Microsoft Management Console Input Validation Hole Permits Remote Code Execution
SecurityTracker Alert ID: 1016655
SecurityTracker URL: http://securitytracker.com/id/1016655
CVE Reference: CVE-2006-3643
Date: Aug 8 2006
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Description:
A vulnerability was reported in Microsoft Management Console. A remote user can conduct cross-site scripting attacks to execute arbitrary code on the target user's system.
A remote user can create HTML code that references embedded resource files and that, when loaded by a target user, will execute arbitrary code on the management console. The code will run with the privileges of the target user.
Microsoft credits Yorick Koster of ITsec Security Services, H D Moore, and Tom Gilder with reporting this vulnerability.
Impact:
A remote user can execute arbitrary code on the management console.
Solution:
The vendor has issued the following fix:
Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=87fe4c18-21dc-4d83-a1d8-503b92fdba2b
A restart may be required.
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms06-044.mspx
Vendor URL: www.microsoft.com/technet/security/bulletin/ms06-044.mspx
Cause:
Input validation error
Underlying OS:
Windows (2000)
Message History:
None.
Source Message Contents
Date: Tue, 8 Aug 2006 14:00:49 -0400
Subject: Microsoft Security Bulletin MS06-044: Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
http://www.microsoft.com/technet/security/bulletin/ms06-044.mspx
CVE-2006-3643