CVE-2008-4255

Name of the Vulnerable Software and Affected Versions: Microsoft Visual Basic 6.0 Visual Studio .NET versions 2002 SP1 and 2003 SP1 Visual FoxPro versions 8.0 SP1, 9.0 SP1, and 9.0 SP2 Office Project versions 2003 SP3 and 2007 Gold and SP1

Description: A heap-based buffer overflow issue exists, allowing remote attackers to execute arbitrary code via a crafted AVI file. This triggers an allocation error and memory corruption. The vulnerability can be exploited by constructing a specially crafted web page, potentially leading to remote code execution when viewed. If successfully exploited, an attacker could gain the same user rights as the logged-on user.

Recommendations: For Microsoft Visual Basic 6.0, update to a version that includes the fix for this issue. For Visual Studio .NET versions 2002 SP1 and 2003 SP1, apply the necessary patch or update to a newer version. For Visual FoxPro versions 8.0 SP1, 9.0 SP1, and 9.0 SP2, consider disabling the use of AVI files until a patch is available. For Office Project versions 2003 SP3 and 2007 Gold and SP1, restrict access to crafted web pages to minimize the risk of exploitation.