Vulnerability Note VU#701121
Gracenote CDDB ActiveX control buffer overflow
The Gracenote CDDB ActiveX control contains a buffer overflow vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system.
CDDB (CD Data Base) is an internet database provided by Gracenote. CDDB contains track lists and other information about music CDs.
By convincing a user to view a specially crafted HTML document (e.g., a web page, HTML email message, or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
Apply an update
Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document and the Malicious Web Scripts FAQ.
Note that disabling ActiveX controls in the Internet Zone will reduce the functionality of some web sites.
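The workaround above can be checked from the registry. The following PowerShell script is an added example, not part of the CERT/CC note: it reports how the Internet Zone treats ActiveX and, with `-Fix`, sets the per-user values to disabled. The registry paths and URL action numbers are the standard Internet Explorer zone settings and do not appear in the note itself.

```powershell
# Added example: audit ActiveX URL actions for the Internet Zone (zone 3).
# Standard value data: 0 = enabled, 1 = prompt, 3 = disabled.
param([switch]$Fix)  # -Fix writes 3 (disabled) to the per-user zone settings

$zone       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policyZone = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked safe for scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

function Get-ZoneValue([string]$Path, [string]$Name) {
    # Returns the DWORD as an int, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

# Group Policy locations take precedence over the per-user preference.
# Not handled here: the Security_HKLM_only policy, which makes IE read zones from HKLM.
$report = foreach ($id in $actions.Keys) {
    $value = $null
    $source = 'not set'
    foreach ($path in "HKLM:\$policyZone", "HKCU:\$policyZone", "HKCU:\$zone") {
        $found = Get-ZoneValue $path $id
        if ($null -ne $found) { $value = $found; $source = $path; break }
    }
    # Only touch the per-user preference; a policy-enforced value is left alone.
    if ($Fix -and $value -ne 3 -and $source -notlike '*\Policies\*') {
        Set-ItemProperty -Path "HKCU:\$zone" -Name $id -Value 3 -Type DWord
        $value = 3
        $source = "HKCU:\$zone (updated)"
    }
    $setting = if ($null -eq $value) { 'not set' }
               elseif ($meaning.ContainsKey($value)) { $meaning[$value] }
               else { "other ($value)" }
    [pscustomobject]@{
        Action = $id; Description = $actions[$id]; Setting = $setting; Source = $source
    }
}
$report | Format-Table -AutoSize
```

Any row whose Setting is not `disabled` means the Internet Zone can still run or script ActiveX controls, so the workaround is not in effect for that action.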
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| America Online, Inc. | Affected | 08 Dec 2006 | 08 Dec 2006 |
| Gracenote | Affected | 11 May 2006 | 28 Jun 2006 |
| Nokia | Affected | 20 Mar 2006 | 29 Jun 2006 |
| Sony Corporation | Affected | 15 Mar 2006 | 27 Jun 2006 |
Thanks to Dan Plakosh of CERT/CC and Richard Smith for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: CVE-2006-3134
- Date Public: 27 Jun 2006
- Date First Published: 27 Jun 2006
- Date Last Updated: 15 Aug 2007
- Severity Metric: 7.46
- Document Revision: 23