PT-2007-6005 · Microsoft · Visual Studio
Shinnai · Published 2007-09-14 · Updated 2017-09-29 · CVE-2007-4891
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions:
Microsoft Visual Studio 6.0 versions 6.0.0.9782 and earlier
Description:
An ActiveX control in PDWizard.ocx exposes several dangerous methods, including StartProcess, SyncShell, SaveAs, CABDefaultURL, CABFileName, and CABRunFile. Because these methods are reachable by remote attackers, they allow arbitrary programs to be executed and have other impacts; passing absolute pathnames as arguments to StartProcess and SyncShell is enough to demonstrate the vulnerability.
Recommendations:
For Microsoft Visual Studio 6.0 versions 6.0.0.9782 and earlier, consider disabling the StartProcess and SyncShell methods as a temporary workaround to reduce the risk of exploitation. Additionally, restrict access to the SaveAs, CABDefaultURL, CABFileName, and CABRunFile methods until a patch is available. At the time of writing, no newer version containing a fix for this vulnerability is known.
Exploit
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Visual Studio