ActiveX module in Microsoft Works opens up security hole
A demonstration of a security hole in the Microsoft Works Image Server (
WkImgSrv.dll) ActiveX module contained in the Microsoft Works office suite has appeared on the Bugtraq mailing list. The demo appears to only cause a system crash. McAfee, however, has already found fully functional exploits which allow attackers to inject vulnerable systems with malicious code via specially crafted web pages.
The ActiveX module is not marked as "Safe for Scripting", so Internet Explorer issues a warning before executing the module. However, if a user does allow a crafted web page to execute the module, malicious code may be injected and executed on the system.
No update has been released so far. As a workaround, the kill bit can be set for ClassID
00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6. The vulnerable
WkImgSrv.dll version 7.03.0616.0 and possibly other versions will then not be integrated into Internet Explorer. An article in Microsoft's knowledge base provides assistance.
- Microsoft Works 7 WkImgSrv.dll crash POC, demonstration of the vulnerability on the Bugtraq mailing list
- Potential Microsoft Works ActiveX 0-Day Surfaces, entry in McAfee's security blog