search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Windows fails to properly handle COM objects

Vulnerability Note VU#641460

Original Release Date: 2006-04-11 | Last Revised: 2006-05-15

Overview

Microsoft Windows fails to properly handle COM Objects. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft COM

Microsoft COM is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls.

The Problem

Microsoft COM objects are not properly handled. Specifically, users are not properly warned before COM objects are executed.

More information is available in Microsoft Security Bulletin MS06-015.

Impact

A remote attacker may be able to execute arbitrary code on a vulnerable system. The attacker-supplied code would be executed with the privileges of the user running Windows Explorer.

Solution

Apply an Update

This issue is addressed in Microsoft Security Bulletin MS06-015.

Some problems associated with the update (verclsid.exe) and resolutions are described in Microsoft Knowledge Base Article 918165.


Refer to MS06-015

Refer to Microsoft Security Bulletin MS06-015 for workarounds for this vulnerability.

Vendor Information

641460
 
Expand all

Microsoft Corporation Affected

Updated:  April 11, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported in Microsoft Security Bulletin MS06-015. Microsoft credits NISCC with providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2006-0012
Severity Metric: 27.00
Date Public: 2006-04-11
Date First Published: 2006-04-11
Date Last Updated: 2006-05-15 17:18 UTC
Document Revision: 15

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis