Title: Microsoft Visual Basic 6 TBLinf32.DLL ActiveX Control Remote Code Execution Vulnerability
Severity: HIGH
Description:
The Microsoft Visual Basic 6 TypeLib Information Library (TLI) ActiveX control is prone to a remote code-execution vulnerability.
The vulnerability has been identified in the 'TypeLibInfoFromFile()' function of the Microsoft Visual Basic 6 TypeLib Information Library (TLI) 'tblinf32.dll' ActiveX control with the following CLSIDs:
{8B217746-717D-11CE-AB5B-D41203C10000}
{8B217752-717D-11CE-AB5B-D41203C10000}
{8B21775E-717D-11CE-AB5B-D41203C10000}
The affected ActiveX control can also be found under the name of 'vstlbinf.dll'.
An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document that loads a malicious DLL from a remote location through a call to the 'HelpString' property of the 'TypeLibInfoFromFile()' function.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions.
Affected Products:
- Avaya CIE 1.0
- Avaya CIE 1.0.2
- Avaya Customer Interaction Express (CIE) Server 1.0
- Avaya Messaging Application Server
- Avaya Messaging Application Server MM 2.0
- Avaya Messaging Application Server MM 3.0
- Avaya Messaging Application Server MM 3.1
- HP Storage Management Appliance 2.1
- HP Storage Management Appliance 2.1
- HP Storage Management Appliance I
- HP Storage Management Appliance II
- HP Storage Management Appliance III
- Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Internet Explorer 5.0.1 SP3
- Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0 SP1
- Microsoft Internet Explorer 6.0 SP2 - do not use
- Microsoft Internet Explorer 7.0
- Microsoft Internet Explorer 7.0 beta1
- Microsoft Internet Explorer 7.0 beta2
- Microsoft Internet Explorer 7.0 beta3
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Datacenter Edition Itanium
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Enterprise Edition Itanium
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 Web Edition
- Microsoft Windows Vista
- Microsoft Windows Vista Business
- Microsoft Windows Vista Enterprise
- Microsoft Windows Vista Home Basic
- Microsoft Windows Vista Home Premium
- Microsoft Windows Vista Ultimate
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
References:
- Avaya: ASA-2007-364: MS07-045 Cumulative Security Update for Internet Explorer (937143)
- Microsoft: Microsoft Internet Explorer Home Page
- Microsoft: Microsoft Knowledge Base Article 240797
- Microsoft: Microsoft Security Bulletin MS07-045
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
