Microsoft Step-by-Step Interactive Training is the engine used by various training programs.
Problem
A buffer overflow vulnerability in Microsoft Step-by-Step Interactive Training allows command execution when a specially crafted bookmark link file is opened.
Exploit works on Microsoft Office 2000 Step-by-Step Interactive Training with MS05-031 patch on Windows 2000 and Windows XP.
A user must open the exploit file in order for the exploit to succeed.
Platforms
Windows
{"id": "SAINT:3D26BDB245AF9184C7A25DCC9A0D631D", "vendorId": null, "type": "saint", "bulletinFamily": "exploit", "title": "Microsoft Step-by-Step Interactive Training bookmark buffer overflow", "description": "Added: 05/04/2007 \nCVE: [CVE-2006-3448](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3448>) \nBID: [22484](<http://www.securityfocus.com/bid/22484>) \nOSVDB: [31883](<http://www.osvdb.org/31883>) \n\n\n### Background\n\nMicrosoft Step-by-Step Interactive Training is the engine used by various training programs. \n\n### Problem\n\nA buffer overflow vulnerability in Microsoft Step-by-Step Interactive Training allows command execution when a specially crafted bookmark link file is opened. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 07-005](<http://www.microsoft.com/technet/security/Bulletin/ms07-005.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/466873> \n\n\n### Limitations\n\nExploit works on Microsoft Office 2000 Step-by-Step Interactive Training with MS05-031 patch on Windows 2000 and Windows XP. \n\nA user must open the exploit file in order for the exploit to succeed. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-05-04T00:00:00", "modified": "2007-05-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {}, "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_ssit_bookmark", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2006-3448"], "immutableFields": [], "lastseen": "2022-01-26T11:33:27", "viewCount": 0, "enchantments": {"dependencies": {}, "score": {"value": 8.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cert", "idList": ["VU:466873"]}, {"type": "cve", "idList": ["CVE-2006-3448"]}, {"type": "nessus", "idList": ["SMB_NT_MS07-005.NASL"]}, {"type": "saint", "idList": ["SAINT:447F3E979CE974941C48F4EC76D6C5F4"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7223"]}]}, "exploitation": null, "vulnersScore": 8.6}, "_state": {"dependencies": 1645363043}}
{"saint": [{"lastseen": "2021-07-29T16:40:21", "description": "Added: 05/04/2007 \nCVE: [CVE-2006-3448](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3448>) \nBID: [22484](<http://www.securityfocus.com/bid/22484>) \nOSVDB: [31883](<http://www.osvdb.org/31883>) \n\n\n### Background\n\nMicrosoft Step-by-Step Interactive Training is the engine used by various training programs. \n\n### Problem\n\nA buffer overflow vulnerability in Microsoft Step-by-Step Interactive Training allows command execution when a specially crafted bookmark link file is opened. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 07-005](<http://www.microsoft.com/technet/security/Bulletin/ms07-005.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/466873> \n\n\n### Limitations\n\nExploit works on Microsoft Office 2000 Step-by-Step Interactive Training with MS05-031 patch on Windows 2000 and Windows XP. \n\nA user must open the exploit file in order for the exploit to succeed. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2007-05-04T00:00:00", "type": "saint", "title": "Microsoft Step-by-Step Interactive Training bookmark buffer overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3448"], "modified": "2007-05-04T00:00:00", "id": "SAINT:C0D3A9DC913F7C3D20418DB2F6F98AD2", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/microsoft_ssit_bookmark", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:28", "description": "Added: 05/04/2007 \nCVE: [CVE-2006-3448](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3448>) \nBID: [22484](<http://www.securityfocus.com/bid/22484>) \nOSVDB: [31883](<http://www.osvdb.org/31883>) \n\n\n### Background\n\nMicrosoft Step-by-Step Interactive Training is the engine used by various training programs. \n\n### Problem\n\nA buffer overflow vulnerability in Microsoft Step-by-Step Interactive Training allows command execution when a specially crafted bookmark link file is opened. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 07-005](<http://www.microsoft.com/technet/security/Bulletin/ms07-005.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/466873> \n\n\n### Limitations\n\nExploit works on Microsoft Office 2000 Step-by-Step Interactive Training with MS05-031 patch on Windows 2000 and Windows XP. \n\nA user must open the exploit file in order for the exploit to succeed. