Vigil@nce: IE, vulnerabilities in several ActiveX controls, May 2008
May 2008 by Vigil@nce
Several ActiveX controls can be used by a remote attacker to cause a denial of service or to execute code.
Gravity: 2/4
CVSS: 9.3/10
Consequences: user access/rights, data reading, data creation/editing
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: multiple sources (3/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/05/2008
Revision date: 14/05/2008
Identifier: VIGILANCE-VUL-7813
AFFECTED PRODUCTS
Microsoft Internet Explorer versions 5.0, 5.01, 5.01 SP1, 5.01 SP2, 5.01 SP3, 5.01 SP4, 5.5, 5.5 SP1, 5.5 SP2, 6.0, 6.0 SP1, 6 on WinXP, 6 on WinXP_SP1, 6_SP1 on WinXP_SP1, 6 on WinXP_SP2, 6 on Win2003, 6 on Win2003_SP1, 6 on Win2003_SP2, 7 on WinXP_SP1, 7 on WinXP_SP2, 7 on WinXP_SP3, 7 on Win2003, 7 on Win2003_SP1, 7 on Win2003_SP2, 7 on WinVista, 7 on WinVista_SP1, 7 on Win2008
Similar products, or versions earlier than those indicated, may also be affected.
DESCRIPTION
Several ActiveX controls can be used by a remote attacker to cause a denial of service or to execute code.
An attacker can corrupt the memory of the Yahoo! Assistant 3721 Internet Assistant yNotifier.dll ActiveX control in order to execute code on the victim's computer. [grav:2/4; BID-29065, CVE-2008-2111]
An attacker can use the SaveBarCode() or SaveEnhWMF() method of the IDAutomation Linear (IDAutomationLinear6.dll), Datamatrix (IDAutomationDMATRIX6.DLL), PDF417 (IDAutomationPDF417_6.dll) and Aztec (IDAutomationAZTEC.dll) Barcode ActiveX controls in order to create a file on the victim's computer. [grav:2/4]
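To check whether a workstation is exposed to the controls described above, the following PowerShell inventory (an added example, not part of the Vigil@nce bulletin) lists every COM class whose in-process server is one of the DLLs named in this advisory and reports whether Internet Explorer's kill bit is set for it. The kill-bit check is an assumption added here: the bulletin does not mention it, and it relies on the standard "ActiveX Compatibility" registry key.

```powershell
# Added example: inventory of the ActiveX DLLs named in this advisory.
# The DLL file names come from the advisory text; nothing else is page-specific.
$dllNames = @(
    'yNotifier.dll',
    'IDAutomationLinear6.dll',
    'IDAutomationDMATRIX6.DLL',
    'IDAutomationPDF417_6.dll',
    'IDAutomationAZTEC.dll'
)

# COM classes are registered per CLSID; 32-bit controls on 64-bit Windows
# are registered under WOW6432Node, so both registry views are searched.
$views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$KILL_BIT = 0x400   # "Compatibility Flags" bit that stops IE from instantiating a control

$findings = foreach ($view in $views) {
    if (-not (Test-Path $view.Clsid)) { continue }
    foreach ($key in Get-ChildItem -Path $view.Clsid -ErrorAction SilentlyContinue) {
        $server = Join-Path $key.PSPath 'InprocServer32'
        if (-not (Test-Path -LiteralPath $server)) { continue }
        # The default value of InprocServer32 is the path of the implementing DLL.
        $dllPath = (Get-Item -LiteralPath $server).GetValue('')
        if (-not $dllPath) { continue }
        $leaf = Split-Path -Path $dllPath.Trim('"') -Leaf
        if ($dllNames -notcontains $leaf) { continue }   # comparison is case-insensitive

        # A missing compatibility key or value means no kill bit is set.
        $compatKey = Join-Path $view.Compat $key.PSChildName
        $flags = (Get-ItemProperty -LiteralPath $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            CLSID      = $key.PSChildName
            Dll        = $dllPath
            KillBitSet = [bool]($flags -band $KILL_BIT)
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'None of the DLLs named in the advisory are registered as in-process COM servers.' }
```

Only machine-wide registrations under HKLM are inspected; a control registered per user under HKCU would not appear in the output.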
CHARACTERISTICS
Identifiers: BID-29065, CVE-2008-2111, VIGILANCE-VUL-7813
CVSS score: 9.3/10 (CVE-2008-2111)