Microsoft Expression 'wintab32.dll' DLL Loading Arbitrary Code Execution Vulnerability
BID:52375
Info
Microsoft Expression 'wintab32.dll' DLL Loading Arbitrary Code Execution Vulnerability
| Bugtraq ID: | 52375 |
| Class: | Design Error |
| CVE: |
CVE-2012-0016 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 13 2012 12:00AM |
| Updated: | Mar 13 2012 12:00AM |
| Credit: | Laplinker |
| Vulnerable: |
Microsoft Expression Design SP1 Microsoft Expression Design 4 Microsoft Expression Design 3 Microsoft Expression Design 2 Microsoft Expression Design 0 |
| Not Vulnerable: | |
Discussion
Microsoft Expression 'wintab32.dll' DLL Loading Arbitrary Code Execution Vulnerability
Microsoft Expression is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
Microsoft Expression is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
Exploit / POC
Microsoft Expression 'wintab32.dll' DLL Loading Arbitrary Code Execution Vulnerability
Attackers must trick a user into opening a file on a remote WebDAV or SMB share to exploit this issue.
A general exploit technique has been documented by TheLeader and H.D. Moore for the Metasploit Project; please see the references for more information.
Attackers must trick a user into opening a file on a remote WebDAV or SMB share to exploit this issue.
A general exploit technique has been documented by TheLeader and H.D. Moore for the Metasploit Project; please see the references for more information.
Solution / Fix
Microsoft Expression 'wintab32.dll' DLL Loading Arbitrary Code Execution Vulnerability
Solution:
The vendor has released an advisory and updates. Please see the references for details.
Microsoft Expression Design 3
Microsoft Expression Design SP1
Microsoft Expression Design 0
Microsoft Expression Design 2
Microsoft Expression Design 4
Solution:
The vendor has released an advisory and updates. Please see the references for details.
Microsoft Expression Design 3
-
Microsoft Microsoft Expression Design 3 Security Update
http://www.microsoft.com/downloads/details.aspx?familyid=73b44e97-6dda -4e24-9758-e86a1de4c0c8
Microsoft Expression Design SP1
-
Microsoft Microsoft Expression Design 1 SP1 Security Patch
http://www.microsoft.com/downloads/details.aspx?familyid=899c6860-6081 -429b-971a-4d689444920f
Microsoft Expression Design 0
-
Microsoft Microsoft Expression Design 1 Security Patch
http://www.microsoft.com/downloads/details.aspx?familyid=49e12f3a-718d -4d54-82be-b78efb372d07
Microsoft Expression Design 2
-
Microsoft Microsoft Expression Design 2 Security Update
http://www.microsoft.com/downloads/details.aspx?familyid=2ca4fb5a-3ab4 -410b-b42b-075eb1d70410
Microsoft Expression Design 4
-
Microsoft Microsoft Expression Design 4 Security Update
http://www.microsoft.com/downloads/details.aspx?familyid=be56221e-4271 -42dc-a6e4-ebf0290e4ad8
References
Microsoft Expression 'wintab32.dll' DLL Loading Arbitrary Code Execution Vulnerability
References:
References:
- Exploiting DLL Hijacking Flaws (hdm)
- Expression Homepage (Microsoft)
- More information about the DLL Preloading remote attack vector (Microsoft)
- Microsoft Security Advisory (2269637) (Microsoft)
- Microsoft Security Advisory 2269637 Released (Microsoft)
- Microsoft Security Bulletin MS12-022 (Microsoft)