Vulnerability Note VU#225217
Sky Software FileView ActiveX control buffer overflow vulnerability
The Sky Software FileView ActiveX control contains a buffer overflow vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The Sky Software FileView object is an ActiveX control that is provided with several applications, such as WinZip. This ActiveX control contains a buffer overflow vulnerability in the handling of the filepattern property. Exploit code for this vulnerability is publicly available.
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
Apply an update
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Sky Software||Affected||24 Oct 2006||15 Nov 2006|
|WinZip Computing, Inc.||Affected||21 Aug 2006||15 Nov 2006|
CVSS Metrics (Learn More)
Thanks to Dan Plakosh and Will Dormann of CERT/CC for reporting this vulnerability. Before this vulnerability was able to reach a coordinated disclosure date, this vulnerability was publicly disclosed by Micheal Turner.
This document was written by Will Dormann.
- CVE IDs: CVE-2006-3890
- Date Public: 14 Nov 2006
- Date First Published: 15 Nov 2006
- Date Last Updated: 20 Nov 2006
- Severity Metric: 31.12
- Document Revision: 8
If you have feedback, comments, or additional information about this vulnerability, please send us email.