SecurityTracker.com

Category:   OS (Microsoft)  >   Windows DLL (Any)
Vendors:   Microsoft
Windows Media Encoder Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1020832
SecurityTracker URL:  http://securitytracker.com/id/1020832
CVE Reference:   CVE-2008-3008
Date:  Sep 9 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2000 SP4, 2003 SP2, XP SP3, Vista SP1, 2008; and prior service packs
Description:   A vulnerability was reported in the Windows Media Encoder. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will invoke the WMEX.DLL ActiveX control and trigger a buffer overflow to execute arbitrary code on the target system. The code will run with the privileges of the target user.

The CLSID of the vulnerable control is: A8D3AD02-7508-4004-B2E9-AD33F087F43C

Nguyen Minh Duc and Le Manh Tung of Bach Khoa Internetwork Security Center (BKIS), Hanoi University of Technology (Vietnam), reported this vulnerability.
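
The description above says the control is invoked from HTML and gives its CLSID, so one defensive check is to flag pages whose object markup loads that CLSID. The following is an added example, not part of the original advisory or of any Microsoft tooling; the function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID of the WMEX.DLL control, copied from the advisory text.
WMEX_CLSID = "A8D3AD02-7508-4004-B2E9-AD33F087F43C"

_CLASSID_RE = re.compile(
    r"^\s*clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?\s*$",
    re.IGNORECASE,
)

def normalize_classid(value):
    """Return the bare upper-case GUID from a classid attribute, else None."""
    match = _CLASSID_RE.match(value or "")
    return match.group(1).upper() if match else None

class _ObjectScanner(HTMLParser):
    """Records the line of every <object> whose classid is on the watch list."""

    def __init__(self, watched):
        super().__init__(convert_charrefs=True)
        self.watched = watched
        self.lines = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and decodes
        # character references in attribute values before we see them.
        if tag != "object":
            return
        for name, value in attrs:
            if name == "classid" and normalize_classid(value) in self.watched:
                self.lines.append(self.getpos()[0])

def find_wmex_objects(html_text, watched=frozenset({WMEX_CLSID})):
    """Return 1-based line numbers of <object> tags that load a watched CLSID."""
    scanner = _ObjectScanner(watched)
    scanner.feed(html_text)
    scanner.close()
    return scanner.lines

# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """<html><body>
<object id="enc" classid="clsid:a8d3ad02-7508-4004-b2e9-ad33f087f43c"></object>
<object classid="CLSID:&#65;8D3AD02-7508-4004-B2E9-AD33F087F43C" width="0"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<p>clsid:A8D3AD02-7508-4004-B2E9-AD33F087F43C mentioned in text only</p>
</body></html>"""

if __name__ == "__main__":
    print(find_wmex_objects(SAMPLE_HTML))
```

The scan covers static object markup only; a control instantiated from script is outside what it checks.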

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 4, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?familyid=0cabfbc0-db5d-4a6a-a4cd-e6df89ac2b25

Windows XP Service Pack 2 and Windows XP Service Pack 3, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?familyid=57bcb3c2-49d3-4f18-8d03-36abd03d7403

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?FamilyID=18efea9e-b103-46de-90d9-5e295854cec3

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, Windows Media Encoder 9 Series x64 Edition:

http://www.microsoft.com/downloads/details.aspx?familyid=ebc1737c-6e78-4244-a1b2-a56d031f16e9

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?familyid=54ce1080-94cf-4e4f-8e09-a7dbab2757c5

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c83011cd-90b8-494c-9cad-fa055e101992

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, Windows Media Encoder 9 Series x64 Edition:

http://www.microsoft.com/downloads/details.aspx?familyid=d8f1b782-136b-443f-b5f2-63aa4d1fd94a

Windows Vista and Windows Vista Service Pack 1, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?familyid=99beebc4-553a-46f8-8245-e3d932306c93

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?FamilyID=99beebc4-553a-46f8-8245-e3d932306c93

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1, Windows Media Encoder 9 Series x64 Edition:

http://www.microsoft.com/downloads/details.aspx?familyid=54d1279a-7f26-4727-a39d-5505bcd4fc53

Windows Server 2008 for 32-bit Systems*, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?familyid=5434ca66-5a6b-4517-92fb-72dea0a172ec

Windows Server 2008 for x64-based Systems*, Windows Media Encoder 9 Series:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5434ca66-5a6b-4517-92fb-72dea0a172ec

Windows Server 2008 for x64-based Systems*, Windows Media Encoder 9 Series x64 Edition:

http://www.microsoft.com/downloads/details.aspx?familyid=e30f9427-26d0-4e86-b9b8-bc637c3b5734

* (Core installation not affected)

A restart may be required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms08-053.mspx
Cause:   Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Tue, 9 Sep 2008 13:24:07 -0400
Subject:  http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx


Microsoft Security Bulletin MS08-053  Critical: Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)

CVE-2008-3008
 
 



Copyright 2014, SecurityGlobal.net LLC