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2007-05-04T00:00:00", "type": "saint", "title": "Microsoft Step-by-Step Interactive Training bookmark buffer overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3448"], "modified": "2007-05-04T00:00:00", "id": "SAINT:447F3E979CE974941C48F4EC76D6C5F4", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_ssit_bookmark", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:58", "description": "Added: 05/04/2007 \nCVE: [CVE-2006-3448](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3448>) \nBID: [22484](<http://www.securityfocus.com/bid/22484>) \nOSVDB: [31883](<http://www.osvdb.org/31883>) \n\n\n### Background\n\nMicrosoft Step-by-Step Interactive Training is the engine used by various training programs. \n\n### Problem\n\nA buffer overflow vulnerability in Microsoft Step-by-Step Interactive Training allows command execution when a specially crafted bookmark link file is opened. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 07-005](<http://www.microsoft.com/technet/security/Bulletin/ms07-005.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/466873> \n\n\n### Limitations\n\nExploit works on Microsoft Office 2000 Step-by-Step Interactive Training with MS05-031 patch on Windows 2000 and Windows XP. \n\nA user must open the exploit file in order for the exploit to succeed. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2007-05-04T00:00:00", "type": "saint", "title": "Microsoft Step-by-Step Interactive Training bookmark buffer overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2006-3448"], "modified": "2007-05-04T00:00:00", "id": "SAINT:4920648E49BA14F9C7DE34D884E87721", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/microsoft_ssit_bookmark", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2021-09-28T17:51:45", "description": "### Overview\n\nMicrosoft Step-by-Step Interactive Training contains a buffer overflow vulnerability. If successfully exploited, this vulnerability may allow an attacker to execute arbitrary code.\n\n### Description\n\nMicrosoft Step-by-Step Interactive Training is a training program developed by MIcrosoft. It is preinstalled by some computer manufactuers and is included in many Microsoft Press books. Microsoft Knowledge Base article [898458](<http://support.microsoft.com/kb/898458>) contains a partial list of software and publications that include the Step-by-Step Interactive training. \n\nThe Step-by-Step Interactive Training contains a buffer overflow. To trigger the vulnerability, an attacker would need to convince a user to open a specially crafted bookmark link file. The bookmark file name extension can be .CBL, .CBM, or .CBO. \n \n--- \n \n### Impact\n\nBy convincing a user to open a specially crafted bookmark link file, a remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the user who is running the Step-by-Step Interactive Training program. \n \n--- \n \n### Solution\n\n**Update** \nMicrosoft has released an update to address this issue. See Microsoft Security Bulletin [MS07-005](<http://www.microsoft.com/technet/security/Bulletin/ms07-005.mspx>) for more details. \n \n--- \n \n \n**Do not run Windows with administrator privileges** \n \nRunning Windows using an unprivileged regular user account may mitigate the affects of this vulnerability. See the Microsoft Technet article [Applying the Principle of Least Privilege to User Accounts on Windows XP](<http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx>) for more information. \n \n--- \n \n### Vendor Information\n\n466873\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: February 14, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSee <http://www.microsoft.com/technet/security/Bulletin/ms07-005.mspx> for more details.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23466873 Feedback>).\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References\n\n * <http://www.microsoft.com/technet/security/Bulletin/ms07-005.mspx>\n * <http://support.microsoft.com/kb/898458>\n * <http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx>\n * <http://secunia.com/advisories/24121/>\n * <http://securitytracker.com/alerts/2007/Feb/1017632.html>\n * <http://www.securityfocus.com/bid/22484>\n\n### Acknowledgements\n\nThanks to Microsoft for information used in this report. Microsoft in turn thanks Brett Moore of Security-Assessment.com.\n\nThis document was written by Ryan Giobbi.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-3448](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-3448>) \n---|--- \n**Severity Metric:** | 5.13 \n**Date Public:** | 2007-02-13 \n**Date First Published:** | 2007-02-14 \n**Date Last Updated: ** | 2007-02-23 14:16 UTC \n**Document Revision: ** | 24 \n", "cvss3": {}, "published": "2007-02-14T00:00:00", "type": "cert", "title": "Microsoft Step-by-Step Interactive Training contains a buffer overflow", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3448"], "modified": "2007-02-23T14:16:00", "id": "VU:466873", "href": "https://www.kb.cert.org/vuls/id/466873", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-08-19T13:14:31", "description": "The remote host is running a version of Microsoft Step-by-Step Interactive Training that contains a flaw that could lead to remote code execution.