Executive Summary
Summary | |
---|---|
Title | Particle Software IntraLaunch Application Launcher ActiveX control fails to restrict access to dangerous methods |
Informations | |||
---|---|---|---|
Name | VU#908801 | First vendor Publication | 2009-04-06 |
Vendor | VU-CERT | Last vendor Modification | 2009-04-15 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#908801Particle Software IntraLaunch Application Launcher ActiveX control fails to restrict access to dangerous methodsOverviewThe Particle Software IntraLaunch Application Launcher ActiveX control allows arbitrary code execution.I. DescriptionParticle Software IntraLaunch is an ActiveX control that "... allows web page links to execute anything from applications to associations such as Word or Acrobat PDF documents both locally and across a network without prompts or security warnings." The IntraLaunch ActiveX control, which is provided by IntraLaunch.ocx, is marked Safe for Scripting and by default is not restricted to any specific domain or Internet Explorer zone. This means that any web site has the ability to run arbitrary code on a system that has the control.Note that a vendor may purchase a site-locked version of the IntraLaunch control, but by default the control is not restricted.
{58FEBB79-70F5-48A6-9697-E91591DA3F8E} {858B4F85-E945-4F0C-AF65-059E0AD9EEC0}
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0AE533FE-B805-4FD6-8AE1-A619FBEE7A23}] "Compatibility Flags"=dword:00000400 [HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{58FEBB79-70F5-48A6-9697-E91591DA3F8E}] "Compatibility Flags"=dword:00000400 [HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{858B4F85-E945-4F0C-AF65-059E0AD9EEC0}] "Compatibility Flags"=dword:00000400 Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document. Systems Affected
Referenceshttp://www.cert.org/tech_tips/securing_browser/ This vulnerability was reported by Will Dormann of the CERT/CC. This document was written by Will Dormann.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/908801 |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
53798 | Particle Software IntraLaunch Application Launcher ActiveX (IntraLaunch.ocx) ... |