Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability

Bugtraq ID:	30674
Class:	Boundary Condition Error
CVE:	CVE-2008-3704
Remote:	Yes
Local:	No
Published:	Aug 13 2008 12:00AM
Updated:	Feb 10 2009 09:48PM
Credit:	Symantec's Security Intelligence Analysis Team
Vulnerable:	Microsoft Visual Studio .NET 2003 SP1 Microsoft Visual Studio .NET 2003 + Microsoft Visual Basic .NET Standard 2003 + Microsoft Visual C# .NET Standard 2003 + Microsoft Visual C++ .NET Standard 2003 + Microsoft Visual J# .NET Standard 2003 Microsoft Visual Studio .NET 2002 SP1 Microsoft Visual Studio .NET 2002 + Microsoft Visual Basic .NET Standard 2002 + Microsoft Visual C# .NET Standard 2002 + Microsoft Visual C++ .NET Standard 2002 Microsoft Visual Studio 6.0 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0 Microsoft Visual FoxPro 9.0 SP2 Microsoft Visual FoxPro 9.0 SP1 Microsoft Visual FoxPro 8.0 SP1 Microsoft Visual FoxPro 8.0 Microsoft Msmask32.ocx 6.0.81 .69
Not Vulnerable:	Microsoft Msmask32.ocx 6.0.84 .18

Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability

The Microsoft Visual Studio ActiveX control, MaskedEdit, is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

An attacker can exploit this issue to execute arbitrary code in the context of an application using the affected ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

'Msmask32.ocx' 6.0.81.69 is vulnerable; other versions may also be affected.

UPDATE: Testing indicates that 'Msmask32.ocx' 6.0.84.18 is not vulnerable; we are working with Microsoft to confirm our findings and gain further details. We recommend that users install 6.0.84.18 or a later version.

Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability

The Symantec Threat Analysis Team has observed active exploits in the wild.

To exploit this issue, an attacker must entice an unsuspecting user to open a malicious web document.

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploit code is available:

• /data/vulnerabilities/exploits/30674.js
• /data/vulnerabilities/exploits/30674-koshi.js

Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability

Solution:
Microsoft has released an advisory and fixes to address this issue. Please see the references for more information.


Microsoft Visual FoxPro 8.0 SP1

• Microsoft Visual FoxPro 8.0 SP1 ActiveX Controls Security Update
  http://www.microsoft.com/downloads/details.aspx?familyid=A6977F81-F7F6 -486B-96AD-8D296D79F205

Microsoft Visual FoxPro 9.0 SP1

• Microsoft Visual FoxPro 9.0 SP1 ActiveX Controls Security Update
  http://www.microsoft.com/downloads/details.aspx?familyid=386D27A6-B2C7 -4ACC-BF3E-EDCBC7358172

Microsoft Visual Studio .NET 2003 SP1

• Microsoft Visual Studio .NET 2003 Service Pack 1 ActiveX Controls Security Update Rollup
  http://www.microsoft.com/downloads/details.aspx?familyid=6AC7CF8F-D046 -43A8-B4EF-253153D65AED

Microsoft Visual FoxPro 9.0 SP2

• Microsoft Visual FoxPro 9.0 SP2 ActiveX Controls Security Update
  http://www.microsoft.com/downloads/details.aspx?familyid=5B1F28A9-DA8D -463A-8AE4-DFC8FCC6C41A

Microsoft Visual Studio .NET 2002 SP1

• Microsoft Visual Studio .NET 2002 Service Pack 1 Security Update Rollup
  http://www.microsoft.com/downloads/details.aspx?familyid=AFAD980D-7F27 -49D9-AA23-B762C7B94CD6

Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability

References:

• Microsoft Knowledge Base Article 240797 (Microsoft)
  
• Microsoft Visual Studio Homepage (Microsoft)
  
• Microsoft Security Advisory 960715 (Microsoft)
  
• Microsoft Security Bulletin MS08-070 (Microsoft)