Tuesday, April 22, 2008 3:40 PM
cmosby
Potential Microsoft Works ActiveX Zero-Day Surfaces - McAfee Avert Labs Blog
Thursday April 17, 2008 at 11:15 am CST
Posted by Kevin Beets
A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)
Here’s the meat of this: The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow for code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.
On the plus side, this control is not marked safe, and attempts to use it should be accompanied by a warning from Internet Explorer. Even so, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the “warning” hurdle.
In the meantime, McAfee Avert Labs will continue researching this issue.
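One way to apply and verify the kill bit recommended above, as an added example that is not part of the original McAfee post. It assumes an elevated PowerShell prompt; the registry location and the 0x400 `Compatibility Flags` value are the standard Internet Explorer kill-bit mechanism, and the function names are illustrative.

```powershell
# Added example: set and verify the IE kill bit for the CLSID named in the post.
# Run from an elevated prompt; registry path and flag value are the standard
# Internet Explorer "ActiveX Compatibility" mechanism.
$Clsid   = '{00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6}'
$KillBit = 0x00000400
$Name    = 'Compatibility Flags'

# Native registry view, plus the 32-bit view read by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: current flags for a control's key, or 0 if none are set.
function Get-CompatFlags([string]$Key) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

# Hypothetical helper: create the CLSID key if needed and set the kill bit.
function Set-KillBit([string]$Root) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any flags already set on the control are preserved.
    $flags = (Get-CompatFlags $key) -bor $KillBit
    New-ItemProperty -Path $key -Name $Name -Value $flags -PropertyType DWord -Force | Out-Null
}

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }   # view not present, e.g. 32-bit Windows
    Set-KillBit $root
    # Read back to confirm the write actually landed.
    $now = Get-CompatFlags (Join-Path $root $Clsid)
    $ok  = ($now -band $KillBit) -eq $KillBit
    '{0}  flags=0x{1:X8}  killbit={2}' -f $root, $now, $ok
}
```

Restart Internet Explorer after running it so the control is re-evaluated against the new flag.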
Filed under: Patch Management, Microsoft Office, Security, Configuration Management, Software Vulnerabilities