\n\nTo exploit this flaw, an attacker would need to trick a user on the remote host into opening a malformed file with the affected application.", "cvss3": {"score": null, "vector": null}, "published": "2007-02-13T00:00:00", "type": "nessus", "title": "MS07-005: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3448"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:microsoft:step-by-step_interactive_training"], "id": "SMB_NT_MS07-005.NASL", "href": "https://www.tenable.com/plugins/nessus/24329", "sourceData": "#\n# Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24329);\n script_version(\"1.27\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2006-3448\");\n script_bugtraq_id(22484);\n script_xref(name:\"MSFT\", value:\"MS07-005\");\n script_xref(name:\"MSKB\", value:\"923723\");\n \n script_xref(name:\"CERT\", value:\"466873\");\n\n script_name(english:\"MS07-005: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)\");\n script_summary(english:\"Determines the version of MRUN32.exe\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the training\nsoftware.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Microsoft Step-by-Step\nInteractive Training that contains a flaw that could lead to remote code\nexecution.\n\nTo exploit this flaw, an attacker would need to trick a user on the\nremote host into opening a malformed file with the affected\napplication.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-005\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/02/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:step-by-step_interactive_training\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\n\n\ninclude(\"misc_func.inc\");\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-005';\nkbs = make_list(\"923723\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nif ( ! get_kb_item(\"SMB/WindowsVersion\") ) exit(1);\n\nif ( hotfix_check_fversion(file:\"mrun32.exe\", version:\"3.4.1.102\", bulletin:\"MS07-005\", kb:\"923723\") == HCF_OLDER ) {\n set_kb_item(name:\"SMB/Missing/MS07-005\", value:TRUE);\n hotfix_security_hole();\n }\n\nhotfix_check_fversion_end();\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "description": "Microsoft Security Bulletin MS07-005\r\nVulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)\r\nPublished: February 13, 2007\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Windows and have Step-by-Step Interactive Training installed\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Important\r\n\r\nRecommendation: Customers should apply the update at the earliest opportunity\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nStep-by-Step Interactive Training when installed on Microsoft Windows 2000 Service Pack 4 \u2014 Download the update\r\n\u2022\t\r\n\r\nStep-by-Step Interactive Training when installed on Microsoft Windows XP Service Pack 2 \u2014 Download the update\r\n\u2022\t\r\n\r\nStep-by-Step Interactive Training when installed on Microsoft Windows XP Professional x64 Edition \u2014 Download the update\r\n\u2022\t\r\n\r\nStep-by-Step Interactive Training when installed on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 \u2014 Download the update\r\n\u2022\t\r\n\r\nStep-by-Step Interactive Training when installed on Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems \u2014 Download the update\r\n\u2022\t\r\n\r\nStep-by-Step Interactive Training when installed on Microsoft Windows Server 2003 x64 Edition \u2014 Download the update\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nNote The Step-by-Step Interactive Training software is included with many Microsoft Press titles. Use the information in the section, \u201cFrequently Asked Questions (FAQ) Related to This Security Update\u201d, to help determine whether you require this security update.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly discovered, privately reported vulnerability. The Step-by-Step Interactive Training has a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWe recommend that customers apply the update at the earliest opportunity.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tStep-by-Step Interactive Training when installed on Windows 2000 Service Pack 4\tStep-by-Step Interactive Training when installed on Microsoft Windows XP Service Pack 2\tStep-by-Step Interactive Training when installed on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\r\nInteractive Training Vulnerability - CVE-2006-3448\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nNote The security updates for Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\n\r\nNote The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:\r\n\u2022\t\r\n\r\nThe Windows XP Professional x64 Edition severity rating is the same as the Windows XP Service Pack 2 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhat updates does this release replace?\r\nThis security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.\r\nBulletin ID\tStep-by-Step Interactive Training\r\n\r\nMS05-031\r\n\t\r\n\r\nReplaced\r\n\r\nDoes this update contain any changes to functionality?