CERT-In Vulnerability Note CIVN-2006-138
Microsoft Internet Explorer ADODB.Connection code execution vulnerability

Original Issue Date: December 28, 2006
Updated: February 14, 2007

Severity Rating: High

Systems Affected

  • Internet Explorer 5.01
  • Internet Explorer 5.5
  • Internet Explorer

Overview

A remote code execution vulnerability has been reported in the ADODB.Connection ActiveX object that could be exploited by an attacker to take complete control of the vulnerable system.

Description

The vulnerability is caused by the way the "Execute" method of the ADODB.Connection.2.7 and ADODB.Connection.2.8 objects handles malicious script.

An attacker could exploit this vulnerability by creating and hosting a specially crafted web page and persuading the user to visit the website, typically by getting them to click on a link to it. Visiting this specially crafted page could corrupt system memory and allow the attacker to execute arbitrary code.

Workaround

Disable the ADODB.Connection ActiveX control in Internet Explorer, or set Internet Explorer to “prompt” before running ActiveX controls.
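
To check the workaround on a host, the following added example (not part of the CERT-In note or of Microsoft's bulletin) audits the registry. It assumes the control is disabled through Internet Explorer's kill-bit mechanism (bit 0x400 of "Compatibility Flags" under the "ActiveX Compatibility" key) and resolves the CLSID from the ProgIDs at runtime instead of hard-coding it.

```powershell
# Added example: report whether the IE kill bit is set for the ADODB.Connection
# ProgIDs named in this note. Read-only; run in a Windows PowerShell session.
$progIds = 'ADODB.Connection', 'ADODB.Connection.2.7', 'ADODB.Connection.2.8'
$killBit = 0x400   # "do not instantiate in Internet Explorer" flag

# Native and 32-bit-on-64-bit views of the compatibility key; keep those that exist.
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-ClsidFromProgId([string]$ProgId) {
    # The default value of HKCR\<ProgID>\CLSID holds the class identifier.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    (Get-Item -LiteralPath $key).GetValue('')
}

foreach ($progId in $progIds) {
    $clsid = Get-ClsidFromProgId $progId
    if (-not $clsid) {
        [pscustomobject]@{ ProgId = $progId; Clsid = $null; Root = $null
                           Flags = $null; KillBitSet = $null
                           Note = 'ProgID not registered on this host' }
        continue
    }
    foreach ($root in $compatRoots) {
        $key   = "$root\$clsid"
        $flags = 0   # a missing key or value means no compatibility flags are set
        if (Test-Path -LiteralPath $key) {
            $value = (Get-Item -LiteralPath $key).GetValue('Compatibility Flags')
            if ($null -ne $value) { $flags = [int]$value }
        }
        [pscustomobject]@{
            ProgId     = $progId
            Clsid      = $clsid
            Root       = $root
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = (($flags -band $killBit) -ne 0)
            Note       = ''
        }
    }
}
```

Any row with KillBitSet equal to False marks a registry view in which Internet Explorer can still instantiate the control.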

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS07-009.

References

Internet Security Systems
http://xforce.iss.net/xforce/xfdb/29837

USCERT
http://www.kb.cert.org/vuls/id/589272

eEye Digital Security
http://research.eeye.com/html/alerts/zeroday/20061027.html

CVE Name
CVE-2006-5559

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003