The Task Scheduler can be made to delete a task after it's trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.
c30785bf661d0d66daa78abe61a94c360587d6e66ae875cfc5a81dc4ec54b02e
The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.
9bcf7274e363f1dc579d9ed68048a01019d56cc2f841f1a4a04c182389196296
A bounds check crash was observed in Microsoft Office 2007 Excel with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
05a60e7019067851141f1787a5bbda75454773b40b9acf97e8b754f2fad758fd
Microsoft Excel 2007 running on Windows 2003 suffers from a use-after-free vulnerability.
460bd27af88f7165a795d698b85d2e4cd8c83732200f70dc5c84e7b8e4818f79
The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. It's possible execute arbitrary code within the context of the process because it's possible to access the processes threads leading to local EoP.
f0ec77ee8811de8feb9edad30b69fae9734672773f9e5a37d08fdba2317cebd5
A use-after-free crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
3b2e620089c3777eb2d36942713f33cf68f9865e894dbaee83bdbdb3af57385c
A type confusion crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
247823ed9395d266e8674965a149848a04a5b7380aa2bf3723839d71d6ca65a6
Farol suffers from a remote SQL injection vulnerability.
df6cc2ad04df2605a64ef148d68abc88d2f8585d578b3fc546581b6423ee7f3e
This bulletin summary lists one bulletin that has undergone a major revision increment for September, 2015.
5f6f682ba4880eb8f48a1278d89725dd322fec002101dc9129c07563b29930a9
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.
6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.
6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554
Outlook Web Access (OWA) does not properly handle web requests. A remote user can send a specially crafted request to the target web application to view potentially sensitive stack trace information on the target system.
9bdf7b9f1342306a29ba881af9aafb71cc796dc11f06d569ced59e02889dbd3f
An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.
f3d2f3b8051f90b86f0cfd263f09f98a7e0e04c1e1fcff20c13e3ca8f318052c
iBooking CMS suffers from a remote SQL injection vulnerability.
f940a1514994a822f9b19f66067c704407e5484e1dded2db9cec7600be48e779
Pentaho version 5.2.x GA BA Suite and PDI allow unauthenticated access to configuration files. The GetResource servlet, a vestige of the old platform UI, allows unauthenticated access to resources in the pentaho-solutions/system folder. Specifically vulnerable are properties files that may reveal passwords.
0888853ff4779b5907a0ff21cd8ea09daabbccf2686a3c59adcb64e634280c5e
Adobe Reader X and XI for windows suffers from an out-of-bounds write in CoolType.dll.
94d511f0b5c52532ba8c4998f0ae71bb9ef6d1788cd193c33ea257be138b259f