CERT-In Vulnerability Note CIVN-2006-83
Microsoft Windows Hyperlink Object Library vulnerabilities
Original Issue Date: August 09, 2006
Severity Rating:
Medium
Systems Affected
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems and SP1
- Microsoft Windows Server 2003 x64
Overview
Two vulnerabilities have been reported in Microsoft Windows Hyperlink Object Library that could be exploited by attacker to take complete control of the vulnerable system.
Description
Hyperlink Object Buffer Overflow Vulnerability ( CVE-2006-3086 )
A stack based buffer overflow vulnerability has been reported in the way hlink.dll library used by various Microsoft applications handles overly long hyperlinks. For details please refer CERT-In Vulnerability Note (civn-2006-57)
Hyperlink Object Function Vulnerability ( CVE-2006-3438 )
The Hyperlink Object Library is a collection of Application Programming Interfaces. These interfaces provide functionality to software developers for handling hyperlinks. This problem exists when the Hyperlink Object Library uses a file containing a malformed function while handling hyperlinks. This vulnerability could not be exploited automatically through e-mail. For an attack to be successful an attacker must persuade a user to click a link in e-mail message or open an Office file and click a link within that file.
Note: It may be noted that Proof of Concept exploit code for these vulnerabilities are available on Internet.
Workarounds
- Do not click on hyperlinks in Microsoft Office documents from untrusted sources.
- Read e-mail messages in plain text format.
- Modify the Access Control List to deny access to Hlink.dll for all users
- Modify the Access Control List to disable the HLINK registry key
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-050
Vendor Information Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-050.mspx
Refrences
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-050.mspx
US-CERT VU#683612
http://www.kb.cert.org/vuls/id/683612
Security Focus
http://www.securityfocus.com/bid/19405/info
Secunia
http://secunia.com/advisories/20748/
CVE Name
CVE-2006-3086
CVE-2006-3438
Disclaimer The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
| 
