HOME > VULNERABILITY NOTES


   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2008-137
Microsoft Visual Studio "Msmask32" ActiveX Code Execution Vulnerability

Original Issue Date: August 26, 2008

Severity Rating: High

Systems Affected

  • Microsoft Msmask32.ocx 6.0.81 69
  • Microsoft Visual Studio 6 Enterprise
  • Microsoft Visual Studio 6 Professional
  • Microsoft Visual Studio 6 Standard

Overview

A Vulnerability has been reported in Microsoft Visual Studio's ActiveX control MsMask32.ocx, which could be exploited by remote attackers to cause a denial of service or take complete control of an affected system.

Description

 The ‘Masked Edit Control' allows users to define a display and edit mask for the control which can restrict the use of certain characters and define a default string that is displayed. This ActiveX control offers significant data input and validation features.

The vulnerability is caused due to a boundary error in the Masked Edit ActiveX control (Msmask32.ocx). This can be exploited to cause a stack-based buffer overflow by tricking a user into visiting a malicious website .When loaded by the target user, will invoke the 'Msmask32.ocx' ActiveX control which initializes the object with an overly long "Mask" parameter.

Successful exploitation may allow execution of arbitrary code.

It may be noted that the Exploit for this vulnerability are available on Internet

Workarounds

  • Prevent loading of the ActiveX controls with following CLSIDs in Internet Explorer

    {C932BA85-4374-101B-A56C-00AA003668DC}

    Note: Please refer the Microsoft Support Document 240797 to disable the ActiveX controls

  • Upgrade to Internet Explorer 7 or later.
  • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting.
  • Add sites that are trust to the Internet Explorer Trusted sites zone.
  • Do not run Windows with administrator privileges.

    Note: Please refer the Microsoft TechNet article to apply least privileges to a user accounts.

Solutions

  • Upgrade to Msmask32.ocx version 6.0.84.18
  • Users are advised to upgrade to Visual Studio 2008

References

Secunia
http://secunia.com/advisories/31498/

FrSIRT
http://www.frsirt.com/english/advisories/2008/2380

SecurityFocus
http://www.securityfocus.com/bid/30674/

SecurityTracker
http://www.securitytracker.com/alerts/2008/Aug/1020710.html

Securitylab
http://en.securitylab.ru/poc/357438.php

SCMagazine
http://www.scmagazineus.com/Microsoft-looks-into-Visual
-Studio-bug/article/115459/

CVE Name
CVE-2008-3704

CWEName
CWE-119

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003