HOME > VULNERABILITY NOTES


   VULNERABILITY NOTES

CERT-In Vulnerability Note CIVN-2008-53
Microsoft Works WkImgSrv.dll ActiveX Vulnerability

Original Issue Date: May 06, 2008

Severity Rating: High

System Affected

  • Microsoft Works 7 WkImgSrv.dll 7.3.616 ActiveX control

Overview

A remote code execution vulnerability has been reported in Microsoft Works 7 WkImgSrv.dll 7.3.616 ActiveX control, successful exploitation of which could provide an attacker to run arbitrary code in context to the logged-in user.

Description

An ActiveX control is a reusable component which does not amount to an entire application; rather provides a small building-block that can be shared by different software.

Microsoft Works 7 'WkImgSrv.dll' ActiveX control is an application for image manipulation.

A remote code-execution vulnerability has been reported in Microsoft Works 7 'WkImgSrv.dll' ActiveX control since the application fails to perform adequate checks on user-supplied data in the control identified by CLSID: 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6. Specifically, supplying negative values to the 'WksPictureInterface()' method can trigger this issue.

An attacker can exploit this vulnerability to run arbitrary code in the context of the currently logged-in user. Failed exploits attempts will trigger denial-of-service conditions.

It may be noted that Proof of Concept and exploit codes for this vulnerability is available on Internet.

Workaround

  • Disable the kill bit for CLSID:
    00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6
    The Kill-Bit is a registry entry for a particular CLSID that marks the COM object / ActiveX control referenced by that CLSID as non-loadable in the browser and other scriptable environments. The Kill-Bit is respected in Internet Explorer (all zones) and also in Microsoft Office scenarios where objects are embedded within documents.

    Please refer the Microsoft Knowledge Base Article 240797 for setting the kill bit.

References

SecurityFocus
http://www.securityfocus.com/bid/28820/

McAfee
http://vil.nai.com/vil/content/v_vul38203.htm
http://www.avertlabs.com/research/blog/index.php/
2008/04/17/potential-microsoft-works-activex-0-day-surfaces/

SANS
http://www.sans.org/newsletters/risk/display.php?v=7&i=17

CVE Name
CVE-2008-1898

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003