\r\nYes. This update also includes the change in functionality introduced in Microsoft Security Bulletin MS05-031. Bookmark links created by the Step-by-Step Interactive Training software before the installation of this security update may no longer function correctly. These bookmark links may have to be recreated to function correctly. In addition, bookmark files can now only be opened from within the Step-by-Step Interactive Training user interface.\r\n\r\nWill this security update be offered through Windows Update and Automatic Update?\r\nYes. The Step-by-Step Interactive Training software is preinstalled by many computer manufacturers. The Step-by-Step Interactive Training software is also offered as part of hundreds of Microsoft Press titles. Because of the wide distribution of this software, we have decided to offer this security update on Windows Update to systems that have this software installed. This software is covered as part of the operating system license on systems where the software is preinstalled. If this software is not installed, this security update will not be offered and is not required on those systems. This software will be offered on Windows 2000, Windows XP, and Windows Server 2003 operating systems where required.\r\n\r\nNote: A non-localized version of the security update may be offered through Windows Update when a localized version of the affected software is installed on a version of the operating system that contains a different localization. For example, customers using a Norwegian version of the operating system that are using the French version of the affected application will be offered the English version of the security update through Windows Update. Customers that require the French version of the affected application should download the French version of the security update using the download links provided in this security bulletin. If the security update is already installed, it will not be offered by Windows Update. No matter which language combination of the affected software you have installed, a security update will be offered to help protect against this vulnerability.\r\n\r\nDoes Step-By-Step Interactive Training ship as part of Windows?\r\nNo, Step-By-Step Interactive Training is not installed on Windows by default. Customers may have Step-By-Step Interactive Training preinstalled by computer OEM manufacturers or by installing Step-By-Step Interactive Training included with Microsoft Press titles.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?\r\nThe following table provides the MBSA detection summary for this security update.\r\nProduct\tMBSA 1.2.1\tEST\tMBSA 2.0\r\n\r\nStep-by-Step Interactive Training\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nFor more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nWhat is the Enterprise Update Scan Tool (EST)?\r\nAs part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scan Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scan Tool is created for a specific bulletin, customers can run the tool from a command-line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.\r\n\r\nCan I use a version of the Enterprise Update Scan Tool (EST) to determine whether this update is required?\r\nYes. Microsoft has created a version of EST that will determine if you have to apply this update. For download links and more information about the version of EST that is being released this month, see Microsoft Knowledge Base Article 894193. SMS customers should review the following FAQ, \u201cCan I use Systems Management Server (SMS) to determine whether this update is required?" for more information about SMS and EST.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nThe following table provides the SMS detection summary for this security update.\r\nSoftware\tSMS 2.0\tSMS 2003\r\n\r\nStep-by-Step Interactive Training\r\n\t\r\n\r\nYes (with EST)\r\n\t\r\n\r\nYes\r\n\r\nSMS 2.0 and SMS 2003 Software Update Services (SUS) Feature Pack can use MBSA 1.2.1 for detection and therefore have the same limitation that is listed earlier in this bulletin related to programs that MBSA 1.2.1 does not detect.\r\n\r\nFor SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool (SUIT), can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about SUIT, visit the following Microsoft Web site. For more information about the limitations of SUIT, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nHow do I know if I have Step-by-Step Interactive Training installed on my system?