Overview
Microsoft Step-by-Step Interactive Training contains a buffer overflow vulnerability. If successfully exploited, this vulnerability may allow an attacker to execute arbitrary code.
Description
Microsoft Step-by-Step Interactive Training is a training program developed by MIcrosoft. It is preinstalled by some computer manufactuers and is included in many Microsoft Press books. Microsoft Knowledge Base article 898458 contains a partial list of software and publications that include the Step-by-Step Interactive training. The Step-by-Step Interactive Training contains a buffer overflow. To trigger the vulnerability, an attacker would need to convince a user to open a specially crafted bookmark link file. The bookmark file name extension can be .CBL, .CBM, or .CBO. |
Impact
By convincing a user to open a specially crafted bookmark link file, a remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the user who is running the Step-by-Step Interactive Training program. |
Solution
Update |
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.microsoft.com/technet/security/Bulletin/ms07-005.mspx
- http://support.microsoft.com/kb/898458
- http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
- http://secunia.com/advisories/24121/
- http://securitytracker.com/alerts/2007/Feb/1017632.html
- http://www.securityfocus.com/bid/22484
Acknowledgements
Thanks to Microsoft for information used in this report. Microsoft in turn thanks Brett Moore of Security-Assessment.com.
This document was written by Ryan Giobbi.
Other Information
| CVE IDs: | CVE-2006-3448 |
| Severity Metric: | 5.13 |
| Date Public: | 2007-02-13 |
| Date First Published: | 2007-02-14 |
| Date Last Updated: | 2007-02-23 14:16 UTC |
| Document Revision: | 24 |