search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows fails to properly handle COM objects

Vulnerability Note VU#641460

Original Release Date: 2006-04-11 | Last Revised: 2006-05-15


Microsoft Windows fails to properly handle COM Objects. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.


Microsoft COM

Microsoft COM is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls.

The Problem

Microsoft COM objects are not properly handled. Specifically, users are not properly warned before COM objects are executed.

More information is available in Microsoft Security Bulletin MS06-015.


A remote attacker may be able to execute arbitrary code on a vulnerable system. The attacker-supplied code would be executed with the privileges of the user running Windows Explorer.


Apply an Update

This issue is addressed in Microsoft Security Bulletin MS06-015.

Some problems associated with the update (verclsid.exe) and resolutions are described in Microsoft Knowledge Base Article 918165.

Refer to MS06-015

Refer to Microsoft Security Bulletin MS06-015 for workarounds for this vulnerability.

Vendor Information


Microsoft Corporation Affected

Updated:  April 11, 2006



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Refer to

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was reported in Microsoft Security Bulletin MS06-015. Microsoft credits NISCC with providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2006-0012
Severity Metric: 27.00
Date Public: 2006-04-11
Date First Published: 2006-04-11
Date Last Updated: 2006-05-15 17:18 UTC
Document Revision: 15

Sponsored by CISA.