Microsoft Visual Studio PDWizard.ocx ActiveX Control Multiple Remote Vulnerabilities
BID:25638
Info
| Bugtraq ID: | 25638 |
| Class: | Unknown |
| CVE: | CVE-2007-4891 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 11 2007 12:00AM |
| Updated: | Dec 18 2007 08:05PM |
| Credit: | shinnai is credited with the discovery of these vulnerabilities. |
| Vulnerable: | Microsoft Visual Studio 6.0 |
| Not Vulnerable: | |
Discussion
Microsoft Visual Studio is prone to multiple remote vulnerabilities, including two remote command-execution issues and four unspecified vulnerabilities.
An attacker can exploit the remote command-execution vulnerabilities to execute arbitrary commands with the privileges of the currently logged-in user.
Very little information is known about the four unspecified issues. We will update this BID as more information emerges.
These issues affect Microsoft Visual Studio 6.0.0; other versions may also be affected.
Exploit / POC
To exploit these issues, an attacker must entice an unsuspecting user to view a malicious HTML page.
UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following exploit code is available:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- Microsoft Knowledge Base Article 240797 (Microsoft)
- Microsoft Visual Studio Homepage (Microsoft)