Bugtraq mailing list archives

Repost: Buffer overflow in Microsoft DirectX Files Viewer xweb.ocx (<2,0,16,15) ActiveX sample


From: "Andrew G. Tereschenko" <secure.bugtraq () tag odessa ua>
Date: Sat, 17 Aug 2002 01:05:55 +0300

Hi BugTraq reader,

I would like to inform you about a security issue in
the DirectX Files Viewer control, which was available
on the ActiveX gallery page at
http://activex.microsoft.com/activex
but was fixed not long ago.

=========================================================
Overview:
Risk: High
Distribution: Low-Medium
Patch available from vendor: True

Systems Affected:
Systems having Microsoft DirectX Files Viewer xweb.ocx (2,0,16,15 and possibly older)

Impact:
A remote attacker may be able to execute arbitrary code with the privileges of the current user.

Description:
A buffer overflow exists in the "File" parameter of the Microsoft DirectX Files Viewer ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects users who visited the ActiveX samples gallery at activex.microsoft.com.
Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. This control was also available for direct download from the web, but can be uploaded on any website.
The <object> tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site or the attacker sends the victim a web page as an HTML-formatted email message or newsgroup posting then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened.

Vendor Information:
secure () microsoft com was informed on 9.May.2002.
MSRC 1149cb ticket was opened and finally resolved on 25.Jun.2002

Solution:
Apply the latest IE/OS patches available from Microsoft:
Setting the kill bit is expected to be included in the latest IE Service Pack.
Windows 2000 SP3 and Windows XP SP1 are expected to solve this problem.

Links:
ActiveX control still available for retrieval from Global Internet "backup copy":
http://web.archive.org/web/20010410194632/http://activex.microsoft.com/activex/controls/directx/xweb.htm

Feedback can be directed to the author:
--
Andrew G. Tereschenko
secure () tag odessa ua
TAG Software Research Lab
Odessa, Ukraine
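
A defender's check for the Solution section above, as an added example that is not part of the original advisory: it finds every registered COM class served by xweb.ocx, reads the file version, and reports whether the IE kill bit is set for that CLSID. The file name and version come from the advisory; the registry locations and the 0x400 flag value are standard Windows/IE values assumed here, not taken from the advisory.

```powershell
# Added example, not from the advisory. File name and version come from the
# advisory text; registry locations are the standard COM and IE kill-bit keys.
$ocxName  = 'xweb.ocx'
$affected = [version]'2.0.16.15'     # advisory: "2,0,16,15 and possibly older"
$killBit  = 0x400                    # Compatibility Flags bit that blocks loading in IE

# Native and 32-bit-on-64-bit registry views: COM class root plus kill-bit root.
$views = @(
    @{ Clsid  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Test-KillBit([string]$CompatRoot, [string]$Clsid) {
    $p = Get-ItemProperty -LiteralPath "$CompatRoot\$Clsid" -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }          # no compatibility entry at all
    $flags = $p.'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $killBit) -ne 0)
}

foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }   # e.g. 32-bit Windows
    Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = $_.OpenSubKey('InprocServer32')
        if ($null -eq $srv) { return }                            # not an in-process server
        $path = [Environment]::ExpandEnvironmentVariables([string]$srv.GetValue('')).Trim('"')
        $srv.Close()
        if ($path -notlike "*\$ocxName") { return }               # -notlike is case-insensitive
        $ver = $null
        if (Test-Path -LiteralPath $path) {
            $vi  = (Get-Item -LiteralPath $path).VersionInfo
            $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        }
        [pscustomobject]@{
            Clsid                    = $_.PSChildName
            Path                     = $path
            FileVersion              = $ver
            AtOrBelowAdvisoryVersion = ($null -ne $ver) -and ($ver -le $affected)
            KillBitSet               = Test-KillBit $view.Compat $_.PSChildName
        }
    }
}
```

A row with AtOrBelowAdvisoryVersion true and KillBitSet false marks a host where Internet Explorer can still instantiate the control.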