\r\nYou can refer to the list of titles provided in Microsoft Knowledge Base Article 898458.You can also use the Add or Remove Programs tool in Control Panel to determine whether \u201cMicrosoft Press Interactive Training\u201d and \u201cInteractive Training\u201d are included in the list of installed software. However, this is not a complete method of verification, because \u201cMicrosoft Interactive Training\u201d does not create an Add or Remove Programs entry. \u201cMicrosoft Interactive Training\u201d is based on the Orun32.exe file. Therefore, you must also manually determine whether the Orun32.exe file is present on your system. Customers can also manually search for all the affected files. If any one of these files is present, the system is likely to be vulnerable to this issue. The affected files are any versions of the following files earlier than the file versions that were released as part of this security update:\r\nFile Name\tVersion\tDate\tTime\tSize\r\n\r\nLrun32.exe\r\n\t\r\n\r\n3.6.0.112\r\n\t\r\n\r\n21-Aug-2006\r\n\t\r\n\r\n22:57\r\n\t\r\n\r\n1,077,321\r\n\r\nMrun32.exe\r\n\t\r\n\r\n3.4.1.102\r\n\t\r\n\r\n26-Aug-2006\r\n\t\r\n\r\n00:19\r\n\t\r\n\r\n1,028,172\r\n\r\nOrun32.exe\r\n\t\r\n\r\n3.5.0.118\r\n\t\r\n\r\n21-Aug-2006\r\n\t\r\n\r\n22:57\r\n\t\r\n\r\n1,077,321\r\n\r\nIf I have none of the above referenced files on my system, am I vulnerable?\r\nNo. Only the files listed in the above table are affected by this vulnerability and require an update. Customers who do not have these files on their system are not affected and will not need this update.\r\n\r\nCan I use SMS to determine if other programs are installed that have to be updated?\r\nYes. SMS can help detect if there are other programs installed that may have installed a version of the vulnerable component. SMS can search for the existence of the file Orun32.exe. Update all versions of Orun32.exe that are earlier than version 3.5.0.118. The registry key information available in this bulletin can also be used to write specific file/registry key collection queries in SMS to detect vulnerable systems.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nInteractive Training Vulnerability - CVE-2006-3448:\r\n\r\nA remote code execution vulnerability exists in Step-by-Step Interactive Training because of the way that Step-by-Step Interactive Training handles bookmark link files. An attacker could exploit the vulnerability by constructing a specially crafted bookmark link file that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.\r\n\t\r\nMitigating Factors for Interactive Training Vulnerability - CVE-2006-3448:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. Also, Web sites that accept or host user-provided content or advertisements, and compromised Web sites, may contain malicious content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger message that takes users to the attacker's Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nThe vulnerability could not be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message or must click a link that is provided in an e-mail message.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Interactive Training Vulnerability - CVE-2006-3448:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\u2022\t\r\n\r\nDisable the handler for Step-by-Step Interactive Training bookmark link files by removing the related registry keys.\r\nDelete these keys to help reduce attacks. This workaround helps reduce attacks by preventing Step-by-Step Interactive Training from automatically opening the affected file types. The content can still be opened from within the Step-by-Step Interactive Training user interface.\r\n\r\nImportant This bulletin contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base Article 256986.\r\n\r\nWarning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type regedt32, and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nIn Registry Editor, locate the following registry:\r\n\r\nHKEY_CLASSES_ROOT\.cbl (for \u201cMicrosoft Press Interactive Training\u201d) \r\nHKEY_CLASSES_ROOT\.cbm (for \u201cInteractive Training\u201d) \r\nHKEY_CLASSES_ROOT\.cbo (for \u201cMicrosoft Interactive Training \u201d)\r\n\r\n3.\r\n\t\r\n\r\nFor each subkey that is found, click the subkey, and then click DELETE.\r\n\r\n4.\r\n\t\r\n\r\nIn the Confirm Key Delete dialog box, click OK.\r\n\r\nThese actions can also be performed at a command prompt by using the following commands in the following order:\r\n\r\nreg.exe export HKCR\.cbl c:\cbl.reg \r\nreg.exe delete HKCR\.cbl /f \r\nreg.exe export HKCR\.cbm c:\cbm.reg \r\nreg.exe delete HKCR\.cbm /f \r\nreg.exe export HKCR\.cbo c:\cbo.reg \r\nreg.exe delete HKCR\.cbo /f\r\n\r\nImpact of Workaround: Step-by-Step Interactive Training bookmark files can no longer be opened. The content can still be opened from within the Step-by-Step Interactive Training user interface.\r\n\u2022\t\r\n\r\nDo not open or save Step-by-Step Interactive Training bookmark link files (.cbo, .cbl, .cbm) that you receive from untrusted sources.\r\nThis vulnerability could be exploited when a user opens a .cbo, .cbl, or .cbm file. Do not open files that use these file name extensions. This workaround does not cover other vectors of attack such as Web browsing.\r\n\u2022\t\r\n\r\nRemove Step-by-Step Interactive Training by using the Add or Remove Programs tool in Control Panel.\r\nTo manually remove Step-by-Step Interactive Training from a system, follow these steps.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, point to Settings, and then click Control Panel.\r\n\r\n2.\r\n\t\r\n\r\nDouble-click Add or Remove Programs.\r\n\r\n3.\r\n\t\r\n\r\nIn the Add or Remove Programs dialog box, click the name of the affected program and then click Remove.