=====================================================================
CERT-Renater Information Note No. 2007/VULN054
_____________________________________________________________________

DATE                 : 15/02/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Windows 2000, Windows XP, Windows Server 2003
                       running the HTML Help ActiveX Control.

======================================================================

MS07-008 - Vulnerability in HTML Help ActiveX Control Could Allow
Remote Code Execution (928843)

Affected Software:

- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003
  Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems and
  Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition

Non-Affected Software:

- Windows Vista

Full MS07-008 advisory:
http://www.microsoft.com/technet/security/Bulletin/ms07-008.mspx

Vulnerability Details

HTML Help ActiveX Control Vulnerability - CVE-2007-0214

A remote code execution vulnerability exists in the HTML Help ActiveX
control. An attacker could exploit the vulnerability by constructing a
specially crafted Web page that could allow remote code execution if a
user visited that page. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.
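The note lists the affected Windows versions and the update number (928843) but does not give an inventory check. The following PowerShell script is an added example, not part of the CERT-Renater note or of Microsoft's bulletin: it reports whether the KB928843 update is present on the local host and whether an ActiveX kill bit has been set for a given control. The CLSID parameter is a placeholder, because the note does not list the HTML Help control's CLSID; supply the value from the MS07-008 bulletin when running it.

```powershell
# Added example (not from the CERT-Renater note): report exposure to MS07-008
# on the local host by checking the update and an ActiveX kill bit.
# The CLSID default is a placeholder; the note does not list the real one.
param(
    [string]$KB    = 'KB928843',                                # from the bulletin title
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
)

function Test-UpdateInstalled {
    param([string]$Id)
    # Get-HotFix queries Win32_QuickFixEngineering; $true when the KB is listed.
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Test-KillBit {
    param([string]$Clsid)
    # A kill bit is the 0x400 flag in "Compatibility Flags" under the
    # ActiveX Compatibility key; IE then refuses to instantiate the control.
    $path = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band 0x400) -ne 0)
}

$patched = Test-UpdateInstalled -Id $KB
$killed  = Test-KillBit -Clsid $Clsid

# One row per host; "Exposed" is true only when neither mitigation is present.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    UpdatePresent = $patched
    KillBitSet    = $killed
    Exposed       = (-not $patched) -and (-not $killed)
}
```

Run it with administrative rights on each host in scope (or wrap it in Invoke-Command for remote collection); the kill bit is a workaround only, so a host that shows KillBitSet but not UpdatePresent still needs the update.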
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44 +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41 +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================