cbcvebase.
CVE-2007-2496
published 2007-05-04

CVE-2007-2496: The WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1)…

PriorityP264high7.8CVSS 2.0
AVNACLAuNCNINAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
3.83%
88.8th percentile
The WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) DoOleCommand, (2) FTPDownloadFile, (3) FTPUploadFile, (4) HttpUploadFile, (5) GotoPage, (6) Save, (7) SaveWebFile, (8) HttpDownloadFile, (9) Open, (10) OpenWebFile, (11) SaveAs, or (12) ShowWordStandardDialog property value.

Affected

1 ranges
VendorProductVersion rangeFixed in
office_ocxword_viewer_ocx

Detection & IOCsextracted from sources · hover to see the quote

filenameWordViewer.ocx
versionWordViewer.ocx 3.2.0.5
urlhttp://ally.serveblog.net//loading.php?spl=ActiveX_pack
otherCLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61
urlhttp://xxx/DownloaderActiveX.cab#Version=1,0,0,1
otheraHR0cDovL2FsbHkuc2VydmVibG9nLm5ldC8vbG9hZGluZy5waHA/c3BsPWphdmFkbndiJg==
commandarg1=String(2097512,"A")
  • Look for HTML pages loading the WordViewer.ocx ActiveX control via OBJECT tags with CODEBASE pointing to remote .cab or .ocx files, combined with parameter values containing very long strings (e.g., String(2097512, 'A') pattern — ~2 MB of repeated 'A' characters).
  • Monitor for exploit delivery pages using the pattern 'loading.php?spl=ActiveX_pack' as a URL parameter, which was observed in-the-wild campaigns chaining CVE-2007-2496 with other ActiveX exploits.
  • Flag use of CLSID c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61 in HTML OBJECT tags, associated with the DownloaderActiveX control used in the same exploit pack as CVE-2007-2496.
  • The base64 value 'aHR0cDovL2FsbHkuc2VydmVibG9nLm5ldC8vbG9hZGluZy5waHA/c3BsPWphdmFkbndiJg==' decodes to a payload URL; detect this string in HTML PARAM VALUE fields as an obfuscation indicator.
  • ·The exploit PoC was tested specifically against Windows XP Professional SP2 with Internet Explorer 7; other OS/browser combinations may behave differently.
  • ·All software that uses WordViewer.ocx is stated to be vulnerable, not just the primary Word Viewer product — scope detection rules broadly to any application embedding this OCX.

CVSS provenance

nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:N/I:N/A:C
vulncheck7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.