Note: This CVE list includes only some of the high-risk vulnerabilities Keen Team discovered. Medium- and low-risk vulnerabilities are not included.
CVE-2006-7222
Media Player Classic FLI File Processing Buffer Overflow
http://www.securityfocus.com/bid/25437
CVE-2007-2931
MSN Messenger Video Conversation Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS07-054.mspx
CVE-2007-0071
Integer overflow in Adobe Flash Player 9.0.115.0 and earlier
http://www.securityfocus.com/bid/28695
CVE-2008-1091
Microsoft Office RTF Parsing Engine Memory Corruption Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx
CVE-2008-3471
Microsoft Office Excel BIFF File Format Parsing Stack Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-057.mspx
CVE-2008-5021
Crash and remote code execution in nsFrameManager
http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
CVE-2008-4027
Microsoft Office RTF Consecutive Drawing Object Parsing Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-084/
CVE-2008-4028
Microsoft Office RTF Drawing Object Heap Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx
CVE-2008-4837
Microsoft Office Word Document Table Property Stack Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx
CVE-2009-1130
Microsoft Office PowerPoint Notes Container Heap Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-017.mspx
CVE-2009-1690
MULTIPLE VENDOR WEBKIT ERROR HANDLING USE AFTER FREE VULNERABILITY
http://support.apple.com/kb/ht3613
CVE-2009-0563
Microsoft Word Document Stack Based Buffer Overflow Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS09-027.mspx
CVE-2009-1530
Microsoft Internet Explorer Event Handler Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-038/
CVE-2009-1531
Microsoft Internet Explorer onreadystatechange Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-039/
CVE-2009-1918
Microsoft Internet Explorer getElementsByTagName Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-047/
CVE-2009-1133
Microsoft Remote Desktop Client Arbitrary Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-057/
CVE-2009-1920
Microsoft Internet Explorer JScript arguments Invocation Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-062/
CVE-2009-2502
MICROSOFT WINDOWS GDI+ TIFF FILE PARSING BUFFER OVERFLOW VULNERABILITY
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
CVE-2010-0244
Microsoft Internet Explorer Table Layout Col Tag Cache Update Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-011/
CVE-2010-0491
MICROSOFT INTERNET EXPLORER 'ONREADYSTATECHANGE' USE AFTER FREE VULNERABILITY
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx
CVE-2010-0047
Apple WebKit innerHTML element Substitution Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-029/
CVE-2010-0053
Apple WebKit CSS run-in Attribute Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-030/
CVE-2010-0050
Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-031/
CVE-2010-0048
Apple Webkit Anchor Tag Mouse Click Event Dispatch Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-146/
CVE-2010-0049
Apple WebKit RTL LineBox Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-152/
CVE-2010-1119
Apple Webkit Attribute Child Removal Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-091/
CVE-2010-1392
Apple Webkit Button First-Letter Style Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-154/
CVE-2010-1396
Apple Webkit Option Element ContentEditable Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-092/
CVE-2010-1397
Apple Webkit DOCUMENT_POSITION_DISCONNECTED Attribute Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-095/
CVE-2010-1398
Apple Webkit ContentEditable moveParagraphs Uninitialized Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-097/
CVE-2010-1399
Apple Webkit SelectionController via Marquee Event Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-094/
CVE-2010-1400
MULTIPLE VENDOR WEBKIT HTML CAPTION USE AFTER FREE VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=870
CVE-2010-1401
Apple Webkit First-Letter Pseudo-Element Style Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-098/
CVE-2010-1402
Apple Webkit ConditionEventListener Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-100/
CVE-2010-1403
Apple Webkit ProcessInstruction Target Error Message Insertion Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-099/
CVE-2010-1404
Apple Webkit Recursive Use Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-096/
CVE-2010-1665
Apple Webkit WebCore::FontFallbackList::determinePitch memory corruption
https://code.google.com/p/chromium/issues/detail?id=42294
CVE-2010-1749
Apple Webkit SVG RadialGradiant Run-in Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-101/
CVE-2010-1770
Apple Webkit CSS Charset Text Transformation Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-093/
CVE-2010-2297
Table layout crash bug from wushi
https://code.google.com/p/chromium/issues/detail?id=42723
CVE-2010-0183
Firefox Use-after-free error in nsCycleCollector::MarkRoots()
http://www.mozilla.org/security/announce/2010/mfsa2010-27.html
CVE-2010-1786
