CVE-2007-2496
published 2007-05-04CVE-2007-2496: The WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1)…
PriorityP264high7.8CVSS 2.0
AVNACLAuNCNINAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
3.83%
88.8th percentile
The WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) DoOleCommand, (2) FTPDownloadFile, (3) FTPUploadFile, (4) HttpUploadFile, (5) GotoPage, (6) Save, (7) SaveWebFile, (8) HttpDownloadFile, (9) Open, (10) OpenWebFile, (11) SaveAs, or (12) ShowWordStandardDialog property value.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| office_ocx | word_viewer_ocx | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for HTML pages loading the WordViewer.ocx ActiveX control via OBJECT tags with CODEBASE pointing to remote .cab or .ocx files, combined with parameter values containing very long strings (e.g., String(2097512, 'A') pattern — ~2 MB of repeated 'A' characters). ↗
- →Monitor for exploit delivery pages using the pattern 'loading.php?spl=ActiveX_pack' as a URL parameter, which was observed in-the-wild campaigns chaining CVE-2007-2496 with other ActiveX exploits. ↗
- →Flag use of CLSID c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61 in HTML OBJECT tags, associated with the DownloaderActiveX control used in the same exploit pack as CVE-2007-2496. ↗
- →The base64 value 'aHR0cDovL2FsbHkuc2VydmVibG9nLm5ldC8vbG9hZGluZy5waHA/c3BsPWphdmFkbndiJg==' decodes to a payload URL; detect this string in HTML PARAM VALUE fields as an obfuscation indicator. ↗
- ·The exploit PoC was tested specifically against Windows XP Professional SP2 with Internet Explorer 7; other OS/browser combinations may behave differently. ↗
- ·All software that uses WordViewer.ocx is stated to be vulnerable, not just the primary Word Viewer product — scope detection rules broadly to any application embedding this OCX. ↗
CVSS provenance
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:N/I:N/A:C
vulncheck7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2mhh-8chh-jm97: The WordOCX ActiveX control in WordViewer
ghsa_unreviewed·2022-05-01
CVE-2007-2496 [HIGH] GHSA-2mhh-8chh-jm97: The WordOCX ActiveX control in WordViewer
The WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) DoOleCommand, (2) FTPDownloadFile, (3) FTPUploadFile, (4) HttpUploadFile, (5) GotoPage, (6) Save, (7) SaveWebFile, (8) HttpDownloadFile, (9) Open, (10) OpenWebFile, (11) SaveAs, or (12) ShowWordStandardDialog property value.
VulnCheck
Office OCX WordViewer.ocx ActiveX Multiple Vulnerabilities
vulncheck·2007·CVSS 7.8
CVE-2007-2496 [HIGH] Office OCX WordViewer.ocx ActiveX Multiple Vulnerabilities
Office OCX WordViewer.ocx ActiveX Multiple Vulnerabilities
The WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) DoOleCommand, (2) FTPDownloadFile, (3) FTPUploadFile, (4) HttpUploadFile, (5) GotoPage, (6) Save, (7) SaveWebFile, (8) HttpDownloadFile, (9) Open, (10) OpenWebFile, (11) SaveAs, or (12) ShowWordStandardDialog property value.
Affected: office_ocx word_viewer_ocx
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
http://moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.htmlhttp://osvdb.org/34334http://secunia.com/advisories/25100http://www.securityfocus.com/bid/23784http://www.vupen.com/english/advisories/2007/1634https://exchange.xforce.ibmcloud.com/vulnerabilities/34027http://moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.htmlhttp://osvdb.org/34334http://secunia.com/advisories/25100http://www.securityfocus.com/bid/23784http://www.vupen.com/english/advisories/2007/1634https://exchange.xforce.ibmcloud.com/vulnerabilities/34027
2007-05-04
Published
Exploited in the wild