Potential Microsoft Works ActiveX Zero-Day Surfaces
Thursday April 17, 2008 at 11:15 am CST
Posted by Kevin Beets
A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)
Here’s the meat of this: The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow for code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.
On the plus side, this control is not marked safe, and attempts to use it should be accompanied with a warning from Internet Explorer. Even though this is the case, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the “warning” hurdle.
In the mean time, McAfee Avert Labs will continue researching this issue.
April 18th, 2008 at 5:03 am
A few days ago I blogged about a new Word vulnerability that was used in a targeted attack (I know, it’s hard to keep these straight). Later that day Microsoft stated that the vulnerability was limited to denial of service, rather than remote code execution, and the blog was updated accordingly.
April 18th, 2008 at 9:15 am
[…] Sisk’s message follows alerts from such security vendors as McAfee, which warned of a potential ActiveX-based zero-day in the McAfee Avert Labs blog. […]
April 18th, 2008 at 10:40 am