CERT-In Vulnerability Note CIVN-2006-79
Microsoft Management Console Remote Code Execution Vulnerability
Original Issue Date: August 09, 2006
Severity Rating: High
Systems Affected
- Microsoft Windows 2000 Service Pack 4
Overview
A remote code execution vulnerability exists in Microsoft Management Console that could allow an attacker to take complete control of the affected system.
Description
Microsoft Management Console is an integrated administration user interface and administration model for Windows-based environments.
HTML embedded resource files in the Microsoft Management Console library can be directly referenced from the Internet or Intranet zone via Internet Explorer, which could be exploited by an attacker to execute arbitrary commands.
Internet Explorer 5.01 users are vulnerable from any URLs in the Internet Zone.
Internet Explorer 6 Service Pack 1 users are vulnerable from any URLs in the Intranet Zone; by default Internet Explorer 6 Service Pack 1 blocks local file access from URLs in the Internet Zone.
An attacker would have to host a Web site that contains a Web page used to attempt to exploit this vulnerability. The attacker would then have to persuade users to visit that page, for example by sending them a link or by displaying specially crafted Web content through banner advertisements.
Workarounds
- Disable active scripting in the My Computer zone
- Read e-mail messages in plain text format when using Outlook 2002 or a later version, or Outlook Express 6 SP1 or a later version.
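The first workaround is a per-user Internet Explorer zone setting. The following PowerShell script is an added example for auditing and, optionally, applying it on a managed host; it is not part of the CERT-In note or of Microsoft's bulletin. It assumes the Internet Explorer zone layout from general Windows knowledge rather than from this note: zone 0 under the current user's Internet Settings key is the My Computer (Local Machine) zone, and the DWORD value named 1400 holds the Active scripting setting (0 = enable, 1 = prompt, 3 = disable). Run it without parameters to report the current state, and with -Apply to set the value to disabled.

```powershell
# Added example (not from the CERT-In note): audit or apply the
# "disable active scripting in the My Computer zone" workaround.
# Assumptions (general Internet Explorer registry layout, not stated in the note):
#   - zone 0 under HKCU\...\Internet Settings\Zones is the My Computer zone
#   - value "1400" is the Active scripting setting: 0 enable, 1 prompt, 3 disable
param(
    [switch]$Apply
)

$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$ValueName = '1400'
$Disabled  = 3

# Map the numeric zone setting to a readable state for the report.
function Get-ActiveScriptingState {
    if (-not (Test-Path $ZonePath)) {
        return 'zone key missing'
    }
    $item = Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value means the zone's default (enabled) is in effect.
        return 'enabled (default, value not set)'
    }
    switch ($item.$ValueName) {
        0 { return 'enabled' }
        1 { return 'prompt' }
        3 { return 'disabled' }
        default { return "unknown value $($item.$ValueName)" }
    }
}

# Write the value as a REG_DWORD; create the zone key if it does not exist.
function Set-ActiveScriptingDisabled {
    if (-not (Test-Path $ZonePath)) {
        New-Item -Path $ZonePath -Force | Out-Null
    }
    Set-ItemProperty -Path $ZonePath -Name $ValueName -Value $Disabled -Type DWord
}

$before = Get-ActiveScriptingState
Write-Output "My Computer zone active scripting: $before"

if ($Apply -and $before -ne 'disabled') {
    Set-ActiveScriptingDisabled
    Write-Output "Applied workaround, now: $(Get-ActiveScriptingState)"
}
```

The setting is per user, so the script must run in the context of each account that uses Internet Explorer on the machine; a value enforced through policy under HKLM would take precedence over what this script writes and should be checked separately. Disabling scripting in the My Computer zone can break locally hosted HTML that relies on script, which is why the audit mode is separated from the apply mode.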
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-044
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx
Security Focus
http://www.securityfocus.com/bid/19417/info
US-CERT
http://www.kb.cert.org/vuls/id/927548
FrSIRT
http://www.frsirt.com/english/advisories/2006/3213
Secunia
http://secunia.com/advisories/21401/
Securitytracker
http://securitytracker.com/alerts/2006/Aug/1016655.html
CVE Name
CVE-2006-3643
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003