PT-2007-3562 · Microsoft · Windows+2

Published 2007-08-14 · Updated 2018-10-16 · CVE-2007-2224

CVSS v2.0: 9.3 High

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Microsoft Windows versions 2000 SP4, XP SP2, Server 2003 SP1 and SP2
Microsoft Office version 2004 for Mac
Microsoft Visual Basic version 6.0

Description

A remote code execution issue exists in Object Linking and Embedding (OLE) Automation. This issue could allow an attacker to execute arbitrary code via the substringData method on a TextNode object, causing an integer overflow that leads to a buffer overflow. An attacker who successfully exploits this issue could make changes to the system with the permissions of the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system, then install programs, view, change, or delete data, or create new accounts with full user rights.

Recommendations

For Microsoft Windows versions 2000 SP4, XP SP2, Server 2003 SP1 and SP2, consider restricting access to OLE Automation until a patch is available. For Microsoft Office version 2004 for Mac, avoid using the substringData method on a TextNode object in OLE Automation until the issue is resolved. For Microsoft Visual Basic version 6.0, as a temporary workaround, consider disabling the use of OLE Automation in Visual Basic projects until a patch is available.

Fix

RCE

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2007-2224

Affected Products

Office
Visual Basic
Windows