CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.967 High (Percentile: 99.7%)
Added: 01/08/2009
CVE: CVE-2008-1898
BID: 28820
OSVDB: 44458
Microsoft Works is a suite of productivity tools for home users.
The WkImgSrv.dll ActiveX control included in Microsoft Works allows command execution when a user loads a web page that instantiates the control with an invalid WksPictureInterface property value.
Set the kill bit on class ID 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 as described in Microsoft support article 240797.
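The following PowerShell script is an added example, not part of the original advisory or of Microsoft's article. It reports whether the kill bit is set for the class ID above and, when run elevated with the `-Apply` switch, sets it. It assumes the standard kill-bit mechanism: a `Compatibility Flags` DWORD containing 0x400 under the Internet Explorer `ActiveX Compatibility` registry key, checked in both the native and the 32-bit (Wow6432Node) registry views.

```powershell
# Added example (not from the advisory): audit the kill bit, and set it with -Apply.
param([switch]$Apply)

$Clsid   = '{00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6}'  # class ID given in this advisory
$KillBit = 0x400                                      # kill-bit value in "Compatibility Flags"
$Name    = 'Compatibility Flags'
# Native view plus the 32-bit view used by 32-bit Internet Explorer on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Returns the current flags for a CLSID key, or 0 if the key or value is missing.
function Get-CompatFlags([string]$Key) {
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $p = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$Name
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on 32-bit Windows
    $key   = Join-Path $root $Clsid
    $flags = Get-CompatFlags $key
    $set   = ($flags -band $KillBit) -eq $KillBit

    if (-not $set -and $Apply) {
        # Requires an elevated session. Existing flag bits are preserved.
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
            -Value ($flags -bor $KillBit) -Force | Out-Null
        $flags = Get-CompatFlags $key
        $set   = ($flags -band $KillBit) -eq $KillBit
    }

    # One result object per registry view, suitable for export or fleet reporting.
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = $set
    }
}
```

Run without arguments to audit only; any row with `KillBitSet` false means Internet Explorer can still instantiate the control from that registry view.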
<http://www.milw0rm.com/exploits/5460>
The exploit works on Microsoft Works 7 and requires a user to load the exploit page in Internet Explorer.
Internet Explorer on the target machine must treat the script server's host address as being in the Local intranet zone or the Trusted sites zone, and the option "Initialize and script ActiveX controls not marked as safe" must be set to Enable or Prompt, because the affected ActiveX control is not marked safe for scripting.
Windows