The vulnerabilities are caused by the "AddContextRef()" and "ReleaseContext()" methods in the WMI Object Viewer Control (WBEM.SingleViewCtrl.1), which use a value passed in the "lCtxHandle" parameter as an object pointer.
An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Successful exploits will allow the attacker to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control.
The vulnerabilities are confirmed in version 1.1 (WBEMSingleView.ocx 1.50.1131.0).
Set the kill-bit for the affected ActiveX control.
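One way to apply this mitigation, as an added example that is not part of the original advisory: the advisory does not list the control's CLSID, so the script resolves it on the host from the ProgID and then sets the kill bit (`Compatibility Flags` with `0x400`) in both registry views. It assumes an elevated PowerShell prompt on a machine where the control is registered.

```powershell
# Added example: set the IE kill bit for the control named in the advisory.
$ProgId  = 'WBEM.SingleViewCtrl.1'   # ProgID given in the advisory
$KillBit = 0x400                      # "do not load" flag honoured by Internet Explorer

# Resolve the CLSID from the ProgID registration instead of hard-coding it.
$progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
if (-not (Test-Path $progKey)) {
    throw "$ProgId is not registered on this host; nothing to kill-bit."
}
$clsid = (Get-Item $progKey).GetValue('')
if ($clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
    throw "Unexpected CLSID value under ${progKey}: '$clsid'"
}

# 64-bit and 32-bit IE read separate ActiveX Compatibility keys.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($base in $bases) {
    if (-not (Test-Path $base)) { continue }   # view absent (e.g. 32-bit OS)

    $key = Join-Path $base $clsid
    # Create the key only if missing; New-Item -Force would wipe existing values.
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }

    # Preserve any flags already set and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $updated = [int]$current -bor $KillBit

    New-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $updated -Force | Out-Null

    # Read back to confirm the bit is present.
    $check = (Get-ItemProperty -Path $key).'Compatibility Flags'
    '{0}: Compatibility Flags = 0x{1:X8} (kill bit set: {2})' -f `
        $key, $check, (($check -band $KillBit) -ne 0)
}
```

Restart Internet Explorer after the change so the new flag is read.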
PoC Exploit is available at:
- Original credit goes to "牛奶坦克" via WooYun.