SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#810772

Microsoft Agent fails to properly handle specially crafted .ACF files

Overview

Microsoft Agent fails to properly handle specially crafted .ACF files and may allow a remote attacker to execute arbitrary code.

I. Description

Microsoft Agent is a software technology that enables an enriched form of user interaction that can make using and learning to use a computer easier and more natural.

A vulnerability exists in the way that Microsoft Agent handles specially crafted .ACF files. Exploitation can occur when a remote attacker convinces the user to visit a specially crafted web site.

Microsoft states that the following systems are affected:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition

II. Impact

This vulnerability may allow a remote attacker to execute arbitrary code with the privileges of the local user.

III. Solution

Apply an update


Microsoft has released updates in Microsoft Security Bulletin MS06-068 to address this issue.

Workarounds

Microsoft has provided the following workarounds, please reference MS06-068 for further information.

  • Temporarily prevent the Microsoft Agent ActiveX control from running in Internet Explorer
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone
  • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones

Systems Affected
VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable14-Nov-2006

References


http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx
http://secunia.com/advisories/22878/
http://www.securityfocus.com/bid/21034

Credit

Thanks to Microsoft Security for reporting this vulnerability in Microsoft Security Bulletin MS06-068.

This document was written by Katie Steiner.

Other Information

Date Public:2006-11-14
Date First Published:2006-11-14
Date Last Updated:2007-02-07
CERT Advisory: 
CVE-ID(s):CVE-2006-3445
NVD-ID(s):CVE-2006-3445
US-CERT Technical Alerts: 
Metric:22.57
Document Revision:14

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader