Lucene search
RootSSV:2940HistoryFeb 26, 2008 - 12:00 a.m.
Yahoo! Music Jukebox AddImage函数ActiveX远程栈溢出漏洞
2008-02-2600:00:00
Root
www.seebug.org
14
0.204 Low
EPSS
Percentile
96.4%
BUGTRAQ ID: 27590
CVE(CAN) ID: CVE-2008-0623
Yahoo! Music Jukebox是一款音乐编辑、管理、刻录软件。
Yahoo! Music Jukebox的ActiveX控件实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。
Yahoo! Music Jukebox所安装的YMP DataGrid ActiveX控件(datagrid.dll)没有正确地处理传送给AddImage()方式的输入参数,如果用户受骗访问了恶意站点并向该参数传送了超长字符串的话,就可能触发栈溢出,导致执行任意指令。
Yahoo! Music Jukebox 2.2
临时解决方法:
- 在IE中禁用有漏洞的ActiveX控件,为以下CLSID设置kill bit:
{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}
或者将以下文本报文为.REG文件并导入:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}]
"Compatibility Flags"=dword:00000400
厂商补丁:
Yahoo!
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
<a href=“http://music.yahoo.com/jukebox/” target=“_blank”>http://music.yahoo.com/jukebox/</a>
<!--
Yahoo! Music Jukebox 2.2 AddImage() ActiveX BOF
Discovered by Krystian Kloskowski - [email protected]
&nb
Related
cve
cve
CVE-2008-0623
2008-02-06 21:00:00
CVE-2008-0624
2008-02-06 21:00:00
nvd
nvd
CVE-2008-0623
2008-02-06 21:00:00
CVE-2008-0624
2008-02-06 21:00:00
prion
prion
Stack overflow
2008-02-06 21:00:00
Buffer overflow
2008-02-06 21:00:00
cvelist
cvelist
CVE-2008-0623
2008-02-06 20:00:00
CVE-2008-0624
2008-02-06 20:00:00
kaspersky
kaspersky
KLA10407 ACE vulnerability in Yahoo! Music Jukebox
2008-02-06 00:00:00
cert
cert
Yahoo! Music Jukebox YMP Datagrid ActiveX control stack buffer overflows
2008-02-05 00:00:00
checkpoint_advisories
checkpoint_advisories
nessus
nessus
Yahoo! Music Jukebox ActiveX Controls Buffer Overflows
2008-02-07 00:00:00