CERT-In Vulnerability Note CIVN-2006-103
Microsoft Windows Object Packager Dialogue Spoofing Vulnerability

Original Issue Date: October 11, 2006

Severity Rating: Medium

Systems Affected

  • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition

Overview

A remote code execution vulnerability has been reported in Microsoft Windows Object Packager which could be exploited to take complete control of the affected system.

Description

A remote code execution vulnerability has been reported in Microsoft Windows Object Packager. It is caused by an error in the Object Packager (packager.exe), which does not validate the "Command Line" property. A malicious user could exploit this vulnerability by constructing a specially crafted file that could potentially allow remote code execution if a user visited a specially crafted Web site. A malicious user who successfully exploited this vulnerability could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. User interaction is required to exploit this vulnerability.

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS06-065.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-065.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-065.mspx

SecurityFocus
http://www.securityfocus.com/bid/20318/info

FrSIRT
http://www.frsirt.com/english/advisories/2006/3984

Secunia
http://secunia.com/advisories/20717/

US CERT
http://www.kb.cert.org/vuls/id/703936

CVE Name
CVE-2006-4692

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003