
Exploit:Win/ActiveXControl.HHCtrl.DoS!CVE-2007-0214

Severity rating
Critical

Class/Type
Exploit

Discovered date
2006-12-12T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
No

Signature detection
Medium







Description

A remote code execution vulnerability exists in the HTML Help ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited that page.



Impact

An attacker who successfully exploited this vulnerability could run arbitrary code on a user's system. This could allow an attacker to take complete control of the affected system.



Technical details (analysis)

HTML Help ActiveX control methods do not perform sufficient parameter validation. An uninitialized variable that is used in certain methods of the HHCtrl ActiveX control can be exploited because proper setup is not done in the object param attributes.



Affected software

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition



Non-affected software

Windows Vista



NIS signature

Name: Exploit:Win/ActiveXControl.HHCtrl.DoS!CVE-2007-0214
Release Date: 2006-12-12T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

Temporarily prevent the HTML Help ActiveX control from running in Internet Explorer.