Apple Webkit SVG ForeignObject Rendering Layout Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-141/
CVE-2010-1785
Apple Webkit SVG First-Letter Style Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-142/
CVE-2010-1784
Apple Webkit Rendering Counter Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-144/
CVE-2010-1787
Apple Webkit SVG Floating Text Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-153/
CVE-2010-1900
Microsoft Office Word sprmCMajority Record Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-150/
CVE-2010-1901
MICROSOFT OFFICE RTF PARSING ENGINE MEMORY CORRUPTION VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=877
CVE-2010-1902
MICROSOFT WORD RTF FILE PARSING HEAP BUFFER OVERFLOW VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=876
CVE-2010-3113
WebKit Security issue in SVGUseElement::buildShadowTree
http://www.securityfocus.com/bid/44199
CVE-2010-3114
WebKit Memory corruption with invalid text node cast for edit commands
https://code.google.com/p/chromium/issues/detail?id=49628
CVE-2010-3166
Firefox Heap buffer overflow in nsTextFrameUtils::TransformText
http://www.mozilla.org/security/announce/2010/mfsa2010-53.html
CVE-2010-1806
Apple Safari Webkit Runin Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-170/
CVE-2010-1822
Webkit Bad cast with svg:g element
https://code.google.com/p/chromium/issues/detail?id=55114
CVE-2010-1824
Apple Webkit Error Message Mutation Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-095/
CVE-2010-4198
Webkit Memory corruption in accessing floatptr of a textarea
https://code.google.com/p/chromium/issues/detail?id=55257
CVE-2010-4206
chrome_55000000!WebCore::FEBlend::apply Memory corruption
https://code.google.com/p/chromium/issues/detail?id=60688
CVE-2010-3333
MICROSOFT WORD RTF FILE PARSING STACK BUFFER OVERFLOW VULNERABILITY
http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx
CVE-2010-3808
WebKit invalid cast issue exists in editing commands
http://support.apple.com/kb/HT4455
CVE-2010-3824
WebKit's handling of "use" elements in SVG documents
http://support.apple.com/kb/HT4455
CVE-2010-3772
Firefox Crash and remote code execution using HTML tags inside a XUL tree
http://www.mozilla.org/security/announce/2010/mfsa2010-77.html
CVE-2011-1118
WebKit Security:WebCore::HTMLTextAreaElement::updateValue
https://code.google.com/p/chromium/issues/detail?id=71388
CVE-2011-1117
WebKit Stale nodes in Document::recalcStyleSelector
https://code.google.com/p/chromium/issues/detail?id=71386
CVE-2011-1448
WebKit stale entries in gPercentHeightDescendantsMap
https://code.google.com/p/chromium/issues/detail?id=77130
CVE-2010-1823
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-0233
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-0234
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-0237
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-0240
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-1117
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-1449
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-1453
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-1462
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-1797
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-3438
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT4808
CVE-2011-2135
ADOBE FLASH PLAYER ACTIONSCRIPT DISPLAY MEMORY CORRUPTION VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=935
CVE-2011-2825
Webkit fontface Invalid Font Family Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-054/
CVE-2011-2855
MULTIPLE VENDOR WEBKIT SVG ELEMENT USE AFTER FREE VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=971
CVE-2011-3928
Webkit.org Webkit copyNonAttributeProperties Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-055/
CVE-2011-3035
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5400
CVE-2012-0634
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5191
CVE-2012-0472
Firefox Potential memory corruption during font rendering using cairo-dwrite
http://www.mozilla.org/security/announce/2012/mfsa2012-25.html
CVE-2012-1521
WebKit Heap-use-after-free in WebCore::RenderObjectChildList::destroyLeftoverChildren
http://googlechromereleases.blogspot.com/2011/04/chrome-stable-update.html
CVE-2012-2034
ADOBE FLASH PLAYER ACTIONSCRIPT DISPLAYOBJECT LAYOUT MEMORY CORRUPTION VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=987
CVE-2012-3683
APPLE SAFARI RENDERBOX INLINEBOX TYPE CONFUSION VULNERABILITY
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=998
CVE-2013-0961
WebKit Heap Corruption Vulnerability
http://support.apple.com/kb/HT5671
On November 13 at Mobile Pwn2Own 2013 in Tokyo we pwned iOS 7.0.3; details of the security vulnerabilities involved and the exploitation analysis will be published after the vendor has fixed them. Follow the Keen Team security research team's WeChat public account KeenTeam and Weibo @KeenTeam.
On Nov 13th 2013 at Mobile Pwn2Own 2013 in Tokyo, KeenTeam successfully exploited Apple iOS 7.0.3 Safari within 30 seconds and won the hacking contest. For more detailed information, please follow our Twitter @K33NTEAM.