BID:25304

Windows Vista Contacts Gadget Remote Code Execution Vulnerability

Info

Windows Vista Contacts Gadget Remote Code Execution Vulnerability

Bugtraq ID:	25304
Class:	Input Validation Error
CVE:	CVE-2007-3032
Remote:	Yes
Local:	No
Published:	Aug 14 2007 12:00AM
Updated:	Aug 28 2007 06:42PM
Credit:	Aviv Raff of Finjan is credited with the discovery of this issue.
Vulnerable:	Microsoft Windows Vista x64 Edition 0 Microsoft Windows Vista Ultimate Microsoft Windows Vista Home Premium Microsoft Windows Vista Home Basic Microsoft Windows Vista Enterprise Microsoft Windows Vista Business Avaya CIE 1.0.2

Not Vulnerable:

Discussion

Windows Vista Contacts Gadget Remote Code Execution Vulnerability

Windows Vista is prone to a remote code-execution vulnerability because it fails to adequately sanitize user-supplied data.

Attackers exploit this issue by coercing unsuspecting users to add or import malicious contact files.

Attackers can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Successful attacks may facilitate the remote compromise of affected computers.

Exploit / POC

Windows Vista Contacts Gadget Remote Code Execution Vulnerability

Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

Solution / Fix

Windows Vista Contacts Gadget Remote Code Execution Vulnerability

Solution:
Microsoft released security advisory MS07-048 and updates to address this issue. Please see the references for more information.

Microsoft Windows Vista Ultimate

Microsoft Security Update for Windows Vista (KB938123)
http://www.microsoft.com/downloads/details.aspx?FamilyId=49a5bd84-da71 -4529-b4d3-ac57dab59e01

Microsoft Windows Vista Home Basic

Microsoft Security Update for Windows Vista (KB938123)
http://www.microsoft.com/downloads/details.aspx?FamilyId=49a5bd84-da71 -4529-b4d3-ac57dab59e01

Microsoft Windows Vista x64 Edition 0

Microsoft Security Update for Windows Vista for x64-based Systems (KB938123
http://www.microsoft.com/downloads/details.aspx?FamilyId=24443f59-b908 -480b-9b72-7094d4b5e128

Microsoft Windows Vista Business

Microsoft Security Update for Windows Vista (KB938123)
http://www.microsoft.com/downloads/details.aspx?FamilyId=49a5bd84-da71 -4529-b4d3-ac57dab59e01

Microsoft Windows Vista Home Premium

Microsoft Security Update for Windows Vista (KB938123)
http://www.microsoft.com/downloads/details.aspx?FamilyId=49a5bd84-da71 -4529-b4d3-ac57dab59e01

Microsoft Windows Vista Enterprise

Microsoft Security Update for Windows Vista (KB938123)
http://www.microsoft.com/downloads/details.aspx?FamilyId=49a5bd84-da71 -4529-b4d3-ac57dab59e01

References

Windows Vista Contacts Gadget Remote Code Execution Vulnerability

References:

Windows Vista Homepage (Microsoft)
Microsoft Security Bulletin MS07-048 (Microsoft)