This exploit targets a vulnerability in the Remote Data Services (RDS) RDS.Dataspace ActiveX control, which is part of ActiveX Data Objects (ADO) and is distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8. The vulnerability allows remote attackers to execute arbitrary code via several attack vectors.
RDS was designed to let users with ActiveX-enabled browsers, such as Internet Explorer, connect to database servers over a network, download datasets to their local machines, operate on the datasets, and then write the results back to the remote database server. Because of design flaws in RDS, JavaScript manipulation of RDS objects, in this case the RDS.Dataspace object, can force the download and execution of program code.
The vulnerability was addressed in Microsoft Security Bulletin MS06-014, released 11 April 2006, along with updates to the affected MDAC versions.
This is a very commonly used attack vector, often delivered via obfuscated JavaScript.
CVE-2006-1359
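A defender-side check for the delivery pattern described above, as an added example that is not part of the original page: it undoes common string obfuscation in page source and then looks for the RDS.DataSpace ProgID or the control's CLSID. The CLSID value, the function names and the sample strings do not come from the page; the samples are constructed.

```javascript
// Added example: static check for RDS.DataSpace instantiation in page source.
// Assumption (not from the page): CLSID registered for the RDS.DataSpace control.
const RDS_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36";
const RDS_PROGID = "rds.dataspace";

const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));

// Undo the cheap obfuscation layers usually wrapped around the object name.
function normalize(src) {
  let out = src;
  for (let pass = 0; pass < 3; pass++) {        // a few passes for nested encodings
    const before = out;
    out = out
      .replace(/%u([0-9a-f]{4})/gi, fromHex)    // unescape() style %uXXXX
      .replace(/%([0-9a-f]{2})/gi, fromHex)     // unescape() style %XX
      .replace(/\\u([0-9a-f]{4})/gi, fromHex)   // JS string escape \uXXXX
      .replace(/\\x([0-9a-f]{2})/gi, fromHex)   // JS string escape \xXX
      .replace(/&#x([0-9a-f]{1,4});/gi, fromHex) // HTML hex entity in attributes
      .replace(/(["'])\s*\+\s*(["'])/g, "");    // "RD" + "S.Da" -> "RDS.Da
    if (out === before) break;                  // nothing left to decode
  }
  return out.toLowerCase();
}

// Returns which indicators ("clsid", "progid") appear after normalization.
function findRdsDataspaceUse(src) {
  const text = normalize(src);
  const findings = [];
  if (text.includes(RDS_CLSID)) findings.push("clsid");
  if (text.includes(RDS_PROGID)) findings.push("progid");
  return findings;
}

// Constructed samples (not captured traffic); each only names the object.
const SAMPLES = {
  plainObjectTag:
    '<object id="o" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"></object>',
  splitProgId: 'var o = new ActiveXObject("RD" + "S.Da" + \'taSp\' + "ace");',
  escapedProgId: 'var n = unescape("%52%44%53%2e%44%61%74%61%53%70%61%63%65");',
  // Placeholder CLSID, constructed so that it cannot match.
  benign: '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, findRdsDataspaceUse(src));
}
```

A hit from this check is a triage signal, not proof of exploitation: the page would still need review to see what it does with the object.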