Internet Explorer tblinf32.dll ActiveX IObjectsafety vulnerability


Added: 08/17/2007 CVE: [CVE-2007-2216](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2216>) BID: [25289](<http://www.securityfocus.com/bid/25289>) OSVDB: [36396](<http://www.osvdb.org/36396>) ### Background The [IObjectsafety](<http://msdn2.microsoft.com/en-us/library/Aa768224.aspx>) interface provides methods to get and set safety options for objects which support untrusted clients. ### Problem The tblinf32.dll ActiveX control implements IObjectsafety incorrectly, allowing execution of code from arbitrary DLLs when a user loads a specially crafted web page. ### Resolution Apply the patch referenced in [Microsoft Security Bulletin 07-045](<http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx>). ### References <http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx> ### Limitations Exploit works on Microsoft Visual Studio 6.0 on Windows 2000 and XP and requires a user to load the exploit page into Internet Explorer 6 or 7. As a prerequisite for this exploit, the exploit DLL must be placed on an SMB share which is accessible by the target. To do so, first start the exploit, then download the file http://address:port/exploit1.dll, where address is the address of the SAINTexploit host and port is the exploit port, and save exploit1.dll on the SMB share. When running the exploit, the share should be specified as COMPUTER/SHARE, where COMPUTER is the NetBIOS name of the computer and SHARE is the name of the share. ### Platforms Windows