CERTVU:641460Microsoft Windows fails to properly handle COM objects
0.884 High
EPSS
Percentile
98.7%
Overview
Microsoft Windows fails to properly handle COM Objects. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Microsoft COM
Microsoft COM is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls.
The Problem
Microsoft COM objects are not properly handled. Specifically, users are not properly warned before COM objects are executed.
More information is available in Microsoft Security Bulletin MS06-015.
Impact
A remote attacker may be able to execute arbitrary code on a vulnerable system. The attacker-supplied code would be executed with the privileges of the user running Windows Explorer.
Solution
Apply an Update
This issue is addressed in Microsoft Security Bulletin MS06-015.
Some problems associated with the update (verclsid.exe) and resolutions are described in Microsoft Knowledge Base Article 918165.
Refer to MS06-015
Refer to Microsoft Security Bulletin MS06-015 for workarounds for this vulnerability.
Vendor Information
641460
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft Corporation __ Affected
Updated: April 11, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to <http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx>.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23641460 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx>
- <http://support.microsoft.com/kb/918165>
- <http://secunia.com/advisories/19606/>
Acknowledgements
This vulnerability was reported in Microsoft Security Bulletin MS06-015. Microsoft credits NISCC with providing information regarding this vulnerability.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2006-0012 |
|---|---|
| Severity Metric: | 27.00 Date Public: |
Related
