| VID |
26659 |
| Severity |
40 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The hotfix (MS13-090, 2900986) for 'Cumulative Security Update of ActiveX Kill Bits' has not been applied.
The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control.
The security update addresses the vulnerabilities by setting kill bits so that the vulnerable controls do not run in Internet Explorer.
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://technet.microsoft.com/en-us/security/bulletin/ms13-090
* Platforms Affected:
Windows XP Service Pack 3
Windows Server 2003 Service Pack 2
Windows Vista Service Pack 2
Windows Server 2008 Service Pack 2
Windows Server 2008 R2 Service Pack 1
Windows 7 Service Pack 1
Microsoft Windows 8, 8.1
Microsoft Windows Server 2012 |
| Recommendation |
Apply the appropriate patch (2900986)for your system, as listed in Microsoft Security Bulletin MS13-090 at http://technet.microsoft.com/en-us/security/bulletin/ms13-090
-- OR --
Patches for Windows platforms are also available from the Microsoft Windows Update Web site, http://windowsupdate.microsoft.com. Windows Update detects what version of Windows you are running and offers the appropriate patch. |
| Related URL |
CVE-2013-3918 (CVE) |
| Related URL |
63631 (SecurityFocus) |
| Related URL |
(ISS) |
|
