A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to compromise a vulnerable system. This issue is caused by a memory corruption error in the Microsoft Data Analyzer ActiveX control (max3activex.dll) when used in Internet Explorer, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page.

This security update also includes kill bits for four third-party ActiveX controls.

Affected Products

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Server 2008 (Itanium)
Microsoft Windows Server 2008 (Itanium) Service Pack 2
Microsoft Windows 7 (32-bit)
Microsoft Windows 7 (x64)
Microsoft Windows Server 2008 R2 (x64)
Microsoft Windows Server 2008 R2 (Itanium)

Solution

Apply patches :
http://www.microsoft.com/technet/security/bulletin/ms10-008.mspx

References

http://www.vupen.com/english/advisories/2010/0341
http://www.microsoft.com/technet/security/bulletin/ms10-008.mspx

Credits

Vulnerability reported by Shaun Colley (NGS Software).

Changelog

2010-02-09 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.