Executive Summary
| Informations | |||
|---|---|---|---|
| Name | MS07-012 | First vendor Publication | 2007-02-13 |
| Vendor | Microsoft | Last vendor Modification | 2007-02-13 |
| Severity (Vendor) | Important | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 10 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Significant user interaction is required to exploit this vulnerability. We recommend that customers apply the update at the earliest opportunity. |
Original Source
| Url : http://www.microsoft.com/technet/security/bulletin/ms07-012.mspx?pubDate=2 (...) |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:157 | |||
| Oval ID: | oval:org.mitre.oval:def:157 | ||
| Title: | MFC Memory Corruption Vulnerability | ||
| Description: | The MFC component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 and Visual Studio .NET 2000, 2002 SP1, 2003, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption. NOTE: this might be due to a stack-based buffer overflow in the AfxOleSetEditMenu function in MFC42u.dll. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2007-0025 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 58785 | Microsoft Windows MFC Component (MFC42u.dll) AfxOleSetEditMenu Function RTF M... |
| 31887 | Microsoft MFC Component RTF OLE Object Memory Corruption Remote Code Execution A local memory corruption flaw exists in Windows and Visual Studio .NET. The MFC component fails to validate OLE objects embedded in a RTF file resulting in memory corruption. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity. |
Information Assurance Vulnerability Management (IAVM)
| Date | Description |
|---|---|
| 2007-02-16 | IAVM : 2007-B-0004 - Microsoft Windows MFC Embedded OLE Object Remote Code Execution Vulnerability Severity : Category II - VMSKEY : V0013603 |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2007-02-13 | Name : Arbitrary code can be executed on the remote host through the MFC component p... File : smb_nt_ms07-012.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:45:36 |
|
| 2013-11-11 12:41:04 |
|
| 2013-05-11 00:49:15 |
|
