Microsoft Agent crafted URL vulnerability

2007-09-11T00:00:00
ID SAINT:DEC3B30CBF6D621ABEB3E6DAFB87EAC3
Type saint
Reporter SAINT Corporation
Modified 2007-09-11T00:00:00

Description

Added: 09/11/2007
CVE: CVE-2007-3040
BID: 25566
OSVDB: 36934

Background

Microsoft Agent is a component of the Windows operating system designed to make using a computer easier through enriched user interaction.

Problem

A vulnerability in Microsoft Agent allows command execution when a user loads a web page which calls the Microsoft Agent ActiveX control with a specially crafted URL.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 07-051.

References

<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx>

Limitations

Exploit works on Windows 2000 SP4 and requires a user to load the exploit page in Internet Explorer.

Platforms

Windows 2000