\r\n\r\nNote Affected versions are "Microsoft Press Interactive Training" and "Interactive Training." However, removing these programs may not be a complete workaround, because "Microsoft Interactive Training" does not create an Add or Remove Programs entry. "Microsoft Interactive Training" is based on the Orun32.exe file. Therefore, you must also manually verify that the Orun32.exe file is not present on your system.\r\n\u2022\t\r\n\r\nFollow the instructions to complete the removal.\r\n\r\nImpact of Workaround: After you remove the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training will fail.\r\n\u2022\t\r\n\r\nRemove Step-by-Step Interactive Training.\r\nRemoving Step-by-Step Interactive Training will help prevent attacks.To remove Step-by-Step Interactive Training, follow these steps:\r\n\u2022\t\r\n\r\nClick Start, click Run, and type:\r\n\r\n%windir%\IsUninst.exe -x -y -a -f"%windir%\orun32.isu"\r\n\r\nNote You may have to replace "orun32.isu" with "mrun32.isu" or "lrun32.isu," depending on the version of Step-by-Step Interactive Training that is installed. If you have several of these versions installed, you must remove them all.\r\n\r\nImpact of Workaround: After you remove the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training will fail.\r\n\u2022\t\r\n\r\nDelete or rename the Step-by-Step Interactive Training .ini program file.\r\nIf Step-by-Step Interactive Training cannot be removed by using the methods that are documented in this section of the security bulletin, you may be able to help prevent attacks by deleting or renaming the physical file. Delete or rename the %windir%\Orun32.ini file.\r\n\r\nNote You may have to replace "Orun32.ini" with "Lrun32.ini\u201d or \u201cMrun32.ini\u201d depending on the version of Step-by-Step Interactive Training that is installed.\r\n\r\nImpact of Workaround: After you disable the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training may fail.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Interactive Training Vulnerability - CVE-2006-3448:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability?\r\nAn unchecked buffer in the process that is used by Step-by-Step Interactive Training to validate bookmark link files.\r\n\r\nWhat is a bookmark link file?\r\nBookmark link files are created by using the Step-by-Step Interactive Training user interface. These files allow a user the ability to quickly and easily link to a particular topic. Bookmark link files are text files that contain the information that is required by Step-by-Step Interactive Training to view a topic.\r\n\r\nWhat is Step-by-Step Interactive Training?\r\nStep-by-Step Interactive Training is used as the engine for hundreds of interactive training titles that are provided by Microsoft Press and other vendors. The list of known titles that contain this software is provided in Microsoft Knowledge Base Article 898458. For more information about other available Microsoft Press titles that may contain this software see the Microsoft Press Web site. This Web site will only document titles that may contain this software. Because of the nature of the distribution of this software by Microsoft, by our manufacturing partners, and by our publishing partners, there is no definitive list of all the titles that may have provided this software or of manufacturers that may have preinstalled this software. We recommend installing the available security update if you believe that this software may be installed on your system. You can also use the information provided in the "How do I know if I have Step-by-Step Interactive Training installed on my system?" frequently asked question to scan your enterprise for the affected files.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAn attacker that could construct a specially crafted file and then persuade a user to visit a malicious Web site that opened this file, or an attacker that could persuade a user to open a specially crafted attachment provided in an e-mail message, could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code.\r\n\r\nThere are several additional ways that an attacker could try to exploit this vulnerability. However, user interaction is required to exploit this vulnerability in each of these ways. Some examples follow:\r\n\u2022\t\r\n\r\nAn attacker could exploit the vulnerability by constructing a malicious Step-by-Step Interactive Training bookmark file (a .cbo, cbl, or .cbm file) and then persuade the user to open the file.\r\n\u2022\t\r\n\r\nAn attacked could send a malicious file as an attachment to a user through e-mail and then convince a user to open the attachment.\r\n\u2022\t\r\n\r\nAn attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also try to compromise a Web site to have it deliver a Web page that contains malicious content to try to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site or to a Web site that has been compromised by the attacker.