ID CVE-2008-4253
Summary The FlexGrid ActiveX control in Microsoft Visual Basic 6.0, Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2, Office FrontPage 2002 SP3, and Office Project 2003 SP3 does not properly handle errors during access to incorrectly initialized objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to corruption of the "system state," aka "FlexGrid Control Memory Corruption Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:office_frontpage:2002:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2007:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_basic:6.0:*:runtime_extended_files:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:8.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:9.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:9.0:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_studio_.net:2002:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1:*:*:*:*:*:*
CVSS
Base: 8.5 (as of 12-10-2018 - 21:48)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector NETWORK
  • Complexity MEDIUM
  • Authentication SINGLE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
cvss-vector via4 AV:N/AC:M/Au:S/C:C/I:C/A:C
msbulletin via4
bulletin_id MS08-070
bulletin_url
date 2008-12-09T00:00:00
impact Remote Code Execution
knowledgebase_id 932349
knowledgebase_url
severity Critical
title Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution
oval via4
accepted 2012-11-12T04:00:35.411-05:00
class vulnerability
contributors
  • name Sudhir Gandhe
    organization Secure Elements, Inc.
  • name Pradeep R B
    organization SecPod Technologies
  • name Pradeep R B
    organization SecPod Technologies
definition_extensions
  • comment Microsoft Project 2003 SP3 is installed
    oval oval:org.mitre.oval:def:5755
  • comment Microsoft Office XP is installed
    oval oval:org.mitre.oval:def:663
  • comment Microsoft Visual FoxPro is installed
    oval oval:org.mitre.oval:def:14198
  • comment Microsoft Visual Basic 6.0 is installed
    oval oval:org.mitre.oval:def:15369
description The FlexGrid ActiveX control in Microsoft Visual Basic 6.0, Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2, Office FrontPage 2002 SP3, and Office Project 2003 SP3 does not properly handle errors during access to incorrectly initialized objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to corruption of the "system state," aka "FlexGrid Control Memory Corruption Vulnerability."
family windows
id oval:org.mitre.oval:def:5994
status accepted
submitted 2008-12-09T13:31:00
title FlexGrid Control Memory Corruption Vulnerability
version 68
refmap via4
bid 32592
cert TA08-344A
confirm http://support.avaya.com/elmodocs2/security/ASA-2008-473.htm
sectrack 1021369
vupen ADV-2008-3382
Last major update 12-10-2018 - 21:48
Published 10-12-2008 - 14:00
Last modified 12-10-2018 - 21:48