=====================================================================
CERT-Renater Information Note No. 2008/VULN123
_____________________________________________________________________
DATE : 09/04/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running Internet Explorer 5.01 SP4 or Internet Explorer 6 SP1 with ActiveX enabled.
======================================================================

MS08-023 Security Update of ActiveX Kill Bits

This security update resolves one privately reported vulnerability in a Microsoft product. The update also sets a kill bit for the Yahoo! Music Jukebox product. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page with Internet Explorer. Users whose accounts are configured with fewer user rights on the system are less exposed than users who operate with administrative user rights.

The security update is rated Critical for Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4; Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2; and Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2. The security update is rated Important for Windows Vista and Windows Vista Service Pack 1, and Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1. The security update is rated Moderate for all supported editions of Windows Server 2003. For all other supported versions of Windows, this security update is rated Low.

The security update addresses the vulnerability by setting a kill bit so that the vulnerable controls no longer run in Internet Explorer. Microsoft recommends that customers apply the update immediately.
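A kill bit is simply the 0x400 flag in the DWORD value "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; once it is set, Internet Explorer refuses to instantiate that CLSID. The PowerShell below is an added example, not code from CERT-Renater, Microsoft or Yahoo!: it audits and, with -Fix, sets the kill bit for the two Yahoo! Music Jukebox CLSIDs printed in the Vulnerability Information section of this note (no other CLSID is assumed, in particular not those of hxvz.dll, which this note does not list). On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node, so both views are handled. Writing requires an elevated session; the function names are this example's own.

```powershell
# Added example (not from the CERT-Renater note, MS08-023 or Yahoo!): audit and optionally set
# the Internet Explorer kill bit for the two CLSIDs listed in this advisory.
# Kill bit = 0x400 in the DWORD "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# On 64-bit Windows the 32-bit IE reads the Wow6432Node copy of that key, so both are checked.
# Requires an elevated PowerShell session to write. Function names are this example's own.

$KillBit = 0x400
$Clsids  = @(
    '{5f810afc-bb5f-4416-be63-e01dd117bd6c}',   # CLSIDs as printed in this advisory
    '{22fd7c0a-850c-4a53-9821-0b0915c96139}'
)

# ActiveX Compatibility keys to inspect: the native view, plus the WOW64 view when it exists.
function Get-ActiveXCompatRoots {
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    return $roots
}

# Current "Compatibility Flags" for a CLSID under one root, or $null if the key/value is absent.
function Get-CompatFlags([string]$Root, [string]$Clsid) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

# True only when the 0x400 bit is already present (other flags may also be set).
function Test-KillBit([string]$Root, [string]$Clsid) {
    $flags = Get-CompatFlags $Root $Clsid
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

# OR the kill bit into the existing flags so that other compatibility flags are preserved.
function Set-KillBit([string]$Root, [string]$Clsid) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = Get-CompatFlags $Root $Clsid
    $new = if ($null -eq $flags) { $KillBit } else { $flags -bor $KillBit }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

# Audit every CLSID under every root; -Fix sets any kill bit that is missing and re-checks it.
function Invoke-KillBitAudit([switch]$Fix) {
    foreach ($root in Get-ActiveXCompatRoots) {
        foreach ($clsid in $Clsids) {
            $set = Test-KillBit $root $clsid
            if (-not $set -and $Fix) {
                Set-KillBit $root $clsid
                $set = Test-KillBit $root $clsid
            }
            New-Object PSObject -Property @{
                Root    = $root
                Clsid   = $clsid
                Flags   = Get-CompatFlags $root $clsid
                KillBit = $set
            }
        }
    }
}

Invoke-KillBitAudit | Format-Table Root, Clsid, Flags, KillBit -AutoSize
# Invoke-KillBitAudit -Fix | Format-Table Root, Clsid, Flags, KillBit -AutoSize   # elevated session
```

On Windows 2000, which has no PowerShell, the same value can be written with reg.exe, for example `reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5f810afc-bb5f-4416-be63-e01dd117bd6c}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f`. Setting these two kill bits by hand only blocks the Yahoo! control; it does not replace the MS08-023 update, which also covers the hxvz.dll vulnerability (CVE-2008-1086).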
Affected Software

  o Microsoft Internet Explorer 5.01 Service Pack 4
  o Microsoft Internet Explorer 6 Service Pack 1

Vulnerability Information

ActiveX Object Memory Corruption Vulnerability - CVE-2008-1086

A remote code execution vulnerability exists in the ActiveX control hxvz.dll. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

This update also includes kill bits that prevent the following third-party ActiveX control from running in Internet Explorer:

  o Yahoo! Music Jukebox. Yahoo! has released a security bulletin:
    http://help.yahoo.com/l/us/yahoo/music/jukebox/troubleshoot/securityupdate.html
    and an update that addresses the vulnerability in Yahoo! Music Jukebox. Please see the security bulletin from Yahoo! for more information and download locations. This kill bit is being set at the request of the owner of the ActiveX control. The class identifiers (CLSIDs) for this ActiveX control are:
      o {5f810afc-bb5f-4416-be63-e01dd117bd6c}
      o {22fd7c0a-850c-4a53-9821-0b0915c96139}

======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44        +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41        +
+ 75013 Paris           | email: certsvp@renater.fr   +
=========================================================