CERT-In Vulnerability Note CIVN-2010-15
Microsoft Windows Data Analyzer ActiveX Vulnerability

Original Issue Date: February 11, 2010

Severity Rating: High

System Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2 and Service Pack 3
  • Microsoft Windows XP Professional x64 Edition Service Pack 2
  • Microsoft Windows Server 2003 Service Pack 2
  • Microsoft Windows Server 2003 x64 Edition Service Pack 2
  • Microsoft Windows Server 2003 SP2 (Itanium)
  • Microsoft Windows Vista
  • Microsoft Windows Vista Service Pack 1 and Service Pack 2
  • Microsoft Windows Vista x64 Edition
  • Microsoft Windows Vista x64 Edition Service Pack 1 and Service Pack 2
  • Microsoft Windows Server 2008 (32-bit)
  • Microsoft Windows Server 2008 (32-bit) Service Pack 2
  • Microsoft Windows Server 2008 (x64)
  • Microsoft Windows Server 2008 (x64) Service Pack 2
  • Microsoft Windows Server 2008 (Itanium)
  • Microsoft Windows Server 2008 (Itanium) Service Pack 2
  • Microsoft Windows 7 (32-bit)
  • Microsoft Windows 7 (x64)
  • Microsoft Windows Server 2008 R2 (x64)
  • Microsoft Windows Server 2008 R2 (Itanium)

Overview

A vulnerability has been reported in the Microsoft Data Analyzer ActiveX Control. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code and take complete control of the affected system in the context of the logged-in user.

Description

A remote code execution vulnerability exists in the Microsoft Data Analyzer ActiveX Control "max3activex.dll" when used in Internet Explorer. An attacker could exploit this vulnerability by constructing a specially crafted Web page and persuading a user to open it. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code, resulting in system state corruption, and to take control of the system in the context of the logged-in user.

Workarounds

  • Prevent COM objects from running in Internet Explorer
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Add sites that you trust to the Internet Explorer Trusted sites zone

Solution

Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS10-008 and Microsoft Security Advisory (94871)

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms10-008.mspx
http://support.microsoft.com/kb/294871

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS10-008.mspx
http://support.microsoft.com/kb/975416

AUS-CERT
http://www.auscert.org.au/render.html?it=12364

Secunia
http://secunia.com/advisories/38503/

SecurityTracker
http://securitytracker.com/alerts/2010/Feb/1023560.html

SecurityFocus
http://www.securityfocus.com/bid/38045

Vupen
http://www.vupen.com/english/advisories/2010/0341

CVE Name
CVE-2010-0252

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003