ActiveX module in Microsoft Works opens up security hole

April 18, 2008 – 8:21 AM

A demonstration of a security hole in the Microsoft Works Image Server (WkImgSrv.dll) ActiveX module, which is part of the Microsoft Works office suite, has appeared on the Bugtraq mailing list. The demo appears only to cause a system crash. McAfee, however, has already found fully functional exploits that allow attackers to inject malicious code into vulnerable systems via specially crafted web pages.

The ActiveX module is not marked as “Safe for Scripting”, so Internet Explorer issues a warning before executing the module. However, if a user does allow a crafted web page to execute the module, malicious code may be injected and executed on the system.

No update has been released so far. As a workaround, the kill bit can be set for ClassID 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6. Internet Explorer will then no longer load the vulnerable WkImgSrv.dll, version 7.03.0616.0 and possibly other versions. An article in Microsoft’s knowledge base provides assistance.
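The workaround above as a script, added here as an example and not taken from the original article or from Microsoft. It assumes the standard Internet Explorer kill-bit location (the `ActiveX Compatibility` registry key, with `Compatibility Flags` set to 0x00000400), which the article does not spell out, and an elevated PowerShell prompt; the function name `Set-KillBit` is hypothetical.

```powershell
# Set and verify the Internet Explorer kill bit for the ClassID named in the article.
$Clsid   = '{00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6}'   # ClassID from the article
$KillBit = 0x00000400                                 # kill-bit value in "Compatibility Flags"
$Name    = 'Compatibility Flags'

# On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node view,
# so the kill bit has to be present in both locations.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$Root, [string]$Clsid)

    # Skip registry views that do not exist (e.g. Wow6432Node on 32-bit Windows).
    if (-not (Test-Path -LiteralPath $Root)) { return $null }

    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Keep any flags that are already set and OR in the kill bit.
    $current = 0
    $prop = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $current = [int]$prop.$Name }
    $new = $current -bor $KillBit

    New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
        -Value $new -Force | Out-Null

    # Read the value back so the result reflects what is actually stored.
    $stored = [int](Get-ItemProperty -LiteralPath $key -Name $Name).$Name
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $stored
        KillBitSet = (($stored -band $KillBit) -eq $KillBit)
    }
}

$results = foreach ($root in $Roots) { Set-KillBit -Root $root -Clsid $Clsid }
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.KillBitSet }) {
    Write-Warning 'Kill bit is missing in at least one registry view.'
}
```

Restart Internet Explorer after running it so the setting takes effect for new browser processes.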

Source: Heise Security
