Vigil@nce: IE, vulnerabilities of several ActiveX of March 2009
March 2009 by Vigil@nce
Several ActiveX controls can be used by a remote attacker to cause
a denial of service or to execute code.
– Gravity: 2/4
– Consequences: user access/rights, data reading, data
creation/edition
– Provenance: document
– Means of attack: 2 attacks
– Ability of attacker: beginner (1/4)
– Confidence: multiple sources (3/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 3
– Creation date: 04/03/2009
IMPACTED PRODUCTS
– Microsoft Internet Explorer
DESCRIPTION OF THE VULNERABILITY
Several ActiveX controls can be used by a remote attacker to cause
a denial of service or to execute code.
An attacker can use the write() method of the iDefense COMRaider
ActiveX control in order to create a file on the victim’s computer.
[grav:1/4; BID-33942]
An attacker can use the Imera ImeraIEPlugin Client ActiveX control
in order to execute code on the victim’s computer. [grav:2/4;
BID-33993, CVE-2009-0813]
An attacker can use the Packagefiles(), SaveDna(), AddFile() and
SetIdentity() methods of the SupportSoft DNA Editor Module
dnaedit.dll ActiveX control in order to execute code on the victim’s
computer. [grav:2/4; BID-34004]
CHARACTERISTICS
– Identifiers: BID-33942, BID-33993, BID-34004, CVE-2009-0813,
VIGILANCE-VUL-8506
– Url: http://vigilance.fr/vulnerability/IE-vulnerabilities-of-several-ActiveX-of-March-2009-8506