Vigil@nce: Windows Media Encoder, code execution

September 2008 by Vigil@nce

SYNTHESIS

An attacker can use an ActiveX control installed by Windows Media Encoder to execute code on the victim’s computer.

Gravity: 3/4

Consequences: user access/rights

Provenance: internet server

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 10/09/2008

Identifier: VIGILANCE-VUL-8099

IMPACTED PRODUCTS

- Microsoft Windows 2000 [confidential versions]
- Microsoft Windows 2003 [confidential versions]
- Microsoft Windows 2008
- Microsoft Windows Vista [confidential versions]
- Microsoft Windows XP [confidential versions]

DESCRIPTION

The Windows Media Encoder 9 Series product is used to create rich multimedia content. This product is not installed by default under Windows.

This product installs the WMEX.DLL ActiveX control. This control is marked as Safe For Scripting, although it was not designed securely. An attacker can therefore use malicious parameters to execute code.

An attacker can thus create an HTML page that calls this ActiveX control in order to execute code on the computer of a victim who displays the page.
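
A defender-side check for the condition described above, as an added example that is not part of the Vigil@nce advisory: it finds the COM classes served by WMEX.DLL and reports whether each one is registered in the Safe For Scripting category and whether Internet Explorer's kill bit is set for it. The category GUIDs, registry paths and kill-bit value are standard Windows constants that are not given on the page; a control can also declare itself safe at run time through IObjectSafety, which this registry check does not see.

```powershell
# Added audit example; not part of the advisory.
$DllName       = 'wmex.dll'                                # DLL named in the advisory
$CatSafeScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CatSafeInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KillBit       = 0x400   # COMPAT_EVIL_DONT_LOAD bit of "Compatibility Flags"

# Native and 32-bit (WOW6432Node) registry views; the second exists on 64-bit Windows only.
$views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$findings = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
        $inproc = $key.OpenSubKey('InprocServer32')
        if (-not $inproc) { continue }
        # The default value of InprocServer32 is the path of the DLL implementing the class.
        $path = ([string]$inproc.GetValue('')).Trim('"')
        $inproc.Close()
        # Case-insensitive match on the file name at the end of a full path.
        if ($path -notlike "*\$DllName") { continue }

        $clsid     = $key.PSChildName
        $compatKey = Join-Path $view.Compat $clsid
        # A missing key or value yields $null, which -band treats as 0 (kill bit not set).
        $flags = (Get-ItemProperty -LiteralPath $compatKey -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            CLSID            = $clsid
            Server           = $path
            SafeForScripting = ($null -ne $key.OpenSubKey("Implemented Categories\$CatSafeScript"))
            SafeForInit      = ($null -ne $key.OpenSubKey("Implemented Categories\$CatSafeInit"))
            KillBitSet       = [bool]($flags -band $KillBit)
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { Write-Output "No COM class registered with $DllName as its in-process server." }
```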

CHARACTERISTICS

Identifiers: BID-31065, CVE-2008-3008, MS08-053, VIGILANCE-VUL-8099, VU#996227

https://vigilance.aql.fr/tree/1/8099



