CERT had notified Symantec of the vulnerability [WHEN], which occurs in the Get() and Set() functions used by ISAlertDataCOM, a function of ISALERT.DLL.
Symantec and US-CERT warned that for successful exploitation, an attacker must dupe the victim into visiting a malicious website and clicking on a malicious document.
Symantec, in an advisory released on Wednesday, ranked the flaw’s risk impact as "medium." A Symantec spokesman today referred questions to the advisory.
Secunia reported in an advisory released today that researcher Will Dorman of CERT/CC discovered the flaw, which can be exploited to cause a stack-based buffer overflow via an overly long argument.
Secunia ranked the flaw as "highly critical," meaning it can be exploited from a remote location.
FrSIRT yesterday rated the vulnerability as "critical."
_(22).jpg&h=140&w=231&c=1&s=0)
_(20).jpg&h=140&w=231&c=1&s=0)
.png&h=140&w=231&c=1&s=0)
_(26).jpg&w=100&c=1&s=0)
iTnews Executive Retreat - Security Leaders Edition
_(1).jpg&h=140&w=231&c=1&s=0)
