CVE-2008-1898

Exploitation Summary

CVE-2008-1898 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, lhoang8500, Shennan Wang, including a Metasploit module exploits/windows/fileformat/msworks_wkspictureinterface.

AI-analyzed exploit summary This exploit targets a vulnerability in Microsoft Works 7 WkImgSrv.dll ActiveX control by passing a negative integer to the WksPictureInterface method, leading to arbitrary code execution. It generates an HTML file with embedded JavaScript to trigger the exploit.

Description

A certain ActiveX control in WkImgSrv.dll 7.03.0616.0, as distributed in Microsoft Works 7 and Microsoft Office 2003 and 2007, allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via an invalid WksPictureInterface property value, which triggers an improper function call.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16649

View Code ZIP pw:eip

This exploit targets a vulnerability in Microsoft Works 7 WkImgSrv.dll ActiveX control by passing a negative integer to the WksPictureInterface method, leading to arbitrary code execution. It generates an HTML file with embedded JavaScript to trigger the exploit.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Works 7 WkImgSrv.dll ActiveX control

No auth needed

Prerequisites: Victim must open the malicious HTML file in a vulnerable browser

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by lhoang8500 · htmlremotewindows

https://www.exploit-db.com/exploits/5530

View Code ZIP pw:eip

This exploit targets a memory corruption vulnerability in WKsPictureInterface method of wkimgsrv.dll, leveraging heap spraying to execute arbitrary shellcode. It uses a carefully crafted memory layout to bypass NULL checks and redirect execution flow.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Office Suite (2003, 2007) with wkimgsrv.dll

No auth needed

Prerequisites: Victim must visit a malicious webpage · Target system must have vulnerable wkimgsrv.dll

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Shennan Wang · htmldoswindows

https://www.exploit-db.com/exploits/5460

View Code ZIP pw:eip

This exploit targets a vulnerability in Microsoft Works 7 by manipulating the WksPictureInterface property of an ActiveX object, leading to a crash (DoS). The PoC uses JavaScript to trigger the vulnerability via an HTML page.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Works 7

No auth needed

Prerequisites: Victim must open the malicious HTML file in a browser with the vulnerable ActiveX control installed

MITRE ATT&CK

T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC LOW

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb

View Code ZIP pw:eip

This Metasploit module exploits a vulnerability in Microsoft Works 7 WkImgSrv.dll ActiveX control by passing a negative integer to the WKsPictureInterface method, leading to arbitrary code execution. The exploit generates an HTML file with obfuscated JavaScript to trigger the vulnerability and execute shellcode.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Works 7 WkImgSrv.dll ActiveX control

No auth needed

Prerequisites: Victim must open the malicious HTML file in a vulnerable browser with the ActiveX control installed

MITRE ATT&CK