Follow:

Exploit:Win/MSIE.FlexGrid.RCE!CVE-2008-4254

Severity rating
Critical

Class/Type
Exploit

Discovered date
2009-08-07T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
No

Signature detection
Medium



On this page




Description

A remote code execution vulnerability exists in the Hierarchical FlexGrid ActiveX Control for Visual Basic 6. An attacker could exploit the vulnerability by constructing a specially crafted Web page.



Impact

If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.



Technical details (analysis)

When the FlexGrid ActiveX control is used in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code. An attacker could exploit the vulnerability by hosting a specially crafted Web site that is designed to invoke the ActiveX control through Internet Explorer.



Affected software

Microsoft Visual Basic 6.0 Runtime Extended Files
Microsoft Visual Studio .NET 2002 Service Pack 1
Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual FoxPro 8.0 Service Pack 1
Microsoft Visual FoxPro 9.0 Service Pack 1
Microsoft Visual FoxPro 9.0 Service Pack 2
Microsoft Office FrontPage 2002 Service Pack 3
Microsoft Office Project 2003 Service Pack 3
Microsoft Office Project 2007
Microsoft Office Project 2007 Service Pack 1



Non-affected software

Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2008
Microsoft Visual Studio 2008 Service Pack 1
Microsoft Office FrontPage 2000 Service Pack 3
Microsoft Office FrontPage 2003 Service Pack 3
Microsoft Expression Web
Microsoft Expression Web 2
Microsoft Project 2000 Service Release 1
Microsoft Project 2002 Service Pack 1
Microsoft Office Project Server 2003 Service Pack 3
Microsoft Office Project Portfolio Server 2007
Microsoft Office Project Portfolio Server 2007 Service Pack 1
Microsoft Office Project Server 2007
Microsoft Office Project Server 2007 Service Pack 1



References




Solutions




NIS signature

Name: Exploit:Win/MSIE.FlexGrid.RCE!CVE-2008-4254
Release Date: 2009-08-07T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

No known work-arounds at this time.