The OLE packager component (packager.dll) of Microsoft Windows will automatically download remote files referenced in embedded OLE objects within Office documents. In the case of .INF installer files, packager.dll will automatically run them without prompting the user. This can be abused to gain arbitrary code execution by creating an Office document with an embedded OLE object containing a reference to a remote INF file with specially crafted commands. This vulnerability can be exploited by convincing an unsuspecting user to open a specially crafted PowerPoint document.
A remote code execution vulnerability exists in the way that Windows registers and uses the Windows Object Packager that may allow the execution of any executable file named packager.exe, if this executable is located in the same folder than a .PPSX file. The attacker must entice a victim into opening a specially crafted .PPSX file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.
This module exploits a stack-based buffer overflow in the MSCOMCTL.OCX control by sending a specially crafted .RTF file. This module runs a web server waiting for vulnerable clients to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
This module exploits a stack-based buffer overflow in the msvidctl.dll ActiveX Control included in Microsoft Windows DirectShow. This module runs a web server waiting for vulnerable clients (Internet Explorer) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
Windows Movie Maker is prone to a vulnerability that may allow the execution of any library file named rsaenh.dll, if this dll is located in the same folder as a .MSWMM file. The attacker must entice a victim into opening a specially crafted .MSWMM file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.
Windows Meeting Space is prone to a vulnerability that may allow the execution of any library file named wab32res.dll, if this dll is located in the same folder as a .WCINV file. The attacker must entice a victim into opening a specially crafted .WCINV file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.
Subscribe to Windows