PT-2006-5476 · Microsoft · Packager.Exe+2

Andreas Sandblad · Published 2006-10-10 · Updated 2024-02-13 · CVE-2006-4692

CVSS v2.0: 5.1 (Medium)

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Microsoft Windows versions prior to XP SP3 and Server 2003 SP2

Description

The issue allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a "/" character in the filename of the Command Line property, followed by a valid file extension. This could cause the command before the slash to be executed. A remote code execution vulnerability exists due to the way file extensions are handled, potentially allowing an attacker to take complete control of an affected system if a user visits a specially crafted Web site. Significant user interaction is required to exploit this vulnerability.

Recommendations

For Microsoft Windows XP SP1 and SP2, and Server 2003 SP1 and earlier, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting the use of packager.exe until a patch is available. Avoid using the Command Line property with filenames containing a "/" character followed by a valid file extension in the Windows Object Packager until the issue is resolved.

Fix

RCE

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2006-4692

Affected Products

Windows
Windows Object Packager
Packager.Exe