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAny operating system where Step-by-Step Interactive Training is installed is at risk from this vulnerability. Because this software is typically installed only on client systems, servers would typically not be at risk from the vulnerability.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that Step-by-Step Interactive Training validates the contents of a bookmark file before Step-by-Step Interactive Training copies the content into the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nBrett Moore of Security-Assessment.com for reporting the Interactive Training Vulnerability (CVE-2006-3448).\r\n\r\nObtaining Other Security Updates:\r\n\r\nUpdates for other security issues are available at the following locations:\r\n\u2022\t\r\n\r\nSecurity updates are available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."\r\n\u2022\t\r\n\r\nUpdates for consumer platforms are available at the Microsoft Update Web site.\r\n\r\nSupport:\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nSecurity Resources:\r\n\u2022\t\r\n\r\nThe Microsoft TechNet Security Web site provides additional information about security in Microsoft products.\r\n\u2022\t\r\n\r\nTechNet Update Management Center\r\n\u2022\t\r\n\r\nMicrosoft Software Update Services\r\n\u2022\t\r\n\r\nMicrosoft Windows Server Update Services\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer (MBSA)\r\n\u2022\t\r\n\r\nWindows Update\r\n\u2022\t\r\n\r\nMicrosoft Update\r\n\u2022\t\r\n\r\nWindows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n\u2022\t\r\n\r\nOffice Update \r\n\r\nSoftware Update Services:\r\n\r\nBy using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor more information about how to deploy security updates by using Software Update Services, visit the Software Update Services Web site.\r\n\r\nWindows Server Update Services:\r\n\r\nBy using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 onto Windows 2000 and later operating systems.\r\n\r\nFor more information about how to deploy security updates using Windows Server Update Services, visit the Windows Server Update Services Web site.\r\n\r\nSystems Management Server:\r\n\r\nMicrosoft Systems Management Server (SMS) delivers a highly configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.\r\n\r\nNote SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scan Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (February 13, 2007): Bulletin published.", "edition": 1, "cvss3": {}, "published": "2007-02-13T00:00:00", "title": "Microsoft Security Bulletin MS07-005", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2006-3448"], "modified": "2007-02-13T00:00:00", "id": "SECURITYVULNS:DOC:16052", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16052", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:23", "description": "Buffer overflow on bokmarks files handling (.cbl, .cbm, .cbo).", "edition": 1, "cvss3": {}, "published": "2007-02-14T00:00:00", "title": "Microsoft Step-by-Step Interactive Training buffer overflow", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2006-3448"], "modified": "2007-02-14T00:00:00", "id": "SECURITYVULNS:VULN:7223", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7223", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:47:04", "description": "Step-by-Step Interactive Training is an engine for interactive training titles provided by Microsoft Press and other vendors. By using the Step-by-Step Interactive Training user interface Bookmark link files (.CBO,.CBL,.CBM) are created. These files allow easier access to a particular topic, and contain the information that is required by Step-by-Step Interactive Training to view a topic.A remote code execution vulnerability has been reported in Microsoft Step-by-Step Interactive Training. The application fails to properly handle malformed bookmark link files. To trigger this flaw, an attacker can specially craft a malicious Web page with a malformed bookmark file. Successful exploitation could result in remote code execution on an affected system.", "cvss3": {}, "published": "2007-02-15T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Step-by-Step Interactive Training Buffer Overflow (MS07-005; CVE-2006-3448)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3448"], "modified": "2007-02-15T00:00:00", "id": "CPAI-2007-027", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T15:28:47", "description": "Buffer overflow in the Step-by-Step Interactive Training in Microsoft Windows 2000 SP4, XP SP2 and Professional, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a long Syllabus string in crafted bookmark link files (cbo, cbl, or .cbm), a different issue than CVE-2005-1212.", "cvss3": {}, "published": "2007-02-13T20:28:00", "type": "cve", "title": "CVE-2006-3448", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1212", "CVE-2006-3448"], "modified": "2018-10-18T16:47:00", "cpe": ["cpe:/a:microsoft:step-by-step_interactive_training:*"], "id": "CVE-2006-3448", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3448", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:step-by-step_interactive_training:*:*:*:*:*:*:*:*"]}]}
