CVE-2007-2216
published 2007-08-14CVE-2007-2216: The tblinf32.dll (aka vstlbinf.dll) ActiveX control for Internet Explorer 5.01, 6 SP1, and 7 uses an incorrect IObjectsafety implementation, which allows…
PriorityP352critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
41.39%
98.5th percentile
The tblinf32.dll (aka vstlbinf.dll) ActiveX control for Internet Explorer 5.01, 6 SP1, and 7 uses an incorrect IObjectsafety implementation, which allows remote attackers to execute arbitrary code by requesting the HelpString property, involving a crafted DLL file argument to the TypeLibInfoFromFile function, which overwrites the HelpStringDll property to call the DLLGetDocumentation function in another DLL file, aka "ActiveX Object Vulnerability."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for ActiveX instantiation of tblinf32.dll / vstlbinf.dll (TypeLib Information Library TLI control) within Internet Explorer processes, particularly when followed by calls to TypeLibInfoFromFile with UNC path arguments. ↗
- →Detect UNC path arguments (\\<IP>\<SHARE>\*.dll) passed to the TypeLibInfoFromFile method — this is the exploit delivery mechanism used to load a remote attacker-controlled DLL via SMB. ↗
- →Alert on access to the HelpString property of TypeLib interface members following a TypeLibInfoFromFile call, as this triggers the DLLGetDocumentation call in the attacker-supplied DLL. ↗
- →Hunt for HTML documents that instantiate the TLI ActiveX control and chain TypeLibInfoFromFile → .Interfaces.Item() → .Members.Item() → .HelpString — this is the full exploit call chain. ↗
- →Exploit delivery is via a maliciously crafted HTML document opened in Internet Explorer; network-level detection should look for SMB/UNC outbound connections from iexplore.exe to external IPs loading DLL files. ↗
- ·The vulnerability stems from an incorrect IObjectSafety implementation in the ActiveX control, meaning the control incorrectly marks itself as safe for scripting, allowing untrusted web pages to invoke it. Blocking or kill-bitting tblinf32.dll/vstlbinf.dll in the registry is the primary mitigation. ↗
- ·Affected versions are Internet Explorer 5.01, 6 SP1, and 7 — scope detection rules accordingly and do not expect this to trigger on modern IE/Edge environments. ↗
- ·Failed exploit attempts manifest as denial-of-service (crash) rather than code execution, so process crash telemetry for iexplore.exe should also be correlated with this CVE. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
http://secunia.com/advisories/26419http://securitytracker.com/id?1018562http://www.osvdb.org/36396http://www.securityfocus.com/archive/1/476742/100/0/threadedhttp://www.securityfocus.com/bid/25289http://www.us-cert.gov/cas/techalerts/TA07-226A.htmlhttp://www.vupen.com/english/advisories/2007/2869https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-045https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2109http://secunia.com/advisories/26419http://securitytracker.com/id?1018562http://www.osvdb.org/36396http://www.securityfocus.com/archive/1/476742/100/0/threadedhttp://www.securityfocus.com/bid/25289http://www.us-cert.gov/cas/techalerts/TA07-226A.htmlhttp://www.vupen.com/english/advisories/2007/2869https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-045https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2109
2007-08-14
Published