Microsoft Windows Data Analyzer ActiveX Control Vulnerability
Date Discovered: 08/06/2010
Severity: High
Operating Systems Affected:
Windows 2000 SP 4
Windows XP SP 2
Windows XP SP 3
Windows XP Professional x64 Edition SP 2
Windows Server 2003 SP 2
Windows Server 2003 x64 Edition SP 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista SP 1
Windows Vista SP 2
Windows Vista x64 Edition SP 1
Windows Vista x64 Edition SP 2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems SP 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Identifiers: CVE-2010-0252
Synopsis
Microsoft Windows is susceptible to a remote code execution vulnerability
in the way it handles an ActiveX control with Internet Explorer. This
vulnerability could allow remote code execution if a user views a
specially crafted Web page that instantiates a specific ActiveX control
with Internet Explorer.
An attacker could host a Web site that contains a Web page that is used
to exploit this vulnerability. In addition, compromised Web sites and
Web sites that accept or host user-provided content or advertisements
could contain specially crafted content that could exploit this
vulnerability. An attacker would have to convince users to visit the Web
site, typically by getting them to click a link in an e-mail message or
Instant Messenger message that takes users to the attacker's Web site.
An attacker who successfully exploited this vulnerability could take
complete control of an affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights.
A malicious Web site cannot exploit this vulnerability on systems where
Microsoft Data Analyzer is not already installed. Microsoft Data
Analyzer is not installed in Microsoft Office systems by default.