CERTA-2008-AVI-308
Vulnerability from certfr_avis

A vulnerability has been identified in the implementation of the Windows speech recognition interface. It was covered in an article in the news bulletin CERTA-2007-ACT-005. This is a cumulative update.

Description

A vulnerability has been identified in the implementation of the Windows speech recognition interface. It was covered in an article in the news bulletin CERTA-2007-ACT-005.

This is a cumulative update that sets the kill bit for certain ActiveX controls related to speech recognition on Windows (in particular sapi.dll).

The speech recognition service is not enabled by default.

Solution

Refer to Microsoft security bulletin MS08-032 to obtain the patches (see the Documentation section).

Impacted products
| Vendor | Product | Description |
|---|---|---|
| Microsoft | Windows | Windows 2003 Server (SP1 and SP2) for Itanium-based systems |
| Microsoft | Windows | Windows Vista x64 Edition |
| Microsoft | Windows | Windows XP x64 Edition |
| Microsoft | Windows | Windows XP Service Pack 2 |
| Microsoft | Windows | Windows 2003 Server x64 Edition Service Pack 2 |
| Microsoft | Windows | Windows 2003 Server x64 Edition |
| Microsoft | Windows | Windows Vista x64 Edition Service Pack 1 |
| Microsoft | Windows | Windows 2008 Server (for 32-bit, x64 and Itanium systems) |
| Microsoft | Windows | Windows XP Service Pack 3 |
| Microsoft | Windows | Windows 2003 Server Service Pack 2 |
| Microsoft | Windows | Windows Vista Service Pack 1 |
| Microsoft | Windows | Windows XP x64 Edition Service Pack 2 |
| Microsoft | Windows | Windows Vista |
| Microsoft | Windows | Windows 2003 Server Service Pack 1 |

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Windows 2003 Server (SP1 et SP2) pour syst\u00e8mes Itanium ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows Vista x64 Edition ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows XP x64 Edition ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows XP Service Pack 2 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows 2003 Server x64 Edition Service Pack 2 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows 2003 Server x64 Edition ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows Vista x64 Edition Service Pack 1 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows 2008 Server (pour syst\u00e8mes 32-bit, x64 et Itanium).",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows XP Service Pack 3 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows 2003 Server Service Pack 2 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows Vista Service Pack 1 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows XP x64 Edition Service Pack 2 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows Vista ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows 2003 Server Service Pack 1 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 identifi\u00e9e dans la mise en \u0153uvre de l\u0027interface\nde reconnaissance vocale Windows. Elle avait fait l\u0027objet d\u0027un article\ndans le bulletin d\u0027actualit\u00e9 CERTA-2007-ACT-005.\n\nIl s\u0027agit ici d\u0027une mise \u00e0 jour cumulative qui consiste \u00e0 activer le\nkill bit de certains contr\u00f4les ActiveX li\u00e9s \u00e0 la reconnaissance vocale\nsous Windows (en particulier sapi.dll).\n\nLe service de reconnaissance vocale n\u0027est pas activ\u00e9 par d\u00e9faut.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 MS08-032 de Microsoft pour\nl\u0027obtention des correctifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2007-0675",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-0675"
    }
  ],
  "initial_release_date": "2008-06-11T00:00:00",
  "last_revision_date": "2008-06-11T00:00:00",
  "links": [
    {
      "title": "Bulletin d\u0027actualit\u00e9 CERTA-2007-ACT-005 du 02 f\u00e9vrier 2007,    \u00ab La reconnaissance vocale sous Windows Vista \u00bb :",
      "url": "http://www.certa.ssi.gouv.fr/site/CERTA-2007-ACT-005.pdf"
    }
  ],
  "reference": "CERTA-2008-AVI-308",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2008-06-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 identifi\u00e9e dans la mise en \u0153uvre de l\u0027interface\nde reconnaissance vocale Windows. Elle avait fait l\u0027objet d\u0027un article\ndans le bulletin d\u0027actualit\u00e9 CERTA-2007-ACT-005. Il s\u0027agit ici d\u0027une\nmise \u00e0 jour cumulative.\n",
  "title": "Vuln\u00e9rabilit\u00e9 li\u00e9e au service de reconnaissance vocale Windows",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft MS08-032 du 10 juin 2008",
      "url": "http://www.microsoft.com/technet/security/Bulletin/MS08-032.mspx"
    }
  ]
}
