Home / Cyber Advisories

---

MS-ISAC ADVISORY NUMBER:
2008-041

DATE(S) ISSUED:
12/9/2008

SUBJECT:
Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution

OVERVIEW:

Six vulnerabilities have been discovered in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files. The Visual Basic 6.0 Runtime Extended Files include select ActiveX controls, libraries, and tools that are delivered with a variety of Microsoft products, such as Microsoft Project, Visual Studio, FoxPro, and FrontPage, as well as third party and custom written software. The identified vulnerabilities may be exploited if a user visits a specially crafted web page or opens a specially crafted HTML formatted email, which could allow an attacker to take complete control of an affected system. For all of the vulnerabilities, successful exploits could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete files; or create new accounts with user rights.

SYSTEMS AFFECTED:

• Microsoft Visual Basic Enterprise Edition for Windows, Version 6.0
• Microsoft Visual Basic 6.0 Standard Edition
• Microsoft Visual Basic Professional Edition for Windows 6.0
• Microsoft Visual Studio .Net 2003 Service Pack 1, when used with:
  • Microsoft Visual Studio .NET 2003 Academic Edition
  • Microsoft Visual Studio .NET 2003 Enterprise Architect
  • Microsoft Visual Studio .NET 2003 Enterprise Developer
  • Microsoft Visual Basic .NET (2003)
  • Microsoft Visual C++ .NET (2003)
  • Microsoft Visual C# .NET 2003 Standard Edition
  • Microsoft Visual J# .NET (2003)
• Microsoft Visual Studio .NET 2002 Service Pack 1, when used with:
  • Microsoft Visual Studio .NET (2002), Academic Edition
  • Microsoft Visual Studio .NET (2002), Enterprise Architect Edition
  • Microsoft Visual Studio .NET (2002), Enterprise Developer Edition
  • Microsoft Visual Basic .NET (2002)
  • Microsoft Visual C++ .NET (2002)
  • Microsoft Visual C# .NET (2002)
• Visual FoxPro 8 SP1
• Microsoft Visual FoxPro 9.0 Service Pack 1
• Microsoft Visual FoxPro 9.0 Service Pack 2
• Microsoft FrontPage 2002 Service Pack 3 (SP3)
• Microsoft Office Project 2003 Service Pack 3
• Microsoft Office Project Pro 2007
• Microsoft Office Project Standard 2007
• Microsoft Office Project 2007 Service Pack 1

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Six vulnerabilities have been discovered in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files, that could allow an attacker to take complete control of an affected system. These vulnerabilities may be exploited if a user visits a specifically crafted web page or opens a specially crafted HTML formatted email. The following is a list of ActiveX controls that were found to be vulnerable along with their respective Class Identifiers (CLSID):

DataGrid ActiveX Control for Visual Basic 6
CLSID - CDE57A43-8B86-11D0-B3C6-00A0C90AEA82

FlexGrid ActiveX Control for Visual Basic 6
CLSID - 6262D3A0-531B-11CF-91F6-C2863C385E30

Hierarchical FlexGrid ActiveX Control for Visual Basic 6
CLSID - 0ECD9B64-23AA-11d0-B351-00A0C9055D8E

Windows Common ActiveX Control for Visual Basic 6
CLSID - B09DE715-87C1-11d1-8BE3-0000F8754DA1

Charts ActiveX Control for Visual Basic 6
CLSID - 3A2B370C-BA0A-11d1-B137-0000F8753F5D

Masked Edit ActiveX Control for Visual Basic 6
CLSID - C932BA85-4374-101B-A56C-00AA003668DC

It is important to note that if you are using any of the affected software, a portion of these ActiveX controls may be installed by default. In addition to the affected software listed, there may be other applications that install these ActiveX controls as well. To determine if any of these vulnerable ActiveX controls are installed, we recommend searching for each of the CLSIDs in the Windows Registry.

All of the ActiveX controls mentioned do not correctly handle property values, which causes a buffer overrun when used in Internet Explorer that could allow an attacker to run arbitrary code.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
• Read all e-mail messages in plain text.
• If the ActiveX control is not required for business functionality, set the kill bit on the Class Identifier (CLSID) {CDE57A43-8B86-11D0-B3C6-00A0C90AEA82}, {6262D3A0-531B-11CF-91F6-C2863C385E30}, {0ECD9B64-23AA-11d0-B351-00A0C9055D8E}, { B09DE715-87C1-11d1-8BE3-0000F8754DA1}, {3A2B370C-BA0A-11d1-B137-0000F8753F5D} and {F2175210-368C-11D0-AD81-00A0C90DC8D9}; further instructions on how to set the kill bit can be found at the following location ( http://support.microsoft.com/kb/240797 )

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-070.mspx
http://support.microsoft.com/kb/240797

Security Focus:
http://www.securityfocus.com/bid/32591
http://www.securityfocus.com/bid/32592
http://www.securityfocus.com/bid/32612
http://www.securityfocus.com/bid/32613
http://www.securityfocus.com/bid/32614
http://www.securityfocus.com/bid/30674

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4252
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4254
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4255
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4256
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3704

Copyright © 2010 - Privacy Policy - Contact Us