Vulnerability

CERT-In Vulnerability Note CIVN-2008-0183
Multiple Vulnerabilities Microsoft Visual Basic ActiveX Controls

Original Issue Date:December 11, 2008

Severity Rating: HIGH

Systems Affected

Microsoft Visual Basic 6.0 SP6 and prior
Microsoft Visual FoxPro 8.0 SP1 and prior
Microsoft Visual FoxPro 9.0 SP2 and prior
Microsoft Office FrontPage 2002 SP3 and prior
Microsoft Office Project 2003 SP3 and prior
Microsoft Visual Studio .NET 2002 SP1 and prior
Microsoft Visual Studio .NET 2003 SP1 and prior
Microsoft Office Project 2003 SP3 and prior
Microsoft Office Project 2007 SP1 and prior

Overview

Multiple vulnerabilities have been reported in various Microsoft products, which can be exploited by malicious people to compromise a user's system.

An unauthenticated, remote attacker could exploit these vulnerabilities by convincing a user to visit a website that is designed to invoke the ActiveX control in a malicious manner. If successful, the attacker could execute arbitrary code with the privileges of the user.

Description

1. DataGrid Control Memory Corruption Vulnerability ( CVE-2008-4252   )

The vulnerability is due to an error in the DataGrid ActiveX control when handling uninitialized objects. An exploit could cause the control to access uninitialized memory objects, resulting in an exploitable memory corruption error and allowing the attacker to execute arbitrary code with the privileges of the user who launched the browser.

2. FlexGrid Control Memory Corruption Vulnerability ( CVE-2008-4253   )

The vulnerability exists due to unsafe memory operations on uninitalized memory objects. The Visual Basic FlexGrid ActiveX control may attempt to access previously freed or uninitialized memory areas as a result of processing malformed data.

3. Hierarchical FlexGrid Control Memory Corruption Vulnerability ( CVE-2008-4254   )

The vulnerability is due to unsafe operations on uninitialized memory objects. When processing malformed data, the Hierarchical FlexGrid ActiveX control supplied with Visual Basic may attempt to access memory areas that have been freed or are uninitialized.

4. Windows Common Control Memory Corruption Vulnerability ( CVE-2008-4255   )

This vulnerability exists due to improper processing of AVI files by the Windows Common ActiveX control.

5. Charts Control Memory Corruption Vulnerability   ( CVE-2008-4256   )

This vulnerability exists due to improper processing of user-supplied input by the Visual Basic Charts ActiveX control.  The attacker could leverage the memory corruption to execute arbitrary code with the privileges of the user.

6. Masked Edit Control Memory Corruption Vulnerability ( CVE-2008-3704   )

This vulnerability exists due to an error by the Masked Edit ActiveX control Msmask32.ocx . Msmask32.ocx does not properly validate user-supplied input that is passed to the Mask parameter.

Workaround

Administrators are advised to apply the applicable software updates.

Administrators may consider disabling the ActiveX controls in the Internet zone.

Administrators may consider:

Disabling the DataGrid ActiveX control in Internet Explorer by setting the killbit on the following
CLSID:
CDE57A43-8B86-11D0-B3C6-00A0C90AEA82

Disabling the FlexGrid ActiveX control in Internet Explorer by setting the killbit on the following
CLSID:
6262D3A0-531B-11CF-91F6-C2863C385E30

Disabling the Hierarchical FlexGrid ActiveX control in Internet Explorer by setting the kill bit on the following CLSID:
0ECD9B64-23AA-11d0-B351-00A0C9055D8E

Disabling the Windows Common ActiveX control in Internet Explorer by setting the killbit on the following CLSID:
B09DE715-87C1-11D1-8BE3-0000F8754DA1

Disabling the Charts ActiveX control in Internet Explorer by setting the killbit on the following
CLSID:
3A2B370C-BA0A-11d1-B137-0000F8753F5D

Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links prior to following them.

Users are advised to run applications with the least necessary privileges.

Solution

Apply appropriate patches as mentioned in the Microsoft Security Bulletin MS08-070

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-070.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-070.mspx

Secunia
http://secunia.com/advisories/33035/

SecurityTracker
http://securitytracker.com/alerts/2008/Dec/1021369.html

SecurityFocus
http://www.securityfocus.com/bid/32591
http://www.securityfocus.com/bid/32592
http://www.securityfocus.com/bid/32613

CVE Name
CVE-2008-4252
CVE-2008-4253
CVE-2008-4254
CVE-2008-4255
CVE-2008-4256
CVE-2008-3704

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-2436857

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India