vulnerability CVE-2008-0024 CVE-2008-2475 CVE-2009-2169 IE: vulnerabilities of several ActiveX of June 2009
Synthesis of the vulnerability

Several ActiveX can be used by a remote attacker to generate a denial of service or to execute code.

Severity: 2/4. Consequences: user access/rights. Provenance: document. Means of attack: 2 attacks. Ability of attacker: beginner (1/4). Confidence: confirmed by the editor (5/5). Diffusion of the vulnerable configuration: high (3/3). Number of vulnerabilities in this bulletin: 5. Creation date: 10/06/2009. Revision date: 17/06/2009.

Impacted products

• Microsoft Internet Explorer versions
• Microsoft Windows 2000 versions
• Microsoft Windows 2003 versions
• Microsoft Windows 2008 versions
• Microsoft Windows Vista versions
• Microsoft Windows XP versions

Description of the vulnerability

Several ActiveX can be used by a remote attacker to generate a denial of service or to execute code. An attacker can use a vulnerability of the MSCOMM32.OCX ATL Loader ActiveX in order to execute code on victim's computer. [severity:2/4; 969898, BID-35218, CVE-2008-0024, >] An attacker can use a vulnerability of the Derivco Microgaming FlashXControl ActiveX in order to execute code on victim's computer. [severity:2/4; 969898, BID-35247, >] An attacker can use a vulnerability of the eBay Enhanced Picture Services ActiveX in order to execute code on victim's computer. [severity:2/4; 969898, BID-35248, CVE-2008-2475, VU#983731, >] An attacker can use the WriteTaskDataToIniFile() method of the McAfee Policy Manager naPolicyManager.dll ActiveX in order to create a file on victim's computer. [severity:1/4; BID-35404, >] An attacker can use the FtpConnect() and FtpDownloadFile() methods of the Edraw PDF Viewer pdfviewer.ocx ActiveX in order to download a file on victim's computer. [severity:2/4; BID-35428, CVE-2009-2169, >]

Characteristics

Title: IE: vulnerabilities of several ActiveX of June 2009 Identifiers: 969898, 973346, BID-35218, BID-35247, BID-35248, BID-35404, BID-35428, CVE-2008-0024, CVE-2008-2475, CVE-2009-2169, MS09-032, VIGILANCE-VUL-8785, VU#983731. Url: https://vigilance.fr/tree/1/8785

Solutions for this vulnerability

Patch or workaround

Supplements

Vulnerability : MSCOMM32.OCX ATL Loader An attacker can use a vulnerability of the MSCOMM32.OCX ATL Loader ActiveX in order to execute code on victim's computer. Severity: 2/4. Identifiers: 969898, BID-35218, CVE-2008-0024. Publications and announces Source example: Microsoft Security Advisory (969898) Update Rollup for ActiveX Kill Bits

Vulnerability : Derivco Microgaming FlashXControl An attacker can use a vulnerability of the Derivco Microgaming FlashXControl ActiveX in order to execute code on victim's computer. Severity: 2/4. Identifiers: 969898, BID-35247. Publications and announces Source example: Microsoft Security Advisory (969898) Update Rollup for ActiveX Kill Bits

Vulnerability : eBay Enhanced Picture Services EPUWALcontrol.dll An attacker can use a vulnerability of the eBay Enhanced Picture Services ActiveX in order to execute code on victim's computer. Severity: 2/4. Identifiers: 969898, BID-35248, CVE-2008-2475, VU#983731. Publications and announces Source example: Microsoft Security Advisory (969898) Update Rollup for ActiveX Kill Bits

Vulnerability : McAfee Policy Manager naPolicyManager.dll An attacker can use the WriteTaskDataToIniFile() method of the McAfee Policy Manager naPolicyManager.dll ActiveX in order to create a file on victim's computer. Severity: 1/4. Identifiers: BID-35404. Publications and announces

Vulnerability : Edraw PDF Viewer pdfviewer.ocx An attacker can use the FtpConnect() and FtpDownloadFile() methods of the Edraw PDF Viewer pdfviewer.ocx ActiveX in order to download a file on victim's computer. Severity: 2/4. Identifiers: BID-35428, CVE-2009-2169. Publications and announces

Attack Exploit 0day or proof of concept

Attack Exploit 0day or proof of concept