	Aaron Spangler	1997-03-14	1997-03-21	any, or NN	no	yes	Obtains username, hashed password	SMB
	#5	Paul Ashton	1997-03-17	1997-03-21	any	no	yes	Obtains username, hashed password, more	NTLM
	#6	Steve Birnbaum	1997-03-15	1997-03-21	any	no	yes	Obtains plaintext password	SMB
*not a bug*	#7	Tea Vui Huang	1997-03-14	1997-04-04	any	no	yes	Can disable IE security if you agree	.reg file	--
*not a bug*	#8	Jeremy Allison, Jonathan Wilkins	1997-03-31	1997-04-04	--	no	yes	Can be used to obtain plaintext passwords if security policy is lax	SAM (PWdump, NTcrack)	--
	#8a	Dan Gordon	1997-04-18	1997-04-21	--	yes	yes	Can reveal user names and passwords in plain text from ODBC log	ODBC Trace in Office 97
	#9	Andrew Smith	1997-05-07	1997-05-08	3	yes	yes	Can run arbitrary program on your PC	PowerPoint presentation
	#10	"_eci"	1997-05-07	1997-05-22	--	yes	yes	Can crash or freeze any Windows PC from across the Net	TCP/IP OOB data to port 139	sp3 sp2 3.51 95
	#11	Todd Fast	1997-06-18	1997-06-23	--	--	yes	Can crash IIS from across the Net	Request a specific, non-deterministic URL	intel alpha
	#12	Ben Mesander	1997-08-07	1997-08-11	IE3 (also affects Netscape Navigator & HotJava; Macintosh immune)	Can make network connection to arbitrary IP address	Java VM bug	W3.1 / NT3.51 US W3.1 / NT3.51 export W95 / NT4
	#13	Tim Macinta	1997-09-08	1997-09-09	IE3 (Macintosh, Win 3.1 immune)	Can overwrite files on disk	MS extensions to Java	W95 / NT4
	#14	Ralf Hueskes	1997-10-16	1997-10-20	IE4 (Macintosh immune)	Can steal known files from disk	Dynamic HTML, Active Scripting	intel
	#15	dildog	1997-11-10	1997-11-10	IE4 (Windows)	Can execute arbitrary code locally	res:// scheme
	#16	dildog	1998-01-14	1998-01-19	IE4 & 4.01, W95 and NT	Can execute arbitrary code locally	mk:// scheme
	#17	San Diego Source	1998-06-26	1998-07-20	any non-IIS server on NT	Shows contents of scripts	add "." to URL
	#18	Paul Aston	1998-06-30	1998-07-20	any server on NT	Shows contents of scripts	add ":$$data" to URL
	#19	Microsoft	1998-07-15	1998-07-20	IIS 4.0	Allows illicit remote ODBC access	Remote Data Service / DataFactory
	#20	Dr. Solomon's	1998-06-03	1998-07-20	any Win32	Trojan horse mails encrypted password file	Dialup Data Networking


TBTF HOME	CURRENT ISSUE	TBTF LOG	TABLE OF CONTENTS	TBTF THREADS	SEARCH TBTF

Most recently updated 1999-10-01