36395 : Microsoft IE ActiveX (pdwizard.ocx) Unspecified Memory Corruption
Printer | http://osvdb.org/36395 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
6	882	over 4 years ago	about 1 year ago	1 times	90%

Timeline

Disclosure Date	Vendor Solution Date
2007-08-14	2007-08-14

Description

Internet Explorer contains a flaw that may allow a malicious user to remotely execute arbitrary code. The issue is due to an unspecified vulnerability in the pdwizard.ocx Active X object and is related to MS VB6 objects and memory corruption. It is possible that the flaw may result in a loss of integrity.

Classification

Location: Remote / Network Access, Context Dependent
Attack Type: Input Manipulation, Other
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

Microsoft has released MS07-45 to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): prevent COM objects from running in IE and/or configure Internet and Local Intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones.

Products

Microsoft Corporation	Internet Explorer	5.01
		6 SP1
		7

References

Security Tracker: 1018562
CVE ID: 2007-3041 (see also: NVD)
OVAL ID: 2232
Bugtraq ID: 25295
Secunia Advisory ID: 26419
SCIP VulDB ID: 3245
Related OSVDB ID: 36396 36397
Microsoft Knowledge Base Article: 937143
VUPEN Advisory: ADV-2007-2869
News Article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9030696
Microsoft Security Bulletin: MS07-045

Tools & Filters

Snort	12261 12262 12263 12264 13321 13322 13323 13324
	25883

Credit

Unknown or Incomplete

CVSSv2 Score

CVSSv2 Base Score = 9.3
Source: nvd.nist.gov | Generated: 2007-08-15 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

2007/12/02 11:47:00 | Internet Explorer and Firefox Vulnerability Analysis

from: UNIX System Administration: Solaris, AIX, HP-UX, Tru64, BSD.

Jeffrey Jones has published a reather interesting internet browser Vulnerability Analysis of Internet Explorer and Firefox using cross-checked references of common security bulletings such as Microsoft's Security Bulletin page, Mozilla's security announcements as well as NIST, Secunia, SecurityFocus, and many others

2007/08/15 03:33:38 | CVE-2007-3041

from: vdforum : Компьютерные новости

Unspecified vulnerability in the pdwizard.ocx ActiveX object for Internet Explorer 5.01, 6 SP1, and 7 allows remote attackers to execute arbitrary code via unknown vectors related to Microsoft Visual Basic 6 objects and memory corruption, aka"ActiveX Object Memory Corruption Vulnerability." en.securitylab.ru/nvd/301271.php

2007/08/17 13:14:58 | Microsoft Security Bulletin - Aug 2007

from: http://blog.terencelim.net

Microsoft released their security bulletins for the month of August 2007. Of the 9 bulletins released, 6 are rated critical and 3 as important ... pdwizard.ocx’ can trigger code execution CVE-2007-3041 . http://www.microsoft.com/technet/security

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.