(9) HIGH: Microsoft Visual FoxPro Multiple ActiveX Controls Remote Command Execution
Affected: Microsoft Visual FoxPro version 6 and prior

Description: Microsoft Visual FoxPro is an integrated development environment for the FoxPro database language. Several ActiveX controls installed by the application contain arbitrary command execution vulnerabilities. These controls provide methods explicitly designed to execute commands upon request, and do not verify the caller. A malicious web page that instantiated one of these controls could exploit one of these vulnerabilities to execute arbitrary code with the privileges of the current user. Multiple proofs-of-concept are publicly available for these vulnerabilities. Note that these vulnerabilities may be related to issues discussed in previous editions of @RISK.

Status: Microsoft has not confirmed; updates are not available. Users can mitigate the impact of these vulnerabilities by disabling the affected controls via Microsoft's "kill bit" mechanism for CLSIDs "008B6010-1F3D-11D1-B0C8-00A0C9055D74" and "A7CD2320-6117-11D7-8096-0050042A4CD2".

References:
Proofs-of-Concept
http://milw0rm.com/exploits/4873
http://milw0rm.com/exploits/4875
Wikipedia Article on FoxPro
http://en.wikipedia.org/wiki/FoxPro
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Product Home Page
http://msdn2.microsoft.com/en-us/vfoxpro/default.aspx
SecurityFocus BIDs
http://www.securityfocus.com/bid/27205
http://www.securityfocus.com/bid/27199

-- 
Richard Kaye
Vice President
Artfact/RFC Systems
Voice: 617.219.1038
Fax: 617.219.1001

For the fastest response time, please send your support queries to:
Technical Support - [EMAIL PROTECTED]
Australian Support - [EMAIL PROTECTED]
Internet Support - [EMAIL PROTECTED]
All Other Requests - [EMAIL PROTECTED]
---------------------------------------------------------
This message has been checked for viruses before sending.
---------------------------------------------------------
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[EMAIL PROTECTED]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
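The advisory's mitigation is to set the "kill bit" for the two CLSIDs it names. The following PowerShell script is an added example, not part of the @RISK advisory or of the ProFox post above, showing how that is done the way KB 240797 describes it: a DWORD named "Compatibility Flags" with the 0x400 bit set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The two CLSIDs are taken from the advisory; the Wow6432Node handling for 64-bit Windows and the OR-in of existing flags are this example's own choices, and the script must run from an elevated session.

```powershell
# Added example (not from the advisory or the post): apply the ActiveX kill bit
# for the two Visual FoxPro control CLSIDs named in the @RISK entry, following
# the registry layout documented in Microsoft KB 240797. Run elevated.

$Clsids = @(
    '{008B6010-1F3D-11D1-B0C8-00A0C9055D74}',   # from the advisory
    '{A7CD2320-6117-11D7-8096-0050042A4CD2}'    # from the advisory
)

# 0x400 in "Compatibility Flags" is the kill bit: IE refuses to instantiate the control.
$KillBit = 0x400

# Native view of the registry. On 64-bit Windows the 32-bit IE reads the
# Wow6432Node view, so both must be set (assumption of this example, not
# stated in the advisory).
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # OR the kill bit into whatever flags are already present instead of
    # overwriting them, so other compatibility flags survive.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $flags = $existing -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $flags -Force | Out-Null
    return $flags
}

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    $v = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
          -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $KillBit) -eq $KillBit)
}

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $flags = Set-KillBit -Root $root -Clsid $clsid
        $ok    = Test-KillBit -Root $root -Clsid $clsid
        '{0}\{1}  Compatibility Flags=0x{2:X}  killbit set={3}' -f $root, $clsid, $flags, $ok
    }
}
```

The kill bit only stops hosts that honour it (Internet Explorer and applications that embed its control loading); the control stays registered, so a COM client that does not check the flag can still create it. Export the two keys before running so the change can be reversed once Microsoft ships a fix.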

