CVE-2008-3704

EXPLOITED IN THE WILD

Microsoft Visual Studio <6.0.84.18 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2008-3704 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 4 public exploits from researchers including Metasploit, Koshi, Symantec, including a Metasploit module exploits/windows/browser/ms08_070_visual_studio_msmask.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in the Msmask32.ocx ActiveX control in Microsoft Visual Studio 6.0. It delivers a malicious HTML page with JavaScript that triggers the vulnerability via a crafted 'Mask' parameter, leading to arbitrary code execution.

Description

Heap-based buffer overflow in the MaskedEdit ActiveX control in Msmask32.ocx 6.0.81.69, and possibly other versions before 6.0.84.18, in Microsoft Visual Studio 6.0, Visual Basic 6.0, Visual Studio .NET 2002 SP1 and 2003 SP1, and Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2 allows remote attackers to execute arbitrary code via a long Mask parameter, related to not "validating property values with boundary checks," as exploited in the wild in August 2008, aka "Masked Edit Control Memory Corruption Vulnerability."

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16507

This exploit targets a stack buffer overflow in the Msmask32.ocx ActiveX control in Microsoft Visual Studio 6.0. It delivers a malicious HTML page with JavaScript that triggers the vulnerability via a crafted 'Mask' parameter, leading to arbitrary code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Visual Studio 6.0 (Msmask32.ocx ActiveX Control)
No auth needed
Prerequisites: Victim must visit a malicious webpage or be tricked into opening a malicious HTML file · Target system must have the vulnerable ActiveX control installed and enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Koshi · htmlremotewindows
https://www.exploit-db.com/exploits/6317

This exploit targets a buffer overflow vulnerability in the MSMASK32.OCX ActiveX control (CVE-2008-3704) by crafting a malicious 'Mask' parameter to trigger arbitrary code execution. It uses heap spraying and shellcode (Alpha2-encoded) to spawn a calculator (calc.exe) as a proof-of-concept.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Visual Studio (MSMASK32.OCX ActiveX control)
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a malicious HTML file · ActiveX control must be registered and not killed via KillBit
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Symantec · javascriptdoswindows
https://www.exploit-db.com/exploits/6244

This exploit targets a buffer overflow vulnerability in the Microsoft DirectShow 'Mask' parameter. It uses a long string of unescaped characters to trigger the overflow, potentially leading to arbitrary code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft DirectShow (via Internet Explorer)
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Symantec, koshi, MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb

This Metasploit module exploits a stack buffer overflow in Microsoft Visual Studio 6.0's Mdmask32.ocx ActiveX control via a crafted 'Mask' parameter. It delivers a reverse TCP shell payload through a malicious HTML page with obfuscated JavaScript.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Microsoft Visual Studio 6.0 (Mdmask32.ocx ActiveX Control)
No auth needed
Prerequisites: Target must visit a malicious webpage · ActiveX control must be enabled in Internet Explorer
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (12)

Core 12
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1020710
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2380
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3382
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/31498
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5794
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30674
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6244
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-344A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44444
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6317

Scores

EPSS 0.8747
EPSS Percentile 99.5%

Details

VulnCheck KEV 2008-08-18
InTheWild.io 2018-10-12
CWE
CWE-119
Status published
Products (6)
microsoft/visual_basic 6.0
microsoft/visual_foxpro 8.0 sp1
microsoft/visual_foxpro 9.0 sp1 (2 CPE variants)
microsoft/visual_studio 6.0
microsoft/visual_studio_.net 2002 sp1
microsoft/visual_studio_.net 2003 sp1
Published Aug 18, 2008
Tracked Since Feb 18, 2026